the cpas role in maintaining security and promoting data ... cpas role i… · tips to protect...
TRANSCRIPT
The CPAs role in maintaining security and promoting data privacy
CPAs 2.0: Keeping Pace with the Business Transformation
14 June 2019
Isla Lipana & Co., PwC
Q&A
The CPAs role in maintaining security and promoting data privacy
Cybersecurity Incidents
Impact of
Cybersecurity
Breaches
Tips to Protect
Oneself from
Cyber Threats
Role of CPAs
in Mitigating
Cyber Attacks
Contents
Isla Lipana & Co., PwC
11Cybersecurity Incidents
Isla Lipana & Co., PwC
Cyber attacks are headline news everywhere…
4
14 June 2019The CPAs role in maintaining security and promoting data privacy
Isla Lipana & Co., PwC
Cyber attacks are headline news everywhere…
5
14 June 2019The CPAs role in maintaining security and promoting data privacy
Isla Lipana & Co., PwC
Cyber attacks are headline news everywhere…
6
14 June 2019The CPAs role in maintaining security and promoting data privacy
Isla Lipana & Co., PwC
Ten biggest breach incidents reported, August 2018
7
14 June 2019The CPAs role in maintaining security and promoting data privacy
Company/Organization Number of Records Stolen Date of Breach
Yahoo 3 billion August 2013
Equifax 145.5 million July 2017
eBay 145 million May 2014
Heartland Payment Systems 134 million March 2008
Target 110 million December 2013
TJX Companies 94 million December 2006
JP Morgan & Chase83 million (76 million households and 7
million small businesses)July 2014
Uber 57 million November 2017
U.S. Office of Personnel
Management (OPM)22 million Between 2012 and 2014
Timehop 21 million July 2018
Isla Lipana & Co., PwC
What types of data are usually stolen?
8
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: https://www.trendmicro.com/vinfo/be/security/news/cyber-attacks/data-breach-101
Business Medical/Healthcare
Banking/Credit/Financial
Reddit (June 2018)
Content Aggregator
Hackers gained access to an old database of
users
Equifax (July 2017)
Information Solutions Provider
Affected 143 million consumers in the U.S.
Data exposed: Names, Social Security numbers,
birth dates, and addresses
SingHealth (July 2018)
Medical/Healthcare Service Provider
Nonmedical personal data of 1.5 million
patients reportedly accessed and copied.
Includes national ID, address, and birth
date and the outpatient medical data of
160,000 patients.
Hong Kong Department of Health (July 2018)
Federal Agency
Ransomware attack that rendered its systems
inaccessible for two weeks starting 15 July.
JP Morgan Chase & Co. (October 2014)
Credit Service Provider
Estimated 76 million households and 7 million small businesses was compromised
Included names, addresses, phone numbers, email addresses, and others.
Isla Lipana & Co., PwC
Data Privacy Law in the Philippines
9
14 June 2019The CPAs role in maintaining security and promoting data privacy
An act protecting individual personal
information in information and
communications systems in the
government and private sector
Raymund Enriquez Liboro
Privacy Commissioner and Chairman https://www.privacy.gov.ph
Isla Lipana & Co., PwC
12Impact of Cybersecurity Breaches
Isla Lipana & Co., PwC
Data breaches by the numbers
11
14 June 2019The CPAs role in maintaining security and promoting data privacy
Approximately
24,000MALICIOUS
mobile apps are
blocked everyday Internet of Things
attacks are up
600%in 2017
Ransomware attacks
are growing more than
0
Percent
Annually
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
Isla Lipana & Co., PwC
Where do Cyber Attacks Come From?
12
14 June 2019The CPAs role in maintaining security and promoting data privacy
6Percent
11Percent
of cyber attacks begin
with spear-phishing
e-mails
Microsoft Office formats
such as Word,
Powerpoint and Excel
make up
of MALICIOUS FILE
EXTENSIONS
38%
Sources of cyber
attacks in 2017
20Percent
71%
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
Isla Lipana & Co., PwC
Who are affected by these data breaches?
13
14 June 2019The CPAs role in maintaining security and promoting data privacy
18.2%
Attacks on the healthcare
Industry are expected to
QUADRUPLEby 2020
of breach victims in 2017
were businesses with
under 1,000 employees
61Percent
The United States
ranks highest with
of all RANSOMWARE
attacks
RANSOMWARE
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
Isla Lipana & Co., PwC
Who are affected by these data breaches?
14
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
It costs the
average business
The
FINANCIAL SERVICES INDUSTRY
sees the highest
cost of cyber
crime.
$18.3MILLION
sees the highest
cost of cyber
crime.
Isla Lipana & Co., PwC
Who are affected by these data breaches?
15
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
How often are Phishing e-mails clicked?
All successful phishing
emails are clicked on within
one hour of being sent
Clicks occurred within
five minutes
Clicks occurred within
one minute
52%
25%
11%
Isla Lipana & Co., PwC
What is the cost of data breach?
