FORENSIC
Central and Eastern European Data Theft Survey 2012
kpmg.com/cee
KPMG in Central and Eastern Europe
Ever had the feeling that your competitors seem to be in the know about your strategic plans and other confidential information? How many times have you lost the element of surprise on your promotional campaigns? How about the time you had to battle it out with your competitor for the same spot of land or real estate that you were planning to secure for your next location?

Think about this scenario: a mid-level manager at a consumer markets company is at odds with his boss and grows more disgruntled by the day. While trawling through the company file server he identifies a draft version of the 3-year business plan as well as some product development materials. He downloads these to a USB stick, which he takes with him when he goes home. Within a month he resigns his post, and within two months he starts working for a major competitor.

How probable do you think this scenario is at your company? Do you have the right measures in place to combat this sort of data theft?

KPMG in Central and Eastern Europe has surveyed a select number of companies across the region operating in the consumer markets and retail industry to better understand how they perceive the risk of data theft and what they are doing to address it.

In summary, the results of the survey indicate that:
- The vast majority (84%) of respondents perceived data theft as a significant risk to their business. Furthermore, more than half (52%) of respondents thought that the risk of data theft would increase over the next three years.
- Employees (64%) were generally seen as the most likely perpetrators of data theft, with mid-level management posing the greatest perceived risk.
- The use of removable media such as USB sticks was recognised as a significant risk by many (61%) respondents, yet very few (16%) indicated that they had measures in place to deal with the threat posed by their use.
- The data perceived to be most at risk was data related to strategy and planning (80%).
- Most respondents (59%) assessed the risk of data theft to their organisations on an informal basis, and 50% did so only occasionally, meaning that there will be time lags in the recognition and proper assessment of emerging data theft risks.

About our respondents

Our respondents were employees with responsibility for Information Technology and Security at 44 companies operating in the consumer markets and retail industries, mainly the retail, consumer goods, and food and beverages segments, in nine countries across Central and Eastern Europe (CEE). The companies surveyed represent market leaders in their sector in the particular CEE country and included global, regional and local companies. The majority of responses (in excess of 90%) were collected through personal interviews.

Overall perception of risk and susceptibility

The vast majority (84%) of respondents perceived data theft as a significant risk to their business. Furthermore, it is not a risk that they perceive to be diminishing: 39% thought that the risk of data theft had increased over the last three years (only 14% thought it had decreased), and 52% thought that the risk of data theft would increase over the next three years (only 9% thought it would decrease).

Relatively few of our respondents reported being victims of data theft: only 9% indicated that they were aware of confirmed cases and only 18% indicated that they were aware of suspected cases of data theft during the last three years. The relatively low number of reported breaches may reflect that respondents were reluctant to admit such breaches; it is also possible that respondent companies had suffered data thefts that were not detected, or that were not recognised as data thefts. Irrespective of the number of actual occurrences, it is evident from the responses that the risk was perceived to be high.
Source of the threat

Whereas most coverage of data theft focuses on the risks presented by external attackers, our respondents generally considered employees to be the most likely perpetrators of data theft (64%). Employees inevitably have access to company data in the normal course of business, and we believe that this plays an important role in their high risk rating.

KPMG Central and Eastern Europe Ltd., a limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
Figure 1. Likely perpetrators of data theft (percentage of respondents; values not legible in the source are omitted)
Employees/Former Employees 64
Competitors 45
Unknown External Parties (e.g. thieves, anonymous hackers)
Suppliers 9
Customers 9
Note: Table shows percentage of respondents indicating listed types of perpetrator as 4 or 5 on a 5 point likelihood scale (1 = Very Unlikely, 5 = Very Likely).

Respondents in the beverages sector clearly flagged mid-level managers as the most likely category (47%). This may reflect that such employees typically have broader access to high value data than lower level employees.

Our respondents pointed out competitors as the second most likely perpetrator of data theft (45%). We consider that this is also related to the threat posed by employees. Companies might be tempted to obtain confidential information from their competitors in order to edge the competitors out and position themselves better in the market. Such information can be related to products, marketing plans, pricing and promotional campaigns, production specifications, supplier and customer data, and business plans and strategies. This information is usually accessible by employees during the normal course of business and can therefore be the subject of corporate espionage attempts by competitors colluding with company employees and managers.

Managing the threat of data theft by insiders requires a more nuanced approach than might be appropriate for other potential sources of threat. There will always be a tension between providing employees with access to the information they need to do their jobs effectively and protecting that information against misuse. The same cannot be said for the risk of unauthorised access by external attackers, which is invariably an event that all organisations would wish to avoid. The risk of misuse from within, however, must be considered as part of broader information risk management planning and mitigated accordingly.
The challenge of removable media

Taking away data on removable media was widely seen by respondents as a likely mode of data theft (61%). Despite this, only 45% of respondents employed endpoint protection software to limit the use of removable media and only 16% monitored the use of removable media. The high risk of data theft using removable media partly reflects the absence in many companies of comprehensive measures to control their use. The vast majority of respondents indicated that their companies employed measures to protect against external threats (firewalls, anti-virus and anti-malware solutions were almost ubiquitous), yet this predominantly internal threat is not sufficiently addressed.

