Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

Similar documents
Cyber security: a failure of imagination by CEOs

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Assessing the strength of your security operating model

Secure by design: taking a strategic approach to cybersecurity

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Exposing the Cybersecurity Cracks: A Global Perspective

Cyber Security: Confronting the Threat

THE HUMAN COMPONENT OF CYBER SECURITY

How To Improve Security In An Organization

Combating a new generation of cybercriminal with in-depth security monitoring

Cybersecurity. Are you prepared?

DATA LOSS BAROMETER. A global insight into lost and stolen information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

How To Protect Your Organization From Insider Threats

Cyber Security: from threat to opportunity

Mitigating and managing cyber risk: ten issues to consider

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Continuous Network Monitoring

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

The promise and pitfalls of cyber insurance January 2016

Who s next after TalkTalk?

Into the cybersecurity breach

ACE European Risk Briefing 2012

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

ORGANIZADOR: APOIANTE PRINCIPAL:

Developing a robust cyber security governance framework 16 April 2015

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

Is Your Company Ready for a Big Data Breach?

RETHINKING CYBER SECURITY

Cybersecurity: Mission integration to protect your assets

Italy. EY s Global Information Security Survey 2013

A COMPLETE APPROACH TO SECURITY

Cyber Risk to Help Shape Industry Trends in 2014

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Cybersecurity Delivering Confidence in the Cyber Domain

Seamus Reilly Director EY Information Security Cyber Security

Cyber Security Management

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

The Value of Automated Penetration Testing White Paper

Cyber Governance Preparing for the Inevitable Perimeter Breach

A strategic approach to fraud

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Information Technology in the Automotive Aftermarket

Requirements When Considering a Next- Generation Firewall

Four steps to improving cloud security and compliance

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Cyber Security for audit committees

HEALTH CARE AND CYBER SECURITY:

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Central Asian Information Security Survey Results (2014) Insight into the information security maturity of organisations, with a

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

What s Holding Back the Cloud?

PwC Cybersecurity Briefing

Managing cyber risks with insurance

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Protecting against cyber threats and security breaches

Accenture Technology Consulting. Clearing the Path for Business Growth

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

The SIEM Evaluator s Guide

Cyber Security - What Would a Breach Really Mean for your Business?

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

A NEW APPROACH TO CYBER SECURITY

2015 VORMETRIC INSIDER THREAT REPORT

Third Annual Study: Is Your Company Ready for a Big Data Breach?

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Cyber security Building confidence in your digital future

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

SOLUTION BRIEF. Next Generation APT Defense for Healthcare

RETHINKING CYBER SECURITY Changing the Business Conversation

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

OCC 98-3 OCC BULLETIN

Transcription:

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

Cyber attack is one of the biggest threats to Australian businesses, however many Chief Executive Officers (CEOs) admit a lack of preparedness against security breaches. KPMG International s outlook study Cyber security: A failure of imagination by CEOs reveals the vulnerable position many Australian businesses are in as a result. Here we outline the key findings, with advice on what Australian CEOs can do to reduce risk. The facts about Australia: Globally, only half of CEOs are fully prepared for a future cyber-security event, with Australia behind at 35 percent. 40 percent of Australian CEOs expect the Chief Information Officer (CIO) position will become more important, on par with the global average. 29 percent of global CEOs said cyber security is having the biggest impact on their company, just ahead of 25 percent in Australia. Collectively we sleepwalked into a position of vulnerability and failed to learn lessons of embedding security into products right out of the gate. Malcolm Marshall, Global Head of Cyber Security at KPMG For Australian CEOs and their management teams, the requirement to keep ahead of cyber security threats is vital for the safety of their business and customers. KPMG s Cyber security: A failure of imagination by CEOs 1, which surveyed over 1200 international CEOs, found that emerging technology risk was one of the biggest risks CEOs are concerned about for 21 percent of CEOs globally and 37 percent of Australian CEOs. The survey also found that 25 percent of CEOs globally are extremely concerned about keeping up with new technologies. The figure was less in Australia, at 19 percent, however 40 percent were somewhat concerned, while 40 percent were not concerned about it. However, the real issue appears to be a lack of preparedness for a cyber attack. Of the 52 Australian CEO participants in the survey, only 35 percent said they were fully prepared for a cyber event, compared to the global result of 49 percent. A greater portion of Australian CEOs, 58 percent, were somewhat prepared, while 4 percent said they were not where they need to be, and the rest were unsure. Security must run deep CEOs need to realise that building cyber security into products and processes can be a competitive advantage, says Malcolm Marshall, Global Head of Cyber Security at KPMG. Some organisations are turning security into a selling point with touch identification, he explains. Banks, for example, are starting to replace outdated security processes with touch ID. While 40 percent of Australian CEOs expect the Chief Information Officer (CIO) position will become more important, cyber security should not be left in the domain of this role. CIOs are often not part of the C-suite inner circle, which could mean the rest of the organisation surrenders responsibility to the IT function rather than making sure security is built into behaviour, controls and processes. It s vital that the CEO and senior executives engage with the issue. There is a bottom line benefit too Marshall says institutional investors are less likely to invest in a company that has had a major public cyber breach. 1. See survey methodology at the end of this report.

