In this Q&A with Techtravelmonitor, Gautam Ramachandran, Senior Director of Global-Go-To-Market at Zimbra, highlights that in the Philippines’ rapidly evolving digital landscape, data sovereignty has become a critical business strategy rather than just an IT concern.
From your perspective, why are Filipino businesses particularly vulnerable to cyberattacks in 2025, and what are the immediate risks if companies remain without a clear data sovereignty strategy?
Ramachandran: The Philippines is in a period of rapid digital transformation, but this progress has created a significant cybersecurity paradox. On one hand, you have a push for innovation and digitalization across government, financial services, and SMEs. On the other, many organizations are operating with legacy systems and a patchwork of solutions that create new vulnerabilities. The threats are becoming increasingly sophisticated, with AI-driven attacks making phishing, credential theft, and ransomware more effective and widespread. According to a report by Fortinet, ransomware attacks are already costing Philippine firms an average of $500,000 per incident.
If companies remain without a clear data sovereignty strategy, they face immediate and long-term risks. At a foundational level, data sovereignty gives an organization control over information, its most valuable asset. Without it, companies risk non-compliance with local data privacy laws and can be subjected to foreign legal jurisdictions, creating significant long-term legal and operational risks. It’s a risk that most businesses, especially those in critical sectors, simply cannot afford.
Can you explain how data sovereignty has evolved beyond a technical IT concern into a foundational business strategy – particularly in terms of consumer trust and national security for Philippine enterprises?
Ramachandran: Historically, data sovereignty was often viewed as a niche technical requirement, a box to tick for legal compliance. Today, that has fundamentally changed. As data breaches and online scams become commonplace, data sovereignty has become a foundational business strategy built on the pillars of trust, resilience, and accountability.
For Philippine enterprises, it’s about being able to tell customers and stakeholders with certainty that their data is protected by Philippine law. Let’s face it, technology has created an era where consumer trust is fragile and difficult to earn, which makes the concept of data sovereignty an even more powerful differentiator. For national security, particularly in sectors like government and finance, data is a strategic asset. Losing control of that data to a foreign jurisdiction or a cyberattack could destabilize critical functions, from public service delivery to national economic stability. Ensuring that sensitive data is stored and managed under Philippine law is a critical component of national defense.
Therefore, many organizations must consider data sovereignty as a non-negotiable part of their strategy to safeguard public trust, maintain operational continuity, and protect national interests.
What does “cloud smart, not just cloud first” mean in practice for Filipino organizations? How can adopting a hybrid cloud model balance global innovation with the need to keep sensitive data secure on Philippine soil?
Ramachandran: “Cloud First” is a strategy that prioritizes moving everything to the cloud without a nuanced plan. In a modern context, this has given way to a more pragmatic, “Cloud Smart” approach that focuses on a deliberate and analytical approach in selecting the right cloud environment for the right data.
For Filipino organizations, this means they can balance the benefits of cloud innovation, such as flexibility, scalability, and modern collaboration tools, with the non-negotiable need for local control and compliance. In practice, this often means adopting a hybrid cloud model where sensitive data, such as government documents or financial records, can be stored in secure on-premises or private cloud environments that remain on Philippine soil, ensuring alignment with frameworks like the Cloud First Policy.
Solutions built on this philosophy provide a comprehensive suite of collaboration tools, including email, calendar, chat, and file sharing, in a single, integrated platform. This offers modern functionality without the security risks of fragmented systems. It allows Filipino organizations to have the best of both worlds, balancing global innovation with the non-negotiable need for local control and data sovereignty.
Could you outline a practical, step-by-step defense plan for IT leaders in the Philippines – including essential actions like encryption and access controls – to quickly bolster digital resilience and align with the country’s emerging National Cybersecurity Plan?
Ramachandran: The National Cybersecurity Plan emphasizes a “whole-of-nation” approach that brings together private and public sectors to strengthen proactive protection. For IT leaders, this means going beyond simply installing an antivirus. It is imperative for IT leaders in the Philippines to focus on building a robust, secure-by-design foundation. Here is a four-step approach:
Prioritize Your Data Sovereignty: Start by assessing your data to determine what is most sensitive. For critical and sensitive data, choose platforms that enable on-premises or in-country cloud deployment. This ensures your data remains under Philippine jurisdiction and aligns with frameworks like the National Cybersecurity Plan.
Adopt a “Security-by-Design” Mindset: Don’t treat security as an afterthought. Implement platforms with security built in from the start, rather than using a patchwork of disconnected solutions. This includes fundamental authentication and access controls such as multi-factor authentication (MFA), end-to-end encryption for email, and secure communication protocols.
Implement Automated and Proactive Defenses: Modern threats are often subtle and automated. Bolster your defenses with tools that provide real-time threat detection, advanced anti-phishing, and security standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). This helps your organization get ahead of threats before they can take hold by also extending defenses to general enhanced security across your organization’s network, endpoints, and data.
Cultivate a “Human Firewall”: Technology is only part of the solution. You must invest in training and upskilling your employees, procurement officers, and leaders. A well-informed and trained workforce is a powerful first line of defense against social engineering and sophisticated cyberattacks. Running internal phishing tests to measure employee awareness and identify those who need additional training is a highly effective and proactive way to reduce the risk of a breach.