Figure 2. Tools and technologies used to minimise the risk of data theft (percentage of respondents; values not legible in the source are omitted)
Firewall systems (appliance or software)
Anti-virus software 98
Anti-malware software 93
System-specific access rights restrictions 82
Network monitoring systems (appliance or software)
Internet activity filters 75
Encryption technologies 73
Intrusion detection / prevention systems (appliance or software)
Endpoint protection software (e.g. restricting or monitoring the use of user devices and removable storage)
Multi-factor authentication technologies
Data leak detection / prevention systems
Biometric measures

Figure 3. Monitoring measures employed by respondents (percentage of respondents; values not legible in the source are omitted)
User access to systems and reports holding high value data
User access at an item or folder level to material on internal document management systems
Use of web-based or file sharing websites
E-mails with attachments sent to web-based addresses
Use of removable media such as removable disks, USB sticks, etc. 16
One of the industries that has taken successful strides to address the challenge of removable media is financial services, in particular banks. Measures such as encrypting removable media, disabling CD/DVD drives in desktops and laptops, and restricting network access for smart phones have gone a long way in helping to prevent data theft.

Types of information at risk

Across all segments, details about company strategy and planning were seen to be at high risk of theft. Additionally, in consumer markets, but not among retailers, information about business processes was also perceived to be at risk. The high risk respondents have placed on these types of data may be due to two reasons: such information presents very high value to competitors or partners, and it is often subject to less stringent control and monitoring than information stored in more structured forms, such as records in a company's ERP system.

Consumer markets manufacturers and beverages companies were more concerned about customer-side activity, whereas retailers were more concerned about supplier-side activity. This is consistent with the increased focus of the antitrust authorities across a number of CEE jurisdictions on restrictive trade practices and numerous probes into abuse of dominant market positions.

Most respondents did not consider that details about suppliers, customers, or employees are at high risk of theft. This reflects the fact that such sources are typically more tightly controlled than the others listed, due to data privacy considerations.

Figure 4. Types of information at highest risk of data theft (chart split between consumer goods and retailer respondents; values not legible in the source)
Categories listed: company strategy and planning; supplier-side activity (contracts, total spend, product pricing, discounts etc); business processes; customer-side activity (total customers, total spend, product pricing, discounts etc); employees; customers; designs; suppliers
Note: Percentage of respondents indicating listed types of information as '4' or '5' on a 5 point likelihood scale (1 = Very Unlikely, 5 = Very Likely). Split between 'retailers' and 'consumer goods' respondents. 'Consumer goods' covers respondents in the consumer products, food and beverages segments.
Managing the risk

While most respondents indicated that they were assessing the risk of data theft, it appears that there is room for improvement. Most respondents (59%) assessed the risk informally and 50% did so only occasionally. Very few (11%) reported using external advisors in their assessment efforts, although more reported that they made comprehensive use of independent advisors to perform penetration testing (36%) and to undertake regular audits of security and data protection measures (43%).

Figure 5. Assessment of data theft risks (chart; values not legible in the source)
Measures listed: Regular audits of the company's security and data protection measures by independent parties; Measures to ensure that managers and staff leaving the company do not leak out sensitive information; IT measures to secure data interchange with partners; Policies regarding data management and security that extend to third parties / business partners
Response options: Informally / Formally / Not at all; Occasionally / Regularly / Continuously / Not at all; Within the company / Using external advisors / Not at all
Note: Respondents could choose all criteria which applied. Some respondents did not answer.

The findings seem to reflect the overall underestimation of the issue of data theft. On one hand it is considered to be a high risk, yet it receives little formal attention. There are significant benefits to formal over informal assessment and of regular or continuous assessment over occasional assessment. Formal, regular assessment tends to ensure that risks are reviewed on a systematic basis and that emerging risks are identified quickly. In most organisations the risk of data theft will be one among many responsibilities for the IT department; leveraging external data protection specialists in the assessment process will enable them to draw on a much broader range of experience.

Besides the risks presented by removable media, there were various other areas in which respondents indicated that their data protection measures could be stronger.
Whilst bolstering some areas may require substantial investment, there are some low hanging fruit: consider the costs of raising awareness among staff, or improving the content of data management policies relevant to staff or to third parties.

Figure 6. Comprehensiveness of data protection measures (% respondents; values not legible in the source)
Measures listed: IT measures to secure data carried by employees outside company premises; Regular notifications to all staff aimed at raising awareness and communicating staff responsibilities about data protection; Physical security measures to protect sources of high value data carried by employees outside company premises; Regular penetration testing and ethical hacking procedures by independent parties; Company policies and procedures addressed to employees regarding data management and security; IT measures to limit the possibilities for high value data to be removed from inside the network; Physical security measures to limit access to premises where high value data is held or can be accessed; IT measures to ensure that high value data is secured from external attacks; IT measures to restrict access to high value data to relevant users inside the network
Note: Graph shows percentage of respondents indicating listed data protection measures as 4 or 5 on a 6 point scale assessing the extent to which the respondent has implemented them (0 = Not Used, 5 = Comprehensive Measures).

Figure 7. Features of data management policies (chart; values not legible in the source)
Features listed: Indication of employee obligations regarding data security; Indication of employee obligations regarding company confidential material; Requirement for employees to indicate their agreement with policies; Indication that use of company IT equipment and networks is subject to monitoring; Indication that personal use of company IT equipment and networks is not permitted

The bottom line

% of respondents indicated that they were not satisfied with the measures they currently had in place to deal with data theft, amid the increasing risks. How does your organisation compare?

KPMG Forensic assists clients in dealing with fraud and misconduct, including investigation into allegations of data theft, digital evidence recovery for legal, criminal and administrative proceedings, proactive data analysis, and reviews of fraud detection systems.

KPMG IT Advisory assists clients with detailed reviews of all data management and information security areas, advises on recommendations and provides assistance with the implementation of countermeasures to address identified risks and gaps in these areas.
For further information about the services offered by KPMG Forensic please contact us:
Jimmy Helm, Head of Forensic, T:
Michael Peer, Partner, Forensic, T:
kpmg.com/cee

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.