Cyber security it’s not just about technology

Recommendations

Info

02The five most common cybersecurity mistakesTo many, cyber security is a bit of a mystery. This lack of understanding has createdmany misconceptions among management about how to approach cyber security.From our years of experience, we have seen the following five cyber securitymistakes repeated over and over – often with drastic results.1Mistake: “We have to achieve100 percent security”Reality: 100 percent security is neitherfeasible nor the appropriate goalAlmost every airline company claims thatflight safety is its highest priority whilerecognizing that there is an inherent risk inflying. The same applies to cyber security.Whether it remains private or is madepublic, almost every large, well-knownorganization will unfortunately experienceinformation theft.Developing the awareness that100 percent protection against cyber crimeis neither a feasible nor an appropriategoal is already an important step towardsa more effective policy, because it allowsyou to make choices about your defensiveposture. A good defensive postureis based on understanding the threat(i.e., the criminal) relative to organizationalvulnerability (prevention), establishingmechanisms to detect an imminent oractual breach (detection) and establishinga capability that immediately deals withincidents (response) to minimize loss.In practice, the emphasis is oftenskewed towards prevention – theequivalent to building impenetrablewalls to keep the intruders out. Onceyou understand that perfect securityis an illusion and that cyber securityis “business as usual,” you alsounderstand that more emphasis must beplaced on detection and response. Aftera cyber crime incident, which may varyfrom theft of information to a disruptiveattack on core systems, an organizationmust be able to minimize losses andresolve vulnerabilities.2Mistake: “When we invest in bestof-classtechnical tools, we are safe”Reality: Effective cyber security is lessdependent on technologythan you thinkThe world of cyber security is dominatedby specialist suppliers that sell technicalproducts, such as products that enablerapid detection of intruders. These toolsare essential for basic security, andmust be integrated into the technologyarchitecture, but they are not the basis ofa holistic and robust cyber security policyand strategy. The investment in technicaltools should be the output, not the driver,of cyber security strategy. Good securitystarts with developing a robust cyberdefense capability. Although this isgenerally led by the IT department, theknowledge and awareness of the enduser is critical. The human factor is andremains, for both IT professionals andthe end user, the weakest link in relationto security. Investment in the best toolswill only deliver the return when peopleunderstand their responsibilities to keeptheir networks safe. Social engineering,in which hackers manipulate employeesto gain access to systems, is still one ofthe main risks that organizations face.Technology cannot help in this regardand it is essential that managers takeownership of dealing with this challenge.They have to show genuine interest andbe willing to study how best to engagewith the workforce to educate staff andbuild awareness of the threat from cyberattack. This is often about changing theculture such that employees are alertto the risks and are proactive in raisingconcerns with supervisors.5 | Cyber security: it’s not just about technology© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. Printed in the U.S.A. The KPMG name, logo and “cutting through complexity” are registeredtrademarks or trademarks of KPMG International. NDPPS 264522
3Mistake: “Our weapons have to bebetter than those of the hackers”Reality: The security policy shouldprimarily be determined by yourgoals, not those of your attackersThe fight against cyber crime is anexample of an unwinnable race.The attackers keep developing newmethods and technology and thedefense is always one step behind.So is it useful to keep investing inincreasingly sophisticated tools toprevent attack?While it is important to keep up to dateand to obtain insights into the intentionof attackers and their methods, it iscritical for managers to adopt a flexible,proactive and strategic approach tocyber security. Given the immeasurablevalue of a company’s information assets,and the severe implication of any losson the core business, cyber securitypolicies need to prioritize investment intocritical asset protection, rather the latesttechnology or system to detect everyniche threat.First and foremost, managers needto understand what kinds of attackerstheir business attracts and why.An organization may perceive the valueof its assets differently than a criminal.How willing are you to accept risksto certain assets over others? Whichsystems and people store your keyassets, keeping in mind that businessand technology have developed as chainsand are therefore codependent on eachother’s security?4Mistake: “Cyber security complianceis all about effective monitoring”Reality: The ability to learn is just asimportant as the ability to monitorReality shows that cyber security isvery much driven by compliance. Thisis understandable, because manyorganizations have to accommodatea range of laws and legislation.However, it is counterproductive toview compliance as the ultimate goal ofcyber security policy.Only an organization that is capable ofunderstanding external developmentsand incident trends and using this insightto inform policy and strategy will besuccessful in combating cyber crimein the long term. Therefore, effectivecyber security policy and strategyshould be based on continuous learningand improvement.• Organizations need to understandhow threats evolve and how toanticipate them. This approach isultimately more cost-effective in thelong term than developing ever-highersecurity “walls.” This goes beyondthe monitoring of infrastructure:it is about smart analysis of externaland internal patterns in order tounderstand the reality of the threatand the short-, medium- and long-termrisk implications. This insight shouldenable organizations to make sensiblesecurity investment choices, includinginvesting to save. Unfortunately, inpractice, many organizations do nottake a strategic approach and donot collect and use the internal dataavailable to them.• Organizations need to ensure thatincidents are evaluated in such away that lessons can be learned.In practice, however, actions aredriven by real-time incidents andoften are not recorded or evaluated.This destroys the ability of theorganization to learn and put bettersecurity arrangements in place inthe future.© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. Printed in the U.S.A. The KPMG name, logo and “cutting through complexity” are registeredtrademarks or trademarks of KPMG International. NDPPS 264522Cyber security: it’s not just about technology | 6
Page 1 and 2: Cyber security:it’s not just abou
Page 3 and 4: ContentsPreface 101 Understanding t
Page 5: What is cyber crime and who is carr
Page 11: 8 | Telelens op de toekomst03The ke
Page 14: 05Are you ready for action?Cyber se

Cyber security it’s not just about technology

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?