It's more than just a technological challenge.
Protecting an organization from cyber attacks is more than just a technological challenge. Commitment from the top, instilling the right culture and identifying your weak spots are all essential.
The way manufacturers and retailers think about cyber security is changing – and it needed to. It is becoming increasingly clear in boardrooms across the globe that cyber protection isn’t just a matter of controlling business/financial risk. Breaches could have serious long-term implications for customer trust, with reverberations that could be felt long after the initial fallout and financial clear-up have been dealt with.
A single but devastating incident in which customer details, payment information, quality or continuity of service are compromised, could prove a traumatic test of customer confidence.
Cyber attacks used to be something that banks and sensitive government organizations worried about. Yet, as more retailers and consumer brands movetheir activities online, and connect up their IT systems and other infrastructure over networks, the opportunity for attackers has multiplied – gone viral, if you will. The more difficult financial and national defense organizations make it for cyber criminals, the greater the temptation for hackers to look for weaknesses elsewhere.
Customer loyalty programs, detailed marketing databases, online payment information – all are highly prized assets in the wrong hands. Tales of costly breaches are in generous supply. One of the most expensive in the last decadewas the attack on a major US retail group which, in 2007, revealed that more than 45 million of its customers’ credit and debit card numbers had been stolen over an 18-month period. The fallout from this event cost the business US$250m. Only two years ago another major American retailer suffered an attack of similar magnitude and cost. In its 2014 publication, data security provider Trustwave reported that retailers were the target of 35% of the cyber attacks they monitored, while food and drinks companies were victims of 18% of breaches.
That such vast breaches are still happening indicates how sophisticated the attackers are. As quickly as new tools and techniques have been brought out, threats have morphed into something else and found a new way in. Indeed, despite the security industry’s best efforts, the number of breaches is increasing exponentially year on year. Attempts can take many forms, from Trojan attacks to distributed denial-of-service (DDoS) events – and the more systems and information that travel across digital networks, the more ‘treasure’ there is to lure the criminally minded.
The size and wealth of a company seem to have little bearing on how secure its defenses are. In 2013, a US retailer was attacked using malware that hacked into a server where payment details were stored, despite its use of security systems that met PCI (Payment Card Industry) standards. A well-known online payment company was also compromised recently, with 233 million personal records affected. Beyond the immediate impact was a fear customers would lose confidence in buying online; having to contact millions of them to re-set passwords was alogistical headache.
If it’s becoming increasingly impossible to stay ahead of attackers, how can organizations protect themselves from the impact of cyber breaches?
The first step in developing a new approach to the problem is to understand that it is more than just a technology issue, despite the digital form of these attacks. “Cyber security is a business issue and a conversation that has made its way to the boardroom,” says Tony Buffomante, Advisory Principal at KPMG in the US.
That’s because the stakes are now so high – and because the best measures inthe world won’t automatically guard against negligent internal processes or shortcuts/workarounds by impatient employees. The direct costs of website downtime and lost revenues, added to the need to contact and reassure customers, the costs of lawsuits, any drop in shareholder value and reputational damage all provide motivation for the C-suite to make cyber security a priority.
Another driver of board-level involvement are the hefty fines which could soon be issued to organizations succumbing to security breaches. In the interest of building consumer confidence – and making companies more accountable for their cyber defenses – the EU is currently finalizing plans to introduce eye-watering penalties for organizations whose customer or employee data hasbeen compromised. “Companies may find they have to pay a fine of between two and five per cent of its affected global turnover,” says Ken Hall, Partner at KPMG in the UK.
Does all this mean that the Board should write a blank check for new cyber security measures? Buffomante suggests not, warning that there is no such thing as 100 per cent guaranteed protection. “If organizations try to go down that road, it will be too costly. Instead, they should try to understand what’s the most sensitive data that they’re trying to protect, and what strategies and objectives may need reviewing.”
Hall echoes that view. “The key is to prioritize. Decision-support methodologies and tools can help quantify and rank cyber risks. This is what insurers use, and they can help assess the risks so companies can focus spending wisely.” Hackers are continually active in their scanning of organizations’ systems and there are many different areas of vulnerability that companies may be exposed to. Third-party suppliers or vendors are a big risk – data processors or marketing support, for example.
