Preface

We know that cyber security is an important concern for every organization. Daily occurrences demonstrate the risk posed by cyber attackers—from individual, opportunistic hackers, to professional and organized groups of cyber criminals with strategies for systematically stealing intellectual property and disrupting business.

The management of any organization faces the task of ensuring that its organization understands the risks and sets the right priorities. This is no easy task in light of the technical jargon involved and the pace of change.

Focusing on technology alone to address these issues is not enough. Effectively managing cyber risk means putting in place the right governance and the right supporting processes, along with the right enabling technology.

This complexity, however, cannot be an excuse for company management to divest responsibility to technical “experts.” It is essential that leaders take control of allocating resources to deal with cyber security, actively manage governance and decision-making over cyber security, and build an informed and knowledgeable organizational culture.

What is cyber crime and who is carrying it out?

Cyber crime is a range of illegal digital activities targeted at organizations to cause harm. The term applies to a range of targets and attack methods.

Understanding the “actor,” i.e. the person or organization that is sponsoring or conducting the attacks, is essential for effective defense.

Introduction – Cyber Security: The things you probably already know

The amount of data continues to grow exponentially as does the rate at which organisations share data through online networks. The Internet of Things – in which billions of machines, from tablets and smartphones to ATM machines, security installations, oil fields, environmental control systems and thermostats, are linked together – has left the realm of science fiction and is becoming reality.

Thus in heavily networked societies, inter-dependencies increase. Organisations increasingly open their IT systems to a range of (mobile) machines and – by definition – lose direct control of data security. Furthermore, business continuity, both in society and within companies, becomes increasingly dependent on IT. Disruption to these core processes can have a major impact on service availability.

Criminals are, of course, also aware of these vulnerabilities. Attacks on governments’ and companies’ networks have increased in volume and severity. The motives of cyber criminals are various, from pure financial gain, to espionage or terrorism. Organisations need to protect themselves against cyber attacks and ensure that appropriate responses can be provided. Organizations can reduce the risks to their business by building up capabilities in three critical areas – prevention, detection and response (see table below).

PreventionDetectionResponse
Management and organizationAppointing cyber crime responsibilitiesEnsuring a 24/7 stand-by (crisis) organizationUsing forensic analysis skills
ProcessesCyber crime response tests (simulations)Periodic scans and penetration testsProcedures for follow-up of incidentsCyber crime response plan
TechnologyEnsuring adequate desktop security

Ensuring network segmentation

Implementing logging of critical processes

Implementing central monitoring of security incidents

Deactivating or discontinuing IT services under attack

The five most common cyber security mistakes

To many, cyber security is a bit of a mystery. This lack of understanding has created many misconceptions among management about how to approach cyber security. The following five cyber security mistakes are repeated over and over – often with drastic results.

  1. Mistake: “We have toachieve 100 percent security”
    • Reality: 100 percent security is neither feasible nor the appropriate goal
  2. Mistake: “When we invest in best-of-class technical tools, we are safe”
    • Reality: Effective cyber security is less dependent on technology than you think
  3. Mistake: “Our weapons haveto be better than those of the hackers”
    • Reality: The security policy should primarily be determined by your goals, not those of your attackers
  4. Mistake: “Cyber security compliance is all about effective monitoring”
    • Reality: The ability to learn is just as important as the ability to monitor
  5. Mistake: “We need to recruit the best professionals to defend ourselves from cyber crime”
    • Reality: Cyber security is not a department, but an attitude

Customizing your approach

The risks of cyber crime for a local entrepreneur compared to a globally operating multinational are vast. The former may not have the resources or expertise to adequately detect or prevent cyber crime. But the latter is a more attractive target to criminals: it is more visible, more dependent on IT, and has far more valuable assets.

Both types of businesses need to adopt a customized approach to cyber security, based on the character of the organization, its risk appetite and the knowledge available.

cyber securityAs a manager, how do you assess the cyber capability of your organization

As management, you want to know whether your organization has an adequate  approach to cyber security. At KPMG  we consider six key dimensions that together provide a comprehensive and in-depth view of an organization’s cyber maturity.

Are you ready for action?

Cyber security must be on your agenda. Your management, boards, shareholders and clients all expect you to pay sufficient attention to this problem.

But just because you recognize the problem doesn’t mean you are ready for action.

Developing a strategic, customized and comprehensive cyber security program, driven from the top, will help you avoid five common cyber security mistakes:

  1. “We have to achieve 100 percent security”
  2. “When we invest in best-of-class technical tools, we are safe”
  3. “Our weapons have to be better than those of the hackers”
  4. “Cyber security compliance is all about effective monitoring”
  5. “We need to recruit the best professionals to defend ourselves from cyber crime”

If you have taken a holistic view of cyber security and can answer the following questions about your approach, you are ready for action!

  1. How big is the risk for your organization and the organizations you do business with?
  2. Do governance processes and the organizational culture enable effective risk management?
  3. How large should your cyber security budget be and how should you spend it?

This publication is based on the KPMG Thought Leadership White Paper Cyber Security: It’s not just about technology a joint work prepared by: Peter Kornelisse, Koos Wolters, Dennis van Ham, Ronald Heil, Harald Oymans, Stan Hegt and Tamara Kipp.

About the Author

Ian Wood
Ian Wood -

IT Advisory, KPMG