CYBERSECURITY & PRIVACY Dave Hartley November 14, 2018 The Intersection of Cybersecurity & Privacy in 2018: An Analysis of the Forces Impacting 2019 Priorities, Investment and Risk


Page 1: CYBERSECURITY & PRIVACY...• The EU General Data Protection Regulation (GDPR) represents the most significant update to privacy regulations in 20 years • Historically the EU has

CYBERSECURITY & PRIVACY

Dave Hartley, November 14, 2018

The Intersection of Cybersecurity & Privacy in 2018: An Analysis of the Forces Impacting 2019 Priorities, Investment and Risk


An independent member of UHY International© UHY Advisors, Inc. 2018 All Rights Reserved

ABOUT ME

David Hartley
• UHY – Virtual CIO
• Former CIO – Arch Coal
• Big 4 (EY, Andersen, Protiviti)
• CPA since early 1990s
• ISACA STL President 1999-2000
• MOCPA Outstanding Visionary 2018

[email protected]
https://www.linkedin.com/in/davehartley/


ABOUT UHY LLP & UHY ADVISORS

UHY is a network of independent accounting and consulting firms with offices in over 325 major business centers across more than 98 countries.

• Top 20 Global Professional Services Firm
• Top 10 Fastest Growing U.S. Firms

Infographic figures: 325 | 98 countries | 8,025 professionals within our network | member firms


TODAY’S OBJECTIVES


• Recap 2018 key events involving privacy and cybersecurity

• Understand privacy principles and the requirements in the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

• Recognize how privacy will impact your cyber future and how to get ahead of the curve in integrating privacy leading practices into your cybersecurity program.


FORCES DRIVING CYBER & PRIVACY?


What are the 2018 developments in cybersecurity and privacy that will impact companies in 2019 and beyond?

PRIVACY | CYBER


TODAY’S TAKEAWAY


• Privacy leading practices represent a new set of requirements companies must design into their product, processes and program.

• Implementing these leading practices is essential at the design stage rather than attempting to retrofit at a later stage (substantially more complex and expensive). GDPR refers to this as “Data protections by Design and by Default.”

• Both companies and consumers are becoming increasingly demanding about trust and transparency in cybersecurity and privacy.


2018 HAS BEEN A BUSY YEAR



January 2018

THE STORY OF 2018


2017 DATA BREACH STATISTICS


Source: Gemalto Summary Infographic, https://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2017-Gemalto-1500.jpg


WORST BREACH OF THE YEAR 2017



WHY IS EQUIFAX RATED A 10?


SIZE: 145.5 million records (147.9 million as of March 1, 2018) + SCOPE: everything you need to create a new identity – and many things you cannot change…
• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver’s license numbers
• Credit dispute documents with personal identifying information

Future: DNA? Thumbprints? Retinal scans?


March 2018

THE STORY OF 2018


WHAT HAPPENED?


• Facebook admitted that Cambridge Analytica collected personally identifiable information (PII) of up to 87 million Facebook users since 2014.

• Cambridge Analytica collected the data via an app called thisisyourdigitallife. Several hundred thousand users agreed to complete a survey for academic use only. Facebook’s design allowed the app to collect info from that user and their entire Facebook social network of contacts.

• The data was allegedly used to attempt to influence voter opinion on behalf of politicians who hired Cambridge Analytica.

• Following the discovery, Facebook apologized amid public outcry and falling stock prices.


WHAT NEXT?


Senator Richard J. Durbin, Democrat of Illinois: “I think that may be what this is all about. Your right to privacy. The limits of your right to privacy. And how much you give away in modern America in the name of, quote, connecting people around the world.”


THE IMPACT ON PRIVACY REGULATION


Quote from Senator John Thune, Republican of South Dakota: “After more than a decade of promises to do better, how is today’s apology different and why should we trust Facebook to make the necessary changes to ensure user privacy and give people a clearer picture of your privacy policies?”

“In the past, many of my colleagues on both sides of the aisle have been willing to defer to tech companies’ efforts to regulate themselves. But this may be changing.”

The arrival of privacy regulation (similar to GDPR) in the United States was likely accelerated by many years due to the Facebook Cambridge Analytica scandal.

Source: https://www.nytimes.com/2018/04/10/us/politics/mark-zuckerberg-testimony.html


OTHER POSSIBLE IMPACTS?


• Consumers may rethink their online behavior and begin to value their privacy

• Marketing to consumers may become substantially more difficult and costly (customer acquisition cost)

• Transparency and trust will become increasingly important

• Will convenience still be preferred over privacy?

• Will others follow Facebook’s lead and roll out GDPR-compliant privacy policies around the globe (including the US, not just EU)?


April 2018

THE STORY OF 2018


Dilbert Explains Phishing

PHISHING IS NOT NEW


2018 VERIZON DATA BREACH INVESTIGATIONS REPORT

Source: Verizon 2018 DBIR, https://www.verizonenterprise.com/verizon-insights-lab/dbir/

Published April 2018


PHISHING IS INCREDIBLY EFFECTIVE

Source: Verizon 2018 DBIR, https://www.verizonenterprise.com/verizon-insights-lab/dbir/

Most Prevalent Scenarios?

1. Finance/Accounting – Wire Transfer, Phony Invoices, Instructions from CEO (Business Email Compromise, or BEC)

2. Human Resources (HR) – W-2 Fraud for Filing Fraudulent Tax Returns (3x increase in 2017)

Top Priority: Stop Phishing Emails!


IF IT CAN HAPPEN TO THEM…


Source: https://www.sec.gov/litigation/investreport/34-84429.pdf


WHO IS GETTING BREACHED?


58 percent of data breach victims are small businesses
• Despite cybersecurity being a growing priority for organizations of all sizes, it's still unfortunately something that often breaks down into categories of haves and have-nots.
• The have-nots are getting breached significantly more often than their larger counterparts.
• This isn’t a huge surprise, since SMBs are both the largest group and the ones most resource constrained in their cybersecurity efforts.

Source: 5-Minute Highlights from Verizon's 2018 Data Breach Investigations Report, https://blog.barkly.com/verizon-dbir-2018-highlights


May 2018

THE STORY OF 2018


GDPR: European Union (EU) General Data Protection Regulation


WHAT IS GDPR?


• The EU General Data Protection Regulation (GDPR) represents the most significant update to privacy regulations in 20 years

• Historically the EU has always been well ahead of the US regarding privacy as a right of its citizens

• GDPR supersedes the 1995 EU Directive on Data Protection (95/46/EC)

• GDPR dramatically strengthens the privacy protections for the personal data of EU citizens

• Creates a single set of rules for all EU member states

• Passed by EU in April 2016; enforceable since May 25, 2018


DOES GDPR APPLY TO MY COMPANY?


Yes, you must comply with GDPR if you…
• transport data on EU residents (known as data subjects) from EU to the US, or
• collect and process EU resident personal data, or
• target or profile residents of the EU, or
• have employees that are EU citizens.


GDPR GUIDING PRINCIPLES


1. Processing must be lawful, fair, and transparent to the data subject.
2. Purpose Limitation. Process only for the stated purposes for which the data subject gave consent.
3. Data Minimization. Process only the minimum necessary to accomplish the stated purpose.
4. Accuracy. Data must be accurate and, where reasonable, kept up to date.
5. Storage Limitation. Data must be kept for no longer than necessary to accomplish the stated purpose.
6. Integrity and Confidentiality. Processing must be done in a way that protects the data from unauthorized and unlawful processing.
7. Accountability. The Data Controller must be able to demonstrate protections and compliance with all principles.
8. Data protections by Design and by Default (privacy by design). Applies to IT systems, business processes, etc.


GDPR FINES ARE SIGNIFICANT

Source: Imperva


WHO ARE GDPR’S LIKELY TARGETS?


US-based technology companies that collect and mine massive amounts of personal data on EU citizens

Prior to GDPR, Google was hit with a $2.7 billion antitrust fine by the EU in June 2017 for steering consumers to its own shopping platform via Google search.


THAT DIDN’T TAKE LONG



June 2018

THE STORY OF 2018


CCPA: California Consumer Privacy Act of 2018


WHAT IS CCPA?


• The California Consumer Privacy Act (CCPA or AB 375) signed into law on June 28, 2018

• Hastily drafted in 7 days to avoid a ballot initiative; amendments prior to implementation are probable

• Requires additional transparency from companies regarding how they utilize the personal information of consumers

• Similar but different from GDPR

• Effective date January 1, 2020 (14 months to prepare) – however, the previous 12 months of records are covered under the rule, leading to a January 1, 2019 date

• First in a myriad of individual state laws? Or are we heading towards a federal standard via congress?


CCPA’S FOUR BASIC RIGHTS


CCPA gives “consumers” (i.e., California residents) four basic rights regarding their personal information:

1. the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;

2. the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);

3. the right to have a business delete their personal information, with some exceptions; and

4. the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

Who owns the data? Consumers or Companies?


CCPA FINES & PENALTIES


Progressive penalties outlined in the CCPA:

1. Starts with referring intentional violations not resolved in a satisfactory time frame to the Attorney General ($7,500 per violation).

2. Limited class settlements in the case of data breach ranging from $100-750 per incident, following a grace period in which the California Attorney General could take action first.


WHO IS IMPACTED


• Only companies with (1) revenues > $25M, or (2) receive or disclose info on 50,000 California residents, or (3) 50% or more of revenues from selling California residents’ personal information

• Companies that generate revenue from targeted advertising (e.g., Facebook, Twitter, Google)?

• Data brokers that gather shopping info on consumers (e.g., Acxiom, Epsilon)?

• ISPs who collect web browsing data to generate behavioral profiles for digital advertising?

• Loyalty programs offering discounts to members?

• Businesses that purchase highly targeted advertising on digital platforms


July 2018

THE STORY OF 2018


“The number of records compromised in Q1 and Q2 2018 has already surpassed the total number of breached records for all of 2017.”

2018 DATA BREACH STATISTICS

Source: Barkly, https://blog.barkly.com/biggest-data-breaches-2018-so-far


WHAT’S NEXT?

$655M Possible Fine Under GDPR?

Source: https://www.forbes.com/sites/bishopjordan/2018/09/09/british-airways-hacked/#322aafb367ae

THE STORY OF 2018 - SEPTEMBER


Source: November 2, 2018 - https://www.databreaches.net/hsbc-bank-notifies-customers-after-hacking-incident/

THE STORY OF 2018 - NOVEMBER

Credential Stuffing

Highlights the danger of reusing the same passwords

What did HSBC do wrong? No 2FA?
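The slide names credential stuffing without showing what it looks like to a defender. As an added example (not from the slides, UHY, or HSBC), the Python below separates a credential-stuffing burst from an ordinary password brute force in a constructed login log, assuming a simple "timestamp ip user result" line format, and lists the accounts whose reused password actually worked, which are the ones to reset and move onto 2FA.

```python
"""Separate credential stuffing from password brute force in a login log.

Credential stuffing replays username/password pairs leaked from one site
against another, so its log signature is one source IP trying MANY DISTINCT
usernames with a low success rate in a short window. A brute-force attack
instead hammers ONE username with many passwords.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (an assumed "timestamp ip user result" format, not
# any real bank's or product's schema): a stuffing burst from 203.0.113.7,
# a brute-force run against "alice" from 198.51.100.9, an ordinary user on
# 192.0.2.5, and one malformed line the parser must tolerate.
SAMPLE_LOG = """\
2018-11-02T10:00:01Z 203.0.113.7 alice FAIL
2018-11-02T10:00:02Z 203.0.113.7 bob FAIL
2018-11-02T10:00:03Z 203.0.113.7 carol OK
2018-11-02T10:00:04Z 203.0.113.7 dave FAIL
2018-11-02T10:00:05Z 203.0.113.7 erin FAIL
2018-11-02T10:00:06Z 203.0.113.7 frank FAIL
2018-11-02T10:00:07Z 203.0.113.7 grace FAIL
2018-11-02T10:00:08Z 203.0.113.7 heidi FAIL
2018-11-02T10:01:00Z 198.51.100.9 alice FAIL
2018-11-02T10:01:01Z 198.51.100.9 alice FAIL
2018-11-02T10:01:02Z 198.51.100.9 alice FAIL
2018-11-02T10:01:03Z 198.51.100.9 alice FAIL
2018-11-02T10:01:04Z 198.51.100.9 alice FAIL
2018-11-02T10:01:05Z 198.51.100.9 alice FAIL
this line is malformed and must be skipped rather than crash the parser
2018-11-02T10:05:00Z 192.0.2.5 dave FAIL
2018-11-02T10:05:20Z 192.0.2.5 dave OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed line format; malformed lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return attempts


def classify_sources(attempts, window=timedelta(minutes=10), min_attempts=6,
                     min_distinct_users=5, max_success_rate=0.25):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.

    A sliding window is moved over each IP's attempts in time order. The
    thresholds are illustrative, not tuned values for any real site.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    labels = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        label, end = "normal", 0
        for start in range(len(rows)):
            while end < len(rows) and rows[end].ts - rows[start].ts <= window:
                end += 1
            span = rows[start:end]
            if len(span) < min_attempts:
                continue
            distinct_users = len({a.user for a in span})
            success_rate = sum(a.ok for a in span) / len(span)
            if success_rate > max_success_rate:
                continue  # mostly successful logins look like real users
            if distinct_users >= min_distinct_users:
                label = "credential_stuffing"
                break  # strongest signal; stop sliding for this IP
            if distinct_users == 1:
                label = "brute_force"
        labels[ip] = label
    return labels


def compromised_accounts(attempts, labels) -> set[str]:
    """Accounts that accepted a reused password from a stuffing source."""
    return {a.user for a in attempts
            if a.ok and labels.get(a.ip) == "credential_stuffing"}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(parsed)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:14} {verdict}")
    print("reset + 2FA enrolment:", sorted(compromised_accounts(parsed, verdicts)))
```

Note that the brute-force source and the stuffing source produce the same failure volume; only the count of distinct usernames per source tells them apart, which is why per-account lockouts alone do not stop stuffing.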


Training Tip - How do we get people to care about cybersecurity and privacy?

Make it personal! (self, family, friends)


YOUR PERSONAL TOP 5 CYBER ACTION PLAN


TODAY’S HANDOUT


Written version of Your Personal Top 5 Cyber Action Plan

Feel free to share with your family and friends


YOUR PERSONAL 5 STEP ACTION PLAN


1. Limit impact of stolen passwords by turning on Two-Factor Authentication (2FA)

2. Stop reusing passwords: instead use a Password Manager

3. Establish a process to review bank & credit card activity (protect your authorized accounts)

4. Establish a process for reviewing your credit reports (prevent unauthorized accounts)

5. Consider credit freezes


1. Passwords are No Longer Enough - Enable Two-Factor Authentication (2FA)

https://www.pcmag.com/article2/0,2817,2456400,00.asp

YOUR PERSONAL 5 STEP ACTION PLAN


Two-Factor Authentication

Password + Mobile Phone

YOUR PERSONAL 5 STEP ACTION PLAN


Two-Factor Authentication

Source: dzone.com

5 STEP ACTION PLAN


Most banks, ecommerce retailers, and cloud services have enabled two-factor authentication


2ND FACTOR - SOMETHING YOU HAVE


Enter the code to prove you have the mobile phone

‘Something You Have’ 2nd Factor


How to get started with 2FA?
• Make a list of your most critical accounts (banks, credit cards, email)
• Find out if they support 2FA by either 1) googling the name + “two-factor authentication” or 2) looking them up on www.twofactorauth.org
• Start with the most critical accounts first to enable two-factor authentication

YOUR PERSONAL 5 STEP ACTION PLAN


2. Use a Password Manager instead of reusing the same passwords

YOUR PERSONAL 5 STEP ACTION PLAN


HIGH RISK! 55% of consumers use less than 4 passwords!

Source: https://www.netsparker.com/blog/news/consumers-web-applications-most-risk-hacked/

YOUR PERSONAL 5 STEP ACTION PLAN


Where do YOU store your passwords?
• Excel spreadsheet (often with password in the name of the file)
• Handwritten list
• Post-It Notes
• Note on your phone
• Note in the cloud (e.g., Evernote)

YOUR PERSONAL 5 STEP ACTION PLAN


Source: https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Infographic figures: 130 and 254

YOUR PERSONAL 5 STEP ACTION PLAN


https://www.pcmag.com/article2/0,2817,2407168,00.asp

YOUR PERSONAL 5 STEP ACTION PLAN


DASHLANE – HOW IT WORKS




Getting started with password managers
• Select one of the leading password managers
• Enter your 5 most commonly used accounts – email, bank, credit card
• As you surf, the password manager will prompt you – “Would you like to add this to your vault?”

YOUR PERSONAL 5 STEP ACTION PLAN


3. Establish a process to review bank & credit card activity
• Inventory your accounts
• Establish online access
• Create a calendar reminder every 1-2 weeks to login and check your accounts

YOUR PERSONAL 5 STEP ACTION PLAN


4. Establish a process for reviewing your credit reports

• One free credit report every year from each of the three major credit agencies via www.annualcreditreport.com

• Create calendar reminders to request and review a report every 4 months

TransUnion | Experian | Equifax

YOUR PERSONAL 5 STEP ACTION PLAN


5. Consider credit freezes
• Now FREE as of September 21, 2018
• Available online - not just phone - from the 3 credit agencies

YOUR PERSONAL 5 STEP ACTION PLAN


How to freeze your credit?
• Equifax | 1-800-685-1111 | www.freeze.equifax.com
• Experian | 1-888-397-3742 | www.experian.com/freeze/center.html
• TransUnion | 1-888-909-8872 | www.transunion.com/securityfreeze
• Innovis | 1-800-540-2505 | www.innovis.com/personal/securityfreeze

YOUR PERSONAL 5 STEP ACTION PLAN


1. Limit impact of stolen passwords by turning on Two-Factor Authentication (2FA)

2. Stop reusing passwords: instead use a Password Manager

3. Establish a process to review bank & credit card activity (protect your authorized accounts)

4. Establish a process for reviewing your credit reports (prevent unauthorized accounts)

5. Consider credit freezes

YOUR PERSONAL 5 STEP ACTION PLAN


2018 HAS BEEN A BUSY YEAR



TODAY’S TAKEAWAY


• Privacy leading practices represent a new set of requirements companies must design into their product, processes and program.

• Implementing these leading practices is essential at the design stage rather than attempting to retrofit at a later stage (substantially more complex and expensive). GDPR refers to this as “Data protections by Design and by Default.”

• Both companies and consumers are becoming increasingly demanding about trust and transparency in cybersecurity and privacy.


Dave Hartley, St. Louis, MO

[email protected]

Connect with me on LinkedIn: https://www.linkedin.com/in/davehartley/

Contact us to assist with your professional services needs –
• SOC 1/SOC 2
• cybersecurity
• internal controls
• privacy/GDPR/CCPA
• Virtual CIO
• audit, tax
• valuation, M&A, etc.