clarity on cyber security

Cyber Security: Swiss Survey towards understanding the cyber risk – Media Conference, 6 May 2015

Upload: kpmg-switzerland

Posted on 16-Jul-2015

Cyber Security: Swiss Survey towards understanding the cyber risk

Media Conference

6 May 2015

© 2015 KPMG AG/SA, a Swiss corporation, is a subsidiary of KPMG Holding AG/SA, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks.

Agenda

10:00 Welcome – Andreas Hammer, Head of Corporate Communications, KPMG Switzerland

10:05 Introduction – Gerben Schreurs, Partner Forensic, KPMG Switzerland

Study Results – Matthias Bossardt, Head of Cyber Security, KPMG Switzerland

11:00 Questions & Answers

11:30 Lunch

Introduction

Gerben Schreurs, Partner Forensic, KPMG Switzerland


Why this study?

Important to be able to convert the threats into opportunities. Focus on what you're best at and the build-up of proactive strategies.

• Most news articles contain fear, uncertainty and doubt

• Most studies are global and do not take local culture into account

• Focus specifically on Switzerland

The world's most innovative economy is an attractive target for cyber attacks. Are Swiss companies prepared to defend themselves?

A better understanding of the cyber risk is the first step away from a reactive towards a predictive cyber defense strategy.


Methodology of the Survey

• Online survey with 30 questions

• 64 participants from C-Level

• 27 working for large enterprises (> 5,000 FTEs)

• 37 from small and mid-size companies

• Personal interviews were conducted with four Swiss business representatives of large companies

• Evaluation of the results was carried out by a KPMG cyber security team of experts.

• The content of the study results is enriched with the experience of the KPMG consulting practice.


Distribution by sector

Cross-sector, with the largest response from the financial services (FS) sector. 42% of respondents are from large enterprises, 58% from small and medium-sized companies.

Study Results

Matthias Bossardt, Head of Cyber Security, KPMG Switzerland


Tackling cyber threats – how relevant is it?

76% believe that cyber security is NOT a hype that will subside

Cyber security is here to stay. Given the potential impact on companies, it rightfully resides on the board-level agenda.

63% consider themselves an attractive target

69% of the Executive Boards consider cyber security an operational risk

95% state they cannot defend themselves in isolation

71% have annually increased their budget for cyber security over the past 5 years


Structure of our results

From reactive to predictive

Understand the cyber risk

More than technology

Understand the cyber risk


Understand the cyber risk – the lack of insights

Lack of understanding of the risk – what is at stake for the company. Communication gap to the board – how to provide jargon-free insights.

44% of the respondents state that the Executive Board is sufficiently aware of the risks of cyber-crime

44% say that the Executive Board considers cyber security a technical issue

46% state that the Executive Board does not have any method to measure the cyber risk to the business

50% of the large companies have no insight into the damage


Understand the cyber risk – reporting

58% say that “security” doesn't report to the executive board directly

54% say that “security” is communicating effectively and using the right jargon

For the strategic topic of cyber security, the right audience (the executives) is not always addressed. Using the right language to discuss the cyber risk at board level remains a challenge for many companies.


Understand the cyber risk – third parties and outsourcing

59% are not convinced, or do not know, whether their providers understand how to defend against cyber attacks

15% of non-financial institutions and 25% of financial institutions feel that their understanding, visibility and control over cyber security has worsened after outsourcing

Blurred perimeters between companies due to increased connectivity. More insight and transparency is required in relation to the cyber security capabilities of third parties.

More than technology


More than technology

61% state that the primary focus for cyber security is too technical

36% believe employees are sufficiently aware of the cyber risk

[Diagram: the layers of a cyber security capability]

Understanding: Business Strategy & Goals; Assets; Intelligence; Regulatory Environment

Foundations: Governance; Funding & Sponsorship; Policy; Ownership; Accountability

Planning and Control: Risk Management; Portfolio, Programme and Project Management; Vendor & Supplier Management

Implementation: Technology; People; Processes


More than technology – need for a plan

51% believe that cyber attacks cannot be prevented completely

53% believe they would recognize an attack and have the skills to respond adequately


More than technology – response planning


45% of all respondents say there is no incident response plan

Only 14% of the existing plans are being tested

7.7% of the companies have a response plan and test it (14% of the 55% that have a plan)

CYBERCRIME DEFENSE FRAMEWORK

Columns: PREVENT – DETECT – RESPOND (the measures in each row below are listed in that order, from prevention to response)

PEOPLE

• Risk awareness and technology understanding training

• Corporate attitude programs

• Security operations centre

• Crisis organisation

• Communications

PROCESSES

• Compliance monitoring

• Vulnerability monitoring

• Security testing

• Patch management

• Incident preparedness training

• Incident monitoring

• Emergency hotline

• Attack mitigation procedures

• High-value asset isolation procedures

TECHNOLOGY

• Segmentation

• Endpoint and perimeter protection

• Security baselines

• Logging and alarming

• Incident dashboards

• Data collection and preservation

• Forensic analysis

• Data recovery

45% have no response plan in place:

• 32% of large enterprises

• 52% of financial institutions

• 53% of SMEs


Cycle of complacency

53% believe their organization is able to detect ongoing cyber attacks

45% have no response plan to cyber incidents

7% didn’t take any measure after a cyber attack

79% made no changes to their response plans in the last 12 months

The vicious cycle of complacency


Managing third party service providers

Many successful attacks nowadays exploit third-party vulnerabilities

36% include cyber security measures in their contracts with third parties

14% review and test whether third parties comply with the contractually agreed cyber security measures

From reactive to predictive


From Reactive to Predictive

55% say their organization is rather compliance-driven than security-driven

51% say attackers will always win eventually; successful cyber attacks cannot be prevented

95% state they cannot defend themselves in isolation

Maturity stages: Reactive (Ad-hoc) – Structured – Integrated – Predictive

75% agree that a main reason for intensifying controls is the occurrence of an incident

Most companies are mostly reactive, with some structures for compliance

The most advanced companies currently work towards an integrated security capability

Key conclusions


Key conclusions

From reactive to predictive

Given the strategic relevance of cyber security, a reactive approach to managing the cyber risk is no longer sustainable. The attention of the board presents an ideal momentum to develop an insight-based, risk-focused and predictive management of cyber risk.

Understand the cyber risk

Whilst cyber security is on top of many board agendas, companies struggle to properly assess, measure and communicate to what extent the resilience of their business is at risk. This understanding is paramount in order to tackle cyber risk effectively.

More than technology

Whereas cyber crime has a strong connotation with “technology”, fighting it effectively requires an integrated and balanced approach involving people and processes as well as technologies.
