SC issues guidelines to protect ‘sensitive data’ from cyber threats


The Supreme Court (SC) has directed all judiciary officials and personnel to strengthen the courts’ cybersecurity measures “to protect sensitive data and minimize the risk of cyber threats.”

The directive was issued by the SC through Acting Chief Justice Marvic M.V.F. Leonen (Chief Justice Alexander G. Gesmundo is on official travel abroad), and it cited the recent data breach involving the Philippine Health Insurance Corporation (PhilHealth).

In Administrative Order No. 150-2023 on “Proper Cyber Hygiene in Judiciary,” the SC said that “one of the most common ways of ransomware attacks is done through phishing emails which usually contain malicious links or attachments.”

The SC warned: “Do not open these links or attachments unless they have been verified to be legitimate.”

To avoid being victimized, court officials and employees were advised to carefully examine the sender’s email address.

“Phishers often use email addresses that look similar to ones used by legitimate organizations but may have small misspellings or inconsistencies. Always take a close look at the sender's display name when checking the legitimacy of an email,” the SC said.

It said that court officials and personnel should “protect personal information; verify links prior to clicking by checking if the uniform resource locator (URL) or the web address, matches the legitimate website’s address; look for typographical errors, grammatical errors, or awkward language in the email; be cautious with urgent messages, as phishers often create a sense of urgency in their emails; check for generic greetings; double-check email attachments by scanning the same for viruses; and report suspicious emails as spam.”

On password security, the SC suggested that “under no circumstances should Judiciary personnel use personal information and dictionary words in creating passwords.”

Judiciary officials and employees are also urged to “use a longer password containing numbers, symbols, and both uppercase and lowercase letters; to avoid the same password for multiple accounts; to consider passphrases or a sequence of random words instead of passwords; to use a password manager; and to enable a multifactor authentication system in their accounts.”

They were advised “to never share their passwords with others, even with those who claim to be from trusted institutions, and to make sure that any written passwords are stored in a secure place.”

They were also directed “to ensure that the operating systems of their devices such as laptops, desktops, smartphones, tablets, and other electronic devices are up to date.”

To protect important files and ensure their recovery in case of data loss, the guidelines recommend that court officials and personnel follow the “3-2-1 backup rule” to ensure data redundancy and availability in case of hardware failure, data corruption, or other catastrophes.

Under the “3-2-1 backup rule,” the SC said that users must maintain three separate copies of their data (the original on their primary device and two additional copies in different locations or media); two backup media/formats (i.e., one copy in an external drive and another in cloud storage); and one offsite backup, kept in a physical location different from both the primary data and its backup.

On safe internet usage and device security, the SC urged court officials and personnel “to avoid visiting high-risk websites and downloading files from untrusted sources in order to protect their personal information, privacy, and security.”

It also recommended the downloading of files and software “only from reputable sources and utilizing only secure and judiciary-approved file-sharing platforms for work-related activities.”

Court officials and personnel were also directed “to lock their respective computers and devices when not in use, especially when in shared or public spaces.”

They were also instructed “to immediately report lost or stolen devices as well as suspicious emails, links, ads, or email attachments to the Supreme Court Management Information System Office (MISO), to prevent data leak and to maintain a safe online environment.”

At the same time, the SC warned court officials and employees against “the risk of using artificial intelligence (AI) in digital applications, particularly those which require users to submit several photos of themselves to generate, through AI, enhanced portraits.”

The SC said: “This application compiles its users' data and creates a digital person that mimics how a real individual speaks and moves. While this may seem harmless and amusing, it can be maliciously used to create fake profiles that can lead to identity theft, social engineering, phishing attacks, and other malicious activities. There has already been a report of such a case.”