Philippine firms urged to rethink cloud as cyber risks grow

 

By Francis Allan L. Angelo

The average cost of a data breach in ASEAN has reached USD 3.23 million, posing a severe threat to small and medium-sized enterprises (SMEs) in the Philippines.

According to Marcus Teo, chief revenue officer at Zimbra, “This figure represents more than just direct financial losses from fines or ransomware payments—it signifies a chain of cascading consequences that can cripple some companies.”

Teo said that operational disruption is often the first blow, followed by reputational damage and customer attrition, which are especially devastating for SMEs that lack the resources for recovery.

He warned that breach recovery diverts valuable manpower as employees are pulled from their roles to manage legal, forensic, and incident response activities.

The lack of transparency in proprietary cloud models—often referred to as “black box” systems—is now a major concern for Philippine CEOs and CIOs.

“The most critical blind spot created by proprietary ‘black box’ cloud solutions is the lack of transparency and control over the physical location and management of their data,” Teo said.

This creates regulatory vulnerabilities, undermines compliance with the Philippine Data Privacy Act, and exposes organisations to geopolitical threats.

Teo said data leaders often have no idea where their data resides, who accesses it, or what protections are truly in place—leaving them unable to assess risks or audit compliance.

He clarified that the growing number of cloud breaches isn’t due to flaws in the cloud model itself, but rather in how organisations use it.

“Many companies fail to understand the shared responsibility for security,” Teo said, citing misconfiguration, weak access controls, and lack of training as top contributors.

He added that as AI-powered cyberattacks grow more sophisticated, Philippine companies must adopt cloud solutions that allow for visibility, control, and proactive defense.

The shift away from a “Cloud-First” mindset toward a “Cloud-Smart” approach is now underway, driven by concerns over data sovereignty, cybersecurity, and vendor lock-in.

Teo pointed to the Philippine Data Privacy Act as a key reason organisations are abandoning an all-in cloud strategy in favor of hybrid models with stronger local control.

He said the rising threat of ransomware and business email compromise (BEC), coupled with the high costs of switching cloud providers, is pushing companies toward more strategic decisions.

For SMEs in the Philippines, Teo said the cost and complexity of hybrid or on-premise solutions are outweighed by long-term benefits.

“A ‘simple’ cloud solution often comes with hidden costs, such as data egress fees, escalating subscription rates, and the need for third-party security add-ons,” he said.

He emphasized that hybrid models offer predictable operational expenses, stronger compliance, and less reliance on foreign vendors.

In sectors like banking, healthcare, education, and critical infrastructure, Teo said the case for on-premise or hybrid deployment is particularly strong.

These industries, he said, manage highly sensitive data and face severe consequences if they lose control of it due to foreign legal access or cloud vendor failures.

Teo highlighted the value of open-core platforms, which can be deployed on-premise and offer full transparency through publicly accessible source code.

“This allows the government agency, or its trusted local partners, to inspect the code for vulnerabilities, understand precisely how data is processed and stored, and verify there are no hidden flaws,” he said.

He contrasted this with proprietary cloud systems, where data may be stored in foreign jurisdictions with limited oversight.

Teo acknowledged that open-core adoption can seem daunting due to perceived feature gaps or support challenges but said these concerns are outdated.

“Many modern open-core platforms offer a rich and comparable suite of collaboration tools,” he said, adding that enterprise-grade support is often delivered through local partners with fast response times.

Teo said open-standards email platforms also provide better phishing protection by enabling custom security layers and protocol-based authentication.

“An open-standards platform, built on publicly defined protocols, allows a company’s IT team and security experts to inspect its behavior and proactively address potential issues,” he said.

He warned against vendor lock-in, sharing how organisations relying on proprietary email systems face costly, disruptive migrations when those products reach end-of-life.

“An open-core platform would have changed this outcome,” Teo said, noting that such systems allow for continued support and customization beyond official vendor timelines.

Looking ahead, Teo identified AI-driven phishing and business email compromise as the biggest cybersecurity threat to the Philippine economy in the next 18 months.

“These threats are particularly dangerous for organisations that rely on legacy or opaque communication systems,” he said.

He said attackers now use AI to mimic voices and generate convincing fake messages that bypass traditional filters and deceive even trained users.

Teo urged Philippine business leaders to immediately evaluate their risks and outlined three steps for auditing cloud vulnerabilities.

First, companies should demand full transparency on data location and access from their providers.

Second, they should commission an independent risk audit to uncover hidden weaknesses in access control and incident response.

Finally, they should explore open-core or hybrid solutions with local deployment options to regain data sovereignty.

“These platforms offer the transparency and control that are often missing from proprietary models,” Teo said, adding that local partners can ensure compliance and operational continuity.