Cyber Resilience | KPMG | IE
“Why would anyone want to attack us, we are an aviation leasing company?”

Your perception of cyber security is very different the day after an incident than the day before, which is why I have been asked this question when sitting opposite clients in the aftermath.

Globally, just over two in five CEOs say they feel prepared for a cyber event. With spending on cyber security products expected to top the US$113bn mark by 2020 and reports of data loss making the headlines almost daily, why in the age of mature cyber security products do large scale breaches continue to happen?

Cyber criminals are employing tools of an increasing complexity and deploying them in an ever more sophisticated manner, using the same enterprise levels of organisation, artificial intelligence and machine learning solutions that security professionals aspire to possess.

The emergence of very strong encryption in readily available communication apps, together with the layered security model of the “dark web” hosting online stores for criminal goods and services, means that the likelihood of detection has decreased dramatically.

Cybercrime has now overtaken “traditional” crime as the key enabler of fraud, and the value of financial transactions in the aviation leasing industry makes it a lucrative target for cyber criminals.

Point and click cyber weapons, loaded with an array of ransomware, phishing kits and compromised networks used to launch denial of service attacks, are easily and cheaply obtained on the dark web. The means to carry out those attacks is becoming easier to acquire and, in many cases, free of charge to the attacker.

A Distributed Denial of Service (DDoS) attack can be hired for as little as US$7 per hour, while the cost of mitigation is estimated at over $100,000 per hour. Incredibly, this puts the cost of performing an attack on a par with going to see a movie.

This has created a lucrative “gun for hire” marketplace on the internet. Distance, time of day and the innocence of the target are irrelevant if the price is right and a return on investment can be realised. Making money is the real motivation behind current cyber-criminal activity, and that answers the question, “why us?”

Cyber security as an essential business operation

According to Verizon, which analysed 42,068 incidents and 1,935 breaches from 65 organisations in 84 countries, 51 percent of breaches involved organised criminal groups.

Attacks can be targeted, where you are of interest to an attacker because of the value of your business transactions, or you could simply be the victim of a “scatter gun” approach, where you consume an IT product or service that has been compromised through poor security design or has reached end of life and can no longer be supported.

The cost of defence has escalated over time, usually as a reaction to a high profile event. Typically spending on Cyber Security now outpaces operational IT at a ratio of seven to one, an unsustainable strategy.

Firms are coming under pressure to contain their burgeoning cyber security budgets, and there is an opportunity to look at the business holistically. Doing so would ensure that expenditure is focused on the true risks posed to their digital assets, rather than procuring multiple layered technical solutions (which ultimately no one entirely understands) to plug perceived security gaps.

Embracing emerging technology, and adopting maturing services such as Cloud, allows us to innovate and transform our business but requires the consideration of cyber security as an essential business operation.

The challenge is transforming our cyber security position from a basic one, to a more mature model whilst doing so in a timeframe that avoids obsolescence. As the aviation industry increasingly delivers and receives services via digital channels, Cyber Security by design and by default is a requirement. This is a core concept in transforming business in a rapidly changing environment.

Cyber resilience

In the 2018 KPMG CEO Outlook report ‘Disrupt and Grow’, over half of the CEOs consulted (56 percent) believe they need to do more to combat cyber security ‘fatigue’ in their organisation.

The apparent failure to explicitly identify and manage risks around cyber security, whilst noting the need to embrace emerging technology, might suggest a potential misdirection of effort, and resources, when dealing with the risks and opportunities around the application of technology within the business environment.

It is possible that the current approach to securing our technology has not fully lived up to expectations, and that no magic bullet or box exists to solve the end to end, multidirectional attack vectors employed with ever more efficiency and effectiveness by the modern cyber-criminal.

Cyber security professionals have repeated the “defence in depth” mantra for well over a decade, and the current theme is focussed on the people, process and technology aspects within the cyber ecosystem.

Evolving from those traditional models is a different way of considering the overall approach to securing our assets, designed to reduce the risk of a “hit” from whichever direction it comes. This approach is called Cyber Resilience.

Cyber resilience is being able to prepare for, withstand, rapidly recover from and learn from deliberate attacks or accidental events online. Cyber security is a key element of resilience, but cyber resilient organisations recognise that operating safely in a digital environment goes far beyond purely technical measures. By building an end to end understanding of cyber risks and threats, and aligning them to business objectives, they are able to take the appropriate measures to protect their digital assets and maximise the opportunities available online.

Cyber Resilience also creates opportunities to increase the security awareness of staff, management and the board, reducing their riskier behaviours and creating a clear line of sight between business objectives, Digital Strategy and Cyber Security implementation.

The question lessors have asked is: how can I implement cyber resilience in practice?

In practice

Cyber resilience is a process of continual refinement and relies on organisations understanding the quantity, sensitivity and location of the assets to be protected. The new General Data Protection Regulation (GDPR), effective from 25th May 2018, has mandated this approach to information asset management for the personal information of EU citizens. Our experience with aviation leasing clients in implementing processes to support GDPR highlighted the effort required to meet basic compliance, but the result was a much stronger position with regard to their data management and protection of information assets. A similar approach to cyber resilience is required.

The process for achieving cyber resilience is a framework containing five pillars: identify, protect, detect, respond and recover. You evaluate each pillar against your organisation’s cyber security strategy to reduce the risk of adopting a static security posture in an ever evolving threat landscape, and to ensure that business rules continue to be applied, via the use of technology, in the way they were designed.

By evaluating the risk posed by each weakness and identifying which are the most critical, you should be able to improve your preparedness for an attack, including managing and focusing spending on protecting the ‘crown jewels’. With each scheduled cycle of assessments the security strategy is re-evaluated and, since every organisation has unique systems and different security needs, the results of each series of assessments are measured against the current threat environment and the acceptable risk level for the organisation, rather than against a relatively generic series of standards and checklists.

