Cybersecurity & data
privacy – risks and
opportunities
CPA Mustapha Bernabas Mugisa CFE, CEH
www.summitcl.com
be transformed
3/15/2023
Agenda
1. The cost of cybercrime & data breach
2. Cyber security maturity framework
3. Data security objectives
4. Building effective cyber defense
Top 4 broad risk areas of concern
(diagram: the four risk areas arranged around the organisation's strategy and the objectives at risk)
1. Enterprise risks (ERM)
2. Cybersecurity risks
3. Fraud & compliance risks
4. Incident & crisis management (BCP)
How safe are you?
How much do you estimate your
organisation loses annually to
(i) data breaches?
(ii) cybercrime?
The global cost of cybercrime…
Cost of cybercrime (Uganda Police Report)

                         Cyber loss 2019    Recovered             Not recovered
Uganda Police report     Ugx. 11.4 Bn       Ugx. 51 Mn (0.4%)     99.6%
Our frontline projects   Ugx. 171.1 Bn      Ugx. * (confidential / classified information)

248 of the reported cybercrime cases led to a loss of 11.4B. A lot of money is invested in trying to recover the big sums of lost money, which is not on record.
Across 450 clients, cybercrime cost them over 13.4 billion.
Source: Project Frontline Uganda 2020
published by www.summitcl.com
Average cost of a data breach (figure)
How long does it take to identify and contain a cyber breach? (figure)
High value data for hackers
1. Protected Health Information (PHI)
• First responders, Ambulatory Services, Intensive Care Records, Personal Medical records
2. Personally Identifiable Information (PII)
• Citizen records, Utility & water records
• Criminal records
3. Credit card numbers
• Property tax payments
• Utility bills, water, power
• Vehicle registration
• Home addresses given through home delivery meal orders, e.g. Jumia, SafeBoda, CJ, etc.
4. Bank account / payroll information, etc
Regulatory compliance & best practices…
1. Data Protection and Privacy Act, 2019 Laws of Uganda
2. Payment Card Industry (PCI) DSS – and several Bank of Uganda prudential
guidelines for financial institutions
3. ISO/IEC 27001: best practices for information security management systems (ISMS).
4. National Institute of Standards and Technology (NIST) Cybersecurity Framework
5. The Health Insurance Portability and Accountability Act (HIPAA)
6. The General Data Protection Regulation (GDPR)
7. The Federal Information Security Management Act (FISMA)
8. The Sarbanes-Oxley Act (SOX) is a US federal law that requires companies to
establish internal controls and reporting measures to prevent fraud
Common cyber threats and attack vectors
(bar chart: share of incidents per attack vector)
A. Weak and/or compromised credentials (46%)
B. Misconfiguration
C. Trust relationships
D. Missing or poor encryption
E. Technical vulnerabilities including zero-day exploits, trojans, cross-site scripting, session hijacking, and man-in-the-middle
F. Ransomware
G. Malicious insiders and/or former employees and service providers
H. Social engineering including phishing
Remaining bar labels as printed: 38%, 38%, 38%, 39%, 29%, 21%, 21% (assignment to B–H not legible in this copy).
Source: Project Frontline Uganda 2021, published by www.summitcl.com
Is this familiar to you?
Cyber assurance: A comprehensive framework* - key controls to watch

Cybersecurity Governance
• Program governance • Organizational model • Steering committee structure • Tone at the top • Regulatory and legal landscape • Cybersecurity strategy

Secure

Program management
a) Policies, standards, baselines, guidelines, and procedures
b) Talent and budget management
c) Asset management
d) Change management
e) Program reporting
f) Risk and compliance management

Data protection
a) Data classification
b) Data security strategy
c) Information records management
d) Enterprise content management
e) Data quality management
f) Data loss prevention

Identity and access management
a) Account provisioning
b) Privileged user management
c) Access certification
d) Access management and governance
e) Generic account management

Infrastructure security
a) Hardening standards
b) Security design/architecture
c) Configuration management
d) Network defense
e) Security operations management

Software security
a) Secure build and testing
b) Secure coding guidelines
c) Application role design/access
d) Development lifecycle
e) Patch management

Cloud security
a) Cloud strategy
b) Cloud risk identification
c) Cloud provider inventory
d) Minimum controls baseline
e) Cloud controls compliance

Third-party management
a) Evaluation and selection
b) Contract and service initiation
c) Ongoing monitoring
d) Service termination

Workforce management
a) Physical security
b) Phishing exercises
c) Security training and awareness

Vigilant

Threat and vulnerability management
a) Threat modeling and intelligence
b) Penetration testing
c) Vulnerability management
d) Emerging threats (e.g., mobile devices)

Monitoring
a) Security Log Management (SLM)
b) Security Information and Event Management (SIEM)
c) Cyber risk analytics
d) Metrics and reporting

Resilient

Crisis management
a) Response planning
b) Tabletop exercises
c) War game exercises
d) Incident response and forensics
e) Crisis communication plan
f) Third-party responsibilities

Enterprise resiliency
a) Business Impact Analysis (BIA)
b) Business Continuity Planning (BCP)
c) Disaster Recovery Planning (DRP)
*The summitSECURITY cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.
Cyber assurance risk assessment for improved governance
(heat map: cybersecurity domains coloured by risk, client vs industry, on a five-level maturity scale: 1 Initial, 2 Developing, 3 Established, 4 Advanced, 5 Leading; legend: Initial observed maturity, Current maturity, Target maturity)

Secure: Governance; Program management; Data protection; Identity and access management; Infrastructure security; Software security; Cloud security; Third-party management; Workforce management
Vigilant: Threat and vulnerability management; Monitoring
Resilient: Crisis management; Enterprise resiliency

Where do you fall? When did the board last read this kind of report?
NIST Cybersecurity Framework…

Function: Identify – What processes and assets need protection?
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management (v1.1)

Function: Protect – What safeguards are available?
Categories: Identity Management, Authentication and Access Control (v1.1); Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

Function: Detect – What techniques can identify incidents?
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes

Function: Respond – What techniques can contain impacts of incidents?
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements

Function: Recover – What techniques can restore capabilities?
Categories: Recovery Planning; Improvements; Communications

(v1.1) = category added or renamed in CSF version 1.1.
Cybersecurity objectives…
Confidentiality – restrict access to authorized individuals
Integrity – data has not been altered in an unauthorized manner
Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe
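The first two objectives as a small worked example, added here and not part of the original slides: confidentiality is enforced as a clearance check before a record is released, and integrity as an HMAC-SHA256 tag over the record's content together with its classification label, so that both a silent edit of the data and a downgrade of the label are detected before the label is trusted for an access decision. The users, records, classification levels and key are constructed for illustration (assumed, not from the presentation); availability is not modelled.

```python
"""
Added example (not from the slides): confidentiality and integrity as two
small, checkable controls. Users, records, levels and the key are constructed
for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed classification ordering: higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed integrity key. In production this lives in a KMS/HSM, never in code.
INTEGRITY_KEY = b"demo-integrity-key-do-not-use"


@dataclass
class Record:
    name: str
    classification: str
    content: bytes
    tag: bytes  # HMAC-SHA256 over classification || 0x00 || content


def _mac(classification: str, content: bytes, key: bytes) -> bytes:
    # The label is covered by the tag so it cannot be swapped independently of the data.
    return hmac.new(key, classification.encode() + b"\x00" + content, hashlib.sha256).digest()


def seal(name: str, classification: str, content: bytes, key: bytes = INTEGRITY_KEY) -> Record:
    """Integrity: bind the content and its classification to a keyed tag."""
    return Record(name, classification, content, _mac(classification, content, key))


def is_intact(rec: Record, key: bytes = INTEGRITY_KEY) -> bool:
    """Integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(_mac(rec.classification, rec.content, key), rec.tag)


def read_record(user_clearance: str, rec: Record) -> bytes:
    """Confidentiality: release content only to a user cleared for its level.

    The integrity check runs first: a tampered classification label must not
    be used to authorise access.
    """
    if not is_intact(rec):
        raise ValueError(f"{rec.name}: integrity check failed")
    if LEVELS[user_clearance] < LEVELS[rec.classification]:
        raise PermissionError(
            f"{rec.name}: clearance '{user_clearance}' is below '{rec.classification}'"
        )
    return rec.content


def demo() -> dict:
    """Walk through the four cases a reviewer would want to see."""
    payroll = seal("payroll-2023-03", "confidential", b"EMP001,UGX 4,500,000")  # constructed
    results = {}

    # 1. A user cleared to 'confidential' can read the record.
    results["finance_reads"] = read_record("confidential", payroll) == payroll.content

    # 2. A user cleared only to 'internal' is refused.
    try:
        read_record("internal", payroll)
        results["intern_denied"] = False
    except PermissionError:
        results["intern_denied"] = True

    # 3. Attacker downgrades the label to 'public' to reach the data: tag no longer matches.
    downgraded = Record(payroll.name, "public", payroll.content, payroll.tag)
    results["downgrade_detected"] = not is_intact(downgraded)

    # 4. Attacker edits the content in place: also detected.
    edited = Record(payroll.name, payroll.classification, b"EMP001,UGX 9,500,000", payroll.tag)
    results["edit_detected"] = not is_intact(edited)
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside read_record is the point worth carrying into real systems: authorisation decisions that depend on metadata (a label, a role, a tenant id) should only run after the metadata has been verified, otherwise an integrity failure turns into a confidentiality failure.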
Payment Card Industry (PCI)
1. Anyone who stores, processes, or transmits credit card data must be PCI DSS compliant
2. Common PCI validation requirements
▪ Report on Compliance (ROC)
▪ Self-Assessment Questionnaire (SAQ)
▪ Attestation of Compliance (AOC)
▪ Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
3. Sample PCI Data Security Standard requirements (PCI DSS v3.2.1 numbering; v4.0 renumbers these)
▪ Annual penetration testing (DSS 11.3)
▪ Security awareness training (DSS 12.6)
▪ Quarterly vulnerability scans (DSS 11.2)
These are contractual requirements for anyone in scope, and sound practice for everyone else.
The cyber insurance opportunity…
People are not the weakest link - they are the primary attack vector.
Questions & Answers
Q&A
Mustapha B Mugisa, Mr Strategy
strategy@summitcl.com