Acting Chief Justice Leonen Issues Guidelines on Proper Cyber Hygiene in the Courts
Mindful of the need to strengthen the Judiciary’s cybersecurity measures in view of the recent ransomware attacks targeting government institutions, Acting Chief Justice Marvic M.V.F. Leonen on Friday directed all courts, judiciary offices, Justices, judges, court officials, and employees to observe strict security protocols, remain vigilant in identifying and reporting suspicious cyber activities, and adopt a set of guidelines on the observance of proper cyber hygiene.
Through Administrative Order No. 150-2023, Acting Chief Justice Leonen issued guidelines to be followed on email safety, password security, software and system updates, data backup, safe internet usage, device security, and suspicious activity reports in order to enhance the courts’ cybersecurity practices, protect sensitive data, and minimize the risk of cyber threats.
To avoid ransomware attacks through phishing emails, the guidelines recommend that Judiciary personnel examine carefully the legitimacy of the sender’s email address for misspellings or inconsistencies; protect personal information; verify links prior to clicking by checking if the uniform resource locator (URL), or the web address, matches the legitimate website’s address; look for typographical errors, grammatical errors, or awkward language in the email; be cautious with urgent messages, as phishers often create a sense of urgency in their emails; check for generic greetings; double-check email attachments by scanning the same for viruses; and report suspicious emails as spam.
The guidelines suggest that under no circumstances should Judiciary personnel use personal information and dictionary words in creating passwords. Judiciary officials and employees are also urged to use a longer password containing numbers, symbols, and both uppercase and lowercase letters; to avoid the same password for multiple accounts; to consider passphrases or a sequence of random words instead of passwords; to use a password manager; and to enable a multi-factor authentication system in their accounts.
The guidelines also advise users to never share their passwords with others, even with those who claim to be from trusted institutions, and to make sure that any written passwords are stored in a secure place.
Software and System Updates
Court personnel are directed to ensure that the operating systems of their devices such as laptops, desktops, smartphones, tablets, and other electronic devices are up to date. In this light, the guidelines provide a step-by-step guide on how to check for system updates for both Windows and Apple/Mac users. The guidelines also list free third-party anti-virus applications that may be downloaded and installed by court personnel in their devices.
To protect important files and ensure their recovery in case of data loss, the guidelines recommend that court officials and personnel follow the “3-2-1 backup rule” to ensure data redundancy and availability in case of hardware failure, data corruption, or other catastrophes.
Under the “3-2-1 backup rule,” users must maintain three separate copies of their data (the original in their primary device and two additional copies in different locations or media); two backup media/formats (i.e., one copy in an external drive and another in cloud storage); and one offsite backup, or a copy kept in a physical location different from both the primary data and its backup.
Safe Internet Usage and Device Security
Court officials and personnel are urged to avoid visiting high-risk websites and downloading files from untrusted sources in order to protect their personal information, privacy, and security. The guidelines recommend that court officials and personnel download files and software only from reputable sources and utilize only secure and judiciary-approved file-sharing platforms for work-related activities.
Users are also directed to lock their respective computers and devices when not in use, especially when in shared or public spaces. They are also instructed to immediately report lost or stolen devices as well as suspicious emails, links, ads, or email attachments to the Supreme Court Management Information System Office (MISO), to prevent data leaks and to maintain a safe online environment.
PhilHealth Data Leak and AI Image Generators
In light of the recent data breach involving the Philippine Health Insurance Corporation, or PhilHealth, the guidelines provide the link to the site created by the National Privacy Commission (https://philhealthleak.privacy.gov.ph) through which Judiciary employees may check if their personal data are among those compromised.
Court officials and employees are likewise warned of the risks of using artificial intelligence (AI) in digital applications, particularly those which require users to submit several photos of themselves to generate, through AI, enhanced portraits. These digital applications collect users’ data and create digital images that mimic an individual’s looks and speech, which can be used to create fake profiles that can lead to identity theft, social engineering, and phishing attacks.
FULL TEXT of Administrative Order No. 150-2023, Re: Proper Cyber Hygiene in the Judiciary, 20 October 2023 at: https://sc.judiciary.gov.ph/re-proper-cyber-hygiene-in-the-judiciary/