Page 1: DDOS and Building Business Resilience Presentation to ...isaca.or.ke/resources2017/CyberSecurity Presentation - Jared Nyarumba-KPMG.pdf

Cyber Security

It’s not just about technology

May 2017

Page 2

Introduction

Page 3

© 2017 KPMG Advisory Services Limited, a Kenyan Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Document Classification: KPMG Confidential

The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked.

- World Economic Forum Global Risk Report

Page 4

Cyber risk: Why is it topical now?

This is not a new threat: hackers have been infiltrating sensitive government and institutional systems since the early 1990s. The cyber security market is nevertheless erupting because many high-profile, highly disruptive and damaging security breaches now threaten financial and physical damage across critical national and corporate infrastructures.

Source: WEF Global Risks Landscape 2017

Page 5

How pervasive are cyber risks?

Source: WEF Global Risks Landscape 2017

This has caught the attention of governments and policy makers, intelligence services, the media and, increasingly, board-level executives across the globe. Cyber security has become an executive-driven issue.

Page 6

Cyberattack prevalence and rank…

Source: WEF Global Risks Landscape 2016

Page 7

The Fourth Industrial Revolution is here…

Klaus Schwab, founder and executive chairman of the World Economic Forum (WEF), believes that we are at the beginning of the fourth industrial revolution.

Source: WEF Global Risks Landscape 2016

Page 8

Global CEO Outlook – East Africa

Source: KPMG 2016 CEO Outlook Survey

Page 9

Cyber Incidents are the new normal…

Source: Cyber Crime Survey, 2015, KPMG India

Page 10

• 46%: organisations are able to remediate only 46% of the legitimate alerts received

• 44% of operations managers see more than 5000 security alerts per day

• 22% of breached organisations lost customers

• 29% of breached organisations lost revenue

• 23% of breached organisations lost business opportunities

Source: Cisco 2017 Annual Cyber Security Report

Cyber Security Data Analytics

Page 11

Is the traditional approach effective?

• Number of incidents identified by internal IT teams: < 6%

• Time taken from infection to detection: > 150 days

• Post-detection to reaction, and reaction to remediation: ?

Page 12

Cyber Security – Traditional Approach

Page 13

Limitation with Traditional Approach

Page 14

Trends and Lessons Learnt

Page 15

Trends Accelerating The Cyber Threat

1. External threats: organized crime, nation-states, cyber espionage, hacktivism, insider threats.

2. Change in the way business is conducted: cloud computing, big data, social media, consumerization, BYOD, mobile banking.

3. Rapid technology change: critical national infrastructure, smart/metering, internet of all things.

4. Changing market and client needs: strategic shift, situational awareness, intelligence sharing, cyber response.

5. Regulatory compliance: data loss, privacy, records management.

Page 16

Some considerations…

Considerations and factors to consider

Configuration management

• Is there a database of configuration items (CMDB)?

• Has a security standard been implemented (a list of secure settings applied on the platform)?

User access

• Access creation, modification, deletion and review

• Is access integrated across platforms (e.g., Windows, MS SQL and AD)?

Privileged access management

• Is privileged access appropriately granted, revoked, reviewed and monitored?

• Is there segregation between users with privileged access at each level of the access path?

• Is access integrated across platforms (jump servers)?

Page 17

Examples of lessons learnt and top risks

Key risks and factors to consider

Security vulnerabilities

• Are security patches applied (not only to the OS and DB, but also to other applications such as Adobe, Java, etc.)?

• Have network controls been implemented (firewalls, IPS, APT protection, etc.)?

• Have appropriate malware controls been implemented?

Inappropriate / unauthorised activities

• Logging and monitoring of access (native logging or a third-party tool).

• Is there a process to detect and follow up on activities identified?

• Are logs stored on a different server, with access to the logs restricted to a different set of people from those who can access the server?

3rd party risks

• Have 3rd party risks been assessed?

• Are security requirements clearly articulated to 3rd parties?

• Do we have a right to audit 3rd parties?

• Are the other key risks addressed with respect to 3rd parties?

Page 18

Where do we start?

Page 19

Key areas from a board governance perspective…

Board Governance

• Roles and responsibilities

• Proactive approach: identify new threats and risks

• Protect what matters: identify the crown jewels

• Determine key risk indicators

• Socialize to increase awareness of cyber security across the enterprise

Page 20

Cyber Security: Board Room Questions?

Page 21

Cyber Security: A Comprehensive Program

Page 22

Proactively identify the changing threat environment

Page 23

Thank you

Jared Nyarumba, Associate Director, KPMG Risk Consulting

kpmg.com/socialmedia kpmg.com/app

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2017 KPMG Advisory Services Limited, a Kenyan Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.