Clarity on Cyber Security
TRANSCRIPT
© 2015 KPMG AG/SA, a Swiss corporation, is a subsidiary of KPMG Holding AG/SA, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks.
Agenda
10:00 Welcome: Andreas Hammer, Head of Corporate Communications, KPMG Switzerland
10:05 Introduction: Gerben Schreurs, Partner Forensic, KPMG Switzerland
Study Results: Matthias Bossardt, Head of Cyber Security, KPMG Switzerland
11:00 Questions & Answers
11:30 Lunch
Why this study?
It is important to be able to convert threats into opportunities: focus on what you are best at and build up proactive strategies.
• Most news articles contain fear, uncertainty and doubt
• Most studies are global and do not take local culture into account
• This study focuses specifically on Switzerland
The world's most innovative economy is an attractive target for cyber attacks. Are Swiss companies prepared to defend themselves?
A better understanding of the cyber risk is the first step away from a reactive towards a predictive cyber defense strategy.
Methodology of the Survey
• Online survey with 30 questions
• 64 participants from C-Level
• 27 working for large enterprises (> 5,000 FTEs)
• 37 from small and mid-size companies
• Personal interviews were conducted with four Swiss business representatives of large companies
• Evaluation of the results was carried out by a team of KPMG cyber security experts.
• The content of the study results is enriched with the experience of the KPMG consulting practice.
Distribution by sector
Cross-sector, with the largest response from the financial services (FS) sector; 42% of respondents are from large enterprises and 58% from small and medium-size companies.
Tackling cyber threats – how relevant is it?
76% believe that cyber security is NOT a hype that will subside
Cyber security is here to stay. Given the potential impact on companies, it rightfully resides on the board-level agenda.
63% consider themselves as an attractive target
69% of the Executive Boards consider cyber security an operational risk
95% state they cannot defend themselves in isolation
71% have annually increased their budget for cyber security over the past 5 years
Structure of our results
From reactive to predictive
Understand the cyber risk
More than technology
Understand the cyber risk – the lack of insights
• Lack of understanding of the risk: what is at stake for the company
• Communication gap to the board: how to provide jargon-free insights
44% of the respondents state that the Executive Board is sufficiently aware of the risks of cyber-crime
44% say that the Executive Board considers cyber security a technical issue
46% state that the Executive Board does not have any method to measure the cyber risk to the business
50% of the large companies have no insight into the damage
Understand the cyber risk – reporting
58% say that “security” doesn't report to the executive board directly
54% say that “security” is communicating effectively and using the right jargon
For the strategic topic of cyber, the right audience (the executives) is not always addressed. Using the right language to discuss the cyber risk at board level remains a challenge for many companies.
Understand the cyber risk – third parties and outsourcing
59% are not convinced, or do not know, whether their providers understand how to defend against cyber attacks
15% of non-financial institutions and 25% of financial institutions feel that their understanding, visibility and control over cyber security has worsened after outsourcing
Perimeters between companies are blurred due to increased connectivity. More insight and transparency is required in relation to the cyber security capabilities of third parties.
More than technology
61% state that the primary focus for cyber security is too technical
36% believe employees are sufficiently aware of the cyber risk
[Figure: cyber security capability model with four layers]
• Planning and Control: Risk Management; Portfolio, Programme and Project Management; Vendor & Supplier Management
• Implementation: Technology; People; Processes
• Foundations: Governance; Funding & Sponsorship; Policy; Ownership; Accountability
• Understanding: Business Strategy & Goals; Assets; Intelligence; Regulatory Environment
More than technology – need for a plan
51% believe that cyber attacks cannot be prevented completely
53% believe they would recognize an attack and have the skills to respond adequately
More than technology – response planning
45% of all respondents say there is no incident response plan
Only 14% of the existing plans are being tested
7.7% of the companies have a response plan and test it
CYBERCRIME DEFENSE FRAMEWORK (columns: PREVENT, DETECT, RESPOND; rows: People, Processes, Technology; within each row the measures are listed from prevent to respond)
PEOPLE: Risk awareness and technology understanding training; Corporate attitude programs; Security operations centre; Crisis organisation; Communications
PROCESSES: Compliance monitoring; Vulnerability monitoring; Security testing; Patch management; Incident preparedness training; Incident monitoring; Emergency hotline; Attack mitigation procedures; High-value asset isolation procedures
TECHNOLOGY: Segmentation; Endpoint and perimeter protection; Security baselines; Logging and alarming; Incident dashboards; Data collection and preservation; Forensic analysis; Data recovery
45% have no response plan in place
• 32% of large enterprises
• 52% of financial institutions
• 53% of SMEs
Cycle of complacency
53% believe their organization is able to detect ongoing cyber attacks
45% have no response plan to cyber incidents
7% didn’t take any measure after a cyber attack
79% made no changes to their response plans in the last 12 months
The vicious cycle of complacency
Managing third party service providers
Many successful attacks nowadays exploit third-party vulnerabilities
36% include cyber security measures in their contracts with third parties
14% review and test whether third parties comply with contractually agreed cyber security measures
From Reactive to Predictive
55% say their organization is compliance driven rather than security driven
51% say attackers will always win eventually; successful cyber attacks cannot be prevented
95% state they cannot defend themselves in isolation
Maturity stages: Reactive (Ad-hoc), Structured, Integrated, Predictive
75% agree that a main reason for intensifying controls is the occurrence of an incident
Most companies are here: mostly reactive, with some structures for compliance
The most advanced companies currently work towards an integrated security capability
Key conclusions
From reactive to predictive
Given the strategic relevance of cyber security, a reactive approach to managing the cyber risk is no longer sustainable. The attention of the board presents an ideal momentum to develop an insight-based, risk-focused and predictive management of cyber risk.
Understand the cyber risk
Whilst cyber security is on top of many board agendas, companies struggle to properly assess, measure and communicate to what extent the resilience of their business is at risk. This understanding is paramount in order to tackle cyber risk effectively.
More than technology
Whereas cyber crime has a strong connotation with “technology”, fighting it effectively requires an integrated and balanced approach involving people and processes as well as technology.