Cyber Security, a theme for the boardroom

Transcription

1 IT ADVISORY Cyber Security, a theme for the boardroom

2 TABLE OF CONTENTS 1 Cyber security, a theme for the boardroom 3 2 What is cyber security? 4 3 Relevance to the boardroom 6 4 Attention must be paid to cyber security but with the proper nuance in line with an organisation s risk profile 7 5 Measures to be adopted in line with an organisation s risk appetite 11 6 Areas of concern within cyber risk management 13 7 And you, as a leader? 15 2 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 3

3 1 CYBER SECURITY, A THEME FOR THE BOARDROOM Cyber security has been under the spotlight for the past few years. Due to the number and seriousness of cyber incidents, the media s focus on such incidents, and the importance of tackling cyber issues in the extensive digitisation of most organisations, this area requires the attention of directors and managers everywhere. But it needs to be tackled in the appropriate way and with the required subtlety, as a component of integral risk management. Introduction The fact that cyber security is important to every organisation needs no further explanation. Almost on a daily basis, various incidents demonstrate how great the risks are and that individual hackers and professionallyorganised cyber criminals are extremely active. The heads of organisations need to ensure that their organisations have set the proper priorities. To many, however, this is not a simple task because the world of cyber security tends to be elusive due to its specialist character and the technical jargon used. Generalists have difficulty grasping the complexities. In addition, it is difficult to distinguish between primary and secondary issues, while media coverage contributes to a culture of fear leading to the idea that almost every organisation is helpless prey to malevolent forces. Almost no distinction is made between imposters on E-bay, hackers who crash websites and organised criminal gangs using a systematic strategy to try to steal company secrets (or crown jewels ). Such distinctions are extremely important because not all organisations are equally attractive to the different types of cyber criminals. Partly due to the fact that concepts are often interwoven, cyber security remains a troublesome theme to many organisation leaders. Nevertheless, this cannot be an excuse to devolve the issue to specialist professionals. It is truly essential that heads of organisations themselves actively lead the crusade for cyber security. Within the complexity of the area, leaders need to consider the relevant issues soundly and, at the very least, pose the right questions. But how should this be done? This article provides certain guidelines for the task, and brings cyber security back to basics. 4 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 5

4 2 WHAT IS CYBER SECURITY? Most relevant IT / cyber threats that may impact your organisation External Cyber security is the endeavour to prevent damage by disruption, outage or misuse of IT and, if damage does occur, the repair of this damage. The damage may consist of: impairment of the reliability of IT, restriction of its availability, and the breach of confidentiality and/or the integrity of information stored in the IT system 1. These disruptions, outages and/or misuse may be caused by various actors and have their cause in the entire supply chain. Threat Actors Third party Social engeneering Internet/ comms blackout Denial of service Hacking Political instability Espionage Malware Cloud Brand abuse Social media 1 Organised crime Worldwide, difficult to trace and prosecute Stable Power failure Identity theft Phishing IP theft Changing 2 States Cyber espionage and cyber warfare Data leakage 3 Hacktivists Hacking inspired by ideology IT complexity 4 5 The Insider Discontentment due to change and uncertainty Journalists Oriented to research journalism How to interpret the radar The size of the circle illustrates the frequency with which the threat is reported in our source information. Figure 2. IT risk radar. Internal Figure 1. Threat Actors 1 (source: National Cyber Security Strategy ). 6 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 7