16
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
$2.4MILLION
The average cost of a
malware attack on a
company is
$141.00
The average cost of
per individual is
LOST/STOLEN
RECORDS Information loss
represents
of costs
43 Percent
$6ANNUALLY BY 2021
Trillion
Damage related to
cybercrime is
projected to hit
Isla Lipana & Co., PwC
Is Your Company at Risk?
17
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
41%
of companies have
74%
OVER 1,000 STALE
SENSITIVE FILES
of companies have
21%of all files are
NOT
PROTECTED
in any way
of companies have
over 1,000 sensitive
files including credit
card numbers and
health records
LEFT UNPROTECTED
Isla Lipana & Co., PwC
Is Your Company at Risk?
18
14 June 2019The CPAs role in maintaining security and promoting data privacy
Source: *Facts and figures obtained from varonis.com/blog/cybersecurity-statistics
of companies have over
500 users who are
NEVER PROMPTED TO
CHANGE THEIR
PASSWORDS
65%
Isla Lipana & Co., PwC
Data security threats
19
14 June 2019The CPAs role in maintaining security and promoting data privacy
External
Threats
Social
Engineering
Corporate
Espionage
(Internal Threats)
Personal Habits
Accountants
Isla Lipana & Co., PwC
A short video…
20
14 June 2019The CPAs role in maintaining security and promoting data privacy
Isla Lipana & Co., PwC
Data security threat
21
14 June 2019The CPAs role in maintaining security and promoting data privacy
%
E-mail Security
Email is the biggest security
threat for most companies.
According to Digital
Guardian, 91% of cyber
attacks start with a phishing
email, making it the number
one threat to your business.
Isla Lipana & Co., PwC
Data security threat
22
14 June 2019The CPAs role in maintaining security and promoting data privacy
Recognizing Social Engineering
1 Playing with your emotions
Phishing emails and malicious websites often
dangle a financial reward, or threaten negative
consequences, often with a fast-approaching
deadline. If something that seems too good to
be true, it probably is.
2 Bad GrammarPoorly constructed sentences, spelling
mistakes, and an unusual tone are all signs that
an email isn’t from who you think it is.
3 Embedded linksRoll your mouse pointer over the link without clicking and
check out the web address that appears before you click it.
4 Strange sendersHover your mouse pointer over the email sender’s name to
double check the sender’s email address
5 Suspicious attachmentsTake care when an attachment comes from someone you
don’t know, weren’t expecting the file, or if posted on a
questionable website. Take particular care with file types
.exe, .zip, .docm, .bat and .xlsm.
Isla Lipana & Co., PwC
Data security threat
23
14 June 2019The CPAs role in maintaining security and promoting data privacy
6 Getting personal
On email, genuine companies won’t ask for
personal details such as your bank accounts,
password or PIN via email. If in doubt, contact
the organization directly.
7 Payment diversion fraud
When an email or website invites you to re-
route company payments, or to set up
unexpected new payments, always double
check.
Recognizing Social Engineering
Isla Lipana & Co., PwC
Data security threat
24
The CPAs role in maintaining security and promoting data privacy 14 June 2019
If anyone asks for confidential information,
ALWAYS be suspicious.
If they’re a malicious person and get the information they need, the company could be at serious risk.
3
3
Never disclose confidential information to an unknown source, or give out more information than seems necessary
Don’t be afraid to ask questions or ask for ID if you have suspicions
Watch out for people looking over your shoulder at information on your screen or desk
If you’re suspicious, consult concerned department or personnel before providing information.
3
3
Isla Lipana & Co., PwC
Data security threat
25
The CPAs role in maintaining security and promoting data privacy
Cite mobile device
exploitation as the cause of
the security incident
overtaking phishing attacks
as the top threat vector
Business leaders understand new
risks tied to emerging technologies
Source: PwC, CIO and CSO, The Global State of
Information Security® Survey 2018, October 18,
2017
Key findings from The Global
State of Information Security
Survey 2018
14 June 2019
Isla Lipana & Co., PwC
A short video…
26
The CPAs role in maintaining security and promoting data privacy 14 June 2019
Isla Lipana & Co., PwC
13Role of CPAs in Mitigating Cyber Attacks
Isla Lipana & Co., PwC
Accountants and other financial institutions are particularly attractive to cyber criminals. In fact, PwC estimate that financial institutions are over 30% more likely to be targeted than other companies.
Association of Chartered Certified Accountants (ACCA) Global
https://www.accaglobal.com/ie/en/student/sa/features/cyber.html
14 June 2019The CPAs role in maintaining security and promoting data privacy
28
Isla Lipana & Co., PwC
Sectors and Data Related to Accountants
29
14 June 2019The CPAs role in maintaining security and promoting data privacy
Government
Private Institutions
Public Practice
Academe
Client Data
Student Data
Citizen
Information
Financial
Statements
Isla Lipana & Co., PwC
The “Three Lines of Defense”
30
14 June 2019The CPAs role in maintaining security and promoting data privacy
Who is
responsible for
security?
In 2012, IIA introduced
the concept of three
lines of defense to help
organizations manage
business risk. Widely
differing opinions about
who plays what role in
which process.
