The Head of Cyber Security services at KPMG in Greece gives commentary on related issues and advises businesses. The interview was published in FORTUNE magazine, July 2016.
Cyber crime covers all illegal digital actions intended to cause damage to businesses or individuals. The term is used to denote a wide range of attack methods, and those who support or perform them are divided into four broad categories:
In the same manner that we can protect ourselves against more well-known and traditional forms of attacks (e.g. theft), so too we can protect ourselves against cyber attacks. Integrated protection covers four areas: we must prepare and protect ourselves, while also detecting/identifying and properly responding to the attacks when they occur. Preparation means that each company should know what kind of attacks it is exposed to and what assets are the most vital to protect. Protection includes technological measures, processes, organization and awareness, through adequate and continuous briefing of the company’s employees. Detection refers to the continuous monitoring and checking for signs of possible attacks, and their identification as soon as possible and while they are still in progress. Finally, response requires an action plan that will help the company minimize the impact of a cyber attack when it happens. Based on KPMG’s experience, the majority of organizations limit themselves to protection only and especially on the technological aspect.
Yes, it can be estimated to a significant extent through IT risk assessment. There are specific methodologies that we use in order to assess risk and its consequences. This assessment, though based on preset standards, is specific to each company and requires the active participation of the company’s personnel; this is the first step of response to attacks.
Based on KPMG’s experience, investment in cyber security ranges between 3% and 5% of IT’s annual budget. As stated above, the evaluation of information risks and their business impact constitutes best practice when it comes to determining the necessary level of security investment. In any case, investment in cyber security should be reviewed on an annual basis. Moreover, investment should not be limited to the technological dimension or the mitigation of past problems; it should also concern the integration of security in the developing information systems (security by design). Still, investing in safe technology is not sufficient in itself. Without proper governance, effective processes, and the adoption of an appropriate culture and attitudes, technological solutions will not be worth the money spent. Let us not forget that programs are implemented, processes are adhered to, and technologies are operated and maintained by the people in the organizations.
The scale of cyber attacks in recent years and the visibility that they enjoy in the media have now awakened many Greek businesses. Traditionally, the sectors governed by a strict regulatory or legislative framework (e.g. financial institutions, telecommunications) have made significant investments to address cybercrime. We do, however, see companies from other sectors taking steps to protect themselves.
The first step is to identify the risks to which the company is exposed and what it wishes to protect most, and then to assess whether the existing security mechanisms adequately protect the organization against these risks. This differs in scope and complexity, depending on the size, activity and operating model of the company. In any case, the cyber security strategy should be an item on the management’s agenda, and not regarded as a matter for IT to handle alone. This is the only way to keep the organization alert, ensure protection from cyber attacks, and make security part of corporate culture.
An important evaluation criterion is the number of successful security breaches that were detected. Organizations, however, should not be complacent in this respect. According to KPMG’s model of intelligent management of cyber risks, the success of security violations is based on the following dimensions: expertise, resources, motives, and the time available to cyber criminals. These dimensions vary continuously and are strongly influenced by the profile of the organization. In addition, the recording of these events by the organization may be neither complete nor objective. Organizations should perform penetration tests regularly. These tests should be carried out by independent companies in the field, without the organization’s employees’ prior knowledge, and should simulate the attackers’ profile for each new dimension (know-how, resources, motives, and time).
KPMG, having recognized this need of businesses, has made cyber security one of its six growth initiatives, strengthening and deepening the scope of the relevant services through significant investment in R&D and acquisitions of companies specializing in cyber security. As a result, we have been recognized as a leader in this area in Forrester’s new report titled ‘The Forrester Wave™: Information Security Consulting Services, Q1 2016’.
© 2017 KPMG Advisors AE, a Greek Societe Anonyme and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.