CYBERSECURITY & PRIVACY
Dave Hartley, November 14, 2018
The Intersection of Cybersecurity & Privacy in 2018: An Analysis of the Forces Impacting 2019 Priorities, Investment and Risk
An independent member of UHY International© UHY Advisors, Inc. 2018 All Rights Reserved
ABOUT ME
David Hartley
• UHY – Virtual CIO
• Former CIO – Arch Coal
• Big 4 (EY, Andersen, Protiviti)
• CPA since early 1990s
• ISACA STL President 1999-2000
• MOCPA Outstanding Visionary 2018
https://www.linkedin.com/in/davehartley/
ABOUT UHY LLP & UHY ADVISORS
UHY is a network of independent accounting and consulting firms with offices in over 325 major business centers across more than 98 countries.
• Top 20 Global Professional Services Firm
• Top 10 Fastest Growing U.S. Firms
• 325 member firms; 98 countries; 8,025 professionals within our network
TODAY’S OBJECTIVES
• Recap 2018 key events involving privacy and cybersecurity
• Understand privacy principles and the requirements in the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Recognize how privacy will impact your cyber future and how to get ahead of the curve in integrating privacy leading practices into your cybersecurity program.
FORCES DRIVING CYBER & PRIVACY?
What are the 2018 developments in cybersecurity and privacy that will impact companies in 2019 and beyond? (Cyber and privacy overlap.)
TODAY’S TAKEAWAY
• Privacy leading practices represent a new set of requirements companies must design into their products, processes and program.
• Implementing these leading practices at the design stage is essential; retrofitting them later is substantially more complex and expensive. GDPR refers to this as “data protection by design and by default.”
• Both companies and consumers are increasingly demanding trust and transparency about cybersecurity and privacy.
2018 HAS BEEN A BUSY YEAR
THE STORY OF 2018 - JANUARY
2017 DATA BREACH STATISTICS
Source: Gemalto Summary Infographic, https://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2017-Gemalto-1500.jpg
WORST BREACH OF THE YEAR 2017
WHY IS EQUIFAX RATED A 10?
SIZE: 145.5 million records (147.9 million as of March 1, 2018)
SCOPE: everything you need to create a new identity – and many things you cannot change…
• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver’s license numbers
• Credit dispute documents with personal identifying information
Future: DNA? Thumbprints? Retinal scans?
THE STORY OF 2018 - MARCH
WHAT HAPPENED?
• Facebook admitted that Cambridge Analytica collected personally identifiable information (PII) of up to 87 million Facebook users since 2014.
• Cambridge Analytica collected the data via an app called thisisyourdigitallife. Several hundred thousand users agreed to complete a survey for academic use only. Facebook’s design allowed the app to collect info from that user and their entire Facebook social network of contacts.
• The data was allegedly used to attempt to influence voter opinion on behalf of politicians who hired Cambridge Analytica.
• Following the discovery, Facebook apologized amid public outcry and falling stock prices.
WHAT NEXT?
Senator Richard J. Durbin, Democrat of Illinois: “I think that may be what this is all about. Your right to privacy. The limits of your right to privacy. And how much you give away in modern America in the name of, quote, connecting people around the world.”
THE IMPACT ON PRIVACY REGULATION
Quote from Senator John Thune, Republican of South Dakota: “After more than a decade of promises to do better, how is today’s apology different and why should we trust Facebook to make the necessary changes to ensure user privacy and give people a clearer picture of your privacy policies?”
“In the past, many of my colleagues on both sides of the aisle have been willing to defer to tech companies’ efforts to regulate themselves. But this may be changing.”
The arrival of privacy regulation (similar to GDPR) in the United States was likely accelerated by many years by the Facebook Cambridge Analytica scandal.
Source: https://www.nytimes.com/2018/04/10/us/politics/mark-zuckerberg-testimony.html
OTHER POSSIBLE IMPACTS?
• Consumers may rethink their online behavior and begin to value their privacy
• Marketing to consumers may become substantially more difficult and costly (customer acquisition cost)
• Transparency and trust will become increasingly important
• Will convenience still be preferred over privacy?
• Will others follow Facebook’s lead and roll out GDPR-compliant privacy policies around the globe (including the US, not just the EU)?
THE STORY OF 2018 - APRIL
PHISHING IS NOT NEW
(Dilbert explains phishing)
2018 VERIZON DATA BREACH INVESTIGATIONS REPORT
Source: Verizon 2018 DBIR, https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Published April 2018
PHISHING IS INCREDIBLY EFFECTIVE
Source: Verizon 2018 DBIR, https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Most prevalent scenarios?
1. Finance/Accounting – wire transfer requests, phony invoices, instructions from the CEO (Business Email Compromise, or BEC)
2. Human Resources (HR) – W-2 fraud for filing fraudulent tax returns (3x increase in 2017)
Top priority: stop phishing emails!
IF IT CAN HAPPEN TO THEM…
Source: https://www.sec.gov/litigation/investreport/34-84429.pdf
WHO IS GETTING BREACHED?
58 percent of data breach victims are small businesses
• Despite cybersecurity being a growing priority for organizations of all sizes, it still unfortunately breaks down into categories of haves and have-nots.
• The have-nots are getting breached significantly more often than their larger counterparts.
• This isn’t a huge surprise, since SMBs are both the largest group and the ones most resource-constrained in their cybersecurity efforts.
Source: 5-Minute Highlights from Verizon's 2018 Data Breach Investigations Report, https://blog.barkly.com/verizon-dbir-2018-highlights
THE STORY OF 2018 - MAY
GDPR: European Union (EU) General Data Protection Regulation
WHAT IS GDPR?
• The EU General Data Protection Regulation (GDPR) represents the most significant update to privacy regulation in 20 years
• Historically the EU has been well ahead of the US in treating privacy as a right of its citizens
• GDPR supersedes the 1995 EU Data Protection Directive (95/46/EC)
• GDPR dramatically strengthens the protections for the personal data of individuals in the EU (data subjects), whatever their citizenship
• Creates a single set of rules for all EU member states
• Adopted by the EU in April 2016; enforceable since May 25, 2018
DOES GDPR APPLY TO MY COMPANY?
Yes, you must comply with GDPR if you…
• transfer data on EU residents (known as data subjects) from the EU to the US, or
• collect and process EU residents’ personal data, or
• target or profile residents of the EU, or
• have employees located in the EU.
Strictly, the territorial scope in Article 3 turns on having an establishment in the EU, or on processing the data of people located in the EU (offering them goods or services, or monitoring their behaviour); it does not turn on anyone’s citizenship.
GDPR GUIDING PRINCIPLES
1. Lawfulness, fairness and transparency. Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation. Process only for the specified, explicit purposes for which the data was collected (consent is one lawful basis; contract, legal obligation and legitimate interest are others).
3. Data minimization. Process only the minimum necessary to accomplish the stated purpose.
4. Accuracy. Data must be accurate and, where reasonable, kept up to date.
5. Storage limitation. Data must be kept for no longer than necessary to accomplish the stated purpose.
6. Integrity and confidentiality. Processing must protect the data from unauthorized and unlawful processing and from accidental loss, destruction or damage.
7. Accountability. The data controller must be able to demonstrate compliance with all of the above principles.
8. Data protection by design and by default (privacy by design, Article 25). Applies to IT systems, business processes, etc.
GDPR FINES ARE SIGNIFICANT
Up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements; a lower tier of up to €10 million or 2% applies to others (Article 83).
Source: Imperva
WHO ARE GDPR’S LIKELY TARGETS?
US-based technology companies that collect and mine massive amounts of personal data on EU citizens
Prior to GDPR Google was hit with a $2.7 billion antitrust fine by the EU in June 2017 for steering consumers to its own shopping platform via Google search
THAT DIDN’T TAKE LONG
THE STORY OF 2018 - JUNE
CCPA: California Consumer Privacy Act of 2018
WHAT IS CCPA?
• The California Consumer Privacy Act (CCPA or AB 375) was signed into law on June 28, 2018
• Hastily drafted in 7 days to head off a ballot initiative; amendments prior to the effective date are probable
• Requires additional transparency from companies regarding how they use consumers’ personal information
• Similar to, but different from, GDPR
• Effective January 1, 2020 (14 months to prepare); however, the right to know covers the 12 months preceding a consumer’s request, so records from January 1, 2019 onward are in scope
• First in a myriad of individual state laws? Or are we heading towards a federal standard via Congress?
CCPA’S FOUR BASIC RIGHTS
CCPA gives “consumers” (i.e., California residents) four basic rights regarding their personal information:
1. the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
2. the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
3. the right to have a business delete their personal information, with some exceptions; and
4. the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
Who owns the data? Consumers or companies?
CCPA FINES & PENALTIES
Progressive penalties outlined in the CCPA:
1. Violations not cured within 30 days of notice can be referred to the California Attorney General for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
2. A limited private right of action for data breaches caused by a failure to maintain reasonable security: statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), following a 30-day cure notice to the business and a grace period in which the California Attorney General could take action first.
WHO IS IMPACTED
• Applies only to for-profit businesses doing business in California that (1) have annual gross revenues above $25M, or (2) buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, or (3) derive 50% or more of annual revenue from selling consumers’ personal information
• Companies that generate revenue from targeted advertising (e.g., Facebook, Twitter, Google)?
• Data brokers that gather shopping info on consumers (e.g., Acxiom, Epsilon)?
• ISPs who collect web browsing data to generate behavioral profiles for digital advertising?
• Loyalty programs offering discounts to members?
• Businesses that purchase highly targeted advertising on digital platforms
THE STORY OF 2018 - JULY
2018 DATA BREACH STATISTICS
“The number of records compromised in Q1 and Q2 2018 has already surpassed the total number of breached records for all of 2017.”
Source: Barkly, https://blog.barkly.com/biggest-data-breaches-2018-so-far
THE STORY OF 2018 - SEPTEMBER
WHAT’S NEXT?
$655M possible fine under GDPR?
Source: https://www.forbes.com/sites/bishopjordan/2018/09/09/british-airways-hacked/#322aafb367ae
THE STORY OF 2018 - NOVEMBER
Source: November 2, 2018 - https://www.databreaches.net/hsbc-bank-notifies-customers-after-hacking-incident/
Credential stuffing: attackers replay username/password pairs leaked from other breaches against a new site, which is why reusing the same password across sites is so dangerous.
What did HSBC do wrong? No 2FA?
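Credential stuffing replays username/password pairs leaked from one breach against another site, so its log signature is one source trying many different accounts roughly once each, unlike a brute-force attack that hammers one account with many guesses. The detection logic below is an added example, not from the original slides and unrelated to HSBC's systems: it runs over constructed log lines in an assumed format (one line per login attempt with source IP, username and result), separates the two patterns with a sliding time window per source, and lists any successes inside a flagged window as the accounts to force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). The line format
# is an assumption: timestamp, source IP, username and login result.
SAMPLE_LOG = """\
2018-11-02T09:14:01Z login src=203.0.113.7 user=alice result=FAIL
2018-11-02T09:14:02Z login src=203.0.113.7 user=bob result=FAIL
2018-11-02T09:14:02Z login src=203.0.113.7 user=carol result=SUCCESS
2018-11-02T09:14:03Z login src=203.0.113.7 user=dave result=FAIL
2018-11-02T09:14:03Z login src=203.0.113.7 user=erin result=FAIL
2018-11-02T09:14:04Z login src=203.0.113.7 user=frank result=FAIL
2018-11-02T09:14:05Z login src=203.0.113.7 user=grace result=FAIL
2018-11-02T09:14:05Z login src=203.0.113.7 user=heidi result=SUCCESS
2018-11-02T09:14:06Z login src=203.0.113.7 user=ivan result=FAIL
2018-11-02T09:14:07Z login src=203.0.113.7 user=judy result=FAIL
2018-11-02T09:20:00Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:05Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:09Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:12Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:15Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:20Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:25Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:30Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:35Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:20:40Z login src=198.51.100.9 user=mallory result=FAIL
2018-11-02T09:31:00Z login src=192.0.2.33 user=alice result=FAIL
2018-11-02T09:31:20Z login src=192.0.2.33 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one login line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect(log_text, window=timedelta(minutes=5), min_attempts=8, min_distinct_users=5):
    """Per source IP, slide a time window over its login attempts.

    Many distinct users with about one attempt each -> credential stuffing
    (or password spraying; the log alone cannot tell them apart).
    One user with many attempts -> brute force against that account.
    Returns {src: {"kind", "attempts", "distinct_users", "compromised"}} using
    the largest flagged window seen for that source.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e["user"] for e in win}
            if len(users) >= min_distinct_users and len(win) <= 2 * len(users):
                kind = "credential_stuffing"
            elif len(users) == 1:
                kind = "brute_force"
            else:
                continue
            # Successful logins inside an attack window are accounts whose reused
            # password worked: reset them and review their sessions.
            compromised = sorted({e["user"] for e in win if e["ok"]})
            prev = findings.get(src)
            if prev is None or len(win) > prev["attempts"]:
                findings[src] = {"kind": kind, "attempts": len(win),
                                 "distinct_users": len(users), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        print(src, f)
```

On the constructed sample, 203.0.113.7 is flagged as credential stuffing with carol and heidi as compromised accounts, 198.51.100.9 as a brute-force attempt against mallory, and alice's single typo from 192.0.2.33 is not flagged. Thresholds are assumptions to tune against your own baseline; a stuffing run from many IPs (a botnet) needs the same window keyed on user-agent or ASN instead of source address, and the single control that blunts it regardless is a second factor.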
Training tip - How do we get people to care about cybersecurity and privacy? Make it personal! (self, family, friends)
YOUR PERSONAL TOP 5 CYBER ACTION PLAN
TODAY’S HANDOUT
Written version of Your Personal Top 5 Cyber Action Plan. Feel free to share with your family and friends.
YOUR PERSONAL 5 STEP ACTION PLAN
1. Limit impact of stolen passwords by turning on Two-Factor Authentication (2FA)
2. Stop reusing passwords: instead use a Password Manager
3. Establish a process to review bank & credit card activity (protect your authorized accounts)
4. Establish a process for reviewing your credit reports (prevent unauthorized accounts)
5. Consider credit freezes
1. Passwords are No Longer Enough - Enable Two-Factor Authentication (2FA)
https://www.pcmag.com/article2/0,2817,2456400,00.asp
Two-Factor Authentication: password + mobile phone
Two-Factor Authentication (diagram; source: dzone.com)
Most banks, ecommerce retailers, and cloud services now offer two-factor authentication.
2ND FACTOR - SOMETHING YOU HAVE
Enter the code to prove you have the mobile phone (the ‘something you have’ second factor).
Codes generated by an authenticator app or a hardware key are stronger than codes delivered by SMS, which can be intercepted through SIM-swap fraud; use SMS only where nothing better is offered.
How to get started with 2FA?
• Make a list of your most critical accounts (banks, credit cards, email)
• Find out if they support 2FA by either 1) googling the name + “two-factor authentication” or 2) looking them up on www.twofactorauth.org
• Enable two-factor authentication on the most critical accounts first
2. Use a Password Manager instead of reusing the same passwords
HIGH RISK! 55% of consumers use fewer than 4 passwords!
Source: https://www.netsparker.com/blog/news/consumers-web-applications-most-risk-hacked/
Where do YOU store your passwords?
• Excel spreadsheet (often with “password” in the name of the file)
• Handwritten list
• Post-It Notes
• Note on your phone
• Note in the cloud (e.g., Evernote)
Source: https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/ (infographic on online account overload; figures shown: 130 and 254)
https://www.pcmag.com/article2/0,2817,2407168,00.asp
DASHLANE – HOW IT WORKS
Getting started with password managers
• Select one of the leading password managers
• Enter your 5 most commonly used accounts – email, bank, credit card
• As you surf, the password manager will prompt you: “Would you like to add this to your vault?”
3. Establish a process to review bank & credit card activity
• Inventory your accounts
• Establish online access
• Create a calendar reminder every 1-2 weeks to log in and check your accounts
4. Establish a process for reviewing your credit reports
• One free credit report every 12 months from each of the three major credit agencies (TransUnion, Experian, Equifax) via www.annualcreditreport.com
• Create calendar reminders to request and review a report from one of them every 4 months
5. Consider credit freezes
• Now FREE as of September 21, 2018
• Available online - not just by phone - from the 3 credit agencies
How to freeze your credit?
• Equifax | 1-800-685-1111 | www.freeze.equifax.com
• Experian | 1-888-397-3742 | www.experian.com/freeze/center.html
• TransUnion | 1-888-909-8872 | www.transunion.com/securityfreeze
• Innovis | 1-800-540-2505 | www.innovis.com/personal/securityfreeze
YOUR PERSONAL 5 STEP ACTION PLAN (recap)
1. Limit the impact of stolen passwords by turning on Two-Factor Authentication (2FA)
2. Stop reusing passwords: instead use a password manager
3. Establish a process to review bank & credit card activity (protect your authorized accounts)
4. Establish a process for reviewing your credit reports (prevent unauthorized accounts)
5. Consider credit freezes
2018 HAS BEEN A BUSY YEAR
TODAY’S TAKEAWAY
• Privacy leading practices represent a new set of requirements companies must design into their products, processes and program.
• Implementing these leading practices at the design stage is essential; retrofitting them later is substantially more complex and expensive. GDPR refers to this as “data protection by design and by default.”
• Both companies and consumers are increasingly demanding trust and transparency about cybersecurity and privacy.
Dave Hartley, St. Louis, MO
Connect with me on LinkedIn: https://www.linkedin.com/in/davehartley/
Contact us to assist with your professional services needs –
• SOC 1/SOC 2
• cybersecurity
• internal controls
• privacy/GDPR/CCPA
• Virtual CIO
• audit, tax
• valuation, M&A, etc.