Organisations are keenly aware they need technical mechanisms in place to protect themselves from cyber security threats. As a result, most organisations have heavily invested in cyber security technologies.
However, this often fails to take account of two factors:
It only takes one slip-up, such as an inadvertent click on an infected email, the accidental emailing of a spreadsheet containing customer data or the slow application of a security patch, to bypass the technology investment.
"Cyber security is not a conversation about technical controls – it is a business conversation focused on the information assets and systems that are valuable to your organisation, the threats to these assets and mechanisms to manage the risk."
Partner, Technology Risk
An essential part of thwarting cyber attacks is broadening the definition of what security means to an organisation. Cyber security cannot be seen as separate from your core business processes. Organisations need to ensure that their key business processes (marketing, customer management, and merger, acquisition and divestment processes) as well as their user access management, risk, change, incident and program management processes, among others, take account of cyber security. These processes need to operate together to adequately protect your organisation.
Organisations are often overwhelmed by the sheer size of the task when it comes to cyber security. However, they are beginning to understand that protection is not about a blanket solution.
In fact, security efforts should be focused on the threats to your organisation’s information assets and network-connected physical assets, such as industrial control systems and building management systems. Questions you should be able to answer include:
Answering these questions will not necessarily lead to additional technical controls being required. In some organisations, anyone who accesses the IT environment has to undergo a two-stage authentication process. That can represent a disproportionately high cost if the environment contains assets of minimal value.
Instead, it should be a matter of protecting the information assets that really matter. This calls for targeted protection mechanisms – both from a technology perspective and from an awareness and process perspective. This is ultimately more effective than a blanket control, and could be considerably less expensive.
Cyber security is a long-standing risk, and while financial institutions and the defence and intelligence community are high on the security maturity curve, most organisations have some way to go.
It is only through understanding your assets, the corresponding threats and your desired risk profile, that you can determine your cyber security maturity level. Once you have established that baseline, you can develop a holistic approach to improve your overall cyber security maturity relating to people, processes and technology. This, in turn, provides your organisation with a strong cyber security foundation to allow your business to grow, transform and expand.
© 2017 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.