
Clarity on Cyber Security

Swiss businesses are ill prepared for cyberattacks and much too reactive in their approach. What’s more, companies rely too heavily on technology while neglecting the human factor. These are insights offered by KPMG’s latest study “Clarity on Cyber Security”.

Clarity on Cyber Security

  1. Cyber Security: Swiss Survey towards understanding the cyber risk. Media Conference, 6 May 2015.
  2. © 2015 KPMG AG/SA, a Swiss corporation, is a subsidiary of KPMG Holding AG/SA, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks.
     Agenda:
     10:00 Welcome: Andreas Hammer, Head of Corporate Communications, KPMG Switzerland
     10:05 Introduction: Gerben Schreurs, Partner Forensic, KPMG Switzerland
     Study Results: Matthias Bossardt, Head of Cyber Security, KPMG Switzerland
     11:00 Questions & Answers
     11:30 Lunch
  3. Introduction: Gerben Schreurs, Partner Forensic, KPMG Switzerland
  4. Why this study?
     • It is important to be able to convert the threats into opportunities.
     • Focus on what you're best at and on building up proactive strategies.
     • Most news articles contain fear, uncertainty and doubt.
     • Most studies are global and do not take local culture into account.
     • This study focuses specifically on Switzerland.
     The world's most innovative economy is an attractive target for cyber attacks. Are Swiss companies prepared to defend themselves? A better understanding of the cyber risk is the first step away from a reactive towards a predictive cyber defense strategy.
  5. Methodology of the survey
     • Online survey with 30 questions
     • 64 participants from C-level
     • 27 working for large enterprises (> 5,000 FTEs)
     • 37 from small and mid-size companies
     • Personal interviews were conducted with four Swiss business representatives of large companies
     • Evaluation of the results was carried out by a KPMG team of cyber security experts
     • The content of the study results is enriched with the experience of the KPMG consulting practice
  6. Distribution by sector
     • Cross-sector, but the largest response came from the financial services (FS) sector
     • 42% from large enterprises, 58% from small and medium-size companies
  7. Study Results: Matthias Bossardt, Head of Cyber Security, KPMG Switzerland
  8. Tackling cyber threats: how relevant is it?
     • 76% believe that cyber security is NOT a hype that will subside
     • 63% consider themselves an attractive target
     • 69% of the Executive Boards consider cyber security an operational risk
     • 95% state they cannot defend themselves in isolation
     • 71% have increased their budget for cyber security annually over the past 5 years
     Cyber security is here to stay. Given the potential impact on companies, it rightfully resides on the board-level agenda.
  9. Structure of our results: three themes
     • From reactive to predictive
     • Understand the cyber risk
     • More than technology
  10. Understand the cyber risk
  11. Understand the cyber risk: the lack of insight
     • 44% of the respondents state that the Executive Board is sufficiently aware of the risks of cyber-crime
     • 44% say that the Executive Board considers cyber security a technical issue
     • 46% state that the Executive Board does not have any method to measure the cyber risk to the business
     • 50% of the large companies have no insight into the damage
     Observations: a lack of understanding of the risk (what is at stake for the company), and a communication gap to the board (how to provide jargon-free insights).
  12. Understand the cyber risk: reporting
     • 58% say that “security” does not report to the Executive Board directly
     • 54% say that “security” is communicating effectively and using the right jargon
     Observations: for the strategic topic of cyber security, the right audience (the executives) is not always addressed, and using the right language to discuss the cyber risk at board level remains a challenge for many companies.
  13. Understand the cyber risk: third parties and outsourcing
     • 59% are not convinced, or do not know, whether their providers understand how to defend against cyber attacks
     • 15% of non-financial institutions and 25% of financial institutions feel that their understanding, visibility and control over cyber security has worsened after outsourcing
     Observations: perimeters between companies are blurred by increased connectivity, and more insight and transparency is required regarding the cyber security capabilities of third parties.
  14. More than technology
  15. More than technology
     • 61% state that the primary focus for cyber security is too technical
     • 36% believe employees are sufficiently aware of the cyber risk
     Framework diagram (labels as extracted, grouped as they appear): Foundations (Governance; Funding & Sponsorship; Policy; Ownership; Accountability); Understanding (Business Strategy & Goals; Assets; Intelligence; Regulatory Environment); Planning and Control (Risk Management; Portfolio, Programme and Project Management; Vendor & Supplier Management); Implementation (People; Processes; Technology).
  16. More than technology: need for a plan
     • 51% believe that cyber attacks cannot be prevented completely
     • 53% believe they would recognize an attack and have the skills to respond adequately
  17. More than technology: response planning
     • 45% of all respondents say there is no incident response plan
     • Only 14% of the existing plans are being tested
     • 7.7% of the companies have a response plan and test it
     45% have no response plan in place: 32% of large enterprises, 52% of financial institutions, 53% of SMEs.
     Cybercrime defense framework (columns: Prevent, Detect, Respond):
     • People: risk awareness and technology understanding training; corporate attitude programs; security operations centre; crisis organisation; communications
     • Processes: compliance monitoring; vulnerability monitoring; security testing; patch management; incident preparedness training; incident monitoring; emergency hotline; attack mitigation procedures; high-value asset isolation procedures
     • Technology: segmentation; endpoint and perimeter protection; security baselines; logging and alarming; incident dashboards; data collection and preservation; forensic analysis; data recovery
  18. The vicious cycle of complacency
     • 53% believe their organization is able to detect ongoing cyber attacks
     • 45% have no response plan to cyber incidents
     • 7% didn't take any measure after a cyber attack
     • 79% made no changes to their response plans in the last 12 months
  19. Managing third-party service providers
     Many successful attacks nowadays exploit third-party vulnerabilities.
     • 36% include cyber security measures in their contracts with third parties
     • 14% review and test whether third parties comply with contractually agreed cyber security measures
  20. From reactive to predictive
  21. From reactive to predictive
     • 55% say their organization is compliance driven rather than security driven
     • 51% say attackers will always win eventually; successful cyber attacks cannot be prevented
     • 95% state they cannot defend themselves in isolation
     • 75% agree that a main reason for intensifying controls is the occurrence of an incident
     Maturity stages: Reactive (ad hoc), Structured, Integrated, Predictive. Most companies are at the first stages: mostly reactive, with some structures for compliance. The most advanced companies currently work towards an integrated security capability.
  22. Key conclusions
  23. Key conclusions
     • From reactive to predictive: given the strategic relevance of cyber security, a reactive approach to managing the cyber risk is no longer sustainable. The attention of the board presents an ideal momentum to develop an insight-based, risk-focused and predictive management of cyber risk.
     • Understand the cyber risk: whilst cyber security is on top of many board agendas, companies struggle to properly assess, measure and communicate to what extent the resilience of their business is at risk. This understanding is paramount in order to tackle cyber risk effectively.
     • More than technology: whereas cyber crime has a strong connotation with “technology”, fighting it effectively requires an integrated and balanced approach involving people and processes as well as technologies.
