Data Privacy / Cyber Security
9th November 2016
With you today . . .
Sourabh Sharma, Director, Cyber Security, EY Kuwait
Role: Kuwait Cyber Security Leader and IS Governance MENA champion
Agenda
1. Introduction to cyber security
2. Cyber Security Attacks
3. MENA context
4. Mitigation steps and best practices
5. Introduction to Data privacy
6. Need of privacy
7. Global landscape and regulation
8. Approach to implement privacy
Is Cyber Security a real issue?
Source: Global Risks Perception Survey 2014
[Chart: global risks landscape plotted by likelihood (x-axis) against impact (y-axis), with risks grouped as economic, geopolitical, environmental, societal and technological; cyber attacks, data fraud/theft and critical information infrastructure breakdown are among the technological risks plotted. Chart averages shown: 4.56 and 4.31.]
What we hear from you…
Global Information Security Survey conducted by EY in 2015:
► 36% of respondents say that it is “unlikely” or “highly unlikely” that their organization would be able to detect a sophisticated attack.
► 69% say their information security budget needs to rise by up to 50% to protect the company in line with management’s risk tolerance.
► 57% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.
► 18% do not have an Identity and Access Management program, while in 2014 this figure was 12% — this represents a serious drop.
► 36% of respondents do not have a threat intelligence program.
► 88% of respondents do not believe their information security fully meets the organization’s needs.
► 47% of organizations do not have a Security Operations Centre.
► 56% of respondents have identified data leakage/data loss prevention as a high priority requirement over the next 12 months.
Some major cyber attacks
$2 million – AT&T
► The US carrier was hacked in 2011, but said no account information was exposed.
► They warned one million customers about the security breach.
► Money stolen from hacked business accounts was used by a group related to Al Qaeda to fund terrorist attacks in Asia. According to reports, refunding customers cost AT&T almost $2 million.
$171 million – Sony
► Hacked in April to June 2011, Sony is by far the most famous recent security attack.
► Sony reportedly lost almost $171 million after its PlayStation Network was shut down by LulzSec.
► The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.
$2.7 million – Citigroup
► Hacked in June 2011: hackers exploited a basic online vulnerability and stole account information from 200,000 clients. Because of the hacking, Citigroup lost $2.7 million.
► Just a few months before the attack, the company was affected by another security breach.
► It started at Epsilon, an email marketing provider for 2,500 large companies including Citigroup.
► Specialists estimated that the Epsilon breach affected millions of people and caused an overall $4 billion loss.
$2 million – Stratfor
► Anonymous members hacked the US research group and published confidential information from 4,000 clients, threatening that they could also give details about 90,000 credit card accounts.
► Hackers stated that Stratfor was “clueless…when it comes to database security”.
► According to the criminal complaint, the hack cost Stratfor $2 million.
$39 million: Bank Muscat / $4.7 million: RAKBANK
► Oman-based Bank of Muscat lost US$40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost US$5 million in the global heist.
► US and German authorities have so far arrested nine — seven in the US and two in Germany — for their alleged involvement in the $45 million pre-paid travel card fraud.
► Global criminal organisation members hacked into two outsourced credit card processors and used stolen data to make more than 40,500 withdrawals in 27 countries.
Where does MENA stand- GCI
Channels of attack
Social engineering
► Social engineering has moved onto social networks, including Facebook and LinkedIn.
► Attackers use social engineering, which goes beyond calling targeted employees and trying to trick them into giving up information.
Internal threats
► Some of the most dangerous attacks originate within the organization.
► These attacks can be the most devastating, due to the amount of damage a privileged user can do and the data they can access.
Botnets
► Expect cybercriminals to spend a lot of time perfecting what they know best, such as making sure their botnets have high availability and are distributed.
BYOD and Mobiles
► The issue of trust comes into play in the mobile world as well, with many businesses struggling to come up with the right mix of technologies and policies to hop aboard the BYOD trend.
Cloud security
► With more companies putting more information in public cloud services, those services become tempting targets, and can represent a single point of failure for the enterprise.
HTML5
► Even with increasing attention being paid to HTML5 security, its newness means that developers are bound to make mistakes as they use it, and attackers will look to take advantage.
Precision Targeted Malware
► Attackers are learning from the steps researchers are taking to analyse their malware, and are designing malware that will fail to execute correctly on any environment other than the one originally targeted.
Application Vulnerabilities
► Application vulnerabilities are another channel through which a cyber attack can happen.
What is driving the trend
► Increasing cyber attacks threatening ICT security
► MENA geo-political scene
► Global / regional compliance
► National Information Security Strategy
► Maturity / competence of state agencies to adopt the NIA
► Reporting, monitoring and management of risk
► Legal and regulatory compliance
GCC – National level Cyber Initiatives (government/private entities)
► Oman: OCERT
► Qatar: QCERT
► UAE: NESA
► KSA: NCSC
► Kuwait: CAIT
Regional Cyber Security Initiatives
Initiative                      Qatar   UAE   Saudi Arabia   Oman       Kuwait
National Strategy               ✔       ✔     wip            wip        ✖
IS Standard                     ✔       ✔     ✖              ✔ (eGOV)   ✖
ICS Standard                    ✔       ✖     ✖              ✖          ✖
Dedicated Gov. Agency           ✔       ✔     ✔              ✔          ✔
Vetting labs                    2018    wip   ✖              ✖          wip
Compliance Road Map             ✔       ✔     ✖              ✔ (eGOV)   ✖
National Cyber Risk Framework   ✔       wip   wip            ‐          ✔ (KNIGF)
(✔ = in place, wip = work in progress, ✖ = not in place)
Cyber Risk Mitigation
Protect the crown jewels
Being attacked is unavoidable, so how prepared are you? Can you answer “yes” to these five key questions?
1. Do you know what you have that others may want?
2. Do you know how your business plans could make these assets more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were being attacked and if the assets have been compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?
Valued assets: intellectual property; people information; financial information; business information (strategy, performance, transactions)
Embrace Cyber security
Stakeholders: board and executive leadership; internal audit and risk management; legal and regulatory; finance; customer; information technology; governance, risk and controls; supply chain
Cyber-Security services:
► All cyber services
► Table-tops
► Cyber intelligence
► Cyber insurance
► Cyber economic intelligence
► Cyber-identity services
► Secure mobile services
► Bring Your Own Device (BYOD)
► Cyber controls with supplier and vendor alignment
► Vendor risk management (VRM)
► IT strategy services
► Big data security
► Securing disruptive technologies
► Securing infrastructure and application platforms
► Data integrity
► Risk detection and response
► Controls compliance
► Governance
► Risk management
► Performance metrics
Data Privacy
Introduction to Privacy
Privacy is the ability to control how you are identified, contacted, and located.
Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information (Generally Accepted Privacy Principles from AICPA; AICPA: American Institute of Certified Public Accountants).
Privacy requires control of information: professional information, customer information, financial information.
General
• Name • Home or email address • Identification number • Physical characteristics • Sexual orientation
Employee / third party
• Employment history • Employee relations • Compensation/remuneration related matters • Background investigation reports • Health & safety
Customers
• Account numbers • Credit card / bank details • Calling details • Income • Credit information • Details collected during customer acquisition (for KYC purposes)
Privacy in IS Context
Privacy: the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.
Confidentiality: information designated as confidential is protected as committed or agreed.
Integrity: system processing is complete, accurate, timely, and authorized.
Availability: the system is available for operation and use as committed or agreed.
Data subjects
A data subject is an individual who is the subject of certain personal information. Data subjects can be:
► Applicants
► Employees (current, former, retired)
► Multiple contract employees
► Expatriates
► Contractors
► Vendors/consultants
► Dependents and beneficiaries
► Retirement plan participants
► Prospective clients
► Consumers and customers
► Investors
► Professionals related to the industry
► Patients
► Business contacts, service providers, agents, contractors, and suppliers
► Market research participants
► Opinion leaders (influential scientists, academics, leading industry players, public officials, etc.)
► Activists
► Visitors
Need of privacy
Privacy is multifaceted. It is a personal issue, a social issue, a legal issue, and a business issue. Organizations are challenged to effectively manage compliance, expectations, and risk across increasingly complex and geographically diverse enterprises.
Main drivers
• Compliance with laws, regulations, contracts and other agreements
• Managing financial risks
• Countering identity theft and fraud
• Managing other business risks to brand and reputation
Other drivers
• Meeting customer expectations
• Outsourcing, off-shoring, and extended global enterprises
• Evolving technologies, such as Internet-based services, enterprise resource planning systems and customer relationship management
• Process harmonization, cost reduction
Where Privacy can be of interest...
Manual processes
• Face-to-face interaction • Forms and data entry
Systems
• Devices and user equipment • Front office • Back office • Infrastructure • Web
Third parties
• Customer interfacing • Infrastructure • Business partner
A process that handles personal information can be segregated into different components. For each of these, we may have different interests. Consider the lifecycle of personal information, including its:
• Collection • Use and secondary use • Retention and storage • Transfer and disclosure • Disposal
What could go wrong...
Considering what could go wrong is important for understanding what needs to be done to effectively manage and protect personal information. These challenges are often tactical in nature and symptoms of broader issues.
Common challenges
• Lost or stolen media
• Over-sharing of personal information
• Good intentions but misused data
• Third party service provider control deficiency
• Web site leakage
• Hackers (inside and outside)
• Unwanted marketing communications (telephone, email, SMS)
• Fraudulent transactions
• Social engineering, including phishing
Could result in... risk(s)
• Identity theft
• Brand and reputation damage
• Litigation
• Regulatory action
• Direct financial loss
• Loss of market value
• Loss of customer and business
• Becoming the example of what could go wrong
Global Privacy landscape
[Map legend: national privacy or data protection law in place; other significant privacy laws in place; emerging privacy or data protection laws]
Key data privacy and protection laws
► Austria: Federal Act Concerning the Protection of Personal Data
► Denmark: Danish Act on Processing of Personal Data
► Finland: Personal Data Act
► France: French Data Protection Act
► Germany: Federal Data Protection Act
► Greece: Hellenic Data Protection Law
► Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interests
► Italy: Personal Data Protection Code
► Poland: Personal Data Protection Act
► South Africa: Protection of Personal Information Bill (“Proposed Bill”)
► Spain: Organic Act 15/1999 on personal data protection
► Sweden: The Swedish Personal Data Act
► Switzerland: Federal Act on Data Protection of 19 June 1992
► Netherlands: Personal Data Protection Act
► UK: Data Protection Act 1998
► US: Patchwork of federal and state law
► Russian Federation
Leading practices…
EY Perspective
► Perform Service Organization Control (SOC) 2 examination
► Implement Information Privacy framework
Data Protection Requirements: SOC 2; privacy standard (ISO 29100, BS 10012, GAPP etc.)
Principles & standard used to assess and define privacy structure: Generally Accepted Privacy Principles (GAPP); leading frameworks (ISO 29100, BS 10012)
Privacy framework implementation
• Privacy governance structure.
• Business strategy to identify, collect, process, protect and share personal information.
• Risk assessment and gap analysis of controls and procedures.
• Design and implementation of privacy initiatives.
• Sustaining and managing privacy processes.
Maturity Assessment: identify the maturity of data protection processes on the scale Ad-hoc, Repeatable, Defined, Managed, Optimized.
Privacy Procedures & Controls: define a Data Protection framework to implement relevant controls for protecting sensitive/critical/confidential information.
Privacy framework implementation
Phases: Identify, Diagnose, Design, Deliver, Sustain
Identify
Activity: Document Personal Identifiable Information (‘PII’)
Objective: What to protect? Where is it stored? Who has access to it?
• Address • Date of birth • Financial information • Medical details • Sexual orientation
Diagnose
Activity: PII modeling & mapping
Objective: Evaluate existing initiatives/mitigation strategies
• Regulatory & contractual requirements • Financial, technical, reputational risk assessment
Design
Activity: Define Privacy Framework; conduct Privacy Risk Assessment (‘PRA’)
Objective: Co-develop mitigation strategies to address gaps
• Personal and sensitive personal information • Policies & procedures
Deliver
Activity: Implement the privacy framework
Objective: Implement mitigation strategies across the enterprise
• Process alignment • IT system upgrade • Information lifecycle management
Sustain
Activity: Training; awareness campaign
Objective: Sustain momentum by creating awareness amongst stakeholders
• Awareness to customers, employees & third parties • Training on data handling
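The Identify and Diagnose steps ask what PII exists, where it is stored and who can read it, and the earlier "what could go wrong" list names third-party control deficiencies as a common failure. As an added illustration (this is example code, not from the EY deck or any EY tool), the Python below runs a small PII discovery pass over constructed sample data stores and produces that what/where/who inventory. The store names, records, field-name hints, access groups and the "sensitive" category set are all assumptions made up for the example; the point it makes is that value patterns alone (a 16-digit run, a date) produce false positives, so the classifier combines a Luhn check and field-name context with the regexes.

```python
import re
from collections import defaultdict

# Constructed sample data stores (hypothetical names, people and values).
# "access" lists the groups that can read the store: the "who" of the inventory.
SAMPLE_STORES = {
    "crm.customers": {
        "access": {"sales", "marketing", "dba", "vendor-analytics"},
        "records": [
            {"full_name": "Amal Example", "email": "amal@example.com",
             "card_number": "4111 1111 1111 1111", "mobile": "+965 9000 0001"},
            {"full_name": "Bader Example", "email": "bader@example.net",
             "card_number": "1234 5678 9012 3456", "mobile": "99000002"},
        ],
    },
    "hr.employees": {
        "access": {"hr", "dba"},
        "records": [
            {"full_name": "Carla Example", "date_of_birth": "1985-04-12",
             "civil_id": "285041200123", "medical_notes": "asthma"},
        ],
    },
    "web.newsletter": {
        "access": {"marketing", "web-admin"},
        "records": [{"email": "dana@example.org", "signup": "2016-11-09"}],
    },
}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")   # 13-19 digits, spaces/dashes allowed
PHONE_RE = re.compile(r"^\+?\d[\d -]{6,14}\d$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Field-name hints for PII that has no distinctive value format (assumed names).
NAME_HINTS = {
    "name": ("name",),
    "national_id": ("civil_id", "national_id", "passport"),
    "medical": ("medical", "health"),
}
# Categories treated as sensitive personal information in this example.
SENSITIVE = {"payment_card", "national_id", "medical", "date_of_birth"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(field: str, value: str) -> set:
    """Return the PII categories one field value belongs to."""
    f = field.lower()
    types = {t for t, hints in NAME_HINTS.items() if any(h in f for h in hints)}
    if EMAIL_RE.match(value):
        types.add("email")
    if CARD_RE.match(value) and luhn_ok(value):
        types.add("payment_card")
    # Digit runs and dates are ambiguous on their own, so these two also
    # require the field name to say what the value is (avoids flagging a
    # signup date as a date of birth, or an ID number as a phone).
    if PHONE_RE.match(value) and any(h in f for h in ("phone", "mobile", "tel")):
        types.add("phone")
    if DATE_RE.match(value) and any(h in f for h in ("dob", "birth")):
        types.add("date_of_birth")
    return types


def build_inventory(stores: dict) -> dict:
    """Map each store to its PII-bearing fields (what/where) and readers (who)."""
    inventory = {}
    for store, meta in stores.items():
        per_field = defaultdict(set)
        for record in meta["records"]:
            for field, value in record.items():
                per_field[field] |= classify(field, str(value))
        found = {field: {"types": types,
                         "tier": "sensitive" if types & SENSITIVE else "personal"}
                 for field, types in per_field.items() if types}
        if found:
            inventory[store] = {"fields": found, "access": sorted(meta["access"])}
    return inventory


def third_party_exposure(inventory: dict, third_parties: set) -> list:
    """Stores holding sensitive PII that a listed external group can read."""
    exposed = []
    for store, entry in inventory.items():
        sensitive = any(f["tier"] == "sensitive" for f in entry["fields"].values())
        if sensitive and third_parties & set(entry["access"]):
            exposed.append(store)
    return sorted(exposed)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for store, entry in inv.items():
        print(store, "readers:", entry["access"])
        for field, info in entry["fields"].items():
            print("  ", field, info["tier"], sorted(info["types"]))
    print("sensitive PII readable by a third party:",
          third_party_exposure(inv, {"vendor-analytics"}))
```

Run as a script it prints the inventory per store and then flags `crm.customers`, because the constructed `vendor-analytics` group can read a store that holds card numbers; the `web.newsletter` signup date is correctly left out of the inventory. In a real Identify phase the same pass would be pointed at database schemas, file shares and SaaS exports, and the output would feed the Diagnose phase's mapping of regulatory and contractual requirements to each store.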
Thank you
Email id: [email protected]
Phone number: +96594002430