Organisations need to understand what the crown jewels are, what value they would have in the wrong hands, where they are located and how well they are protected. Gordon Archibald, Cyber Security Leader for KPMG in Australia Cyber security: a strategic risk Nearly a third of the global CEOs listed cyber security as one of the issues with the biggest impact on their company (in a multiple choice answer). Australia was just short of this at 25 percent, amid the issues of economic growth at 40 percent and energy prices at 27 percent. Globally, one out of five CEOs indicated that information security is the risk they are most concerned about, similar to Australian CEOs at 29 percent. Across the board, operational and compliance risks rated highly, but cyber risk, if uncontrolled, becomes an operational issue and a regulatory issue very fast. Is Australia ready? In Australia, many CEOs and boards understand the importance of cyber security, however their understanding is not yet at a level that can drive action, according to Gordon Archibald, Cyber Security Leader for KPMG in Australia. Part of this is due to lack of visibility of what needs to be done. This falls with management who may sometimes struggle with building impetus to clearly define the problem what am I trying to protect, what are my risks and how well protected are those assets? he says. They are aware of the threat, but they don t always see the potential impact to the business if those assets get into the wrong hands. What are Australian CEOs doing? Discussions about the issue In Australia, 60 percent of the CEOs said they had met with their executive teams or board of directors four to six times in total to discuss cyber security, up on the global rate of 40 percent, while 27 percent said they had done so one to three times, and 10 percent had done so seven to 10 times. Four percent had never done so. Appointing the experts In promising results, 88 percent of Australian CEOs had taken pre-emptive steps to appoint a cyber security executive or create a cyber security team, better than a result of 50 percent globally. Yet just 23 percent of Australian CEOs had taken pre-emptive steps to convene multiple meetings with their cyber security team, down from the global result of 37 percent. However 73 percent of Australian CEOs were planning to do so in the next 3 years. Others had taken pre-emptive steps to hire a cyber security consultant 37 percent globally and 38 percent in Australia while in Australia 52 percent intended to do so in the next 3 years. Upgrading technology Compared to 49 percent globally, 42 percent of the Australian CEOs had taken pre-emptive steps to upgrade current technologies with a view to cyber protection, while 50 percent planned to take steps in the next 3 years. Eight percent had no planned action. New technologies had been deployed by 21 percent of Australian respondents, compared to 40 percent globally, however 71 percent were planning to take steps to deploy new technologies in the next 3 years. Again, 8 percent had no planned action. Internal and external processes In Australia, 50 percent of respondents had taken pre-emptive steps to change internal processes with cyber security in mind for example securing data sharing, or how employees use mobile devices containing company data. Forty-two percent were planning to do so in the next 3 years, while 8 percent had no planned action. In terms of changes to external processes, for example client data gathering or receiving invoices, 40 percent had taken pre-emptive steps to security, higher than the global result of 34 percent. Forty-eight percent of Australian CEOs were planning to do so in the next 3 years, and 12 percent had no planned action.

