First appeared in TODAY’S Accountant, the magazine of the Institute of Certified Public Accountants of Uganda (ICPAU), Issue 19, August 2019, p. 44
He posted a WhatsApp message to a lady friend: “Here is the company’s payroll. Treat as confidential. Love you!” The lady immediately forwarded it to another friend: “These guys are ripping us off. UGX 50m net for one person monthly. We went to the wrong schools. The payroll attached may make you dizzy, read while seated. Xoxo.” Within a month, the payroll, one of the documents classified as “confidential”, was the subject of an article in an online publication. All payroll details were now in the public domain. The discontent that story spread through the organization started a snowball of resignations from which it is still trying to recover. It created an even wider gap between top management and the lower ranks. And that organization has learned the value of cybersecurity.
Although cyber-crimes come in many forms and schemes, all attack vectors are based on one idea: accessing and abusing organizational data.
For that reason, cybersecurity objectives focus on three things, summarized as CIA – Confidentiality (no disclosure of confidential or privileged data), Integrity (no unauthorized modification of company data and information) and Availability (ensure 100% system up-time).
What is data?
All reports, facts, records and details on your phone, computer and company server are data – the most valuable resource. Do you use a company computer on which you have configured your cloud email (email@example.com, etc.)? In the normal course of your work, you will access the internet and open social media accounts like Facebook, LinkedIn and Twitter. You will post personal information such as your mobile phone number, date of birth, location and the type of computer or phone you use.
You will access your Institute of Certified Public Accountants of Uganda (ICPAU) member portal and update personal records such as your email and mobile phone number. You will then log into company systems, including the core banking application, from which you may export sensitive client records as part of your reporting requirements and save them on your computer hard drive as a CSV or MS Excel file. Within a year or two, you will have a lot of personal and company information on your computer and mobile phone.
At the central bank level, the core banking application in use contains detailed confidential data about different financial institutions and the accounts of different companies and individuals. This data is extremely confidential. The National Social Security Fund system holds data about working-class Ugandan savers, including date of birth, place of work, salary amount and next of kin – data that must be kept in strict confidence. At the National Identification and Registration Authority (NIRA), the national database holds all personal details of all registered Ugandan nationals, including contact and location details. If one accessed the NIRA database, they could map out who lives in which house! That could have a huge impact on national security.
At a law firm, they keep details of different clients, case facts and testimonials – which could make or break a case. Most importantly, they process clients’ wills and keep a record, knowingly or unknowingly, on their computers. Such records in the wrong hands could be a disaster. And you have seen a proliferation of clinics, pharmacies and hospitals. Medical information systems keep very sensitive personal data – the medical records of clients. If one gained access to a given institution’s database with, say, email and phone contacts of customers, it is sold at auction on the black market on the deep web or dark web, depending on the country or the value attached to the data. A NIRA database dump could attract as much as US$20m, depending on the confirmed accuracy of the database. A small bank’s database might not qualify for an auction, but it could fetch US$200,000 on a black market on the normal web from cyber syndicate groups.
These groups could later use the information for espionage (to breach national security, in case a government institution was hacked) or for sending phishing and spam emails on behalf of online marketers and hackers. As an accountant or Chief Financial Officer (CFO), you must attach value to your data so that you can justify the case for securing it.
Daily, an average company collects, stores, processes and analyses lots of data into information. A competitor would like to gain access to such information, and if they did, it could lead to the demise of your entity. To this end, on 25 February 2019 the President of the Republic of Uganda assented to the Data Protection and Privacy Act, 2019. Section 3(1)(g) of this law requires that a data collector, processor or controller, or any person who collects, processes, holds or uses personal data, should “observe security safeguards in respect of the data.” Section 20 of the same Act provides for the security of collected data, thus: “a data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of the personal data.”
As a CFO or accountant, you must read and understand the Data Protection and Privacy Act, 2019 to ensure enterprise-wide compliance by investing in appropriate technologies to protect the data.
How to secure data
As a CFO, you are the custodian of the company’s assets. The finance team keeps the enterprise asset register. Data in the computer systems is one of the key tangible assets for any business. The asset register details both physical and digital assets, with the objective of effective management over each asset’s life cycle. For physical assets, the CFO keeps the asset register up to date with respect to the asset user, department, unique asset number, date of purchase, cost, depreciation rate and net present value. The value of digital assets, on the other hand, keeps appreciating, and a strategic CFO takes a proactive approach to managing the digital asset register well in order to play a bigger role in business transformation.
When it comes to asset management to deliver the corporate strategy, an average CFO focuses on the physical assets register. A CFO of the future puts more attention on the digital asset register, which includes key application systems and data that is the lifeblood of the business. One of the areas of focus is investing in the right threat intelligence and cybersecurity capabilities to anticipate and manage threats to the entities’ digital assets.
Whereas a traditional CFO is preoccupied with the electric fence around the company perimeter walls, security guards, tagging physical assets, CCTV camera installation and asset depreciation computations, the CFO of the future puts more focus on enterprise Business Impact Analysis (BIA) to classify and rank assets by criticality and to rationalize security spending decisions. Once critical assets are ranked, strong security controls can be applied using the approach of defense in depth – keep the critical resources furthest from danger!
To secure confidential data and avoid potential legal liabilities arising from breaches of the Data Protection and Privacy Act, 2019, the finance team must champion three interventions – real-time threat intelligence, user training and cyber forensics assurance.
One of the recommended enterprise security practices is real-time threat intelligence and monitoring – 360-degree visibility of the entire network, databases and resources. You want to know which traffic hits your network security devices, in terms of origin, intention and frequency, among others. It is like checking your security camera at home to see who came to your main gate, peeped inside and left. Such information is critical for profiling possible threats to your home.
CFOs must work closely with ICT security officers to implement threat and business intelligence solutions in real time, including notifications when someone tries to access critical database tables at odd hours.
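The kind of notification rule described above, as an added example that is not part of the original article: it reads constructed database audit-log lines and raises an alert when a table the BIA ranked as critical is touched outside business hours, or when an unusually large number of rows is exported (the way the client records in the earlier scenario were pulled into a CSV file). The log format, table names, business window and threshold are all assumptions for illustration, not any real DBMS audit format.

```python
"""Added example: flag off-hours or bulk access to critical database tables.

Log format (constructed for this example): timestamp|user|action|table|rows
"""
from datetime import datetime, time

# Tables ranked as critical by the Business Impact Analysis (constructed names).
CRITICAL_TABLES = {"payroll", "customer_accounts", "client_wills"}

# Assumed business window: Monday to Friday, 08:00 to 18:00 local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_line(line):
    """Split one constructed audit line into its fields."""
    ts, user, action, table, rows = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "action": action.upper(),
        "table": table.lower(),
        "rows": int(rows),
    }


def is_odd_hours(ts):
    """True on weekends, or on a weekday outside the business window."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_alerts(lines, bulk_threshold=1000):
    """Return (user, table, reasons) for each critical-table event that is
    either at odd hours or exports at least bulk_threshold rows."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["table"] not in CRITICAL_TABLES:
            continue  # non-critical tables are not alerted on
        reasons = []
        if is_odd_hours(ev["ts"]):
            reasons.append("odd-hours access")
        if ev["rows"] >= bulk_threshold:
            reasons.append("bulk export")
        if reasons:
            alerts.append((ev["user"], ev["table"], ", ".join(reasons)))
    return alerts


# Constructed sample audit lines (12 Aug 2019 is a Monday, 17 Aug a Saturday).
SAMPLE_LOG = [
    "2019-08-12 10:15:02|jdoe|SELECT|payroll|12",                 # in hours, small
    "2019-08-12 23:41:17|jdoe|SELECT|payroll|250",                # Monday night
    "2019-08-17 09:05:44|asmith|SELECT|customer_accounts|5000",   # Saturday, bulk
    "2019-08-13 14:30:00|asmith|SELECT|branch_list|3000",         # not critical
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run on the sample lines, only the Monday-night payroll read and the Saturday bulk export of customer accounts are reported; the in-hours read and the non-critical table are ignored.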
As they say, the only patch to human stupidity is education. All users must be continuously trained in basic security hygiene practices, such as the use of secure passwords that are more than ten characters long.
No system is breach-proof. Management must have confidence that, in case a cyber incident occurs, there are tools and technology to investigate the matter from inception to disposition by identifying culprits and holding them to account. This calls for advanced cyber forensics. Live back-up of firewall logs, Active Directory logs and database logs in real time to an exclusive off-site location that is not accessible to internal IT staff is critical. The finance department must make cybersecurity management a priority in the budget.
This delivers more value in the long run.
CPA Mustapha Barnabas Mugisa, Mr. Strategy
Director at the Institute of Forensics and ICT Security