Other areas are less obvious. Overlooked weak links may include: remotely accessible services that are often unneeded for business activities but which provide an avenue of attack to compromise an organization; wireless access points to gain entry into an organization’s internal network and steal sensitive information; and inactive user accounts left by temporary workers, contractors, and former employees (who may include the actual attackers).
Once the organization has a clearer idea of where its main areas of vulnerability lie, it can begin to look not only at how to protect itself as much as possible, but also how to be ready to respond if the worst happens.
“Achieving a state of readiness means that companies can minimize any damage in the event of an unforeseen attack,” Hall says. “If a ‘black swan’ [extraordinary/left-field attack] does come along and do significant damage, at least companies can show the insurer or regulator how vigilant they’ve been, and that they did their best to protect the business and its data.”
Assuming data is the only target for criminals is a mistake. There may be other vulnerabilities that brands and retailers are less aware of. “For example, a retailer may manage a lot of its appliances digitally, such as the refrigerators and freezers storing food products,” Hall says. “If a hacker took control via the network – turning the temperature up overnight then back down again before morning, so that products thaw and then refreeze – the result could be a food poisoning crisis.”
Attacks can also happen because of gaps in security at different links in the supply chain. When 2,240 emails and passwords were stolen from a leading UK supermarket chain’s loyalty card scheme website in 2014, the damage was exponentially greater than such modest numbers suggested. The loyalty scheme had many different participating players, sharing a lot of data. One breach in the supply chain was enough to put each of these parties (and their customers) atserious risk.
Dangers are not only external; internal threats are also rife. Current and former employees are often to blame for security breaches. Although not all incidents are intentional, the issue highlights the need for organizations to consider weaknesses inside as well as beyond company boundaries.
As cyber security comes into the boardroom, it ceases to be an IT-only problem and becomes the responsibility of every member of staff. Creating a shared responsibility culture, where each individual understands the part they play, is the foundation for any effective modern cyber strategy.
This doesn’t mean the IT team are the only ones who need to be vigilant. Organizations increasingly realize that chief information officers and chief information security officers have a crucial role in developing strategies that are tightly linked to business drivers and innovation strategies.
One increasingly popular strategy is to set up ‘hunting teams’ of experts who build up a proactive, network-centric view of the business, which they can then monitor for unusual activity. Having access to filtered, relevant and timely threat intelligence information can help guide teams like this in terms of what to look out for.
Where rogue activity is identified, organizations should establish a ‘first response’ approach and plan, mirroring what happens when an accident occurs and urgent, early intervention is required. This first response might be outsourced,managed internally, or a combination of the two. Remaining vigilant also means keeping connected to peers and expert sources, who may have detected new threats on the way. In the UK, the Government Cyber Security Information Sharing Partnership (CISP) – part of CERT-UK – is a joint industry-government initiative set up to share information about cyber threats and vulnerability. Equivalent groups exist in most developed countries. “Groups of like-minded organizations need to share intelligence about the issues affecting their industry, and threats they have detected,” Hall says. “There’s no competitive compromise by sharing what you’ve learned, and you could gain a lot in return.”
As well as being vigilant at a network level, organizations need to embed security into their cultures and everyday practices. “Cyber security needs to bebehavior that’s as instinctive as locking the office doors at the end of the day – it needs to be part of business as usual,” Buffomante says.
Maintaining a pan-organization awareness of cyber security threats will pay dividends as employees seek more freedom in the devices they use for work. The last thing employers want to do is clamp down on productivity and demotivate staff by taking away devices and tools that help people do their jobs, so the best solution is to educate them.
The same goes for extending new channels and means of payment to digital-savvy consumers. The need to innovate should not clash with the need to maintain optimum levels of security. Achieving a pragmatic balance is preferable. “The best approach here may be to control the risk such as placing a limit on the value of transactions,” Hall says. “By focusing on what people should be able to do rather than what they shouldn’t, organizations will retainthe ability to be ambitious and creative, which is critical to their competitive edge and to maintaining the customer – and employee – experience.”
© 2018 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.