
Cyber security: it’s not just about technology
The five most common mistakes

kpmg.com


© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. NDPPS 264522


Contents

Preface
01 Understanding the cyber risk
02 The five most common cyber security mistakes
03 The key is customization
04 The six dimensions of cyber maturity
05 Are you ready for action?


Preface

Cyber security is an important concern for every organization. Daily occurrences demonstrate the risk posed by cyber attackers—from individual, opportunistic hackers, to professional and organized groups of cyber criminals with strategies for systematically stealing intellectual property and disrupting business.

The management of any organization faces the task of ensuring that its organization understands the risks and sets the right priorities. This is no easy task in light of the technical jargon involved and the pace of change.

Focusing on technology alone to address these issues is not enough. Effectively managing cyber risk means putting in place the right governance and the right supporting processes, along with the right enabling technology.

This complexity, however, cannot be an excuse for company management to divest responsibility to technical “experts.” It is essential that leaders take control of allocating resources to deal with cyber security, actively manage governance and decision making over cyber security, and build an informed and knowledgeable organizational culture.

This white paper provides essential insights for management to get the basics right. We’ll cover the world of cyber crime today, explore five common cyber security mistakes, explain the importance of customizing cyber security policies, outline the critical dimensions of a strong cyber security model, and look at key questions to help you navigate the “new normal” of cyber security.

Steve Barlock, Principal, Advisory, Information Protection and Business Resilience
Tony Buffomante, Principal, Advisory, Information Protection and Business Resilience
Fred Rica, Principal, Advisory, Information Protection and Business Resilience


What is cyber crime and who is carrying it out?

Cyber crime is a range of illegal digital activities targeted at organizations in order to cause harm. The term applies to a wide range of targets and attack methods.

Understanding the “actor,” i.e. the person or organization that is sponsoring or conducting the attacks, is essential for effective defense. Actors can be divided into four categories:

1. An individual hacker, generally acting alone and motivated by being able to show what he/she can do
2. The activist, focused on raising the profile of an ideology or political viewpoint, often by creating fear and disruption
3. Organized crime, focused solely on financial gain through a variety of mechanisms, from phishing to selling stolen company data
4. Governments, focused on improving their geopolitical position and/or commercial interests

Attacks by these different actors have a number of different characteristics, such as the type of target, the attack methods and scale of impact.


02 The five most common cyber security mistakes

To many, cyber security is a bit of a mystery. This lack of understanding has created many misconceptions among management about how to approach cyber security. From our years of experience, we have seen the following five cyber security mistakes repeated over and over – often with drastic results.

1. Mistake: “We have to achieve 100 percent security”
Reality: 100 percent security is neither feasible nor the appropriate goal

Almost every airline company claims that flight safety is its highest priority while recognizing that there is an inherent risk in flying. The same applies to cyber security. Whether it remains private or is made public, almost every large, well-known organization will unfortunately experience information theft.

Developing the awareness that 100 percent protection against cyber crime is neither a feasible nor an appropriate goal is already an important step towards a more effective policy, because it allows you to make choices about your defensive posture. A good defensive posture is based on understanding the threat (i.e., the criminal) relative to organizational vulnerability (prevention), establishing mechanisms to detect an imminent or actual breach (detection) and establishing a capability that immediately deals with incidents (response) to minimize loss.

In practice, the emphasis is often skewed towards prevention – the equivalent to building impenetrable walls to keep the intruders out. Once you understand that perfect security is an illusion and that cyber security is “business as usual,” you also understand that more emphasis must be placed on detection and response. After a cyber crime incident, which may vary from theft of information to a disruptive attack on core systems, an organization must be able to minimize losses and resolve vulnerabilities.

2. Mistake: “When we invest in best-of-class technical tools, we are safe”
Reality: Effective cyber security is less dependent on technology than you think

The world of cyber security is dominated by specialist suppliers that sell technical products, such as products that enable rapid detection of intruders. These tools are essential for basic security, and must be integrated into the technology architecture, but they are not the basis of a holistic and robust cyber security policy and strategy. The investment in technical tools should be the output, not the driver, of cyber security strategy. Good security starts with developing a robust cyber defense capability. Although this is generally led by the IT department, the knowledge and awareness of the end user is critical. The human factor is and remains, for both IT professionals and the end user, the weakest link in relation to security. Investment in the best tools will only deliver the return when people understand their responsibilities to keep their networks safe. Social engineering, in which hackers manipulate employees to gain access to systems, is still one of the main risks that organizations face. Technology cannot help in this regard and it is essential that managers take ownership of dealing with this challenge. They have to show genuine interest and be willing to study how best to engage with the workforce to educate staff and build awareness of the threat from cyber attack. This is often about changing the culture such that employees are alert to the risks and are proactive in raising concerns with supervisors.


