He posted a WhatsApp message to a lady friend “Here is the company’s payroll. Treat as confidential. Love you!” The lady immediately forwarded to another friend, “These guys are ripping us. Ugx. 50m net for one person monthly. We went to the wrong schools. The payroll attached may make you dizzy, read while seated. Xoxo.”
Within a month, the payroll, one of the documents classified as “confidential” was a subject of an article in an online publication. All payroll details were now available in the public domain. Although cyber-crimes come in many forms and schemes, all attack vectors are based on one idea: accessing organizational data and abusing it. For that reason, cybersecurity objectives focus on three things summarized as CIA – Confidentiality (no disclosure of confidential or privileged data), Integrity (no modifications or changes to company data and information) and Availability (ensure 100% system up-time).
What is data?
All reports, facts, records, and details on your phone, computer and company server is data – the most valuable resource. Do you use a company computer on which you have configured your personal cloud email ([email protected], etc)? In the normal course of your work, you will access the Internet and open social media accounts like Facebook, LinkedIn, and Twitter. You will post your personal information like mobile phone, date of birth, location and type of computer or phone you use. You will access your ICPAU member portal and update personal records like email and mobile phone. And then log into company systems including core banking application, from which you may export sensitive client records as part of your reporting requirements from the core system and save on your computer hard drive in .csv file or MS Excel. Over a year or two, you will have a lot of personal and company information on your computer and mobile phone. At the central bank level, the core banking application in use contains detailed confidential data about different financial institutions and accounts of different companies and individuals. This data is very confidential. At NSSF for example, the system holds data about working-class Ugandan savers including date of birth, place of work, money salary, next of kin of different individuals – data that must be kept in strict confidence. At NIRA, the national database all personal details about ALL registered Ugandan nationals including contact details and location details. If one accessed the database of NIRA, they could map out who lives in which house! That could have a huge impact on national security integrity. At a law firm, they keep details of different clients, case facts and testimonials – which could make or break a case. Most important, they process the client’s Wills and keep a record knowingly or unknowingly in their computers. Such records in the hands of wrong people could be a disaster! And you have seen a proliferation of so many clinics, pharmacies, and hospitals. The medical information systems keep very sensitive personal data – medical records of clients. If one gained access to a given Institution’s database with say email and phone contacts of customers, it is sold at an auction in the black market on the deep web or dark web, depending on the country or value attached on the data. A NIRA database dump could attract as much as the US $20m, depending on confirmed accuracy of the database. A small bank’s database could not qualify for an auction, but it could fetch the US $200,000 on a black market on the normal web by the cyber syndicate group. These later could use the information for espionage (to breach national security in case a government institution was hacked into) or sending phishing and spam emails for on-line marketers and hackers. As an Accountant or CFO, you must attach value to your data so that you justify the case for securing it.
The Data Protection and Privacy Act, 2019 laws of Uganda
On a daily basis, an average company collects, stores, processes and analyses lots of data into information. The competitor would like to gain access to such information and if they did could lead to the demise of your entity. To this end, on the 25th February 2019, the President of the Republic of Uganda assented to the Data Protection and Privacy Act, 2019. This law requires under section 3, 1 (g) that a data collector, processor or controller or any person who collects, processes, holds or uses personal data to “observe security safeguards in respect of the data.” And section 20 of the same Act provides for security of collected data, thus “A data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage , or unauthorised destruction and unlawful access to or unauthorised processing of the personal data.”
As a CFO or accountant, you must read and understand the Data Protection and Privacy Act, 2019 to ensure compliance enterprise through investing in appropriate technologies to protect the data.
How to secure data
As a CFO, you are the custodian of the company assets. The finance team keeps the enterprise asset register. Data in the computer systems is one of the key tangible assets for any business. The asset register details both physical and digital assets with the objective of effective management over the asset’s life cycle. For physical assets, the CFO keeps the asset register up to date in respect to the asset user, department, unique asset number, date of purchase, cost, depreciation rate, and net present value. For digital assets, on the other hand, their value keeps on appreciating and a strategic CFO takes a proactive approach to manage the digital assets to register as well so as to play a bigger role in business transformation.
When it comes to asset management to deliver the corporate strategy, an average CFO focuses on the physical assets register. A CFO of the future puts more attention on the digital asset register, which includes key application systems and data that is the lifeblood of the business. One of the areas of focus is investing in the right threat intelligence and cybersecurity capabilities to anticipate and manage threats to the entities’ digital assets.
Whereas a traditional CFO is busy spending a lot of time discussing about electric fence around the company perimeter walls, security guards, tagging physical assets, CCTV camera installation and asset depreciation computations, the CFO of the future puts more focus on enterprise business impact analysis (BIA) to classify and rank assets based on criticality and rationalize security spending decisions. Once critical assets are ranked, strong security controls can then be applied using the approach of defense in depth – keep the critical resources furthest from danger!
To secure confidential data and avoid potential legal liabilities arising from Data Privacy and Protection Act 2019 breaches, the finance team must champion three interventions – real-time threat intelligence, user training, and cyber forensics assurance.
One of the recommended enterprise security practices is real-time threat intelligence and monitoring – a 360 degrees visibility of the entire network, databases, and resources. You want to know which traffic hits your network security devices in terms of origin, intention, and frequency, among others. It is like checking your security camera at home to see who came to your main gate and peeped inside and left. Such information is critical to profile possible threats to your home! CFOs must work closely with ICT security officers to implement threat and business intelligence solutions in real-time including providing notifications when someone tries to access critical database tables at odd hours like at 2 am.
As they say, the only patch to human stupidity is education. All users must be continuously trained about basic security hygiene practices like the use of secure passwords that are more than ten characters long.
No system is breach-proof. Management must have confidence that in case a cyber incident occurred, there are tools and technology to investigate the matter from inception to disposition by identifying culprits and holding them to account. This calls for advanced cyber forensics. Live back-up of firewall logs, active directory logs and database logs in real-time to an exclusive off-site location that is not accessible by the internal IT staff is critical. The finance department must make cybersecurity management a priority in the budget.
This delivers more value in the long run.
Mustapha B Mugisa is Director at the Institute of Forensics and ICT Security (www.forensicsinstitute.org) a National Council of Higher Education approved training institute for Diploma in Cyber Security and Diploma in Risk Management. To contact, [email protected].