5 3 RELEVANCE TO THE BOARDROOM The first question a reader might wish to ask is why this theme is relevant to the boardroom, boards of management and/or supervisory boards. After all, cyber security is nothing new. However, the rising number of incidents, as shown by the figures of the Dutch National Cyber Security Centre (NCSC), and the gravity of these, have increased to the extent that cyber security can form a substantial risk to almost any organisation. After all, organisations run not only a financial risk relating to fraud and loss of income, but also a risk with regard to reputational damage, as well as control over their intellectual property. In addition, in view of the far-reaching digitisation of many organisations, safeguarding an organisation s most important information (its crown jewels ) is also of great strategic importance. An organisation simply cannot allow itself to lose intellectual property, for example, which might bring it a market advantage. In addition, as a consequence of the rapidly growing number of widely-reported incidents, cyber security has attracted the attention of clients, the media and official supervisory bodies. Clients are rightly worried about the Number of incidents dealt with by the NCSC (10Q4 13Q1) rising number of incidents and wonder if their information is really being adequately protected. The mounting number of incidents has also been widely reported by the media, which is quick to publish information on such incidents and publicly demand organisations to account for the degree of protection given to client data, for example. Official supervisors, such as De Nederlandsche Bank for instance, are becoming involved in this issue by requiring that organisational leaders be held accountable, and by performing thematic research into the cyber security measures organisations can take. 4 ATTENTION MUST BE PAID TO CYBER SECURITY BUT WITH THE PROPER NUANCE IN LINE WITH AN ORGANISATION S RISK PROFILE The seriousness of the risks means that cyber security does require boardroom attention but in the appropriate context. Organisations need to avoid panicked responses which have not been thought through. The media regularly paint a dramatic picture of cyber security as if numerous organisations are helpless victims of cyber criminals. Moreover, all types of crime are lumped together, causing anxiety among organisations that is not based on the facts. A small or medium-size enterprise has a completely different profile than a multinational, and an SME need have few worries about many of the incidents reported in the media. The truth is more nuanced than the picture presented by the media. The risks are certainly controllable. Cyber criminals are not invincible geniuses, and the government and enterprises have significant knowledge of how to fight cybercrime. But we need to realise that 100% security is an illusion and that the pursuit of total security will lead not only to frustration but also possibly to a false sense of Key security. International requests for help Private incidents In fact, we ought to start considering cyber security as Government incidents business as usual, as a theme that deserves attention in much the same way as the risk of fire or fraud. These are themes that are tackled by management in a structural way, from a risk-management perspective, with the defences and responses therefore not founded on the idea of building a system that is completely watertight. We believe that many organisations need to examine cyber security differently. They should not take decisions on the basis of fear of what is happening outside, but reason from the standpoint of their own strengths, from an awareness of the risks run by their own organisation, in accordance with the risk profile of the organisation and its specific nature. The starting point of the exploration of an organisation s cyber risk is the determination of that organisation s risk profile. Questions that are relevant in determining this risk profile include: How interesting is the organisation to potential cyber criminals?, How dependent is the organisation on the services of other organisations and How much risk is the organisation willing to accept? Q4 11Q1 11Q2 11Q3 11Q4 12Q1 12Q2 12Q3 12Q4 13Q1 Figure 3. Number of incidents dealt with by the NCSC (source: NCSC). 8 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 9

6 5 Legislation 1 Business environment Cyber risk profile 2 Threats In order to determine an organisation s risk profile, we need to use a model that covers the following five aspects: 1. What is the organisation s business environment? In which markets is the organisation active? To what extent is the organisation dependent on the digitisation of the organisation s service provision? To what extent is the organisation linked to another organisation that could form an additional risk in this framework? 2. To which group of cyber criminals, and why, is the organisation an attractive target (threats)? Which resources could the attacker deploy? 4. What could be relevant targets within the organisation, and also within the chain in which the organisation is active? 5. What are the legislative requirements with regard to cyber security that pertain to the organisation? In this framework, new regulations are being developed both inside and outside the Netherlands, and these may be highly relevant to the organisation. 4 Intended targets 3 Vulnerabilities 3. Which vulnerabilities in the organisation could cyber criminals exploit? This concerns not only technical vulnerabilities but also human actions. Figure 4. Important aspects when determining a cyber risk profile. On the basis of an analysis of the five aspects mentioned above, an organisation is able to determine its risk profile as well the amount of risk it is willing to accept (its risk appetite ) and to implement the appropriate set of cyber security measures. As stated previously, it will never be possible to achieve 100% security, so there is no point in pursuing such an aim! 10 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 11