3. Mistake: “Our weapons have to be better than those of the hackers”
Reality: The security policy should primarily be determined by your goals, not those of your attackers

The fight against cyber crime is an example of an unwinnable race. The attackers keep developing new methods and technology and the defense is always one step behind. So is it useful to keep investing in increasingly sophisticated tools to prevent attack?

While it is important to keep up to date and to obtain insights into the intention of attackers and their methods, it is critical for managers to adopt a flexible, proactive and strategic approach to cyber security. Given the immeasurable value of a company’s information assets, and the severe implication of any loss on the core business, cyber security policies need to prioritize investment into critical asset protection, rather than the latest technology or system to detect every niche threat.

First and foremost, managers need to understand what kinds of attackers their business attracts and why. An organization may perceive the value of its assets differently than a criminal. How willing are you to accept risks to certain assets over others? Which systems and people store your key assets, keeping in mind that business and technology have developed as chains and are therefore codependent on each other’s security?

4. Mistake: “Cyber security compliance is all about effective monitoring”
Reality: The ability to learn is just as important as the ability to monitor

Reality shows that cyber security is very much driven by compliance. This is understandable, because many organizations have to accommodate a range of laws and legislation. However, it is counterproductive to view compliance as the ultimate goal of cyber security policy.

Only an organization that is capable of understanding external developments and incident trends and using this insight to inform policy and strategy will be successful in combating cyber crime in the long term. Therefore, effective cyber security policy and strategy should be based on continuous learning and improvement.

• Organizations need to understand how threats evolve and how to anticipate them. This approach is ultimately more cost-effective in the long term than developing ever-higher security “walls.” This goes beyond the monitoring of infrastructure: it is about smart analysis of external and internal patterns in order to understand the reality of the threat and the short-, medium- and long-term risk implications. This insight should enable organizations to make sensible security investment choices, including investing to save. Unfortunately, in practice, many organizations do not take a strategic approach and do not collect and use the internal data available to them.

• Organizations need to ensure that incidents are evaluated in such a way that lessons can be learned. In practice, however, actions are driven by real-time incidents and often are not recorded or evaluated. This destroys the ability of the organization to learn and put better security arrangements in place in the future.


• The same applies to monitoring attacks. In many cases, organizations have certain monitoring capabilities, but the findings are not shared with the wider organization. No lessons, or insufficient lessons, are learned from the information received. Furthermore, monitoring needs to be underpinned by an intelligence requirement. Only if you understand what you want to monitor does monitoring become an effective tool to detect attacks.

• Organizations need to develop an enterprise-wide method for assessing and reporting cyber security risks. This requires protocols to determine risk levels and escalations, and methods for equipping the board with insight into strategic cyber risks and the impacts to core business.

5. Mistake: “We need to recruit the best professionals to defend ourselves from cyber crime”
Reality: Cyber security is not a department, but an attitude

Cyber security is often seen as the responsibility of a department of specialist professionals. This mindset may result in a false sense of security and lead to the wider organization not taking responsibility.

The real challenge is to make cyber security a mainstream approach. This means, for example, that cyber security should become part of HR policy, even in some cases linked to remuneration. It also means that cyber security should have a central place when developing new IT systems, and not, as is often the case, be given attention only at the end of such projects.


03 The key is customization

The risks of cyber crime for a local entrepreneur compared to a globally operating multinational are vast. The former may not have the resources or expertise to adequately detect or prevent cyber crime. But the latter is a more attractive target to criminals: it is more visible, more dependent on IT, and has far more valuable assets. It is clear that both businesses need to adopt a customized approach to cyber security, based on the character of the organization, its risk appetite and the knowledge available. Consider how a jeweler arrives at the proper level of security through a strategic, realistic and customized approach to protecting its assets. Then compare it to the current common corporate approach to cyber security.

