Cyber security: Are consumer companies up to the challenge?
A survey of webcast participants
kpmg.com
Cyber security: It's not just about technology

Technology has truly empowered the customer and is rapidly changing the consumer industry. While all digital channels, as well as brick and mortar, are being integrated to provide a seamless brand and shopping experience, the technological advances making this possible are also making companies increasingly vulnerable. Threats from cyber criminals and hacktivists are growing in scale and sophistication. Customers, investors, and regulators are all demanding stepped-up efforts when it comes to cyber security, and organizations are subject to increasing amounts of legislative, corporate, and regulatory requirements.

From profit, customer, and data loss to operations disruption and reputation damage, cyber crime has enormous implications for any business. Organizations need to take action to reduce the risk of a data breach. And when a breach occurs, they need to act quickly and efficiently to manage and resolve the issue with as little damage as possible. Focusing on technology alone to address these issues is not enough.

In April 2014, KPMG held a webcast entitled "Cyber security: It's not just about technology," which focused on assessing and effectively managing cyber risk. Participants were provided with a concrete model they can use to assess their organization's cyber maturity and to implement sustainable cyber security practices. Our conversation covered:

Evolving cyber threats: what is new?
The cyber landscape: how consumer organizations are responding
The Cyber Maturity Assessment: how to find answers to "Are we prepared?" and "How safe are we?"
Immediate action items: 10 key questions to determine next steps

To view a replay of the webcast, go to: www.kpmg.com/us/cswebcast

During KPMG's cyber security webcast, more than 100 professionals from the retail and food, drink, and consumer goods industry responded to survey questions about their organizations and cyber security. The results reveal that, despite the attention cyber threats have received from the media and industry organizations, the majority of consumer companies have a long way to go to effectively mitigate cyber risk and manage evolving threats. Explore our findings and the perspectives of our cyber security specialists to learn how your organization compares to those surveyed in areas such as cyber readiness, and how you can effectively address the complex challenge of cyber security.

Effectively managing cyber risk means putting in place the right governance and the right supporting processes, along with the right enabling technology.
Cyber security is front and center

In the last six months, more than 86 percent of survey participants' organizations have increased their focus on cyber security.

Survey question 1: Please select the statement below that best describes your organization in the last six months. (Responses in percent)
  There has been a significant increase in our focus on cyber security  44
  There has been some increase in our focus on cyber security  42
  There has been no change in our focus on cyber security  8
  Don't know  4
  There has been less focus on cyber security  2
  86% increased their focus. {Respondents: 107}

KPMG insights: Cyber security is an important concern for every organization, and consumer businesses are ideal targets for hackers trying to capture cardholder data and steal customer identities. Clearly, the recent cyber breaches were a wake-up call for the industry. The majority of retailers and consumer packaged goods companies have elevated cyber security to the top of their agendas.

Daily occurrences demonstrate the risk posed by cyber attackers, from individual, opportunistic hackers to professional and organized groups of cyber criminals with strategies for systematically stealing intellectual property and disrupting business. The management of any organization faces the task of ensuring that its organization understands the risks and sets the right priorities. While this is no easy task, it is essential that leaders take control of allocating resources to deal with cyber security, actively manage governance and decision making over cyber security, and build an informed and knowledgeable organizational culture.
Innovation and transformation: rewards worth the risk

Participants indicate that business model and operational changes, along with new technologies, are having a significant impact on their organizations.

Survey question 2: Which of the trends listed below is having the most impact on your organization?
  Change in the way business is conducted: cloud computing, big data, social media, consumerization, BYOD, mobile banking  46
  External threats: organized crime, nation-states, cyber espionage, hacktivism, insider threats  27
  Regulatory compliance: data loss, privacy, records management  18
  Rapid technology change: critical national infrastructure, smart/metering, Internet of all things  9
  Don't know  6
  Changing market and client needs: strategic shift, situational awareness, intelligence sharing, cyber response  4
  None of the above  1
  {Respondents: 111}

KPMG insights: Most consumer companies are not being driven by fear, uncertainty, or doubt. They see the potential that rapidly advancing technology has and continue to explore new ways of doing business, new ways of running a business, and new ways to better understand and engage with consumers. However, technology does not come without challenges. Companies must balance a relentless pursuit of innovation with assessing and effectively managing risk.

Cyber crime risks can be controlled. The key is to embed security and risk management processes in technology and related initiatives right from the get-go. By treating cyber security as business as usual and balancing investment between risks and potential impacts, an organization can be well-prepared to combat cyber crime.
Unprepared for a data breach

Only 36 percent of survey participants indicated that their organization has a formal cyber incident response plan.

Survey question 3: Does your organization have a formal cyber incident response plan?
  [Pie chart: responses Yes (36); Not yet, but in the process of defining the plan; No; Don't know. The remaining three responses account for 33, 20, and 16.] {Respondents: 105}

KPMG insights: The majority of consumer companies are not yet considering how they will respond to a data breach before it occurs. When companies do not have a formal cyber incident response plan (now considered a standard of care across industries), they are forced to rely on the ad hoc action of their people, leaving the outcome unpredictable and unreliable. Mishandling an incident is a major liability, potentially costing billions of dollars and with the potential to destroy a brand virtually overnight. In some cases, not having a plan may even be perceived as negligence and become a legal liability.

Additionally, should an incident occur, organizations need to ensure that it is evaluated in such a way that lessons can be learned. In practice, however, actions are driven by real-time incidents and often are not recorded or evaluated. This destroys the ability of the organization to learn and put better security arrangements in place in the future.