Isla Lipana & Co., PwC
The “Three Lines of Defense”
31
14 June 2019The CPAs role in maintaining security and promoting data privacy
Responsible for the RISK and CONTROL Area
Manages the day-to-day execution and management of risks
and controls
• Assigning risk and control owners
• Identification and evaluation of risks by risk owners
• Execution of controls by control owners
• Risk enabled decision making
• Addressing gaps by implementing controls to mitigate risks and
keep them at the desired level
• Reporting relevant information to relevant stakeholders
Reinforce first line of defense’
ownership of cyber and privacy risk by
the business
Isla Lipana & Co., PwC
The “Three Lines of Defense”
32
14 June 2019The CPAs role in maintaining security and promoting data privacy
Build an effective second line of
defense model for cyber and data
privacy risk management
It has oversight responsibilities.
Responsibilities:
• Prepare risk assessments
• Perform testing
• Monitor how management addresses identified issues and
findings.
• May own certain compliance risk management initiatives
and controls such as anti-bribery, conflicts of interest or
privacy.
Isla Lipana & Co., PwC
The “Three Lines of Defense”
33
14 June 2019The CPAs role in maintaining security and promoting data privacy
‘The Independent Assurance’
Responsible for reviewing that a company’s
risks are being managed through the
assessment of its internal control
framework.
Isla Lipana & Co., PwC
Successful “Three Lines of Defense”
34
14 June 2019The CPAs role in maintaining security and promoting data privacy
Common definitions and processesThe cornerstone of a
successful three lines of
defense model is the
ability of the organization
to create a central
foundation
Clear delineation of roles and responsibilities
Efficient collaboration and information
sharing across all parties
Isla Lipana & Co., PwC
Considerations to achieve data security
35
14 June 2019The CPAs role in maintaining security and promoting data privacy
Accountability: Own the risk1
Priority: You cannot secure everything2
People: People do matter4
Technology: Fix the basics5
Connections: Their risk is your risk3
5Crisis: It’s not if, but when6
Areas of Focus
Data
Security
Isla Lipana & Co., PwC
Considerations to achieve data security
36
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Data security risk is owned
by leadership and is not
relegated to the IT function.
Periodic information
security briefings are
provided to the Board and
C-Suite.
Accountability: Own the risk1
Areas of Focus
Isla Lipana & Co., PwC
Considerations to achieve data security
37
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Accountability: Own the risk1
Priority: You cannot secure everything2 Leadership prioritizes and
monitors information
security investments.
Investments are made in
new capability, not just
technology.
Crown jewels have been
identified and their
protection prioritized.
Areas of Focus
Isla Lipana & Co., PwC
Considerations to achieve data security
38
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Accountability: Own the risk1
Priority: You cannot secure everything2
Security of the business value
chain including suppliers, third
party providers and high-risk
interconnection points has
been considered.
Adapt to the challenges
of new and emerging
digital business models.
Connections: Their risk is your risk3
Areas of Focus
Isla Lipana & Co., PwC
Considerations to achieve data security
39
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Accountability: Own the risk1
Priority: You cannot secure everything2
Connections: Their risk is your risk3
People: People do matter4 A security culture and
mindset is established
through training,
measurement and evaluation.
Behaviors and capabilities
of the organization are
established and reinforce
the importance of data
security.
Areas of Focus
Isla Lipana & Co., PwC
Considerations to achieve data security
40
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Accountability: Own the risk1
Priority: You cannot secure everything2
Connections: Their risk is your risk3
People: People do matter4
Technology: Fix the basics5
Maintain a good IT security hygiene
Identify and effectively manage data access
Employ security intelligence and analytics
Areas of Focus
Isla Lipana & Co., PwC
Considerations to achieve data security
41
14 June 2019The CPAs role in maintaining security and promoting data privacy
Data
Security
Accountability: Own the risk1
Priority: You cannot secure everything2
Connections: Their risk is your risk3
People: People do matter4
Technology: Fix the basics55
Crisis: It’s not if, but when6 Implement continuous monitoring and detection
Establish and test your crisis management plan
Areas of Focus
Isla Lipana & Co., PwC
14Tips to Protect Oneself from Cyber Threats
Isla Lipana & Co., PwC
A short video…
43
14 June 2019The CPAs role in maintaining security and promoting data privacy
Isla Lipana & Co., PwC
Accountants are well placed to
advise on the steps a business
should take to protect itself – data
security isn't just about technology
and computers: it involves people,
information, systems, processes
and culture too.
John Berriman, Former Board Member and CFO of PwC UK
Isla Lipana & Co., PwC
15Q&A
pwc.com/ph
Thank you
© 2019 Isla Lipana & Co. All rights reserved. Isla Lipana & Co. is a Philippine member firm of the PricewaterhouseCoopers global network.
Not for further distribution without the permission of PwC. In this document, “PwC” refers to the network of member firms of PricewaterhouseCoopers International
Limited, or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any
other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it
control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm
nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.
pwc.com/ph