Jeweler’s perspective on theft security versus the corporate perspective on cyber security:

• Jeweler: I know which assets to protect and have set up the appropriate measures.
  Corporate: I take measures without having a clear idea of the assets it is essential to protect.

• Jeweler: I perceive theft as a risk in the business and know that realistically I can’t be in business if I want 100 percent security.
  Corporate: I see cyber crime as something exotic and strive to achieve 100 percent security.

• Jeweler: I focus on measures that prevent a person from leaving with valuable goods.
  Corporate: I focus on measures that prevent a person from entering and forget to take measures that prevent a person from taking away information.

• Jeweler: I do not let security suppliers spook me and I make my own purchasing decisions.
  Corporate: My security policy depends on the tools available in the marketplace, without knowing exactly what I need.

• Jeweler: When it goes wrong or almost goes wrong, I learn a lesson.
  Corporate: When it goes wrong or almost goes wrong, I panic.

• Jeweler: I train employees in how to reduce the risk of theft and talk to them when they make mistakes.
  Corporate: I view cyber security as mainly a matter for specialist professionals and don’t want to burden the rest of the organization with it.

• Jeweler: I invest in tools because they assist the continuity of my business.
  Corporate: I invest in tools because it is mandatory and because the media reports on incidents every day.


Business Continuity
Have we made preparations for a security event and the ability to prevent or minimize the impact through successful crisis and stakeholder management?

Operations and Technology
What is the level of control measures implemented to address identified risks and minimize the impact of compromise?

Legal and Compliance
Are we complying with relevant regulatory and international certification standards?

Addressing all six of these key dimensions can lead to a holistic cyber security model, providing the following advantages to any organization:

• Minimizing the risk of an attack on an organization by an outside cyber criminal, as well as limiting the impact of successful attacks
• Better information on cyber crime trends and incidents to facilitate decision making
• Clearer communication on the theme of cyber security, enabling everyone to know his or her responsibilities and what needs to be done when an incident has occurred or is suspected
• Improved reputation, as an organization that is well prepared and has given careful consideration to its cyber security is better placed to reassure its stakeholders
• Increased knowledge of competence in relation to cyber security
• Benchmarking the organization in relation to peers in the field of cyber security


05 Are you ready for action?

Cyber security must be on your agenda. Your management, boards, shareholders and clients all expect you to pay sufficient attention to this problem.

But just because you recognize the problem doesn’t mean you are ready for action. Developing a strategic, customized and comprehensive cyber security program, driven from the top, will help you avoid five common cyber security mistakes:

1. “We have to achieve 100 percent security”
2. “When we invest in best-of-class technical tools, we are safe”
3. “Our weapons have to be better than those of the hackers”
4. “Cyber security compliance is all about effective monitoring”
5. “We need to recruit the best professionals to defend ourselves from cyber crime”

If you have taken a holistic view of cyber security and can answer the following questions about your approach, you are ready for action!

1. How big is the risk for your organization and the organizations you do business with?
• How attractive is your organization to potential cyber criminals?
• How dependent is your organization on the services of partners, suppliers and other organizations, and how integrated are the corresponding IT processes?
• Do you know which processes and/or systems represent the greatest assets from a cyber security perspective?
• Have you considered how much risk you are willing to take in relation to these processes and/or systems, since there is no such thing as 100 percent security?
• Do your partners have the same risk appetite and cyber security measures as you do?
• Have you developed clear business cases for your cyber security investments?


For more information on the cyber maturity assessment, incident response or KPMG’s cyber security services, please visit us at www.kpmg.com/US/informationprotection or contact one of our Information Protection and Business Resilience team leaders:

Steve Barlock
Principal, Advisory
Information Protection and Business Resilience
T: 415-963-7025
E: sbarlock@kpmg.com

Tony Buffomante
Principal, Advisory
Information Protection and Business Resilience
T: 312-665-1748
E: abuffomante@kpmg.com

Fred Rica
Principal, Advisory
Information Protection and Business Resilience
T: 973-912-4524
E: frica@kpmg.com

kpmg.com

This document is a revision of The five most common cyber security mistakes: Management’s perspective on cyber security. Authored by John Hermans and Gerben Schreurs, KPMG Netherlands.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