Organizations can reduce the risks to their business by building up capabilities in three critical areas: prevention, detection, and response.

Prevention: Prevention begins with governance and organization. It is about installing fundamental measures, including placing responsibility for dealing with cyber crime within the organization and developing awareness training for key staff.

Detection: Through monitoring of critical events and incidents, an organization can strengthen its technological detection measures. Monitoring and data mining together form an excellent instrument to detect strange patterns in data traffic, to find the location on which the attacks focus, and to observe system performance.

Response: Response refers to activating a well-rehearsed plan as soon as evidence of a possible attack occurs. During an attack, the organization should be able to directly deactivate all technology affected. When developing a response and recovery plan, an organization should perceive cyber security as a continuous process and not as a one-off solution.
Cyber security demands attention

Less than 20 percent of survey participants have a chief information security officer dedicated to overseeing cyber security at their organization.

Survey question 4: At your organization, who is responsible for cyber security?
  Chief information officer  44%
  Chief information security officer  19%
  There is shared responsibility between several departments  16%
  Other  8%
  Chief financial officer  7%
  Don't know  6%
  {Respondents: 105}

KPMG insights: Across the marketplace, we are seeing chief information security officers taking on much more prominent roles. Survey results reveal that consumer companies are moving slower in adopting this approach than other industries. Given the complexity and multidisciplinary nature of the problem, cyber security demands direct management attention. Companies should be evaluating their leadership models to ensure effective oversight of security operations and support of risk and compliance functions.

High-profile data breaches of retail and CPG companies exposed the massive drop in shareholder value that can result from ineffective cyber security. In other words, defending against cyber crime became a board problem. As a result, cyber security initiatives in the consumer industry are being driven from the top down. From boards, to audit and risk committees, to CEOs, CFOs, CIOs, and CISOs, leadership is under immense pressure to show progress in securing systems and managing risk and compliance, and they are seizing control of cyber.

Have you considered:
Having an on-call expert forensic team to provide on-demand response, analysis, containment, eradication, and investigation of any threat, concern, or incident?
Establishing a relationship with outside counsel to mitigate potential exposure of a data breach?
Merely average at cyber security

Nearly three-quarters of survey respondents rate their organization's cyber maturity level as average or below.

Survey question 5: On a scale where 1 indicates informal and 5 indicates industry leading, where would you rank your organization's cyber maturity level?
  [Bar chart: responses by maturity band (< 1, 1-2, 2-3, 3-4, 4-5, Don't know); bar values 45, 22, 22, 5, 4, 9.] {Respondents: 107}

KPMG insights: Cyber security has historically been a neglected area in consumer companies. It's no wonder that only five percent of organizations believe they have industry-leading levels of cyber maturity. With the growth of omni-channel retailing exposing new risks, and regulatory watchdogs sharpening their teeth, the industry needs to play catch-up. Now is the time to increase the focus on cyber security.

At KPMG, we consider six key dimensions that together provide a wide-ranging and in-depth view of an organization's cyber maturity.

Leadership and governance: Is the board demonstrating due diligence, ownership, and effective management of risk?
Human factors: What is the level and integration of a security culture that empowers and ensures the right people, skills, culture, and knowledge?
Information risk management: How robust is the approach to achieving comprehensive and effective risk management of information throughout the organization and its delivery and supply partners?
Business continuity: Have we made preparations for a security event and the ability to prevent or minimize the impact through successful crisis and stakeholder management?
Operations and technology: What is the level of control measures implemented to address identified risks and minimize the impact of compromise?
Legal and compliance: Are we complying with relevant regulatory and international certification standards?
About KPMG's cyber security services

With award-winning, global cyber security specialists who are at the forefront of the cyber agenda, KPMG helps the world's leading organizations solve the biggest cyber security challenges of today and tomorrow. Our capabilities cut across the entire cyber security spectrum: information protection, privacy, and security; threat intelligence and cyber investigations; business resilience and continuity; risk management and compliance; and governance, strategy, and operations. Through our global network of KPMG member firms, we have the deep consumer industry insight and vast knowledge on the evolving cyber landscape and regulatory environment necessary to help you manage cyber risk across a broad spectrum of evolving threats.

Contact us

Tony Buffomante
Principal, Information Protection and Business Resilience
E: abuffomante@kpmg.com
Tony Buffomante is KPMG's US leader for Cyber Security Assessment and specializes in information security, privacy, and business continuity. Over the past 20 years, he has managed and executed Information Technology security strategies, assessments, and implementations for some of the largest global organizations. Tony is a recognized industry leader in information protection, frequently speaking at industry conferences and instructing at training seminars both nationally and internationally.

Ronald Plesco, Jr.
Managing Director, Cyber Investigations, Forensic Services
E: rplesco@kpmg.com
Ron Plesco is an internationally known information security and privacy attorney with 16 years' experience in cyber investigations, information assurance, privacy, identity management, computer crime, and emerging cyber threats and technology solutions. Ron is the National Lead of the KPMG Cyber Investigations, Intelligence and Analytics practice. He joined KPMG in 2012 after a distinguished career in the private and public sectors, and is a frequent speaker nationally.
Dennis Van Ham
Director, Information Protection and Business Resilience
E: dennisvanham@kpmg.com
Dennis Van Ham focuses on transformational projects and on overall strategy and governance in cyber security and threat intelligence. In 2012, he joined KPMG's US firm from the Netherlands office and is currently responsible for the execution and the ongoing development of the firm's Cyber Security Assessment services. In his 15-year tenure, he has acquired deep industry experience in Retail, Oil & Gas, Financial Services, and Healthcare.

kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. NDPPS 259750