7 Intended targets Relevance to organisations 1 Organised crime Financial data Personal data including financial transactions Particularly banks and large multinationals (e.g. the energy sector) have been targets for some time and are reasonably prepared A shift to other organisations has recently been seen as a result 2 States Intellectual property Strategic, operational plans M&A activities Critical, vital infrastructures (for cyber warfare) Attacks go further than diplomatic, military targets, oriented at obtaining economic advantage Exceptional attention on M&A pricing data, specifically directed at members of the board of management. 3 Hacktivists Reputation public and media perception Publications websites Services disruptions Oriented towards organisations that provide services in the following areas, invest in obtaining raw materials (oil, gas etc.), perform animal testing or are active in other controversial areas themselves Anti-capitalist attacks 4 The Insider Client data Strategic plans, methods and techniques, process descriptions Worsening economic situation leads to data theft Cost-saving initiatives reducing the workforce can lead to unhappy personnel and consequently sabotage Confidential information through data leaks and hacking Undercover journalists investigate how organisations handle client information) 5 Journalists Figure 5. Overview of relevant actors, targets and relevance to organisations. 12 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 13

8 5 MEASURES TO BE ADOPTED IN LINE WITH AN ORGANISATION S RISK APPETITE In this framework, a number of considerations are relevant: 1. Focus on your crown jewels In view of the fact that it is impossible to protect everything, cyber security requires special attention regarding the protection of the organisation s most valued information. It is therefore vital that an organisation specify its crown jewels that need to be protected. The cyber risks can and must be mitigated by applying the necessary measures and by reacting effectively when an organisation is subjected to cyber attack. But how does one select the proper set of measures? 2. Humans remain the weakest link It is essential to have technical systems to protect, to identify intruders and to respond to an attack, but human beings are actually the weakest link in many organisations. However, humans may also be the best asset in the organisation s defence, if they are properly informed and trained. 2 3 Humans remain the weakest link, unless 1 Protect your crown jewels Shift from preventative to detective measures 3. Shift from preventative measures to detective measures Whereas organisations once primarily relied on preventative measures to avoid cyber security incidents, attention is increasingly being paid to the detection of attacks, in order to enable the organisation to react immediately and appropriately. We see a growing use of technical monitoring facilities in many organisations, to detect and analyse alien traffic. 4. Focus on an organisation s capacity to respond As mentioned previously, we believe it is unfortunately only a question of time before an organisation becomes a victim of a cyber incident. Instead of being a helpless victim, an organisation can prepare for a serious attack. As such, it is vital for organisations to include the processing of cyber incidents in their crisis plans. An important part of this is the formulation of a protocol to be used in communications during a cyber incident. 5 Cooperation needed (sectorial, NCSC, (IT) partners) Figure 6. Considerations when determining appropriate cyber security measures. 4 How to react if it happens in any case (and it will happen) 5. Cooperation is essential Besides being able to respond to incidents, it is crucial for organisations to remain up-to-date and informed of emerging threats, and to learn from other organisations how best to react to incidents. To facilitate this, there are organisations at various levels whose aim is to help other organisations in this area: at national level (the National Cyber Security Centre for example), at sector level in various International Sharing and Analysis Centres (ISACs), and occasionally there are informal cooperative associations, such as a group of chief information security officers (CISOs) who work together to combat cyber security incidents within a particular industry. With the objective of generating a proactive approach to cyber security, it is vital to promote the active participation of organisations in such networks, which will help the organisation to improve its own resilience. We must not forget, after all, that an incident at another organisation is also a potential threat to one s own organisation. 14 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 15

9 6 AREAS OF CONCERN WITHIN CYBER RISK MANAGEMENT In our view, this kind of integral approach to cyber risk management needs to include the following aspects: Technology alone is not the answer to cyber security issues. The answer lies in an integral approach to cyber security, focusing on both the softer elements such as governance, culture and behaviour, and the harder ones such as technology. Leadership and governance Human behaviour Leadership and governance An organisation s leaders need to demonstrate, in word and deed, that they regard themselves as the owners of cyber security, and show that they intend to manage the associated risks adequately. Human behaviour Cyber security involves not only the appropriate technical measures, but also the creation of a culture in which people are alert to, and aware of, ways in which they can contribute to security. Information Risk management An adequate approach to all-embracing and effective risk management with regard to information provision, also in relation to partner organisations. The application of a holistic model incorporating all the above elements brings the following benefits: The minimisation of the risk that the organisation will be hit by a cyber attack from outside and the minimisation of any consequences of a successful attack. Better decisions in the field of cyber security: the provision of information on measures, patterns of attack and incidents is thus optimised. Clear lines of communication on the theme of cyber security. Everyone knows his or her responsibilities and what must be done if incidents (or suspected incidents) occur. Cyber risk management Information Risk management Business continuity and crisis management Operations and technology Legislation Business continuity and crisis management Good preparation for possible incidents and the ability to minimise the impact of these incidents. This involves crisis and stakeholder management, among other aspects. Operations and technology The implementation of checks and control measures in the organisation in order to identify the cyber security risks and to minimise the impact of incidents. A contribution to a better reputation. An organisation that is well prepared and has seriously considered the theme of cyber security is able to communicate on this theme in a way that inspires confidence. The enhancement of knowledge and competences regarding cyber security. The benchmarking of the organisation in the field of cyber security in relation to its peers. Figure 7. Areas of concern within cyber risk management. Legislation Complying with legislation with regard to information protection. 16 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 17

