With the unprecedented increase in cyber-attacks, it’s not a matter of if, but when, your business, regardless of size, will be targeted.
IT investment tops the agenda at many companies. From digital to data, and machine learning to robotics, technology is hoovering up funds. But there is one IT-related area that people often wish would go away: cyber security. This has been on the tech risk radar for so long that a sense of cyber fatigue has set in. And yet companies should be investing more time and energy in cyber protection and resilience, not less. The involvement of organised crime means that cyber attacks now cost the global economy an estimated $450 billion a year – and rising.
The changing nature of these attacks means that no business which operates online is completely safe. Every organisation needs to consider the cyber risks it faces and the impact an attack might have. Only then can an organisation assess what a cyber threat might mean to its business – and perhaps its very survival.
This requires a radical rethink on the part of internal audit. IA generally focuses on mapping control networks as a way of preventing cyber crime. The problem is that this does not always mirror how the crimes are committed.
It’s time for a different approach. Our advice is: think like a criminal. Cyber criminals are rational businesspeople who are looking for a return on their investment in the tactics and tools they use to steal, to commit fraud and to extort money. One thing they do not do is think in organisational silo structures – and so neither should the IA team.
Even though the cyber threat is continually changing, the basic controls and governance over cyber are much the same as they were 20 years ago, with a combination of technological and behavioural controls within a strong but agile governance framework being the best.
However, many organisations are still failing to get the basics right or to apply their controls and governance consistently. The key is to concentrate on operational resilience – focusing on the threats, assessing what the organisation is trying to defend against, and then aligning the objectives of its distinct levels of controls.
Building up true resilience relies on understanding just how interconnected and interdependent the different segments of the organisation are, as well as the third parties they rely on. Only by gaining a holistic view of the entire business can those charged with keeping it secure form a true picture of its weak spots and vulnerabilities. By understanding the adversarial nature of cyber threats and the cascade of consequences that follows a cyber strike, organisations can prepare for a swift and agile response to attacks – the mark of a properly resilient organisation.
Start by asking: what stage is our organisation at in our management of cyber risk?
Too many companies either deny that it is a problem for them or have false confidence in their processes. At the other end of the scale, there are business worriers who want as much security as possible – without realising the impact on day-to-day business. Neither of these extreme positions is helpful.
This is why we suggest organisations get the threats they face in perspective, by considering what cyber criminals might be after and how they could get it. Use credible attack scenarios to test the adequacy and integration of controls. Build buy-in from the organisation’s leaders for controls to apply in a proportionate way across all areas of the business. Think about what your organisation needs to do to survive and rebuild after a major cyber attack. Your future could depend on this.
© 2018 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.