A few decades ago, no one could have imagined how much information the average person would have access to today, with just a few button clicks or screen taps. But it would also have been impossible to predict how much information about the average person would be available to others.
The Internet has transformed the way we work, play, shop, and interact with each other. And there’s no question that it has made our lives easier in all those areas.
But the digital revolution has also made us vulnerable in ways we have never been in the past. In fact, based on PwC’s 2018 Global Investor Survey, cyber threat is among the top concerns. The same is true of Risk in Focus, an annual risk study published recently by seven European institutes of internal auditors: respondents, who are chief internal auditors, ranked cybersecurity as the top risk faced by organizations in both the private and public sectors. Thus, governments and businesses around the world are now adopting new rules and practices to try to protect us.
Following recent information breaches that have been reported, the Securities and Exchange Commission’s (SEC) Markets and Securities Regulation Department (MSRD) required the Philippine Stock Exchange (PSE), the Philippine Dealing & Exchange Corp. (PDEx), listed firms, and other market institutions to submit compliance reports within 30 days.
In its Oct. 5, 2018 letter, the PSE issued a memorandum (reference CN – No. 2018-0052) as a reminder of data privacy laws and data protection regulations to all market participants, including all corporations that are grantees of a secondary license from the SEC (if covered), to comply with the following:
Every company should now include compliance with the Data Privacy Act (DPA) as part of its business objectives. In every cybersecurity incident, a company must identify the customers whose data are at risk. A communications effort must then clearly inform those customers of the impact and of the actions the company should take.
State regulations may require informing customers or regulators within a certain time. In the Philippines, this is covered by the Breach Reporting Procedures issued by the National Privacy Commission (NPC) in compliance with the DPA.
Data breaches may happen at any time, so it is important to stay alert to online scams. Cybercriminals often use stolen data to gather more sensitive information.
After a breach, organizations typically experience an increase in the volume of calls from concerned customers. To reduce this pressure, companies can create multi-channel outreach campaigns, including special web pages that keep the public informed of developments and provide tips and helpful resources. These efforts help customers take steps without calling customer support teams.
Identifying and communicating with affected customers and clients is most critical after a breach happens. To help companies lower the risk of future breaches and their potential damage, here are some steps to consider as preparation:
Encrypt all sensitive personal customer data, including data “at rest”. If an attacker gains access, the sensitive data cannot easily be read and exploited.
Harden and reduce the organization’s vulnerability by moving web applications behind firewalls. Also, restrict access to these applications from external sources.
Enhance identity-proofing processes and capabilities. Have helpdesk staff call clients back at pre-registered phone numbers. Require the use of Virtual Private Networks (VPNs) for remote access. Enforce account lockouts after a set number of failed logins.
Monitor online behavior to detect unusual activity by users accessing sensitive data. Examples include user registrations, helpdesk inquiries, password resets, and sensitive business transactions. Establish a baseline of normal behavior for the roles and job functions that access sensitive information or systems; this allows the detection of unfamiliar activity targeting an organization’s critical assets.
Always be aware of government regulations requiring businesses to better protect customer data. Examples include the DPA for the Philippines, EU GDPR for Europe, and various data privacy/protection laws in Australia.
Develop coordinated processes and procedures between cybersecurity and fraud teams. This includes a central process for investigations as well as clear authority and communication plans.
Ensure the organization’s password reset services do not rely on data that might be vulnerable to theft.
Train call center staff to take extra steps when verifying customer identities. Criminals may pose as clients to ask for password resets or for other account management activities.
Fortify the onboarding process for new merchant and business accounts. Also, reinforce account update procedures for existing merchant and business accounts.
Put in place an internal communication plan to discuss the potential impact on the business and next steps. Develop action plans, control changes, and ways to track whether the systems are working. Also, conduct regular calls or meetings with senior leadership to discuss privacy risk in the business.
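The behavior-monitoring step above (role baselines, and watching password resets and sensitive transactions) can be illustrated with a small detector. This is an added example, not code from the article or from PwC; the event format, the sample history and the three-resets threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed history of normal activity per role (sample data, not from the article).
HISTORY = [
    {"user": "alice", "role": "helpdesk", "event": "helpdesk_inquiry", "hour": 10},
    {"user": "alice", "role": "helpdesk", "event": "password_reset", "hour": 11},
    {"user": "bob", "role": "helpdesk", "event": "password_reset", "hour": 14},
    {"user": "carol", "role": "finance", "event": "sensitive_transaction", "hour": 9},
    {"user": "carol", "role": "finance", "event": "sensitive_transaction", "hour": 16},
    {"user": "dave", "role": "marketing", "event": "user_registration", "hour": 13},
]

# Constructed batch of new events to screen against the baseline.
NEW_EVENTS = [
    {"user": "bob", "role": "helpdesk", "event": "password_reset", "hour": 10},
    {"user": "bob", "role": "helpdesk", "event": "password_reset", "hour": 10},
    {"user": "bob", "role": "helpdesk", "event": "password_reset", "hour": 10},
    {"user": "dave", "role": "marketing", "event": "sensitive_transaction", "hour": 11},
    {"user": "carol", "role": "finance", "event": "sensitive_transaction", "hour": 2},
    {"user": "mallory", "role": "contractor", "event": "user_registration", "hour": 12},
]

def build_baseline(history):
    """Per role: the event types seen and the span of hours in which they occurred."""
    baseline = defaultdict(lambda: {"events": set(), "min_hour": 23, "max_hour": 0})
    for e in history:
        b = baseline[e["role"]]
        b["events"].add(e["event"])
        b["min_hour"] = min(b["min_hour"], e["hour"])
        b["max_hour"] = max(b["max_hour"], e["hour"])
    return dict(baseline)

def detect(events, baseline, reset_threshold=3):
    """Return (user, reason) alerts: event types outside the role's baseline,
    activity outside the role's usual hours, and password-reset bursts by one user."""
    alerts, resets = [], Counter()
    for e in events:
        b = baseline.get(e["role"])
        if b is None or e["event"] not in b["events"]:
            alerts.append((e["user"], f"unexpected {e['event']} for role {e['role']}"))
        elif not b["min_hour"] <= e["hour"] <= b["max_hour"]:
            alerts.append((e["user"], f"off-hours {e['event']} at {e['hour']:02d}:00"))
        if e["event"] == "password_reset":
            resets[e["user"]] += 1
            if resets[e["user"]] == reset_threshold:
                alerts.append((e["user"], f"{reset_threshold} password resets in window"))
    return alerts
```

Calling `detect(NEW_EVENTS, build_baseline(HISTORY))` raises four alerts: a reset burst, a marketing user performing a finance transaction, a finance transaction at 02:00, and activity from a role with no baseline at all.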
Security has to be at the center of every business’s data management plan. Managing cyber, privacy, and fraud risks in an integrated way has never been more important. With a ready view of the threat and a coordinated, planned response, companies can boost their cybersecurity.
As 2018 is nearing its end, companies should take the time to revisit some of the above steps as initial checks for potential future breaches and damage to the business before it is too late.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
Cecile Marie de Leon
Risk Assurance Director
Tel: +63 (2) 8845 2728 ext. 3331