10 7 AND YOU, AS A LEADER? Of course, you, as a leader for example, a member of the supervisory board), will wonder what your role should be in this area. The board of directors is responsible for the determination, implementation, monitoring and adjustment (where necessary) of the organisation s general policy regarding risk. And you, as part of the organisation s leadership, ought to be ratifying the risk policy at least once a year, as well as supervising the risk policy executed by the board of directors. In short, you, as a leader, have an important role to play in the determination of your organisation s risk profile and in the determination and supervision of the risk policy applied. This is just as true for cyber risks as for any other risks your organisation may face; after all, these can also be of great strategic significance to your organisation. In order to offer some assistance to help you fulfil this role, set out below is an overview of various points of concern and questions that need to be answered which, in our opinion, will enable you to play your part. How do you determine your organisation s cyber risk appetite and priority structure? How do you determine your organisation s acceptance of the risk of downtime, loss of data and privacy incidents, how do you establish the risk appetite, and how do you monitor this? What are the crown jewels that require the highest level of protection? Which operational processes are crucial to the continued existence of the organisation? How are you organised with regard to cyber security? What is the structure of your first and second lines of defence with regard to cyber security? How are cyber risks reported? How does the coordination between the various company functions take place with regard to cyber security? Is your organisation investing enough in cyber security at present? And are you getting good value for money? What are your planned investments in the field of cyber security for the coming three years? Is this sufficient to be adequately protected against this threat (in line with your risk appetite)? How do your investments relate to the cyber investments of your peers? How secure/resilient is your organisation at this moment? What were the most relevant security and privacyrelated incidents in your organisation (or in those of your peers) in the previous 12 months? What were the lessons learned? What does the organisation do differently now to prevent such incidents recurring? Is the organisation becoming less or more secure? Which KPIs are on your cyber risk dashboard? Is your organisation achieving the cyber risk targets it has formulated? How do the KPIs for cyber risks relate to those of your peers? How do you control the risks with regard to your external suppliers and other chain partners? How do you ensure that your suppliers, and their suppliers and other chain partners, do not expose your organisation to unacceptable cyber risks? How is cyber security embedded in your products and services? In what way is cyber security embedded in: 1. your current products and services? 2. the development of new products and services? 18 / Cyber security / Cyber security, a theme for the boardroom Cyber security, a theme for the boardroom / Cyber security / 19

11 Leaders of organisations can no longer ignore the theme of cyber security. The number and gravity of cyber security incidents, and the media attention in this area, as well as the attention of supervisors and clients, demand that cyber security be one of the themes on most organisations strategic risk agendas. Of course, this needs to be tackled with the proper emphasis, in line with an organisation s risk profile and on the basis of its defined risk appetite. It should be part of the organisation s risk appetite as usual. And isn t minimising risk one of the major aims in the genes of most organisational leaders? About the author John Hermans is a partner at KPMG Advisory NV, and is responsible for KPMG s service provision in the field of cyber security. He leads a team of over 50 professionals. He is also part of KPMG s global leadership in the domain of cyber security. He has worked for a great many organisations in almost all market segments, including financial service provision, oil & gas, energy, the government and other sectors. He has been involved in more than a hundred projects in the field of information security, at national and international level. He has supported client strategies in these projects, as well as building business cases, and carrying out programme management and quality assurance activities. Contact John Hermans Partner Tel: [email protected] kpmg.com/nl/cybersecurity The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation., registered with the trade register in the Netherlands under number , is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The name KPMG, logo and cutting through complexity are registered trademarks of KPMG International