KPMG Screen 3:4 (2007 v4.0)


FEEL FREE
A NEW APPROACH TO CYBER SECURITY
CYBER RISK – A PERSONAL VIEWPOINT
INSTITUTE FOR OPERATIONAL RISK
DAVID FERBRACHE OBE

APPROACH
CHALLENGES
THREAT VIEWPOINT
HARD QUESTIONS
A 360º VIEW OF CYBER SECURITY
SURROGATES FOR ANSWERS
A WAY OF THINKING
PARTING THOUGHTS
© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
2
CHALLENGES
IS CYBER SECURITY THE NEW Y2K?
CAN WE REALLY TRUST THE STATS?
IS IT REALLY A SEPARATE RISK – OR JUST US DOING BUSINESS IN A DIGITAL WORLD?
HOW DO WE QUANTIFY CYBER SECURITY RISK?
WHAT DOES THE RISK “FEEL” LIKE?
WHY DOES IT MATTER?
[Chart: Internet economy as % of GDP, 2010 vs 2016, for Russia, EU-27, India, G-20, US, Japan, China and UK; axis 0% to 10%]
[Chart: Internet Growth Over Time, million users; axis 0 to 3500]
[Chart: Scale of Internet Crime, cyber crime as % of GDP; axis 0.0% to 0.8%; categories Espionage, Military attack, Economic impact, plotted against Government Involvement/Control; label NSA]
[Chart: Size of Internet Economy]
Headline figures: $4.2 Trillion across G-20; 40% of World On-line; $375-575 Billion Globally; 15%
Sources: Estimating the global cost of cybercrime, Centre for Strategic and International Studies, June 2014;
The $4.2 Trillion Opportunity, Boston Consulting Group, March 2012, drawing on OECD/Economist Intelligence Unit sources;
International Telecommunications Union, Key 2005-2014 ICT Data
RISING PRIORITY FOR BOARDS
Board members globally report that cyber risk has risen from twelfth to third in their priorities in the last two years.

Lloyd's Risk Index (rank, 2011 vs 2013)
Rank  2011                                2013
1     Loss of customers/cancelled orders  High taxation
2     Talent and skills shortage          Loss of customers/cancelled orders
3     Reputational risk                   Cyber risk
4     Currency fluctuation                Price of material inputs
5     Changing legislation                Excessively strict regulation
6     Cost and availability of credit     Changing legislation
7     Price of material inputs            Inflation
8     Inflation                           Cost and availability of credit
9     Corporate liability                 Rapid technological changes
10    Excessively strict regulation       Currency fluctuation
11    Rapid technological changes         Interest rate changes
12    Cyber risk (malicious)              Talent and skills shortage
Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index
NATURE OF THE THREAT: THE THREAT ACTORS

HACKTIVISM: HACKING INSPIRED BY IDEOLOGY
MOTIVATION: SHIFTING ALLEGIANCES – DYNAMIC, UNPREDICTABLE
IMPACT TO BUSINESS: PUBLIC DISTRIBUTION, REPUTATION LOSS

ORGANISED CRIME: GLOBAL, DIFFICULT TO TRACE AND PROSECUTE
MOTIVATION: FINANCIAL ADVANTAGE
IMPACT TO BUSINESS: THEFT OF INFORMATION

THE INSIDER: INTENTIONAL OR UNINTENTIONAL?
MOTIVATION: GRUDGE, FINANCIAL GAIN
IMPACT TO BUSINESS: DISTRIBUTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATION LOSS

STATE-SPONSORED: ESPIONAGE AND SABOTAGE
MOTIVATION: POLITICAL ADVANTAGE, ECONOMIC ADVANTAGE, MILITARY ADVANTAGE
IMPACT TO BUSINESS: DISRUPTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATIONAL LOSS
SECTOR VIEWPOINT - BANKING
[Diagram: threats placed on a spectrum from "Well known - hard" to "Hypothetical...?", with the labels Black Economy - Big Data - Systemic Risk]
Threats shown: ATM Card Fraud; EPOS Threat; Banking Trojans; E-Commerce; Mobile Malware; Insider Threats; Denial of Service Attacks; Espionage; Data Manipulation
Figures shown: 3.3 bps EA-17 2013; 3.9 bps EA-17 2013; 18 bps UK 2013; £40M? in UK 2013; 1 in 6 US Cards; New since 2012; Finance 9% attacks; Finance 13% attacks
Sources: Fraud the Facts 2014, Financial Fraud Action UK;
3rd Report on Card Fraud, February 2014, European Central Bank;
Regional Advanced Threat Report, 1H2014, FireEye;
Quarterly Global DDoS Attack Report, Q1 2014, Prolexic
WHAT WE KNOW (ish)
Spending on security
Cost of data breaches
Likelihood of data record breaches
Type of security breaches
Cost of artifacts on black market
Indications of link between security and cost to attacker
A MARKET FOR LEMONS?
Sources: Gartner Worldwide Spending on Security; BIS Information Security Breach Survey 2014; Ponemon 2014 Cost of Data Breach Survey;
RAND Markets for Cybercrime Tools and Stolen Data 2014; Verizon 2014 Data Breach Investigations Report;
CMU Trusted Computing in Embedded Systems Workshop, November 2010
HARD QUESTIONS
How effective are my security controls?
What risks am I running?
What is the link between risk and £ spent?
How much should I spend on security?
Is this really worth the money?
Have I got the right balance of controls?
What really makes their life difficult?
What would make an attacker look elsewhere?
How much will the attacker spend?
SURROGATES FOR ANSWERS
Best
Practice
Trends &
Fashions
I heard about it
at a conference...
Expert
Judgement
The CEO I read
about it in the
paper...
Benchmark
Everyone else is
doing it...
Compliance
We were
told to..
You pay me to
get it right...
Nobody ever got fired for...
A WAY OF THINKING ABOUT CYBER RISK
CYBER SECURITY IMPOSES COST ON ATTACKERS AND ON BUSINESS
BUSINESS OPPORTUNITY FOR BOTH SIDES
[Diagram: Threat Actor and Company each bear a Cost and pursue Exploitation of the Information Asset/Service]
PARTING THOUGHTS
CYBER SECURITY IS A TRANSIENT RISK... NOT BECAUSE IT WILL GO AWAY... BUT BECAUSE IT IS BECOMING INTRINSIC TO BUSINESS
THINGS ABOUT CYBER SECURITY RISKS ARE TRICKY... SCALE... OPAQUENESS... SYSTEMIC RISK...
AS RISK PROFESSIONALS WE HAVE A LONG WAY TO GO TO UNDERSTAND AND MANAGE THIS RISK... LET ALONE COMMUNICATE IT!
HELPING CLIENTS SPREAD THEIR WINGS
The information contained herein is of a general nature and is not intended to
address the circumstances of any particular individual or entity. Although we
endeavour to provide accurate and timely information, there can be no guarantee
that such information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the
particular situation.
DRIVEN BY BUSINESS
RAZOR SHARP INSIGHTS
The KPMG name, logo and “cutting through complexity” are registered
trademarks or trademarks of KPMG International Cooperative (KPMG
International).
We work with our clients to move their business forward.
Positively managing cyber risk not only helps take control of
uncertainty across business; it can be turned into a genuine
strategic advantage.
In a fast-moving digital world of constantly evolving threats and
opportunities, you need both agility and assurance.
Our people are experts in both cyber security and our priority sectors, which means we give our clients leading-edge insight, ideas and proven solutions to act with confidence.
SHOULDER TO SHOULDER
We work with our clients as long-term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability, so we work hand-in-hand with them to turn that into a real sense of security and opportunity.