Our discussions on Cyber Resilience with aviation leasing clients are often targeted at board level, as the board is ultimately accountable for managing the risk.

From a Board perspective, therefore, it is important to de-mystify the concept of “cyber security” and how it relates specifically to an aviation leasing business. One size will not fit all; however, every client, regardless of size, can take steps to help identify and respond to an incident. Technical support and software based solutions are only part of the answer, and clients of all sizes seek advice on how to identify and respond to the risks posed to their assets from both cyber criminals and non-malicious actions, specifically centred on people, process and technology.

Our message to clients is that Cyber Security is a number of things executed effectively. So where can I start, or continue, the journey to cyber resilience?

Practical steps which a Board can take to help support cyber resilience

As a starting point, Board members should consider the following areas of focus. A number of these steps can be taken at minimal incremental cost, beginning with a cyber focused risk assessment:

  1. Identify Critical Assets – both key systems and information assets. It is essential to understand what we are trying to protect and to make investment decisions on cyber defence based upon the most critical assets.
  2. Risk Assessment – a risk assessment will help to understand how the threats to our assets are currently managed and to identify and prioritise further mitigating actions, whilst ensuring ongoing focus on the issue at Board level. For key systems and information assets, consider the arrangements in place over access, backup, technical support, business continuity and protection against attack. Consider who might be interested in disrupting these systems or stealing your data. An informed risk assessment will help build effective defences. Data leakage via hacking, phishing and other social engineering attacks would give a criminal gang the capability to misrepresent your company, allowing them to change standing financial data such as bank account details, thereby redirecting legitimate payments or creating fictional invoices against your assets.
  3. Incident response – consider how critical the identified key systems are to your business and, in the event of an attack or disruption, how quickly you would seek to restore them; critical systems should be prioritised. Develop (and test) an incident response plan which can be enacted in the event of an attack. This will help to ensure that the appropriate personnel (within the organisation and outsourced technical support) are quickly engaged, and that priority is given to isolation (and restoration) of key systems. The minutes and hours after an event are critical – be prepared.
  4. Review your own General IT Control environment – from maintaining up to date policies and procedures through to regularly reviewing access and user rights to the network and key applications. Consider limiting the use of removable media; all laptops and removable media should be encrypted and regularly scanned for malware.
  5. Staff awareness – staff are a critical element of cyber defence, particularly in relation to attempts at cyber fraud or theft, phishing, data theft or corruption, or transmitting malware. Ensure they understand corporate policies covering acceptable and secure use of IT equipment. Encourage them to think twice before opening an unsolicited email attachment or acting upon unusual requests (even if they appear to come from senior management).
  6. Network security – seek support from IT specialists to ensure robust network access protocols (including user and device authentication) and defences such as firewall, antivirus and anti-malware. All systems and networks should be continuously monitored for unusual activity and for attempted or actual attacks.
  7. System updates and security patches – ensure that system software updates and security patches are applied as they become available. These are often issued by software providers to address known vulnerabilities or threats. Cyber attackers frequently exploit known system vulnerabilities, so timely application of system updates is essential.
  8. Data management – cyber-attacks often target company data, either to corrupt it, steal it or demand a ransom. The General Data Protection Regulation (‘GDPR’), effective May 2018, has heightened awareness of the importance of robust data management and places a significant additional burden on companies in relation to any personal data they hold. All companies should take stock of their data management policies, procedures and processes (and indeed only hold essential data), and reinforce controls to ensure secure data storage.
  9. Use of cloud based services – many companies are choosing to outsource their systems and data to third parties. Whilst this has many potential benefits, care should be taken to obtain assurance from third party providers (with their obligations embedded within contracts), particularly with regard to business continuity, security of systems and data, and timely reporting of any attempted security attacks.

The five pillar model

The five pillar model is consistent with the EU Directive on Network and Information Security (NIS), with the approach of the US National Institute of Standards and Technology (NIST), and with the UK National Cyber Security Centre (NCSC) 10 Steps to Cyber Security. It employs a number of key building blocks proportionate to organisations of all sizes, with an end to end continual assessment of each activity clearly described.

It is also the approach KPMG uses in delivering Cyber Security Services to our clients.

We define Cyber Resilience in six core interdependent domains:

  • Cyber Governance
  • Privacy Management
  • Asset Management
  • Access Management
  • Technical Control, and
  • Incident Response

With the right governance structures and processes, information and appliance asset management, identity and access management for customers and staff, technical measures to protect network boundaries and gateways, and response plans that are effective when needed, an organisation can consider itself resilient in the face of cyber risk.

Summary

  • Aviation leasing companies are a high value target for cyber criminals due to the scale of their financial transactions, and the rewards from compromising these transactions (even on a one off basis) are lucrative;
  • The internet and the dark web are making it easier for unskilled criminals to carry out cyber-attacks;
  • The typical reaction is to throw money at the problem, unfortunately only after an attack;
    • This is not the correct approach; spending should be considered as part of an overall risk based approach
    • It is easier to budget for deterrence; the costs of remediation after an incident are unknown and likely to escalate quickly
  • A lot of good work has been done to implement GDPR, and it provides a strong data management policy on which to build Cyber Resilience;
  • Increased delivery of services via digital channels requires security by design and by default; and
  • The minutes and hours after an incident are critical. Have a well designed and tested response plan.

Contacts

  • Kieran O’Brien - Head of Aviation Finance & Leasing Advisory, KPMG in Ireland
  • Mike Daughton – Partner, Risk Consulting, KPMG in Ireland
  • Tony Hughes – Associate Director Cyber Security Services, KPMG in Ireland.