The root cause is often a failure of imagination. A failure to imagine the sophistication and persistence of their attackers. Malcolm Marshall, Global Head of Cyber Security at KPMG How prepared is your company for a cyber threat? Region Who you have is important Global average Australia US UK China Fully prepared 49% 35% 87% 28% 41% Somewhat prepared/ not where we need to be 50% 62% 13% 64% 59% Unsure 1% 4% 0% 8% 0% Organisations need to invest in the right tools and the right people to protect against cyber threats. Bringing in security intelligence can help pinpoint problems, identify anomalies and highlight unusual or suspicious activity. However one of the biggest challenges CEOs could face is skills shortage. Global estimates suggest that over 23 percent of cyber security positions take more than six months to fill, with a further 10 percent remaining unfilled. Key lessons for Australian CEOs 1. Understand your enemy It s vital to understand who might attack an enterprise, what they would attack and why. A cyber security framework can help organisations understand which assets are most in need of protection and which could cause damage if compromised. This framework helps focus investment and protection appropriately. 2. Share threat intelligence Organisations can expand their security intelligence by sharing information about their own security threats with peers and competitors. While some sectors are reluctant to do, banks are leading the way with this approach. 3. Create collaborative networks White-hat hackers can use their hacking powers positively rather than illegally, by helping organisations find weaknesses in their architecture. Executives are often surprised at how quickly an accomplished hacker can infiltrate their systems. 4. Be aware of fourth-party risk Many organisations, particularly banks, have long thought about third-party cyber risk. Some have multiple suppliers so that if one fails, they have resilience. But a deeper look might reveal that the risk gets reconsolidated at the next layer because all of their diversified suppliers are reliant on a single supplier a phenomenon known as fourth-party risk. This discovery is common in assessing liquidity risk, but the process can be equally revealing for cyber resiliency. For instance, what if all of your suppliers rely on the same cloud provider? 5. Merging or acquiring? Find out the real situation A common risk for cyber safety is mergers and acquisitions. Buying a company that has not built security into its products can be costly, so due diligence is vital. 6. Have a response plan One way companies can expand their expertise is by bringing in security intelligence to pinpoint problems, identify anomalies and highlight unusual or suspicious activity. Intelligence can help in two ways. First, an early-warning-as-a-service can reduce the vulnerability threat window: the time between the detection and the remediation of an attack. Intelligence can also provide a broader picture of global threats than any one organisation could gather on its own. Security is an ecosystem; organisations need to know what is going on externally as well as internally. Further to this is the need for a swift and effective response plan. If hackers do get in, know exactly how you will mitigate the damage and test the plan to ensure it works.

kpmg.com.au In summary There is no such thing as complete security coverage. CEOs must lead their organisations towards a proactive and predictive approach to cyber security, instead of relying too heavily on reactive technologies such as firewalls or intrusion prevention, or putting all the responsibility in the hands of the CIO. Understanding the threat landscape, knowing your enemy, and getting the right help with security intelligence is essential. What you can t prevent, you should try to detect. And what you can t detect, you should be prepared to respond to quickly. Contact us Gordon Archibald +61 2 9346 5530 garchibald@kpmg.com.au Gary Gill +61 2 9335 7312 ggill@kpmg.com.au Mark Tims +61 2 9335 7619 mtims@kpmg.com.au Methodology The survey data published in this report are based on a survey of 1,276 chief executives from Australia, China, France, Germany, India, Italy, Japan, Spain, UK and the US. Nine key industries are represented, including automotive, banking, insurance, investment management, healthcare, technology, retail/ consumer markets and energy/ utilities. Three hundred forty seven CEOs came from companies with revenues between US$500 million and US$999 million, 626 from companies with revenues from UD$1 billion to US$ 9.9 billion, and 303 from companies with revenues of US$10 billion or more. The survey was conducted between April 22 and May 26, 2015. The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise). December 2015. QLDN13575LOBS.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information