Cyber security: A topic for the Board - MDBC · 23-5-2016


Page 1: Cyber security A topic for the Board - MDBC · 23-5-2016  · —Cybercrime-as-a-service marketplace Enables fraudsters to cash in without the need for technical knowledge Cybercrime

© 2016 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under the Malaysian Companies Act 1965 and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Malaysia.

Document Classification: KPMG Confidential

1

Cyber security: A topic for the Board

A new approach to Cyber Security

May 23, 2016

Page 2

Programme

• Introduction to Cyber Security
• Setting the scene on Cyber Security
• Determining the Cyber Risk Profile
• The human factor – social engineering
• Legal and Regulatory requirements
  - EU Data Privacy Act
  - NL “Meldplicht datalekken”
• Cyber in the board room
  - Relevant questions
• Cyber Crisis Management Game

Page 3

Cyber Security - Definition

Cyber Security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.¹

Cyber security is not new; only the number and impact of cyber incidents have increased dramatically.

Due to this increase in impactful cyber incidents (with huge media attention), we see more and more attention from customers, media and regulators.

¹ Source: NCSS 2

Page 4

Relevant Trends

1. External threats: Organised crime, nation-states, cyber espionage, hacktivism, insider threats.
2. Change in the way business is conducted: Cloud computing, big data, social media, consumerisation, BYOD, mobile banking.
3. Rapid technology change: Hyper connectivity – the Internet of Things, information availability, anytime anywhere, scalability, on-demand.
4. Regulatory compliance: Data loss, privacy, records management; governments / regulators become more demanding on organisations in terms of cyber security.
5. Changing market and client need: Strategic shift, situational awareness, understanding that cyber security requires more than technological measures.
6. Increasing awareness: Slowly but surely society becomes more aware of the need to strengthen cyber security.

Page 5

Changes in Risk Ranking

Rank  2011                                 2014
1     Loss of customers/cancelled orders   High taxation
2     Talent and skills shortage           Loss of customers/cancelled orders
3     Reputational risk                    Cyber risk
4     Currency fluctuation                 Price of material inputs
5     Changing legislation                 Excessively strict regulation
6     Cost and availability of credit      Changing legislation
7     Price of material inputs             Inflation
8     Inflation                            Cost and availability of credit
9     Corporate liability                  Rapid technological changes
10    Excessively strict regulation        Interest rate changes

Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index

Page 6

FTSE 350 Cyber Governance Health Check: KPMG’s Top 10 findings

WHAT DO YOU BASE YOUR DISCUSSIONS ON?
• 25% of respondents have never received intelligence from their CIO on cyber threats
• 30% of respondents regularly receive cyber intelligence

WHAT ABOUT THIRD PARTIES?
• 48% have a basic understanding of information assets shared with third parties …but Chairs did not have a strong understanding of how they dealt with third-party risk

ARE YOU DOING ENOUGH?
• 74% think their board colleagues take cyber very seriously
• 48% of chairs had IT security/cyber training in the last 12 months

HOW ARE CYBER RISKS PERCEIVED IN YOUR BUSINESS?
• 58% of respondents expect cyber risk to increase
• 29% of chairmen are anxious about cyber risk

WHO IS IN CHARGE?
• 89% see responsibility for cyber threats sitting with the board executive or audit committee
• 15% see the CIO as the senior cyber risk owner; nearly half say it is the CEO or CFO

Page 7

Managing Cyber Risk - Past vs Present

PAST
• Risks of user error and insider fraud

PRESENT
• Organised crime – global, difficult to trace and prosecute. Motivation: financial advantage. Impact to business: theft of information.
• State-sponsored espionage and warfare. Motivation: political advantage, economic advantage, military advantage. Impact to business: disruption or destruction, theft of information, reputational loss.
• Hacktivism – hacking inspired by ideology. Motivation: shifting allegiances – dynamic, unpredictable. Impact to business: public distribution, reputation loss.
• The insider – disgruntled by change and uncertainty. Motivation: grudge, financial gain. Impact to business: disruption or destruction, theft of information, reputation loss.

Page 8

Determining Cyber Risk Profile

The cyber risk profile is determined by:
• Business environment
• Possible targets (crown jewels)
• Threat actors
• Vulnerability / resilience
• Legal & regulatory requirements

Page 9

Business environment

1. Changing “business model”: Increased digitalization, offline to online (customer as active actor in the online business process), doing business in risk countries, new services.
2. Fast technology developments: Cloud computing, big data, social media, consumerisation, BYOD, mobile banking.
3. Customer expectations: The customer expects that his data is protected when stored / processed by leading organizations.

Page 10

What is being stolen? Possible targets (crown jewels)

Information that is valuable
• Intellectual property
• Business processes
• Customer, supplier and personnel data
• Financials

Business critical information
• Business plans
• New products
• New markets

Critical business transactions
• Raising finance
• M&A
• JV
• Divestitures

Page 11

Threat Landscape: Each threat actor has their own motivations, capabilities and targets.

Threat Actors

Page 12

Threat Landscape: Threat Actors and the typical assets they target

Organised Crime – global, difficult to trace and prosecute
+ Financial assets
+ Personal data, including financial records

Nation States – cyber espionage and warfare
+ Intellectual property
+ Strategic/operational plans
+ M&A activity
+ Critical infrastructure (for cyber warfare)

Hacktivists – hacking inspired by ideology
+ Reputation – public and media perception
+ Publications – websites
+ Services – disruption

The Insider – disgruntled by change and uncertainty
+ Customer and client lists
+ Processes and plans
+ Services – disruption

Journalist – investigative reporting
+ Confidential information through leaks and hacking

Page 13

Vulnerability / Resilience: Assess the level of vulnerability / resilience for relevant threat actors

— Assess vulnerability:
- Assess whether your organisation is vulnerable to specific attack vectors used by specific attackers – based on the Kill Chain approach
- Assess whether your organisation is able to detect such an attack vector (knowing that most organisations detect advanced attacks only 200 days after the attack itself occurred)

— Build / Assess resilience:
- Build a crisis plan for these types of attacks and test this plan periodically!

Vulnerability / Resilience

Page 14

The approach: Cyber kill chain methodology

BEFORE THE HACK (T-1) – T0 – AFTER THE HACK (T+1)

YOUR GOAL: MOVE DETECTION AND RESPONSE UP THE KILL CHAIN

1. Recon – Select targets and determine attack methods
2. Weaponize – Develop the attack methods
3. Deliver – Transmission of the attack via physical, email, web, or social engineering
4. Exploit – Successful penetration – access gained
5. Install – Install “malware” to gain remote control
6. Control – Establish command & control throughout the network
7. Execute – Complete actions and achieve the red flags

Vulnerability / Resilience
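As an added example (not part of the KPMG deck), the Python below turns the goal of moving detection up the kill chain into a measurable number: it parses constructed alert lines, places each alert on the seven stages above and reports, per incident, how many stages ran undetected before the first alert fired, plus which stages have no detection rule at all. The rule names, incident ids, hosts and the rule-to-stage mapping are assumptions constructed for the example.

```python
"""Measure how far up the kill chain detections fire.

Added example, not from the KPMG deck. Only the stage names are the deck's
(Recon, Weaponize, Deliver, Exploit, Install, Control, Execute); the alert
lines, rule names and the rule-to-stage mapping are constructed here.
"""
import re

# The deck's seven stages in order: index 0 is earliest (T-1), 6 is latest (T+1).
STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "Control", "Execute"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed mapping of detection rules to the stage at which they fire.
# Weaponize happens on the attacker's side, so no internal control covers it.
RULE_STAGE = {
    "ext_port_scan": "Recon",
    "phish_attachment_quarantine": "Deliver",
    "office_spawns_shell": "Exploit",
    "new_autorun_binary": "Install",
    "beacon_to_rare_domain": "Control",
    "bulk_file_share_read": "Execute",
}

# Constructed alert format: "<timestamp> incident=<id> rule=<rule> host=<host>"
ALERT_LINE = re.compile(
    r"^(?P<ts>\S+) incident=(?P<inc>\S+) rule=(?P<rule>\S+) host=(?P<host>\S+)$"
)

# Constructed sample alerts; the last line is deliberately malformed.
SAMPLE_ALERTS = """\
2016-05-23T09:02:11Z incident=inc-1 rule=ext_port_scan host=fw-edge
2016-05-23T09:41:05Z incident=inc-1 rule=phish_attachment_quarantine host=mx1
2016-05-23T10:10:40Z incident=inc-2 rule=beacon_to_rare_domain host=ws-017
2016-05-23T10:12:03Z incident=inc-2 rule=bulk_file_share_read host=fs-01
2016-05-23T11:00:00Z incident=inc-3 rule=bulk_file_share_read host=fs-02
this line is garbage and is skipped
"""


def parse_alerts(text):
    """Yield (incident, stage) for each well-formed alert line with a known rule."""
    for line in text.splitlines():
        m = ALERT_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole report
        stage = RULE_STAGE.get(m["rule"])
        if stage is None:
            continue  # unmapped rule: cannot be placed on the chain
        yield m["inc"], stage


def earliest_detection(text):
    """Map each incident to the earliest kill-chain stage at which an alert fired."""
    first = {}
    for inc, stage in parse_alerts(text):
        idx = STAGE_INDEX[stage]
        if inc not in first or idx < first[inc]:
            first[inc] = idx
    return {inc: STAGES[idx] for inc, idx in first.items()}


def stages_missed(text):
    """Stages that ran undetected before the first alert, per incident.

    0 means detection already at Recon; 6 means nothing fired until Execute.
    """
    return {inc: STAGE_INDEX[stage] for inc, stage in earliest_detection(text).items()}


def coverage_gaps(rule_stage=RULE_STAGE):
    """Stages with no detection rule at all: where the chain is blind."""
    covered = set(rule_stage.values())
    return [s for s in STAGES if s not in covered]


if __name__ == "__main__":
    missed = stages_missed(SAMPLE_ALERTS)
    for inc, stage in sorted(earliest_detection(SAMPLE_ALERTS).items()):
        print(f"{inc}: first seen at {stage} ({missed[inc]} stages ran undetected)")
    print("blind stages:", coverage_gaps())
```

Tracking the "stages missed" figure over time gives the board a single trend line for whether detection is moving up the chain.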

Page 15

Social Engineering: What is social engineering?

You and your employees are the weakest link… but when well trained, they can be the strongest weapon of the organisation against social engineering attacks.

Technology – Process – People

Vulnerability / Resilience

Page 16

Social Engineering: Evolution of the attacks — Attacks are getting more complex and difficult to recognize.

Vulnerability / Resilience

Page 17

Social Engineering: Evolution of the attacks

— Malware creation tools that can be used in social engineering attacks are today available “off the shelf”.

— Cybercrime-as-a-service marketplace: enables fraudsters to cash in without the need for technical knowledge. Cybercrime “service providers” must improve the quality of malware more than ever to keep and win customers.

— Many attacks are easy to perform and low cost:
- Phishing attacks: 500,000 email addresses cost $30
- Hosting a phishing site can be done for free
- 1,000 credit card numbers cost $100

Vulnerability / Resilience

Page 18

Social Engineering: Psychological concepts (that are used by social engineers)

— Six basic principles from Robert Cialdini:
- Liking
- Authority
- Social Proof
- Consistency
- Reciprocation
- Scarcity

— Other concepts:
- Similarity
- Do the unexpected
- Perceptual contrast

Vulnerability / Resilience

Page 19

Real life examples: KPMG attack simulation: using USB sticks

Vulnerability / Resilience

This is one of the USB sticks as handed out last Thursday by “Brasserie Mimicry”

Page 20

Real life examples: KPMG attack simulation: using USB sticks

— Within 40 minutes after initiating the attack we had full access to:
- The “crown jewels” of the bank. We could read and edit financial details of all their clients.
- As we had access to multiple desktops, segregation of duties did not exist anymore.
- Network shares full of further sensitive internal information on clients and employees.

— But we could also:
- Use the compromised systems to perform further attacks, e.g. use the mailbox of the victims as a trusted source to spread malware further on the network.

Vulnerability / Resilience

Page 21

Real life examples: KPMG attack simulation: Hide in plain sight — Dutch Sinterklaas on assignment…

Vulnerability / Resilience

Page 22

Legal and Regulatory changes

DNB / DUTCH CENTRAL BANK
• Cybercrime: theme 2014/2015
• Mandatory periodical self-assessment – required maturity level 3 / 4
• ECB: similar scheme

EUROPEAN UNION
• On 12 August 2013, Directive 2013/40/EU on attacks against information systems (the Cyber Crime Directive) came into force.
• The Cyber Crime Directive requires Member States to bring into force laws, regulations and administrative provisions by 4 September 2015 in order to provide a pan-European approach to cyber crime.
• Focus on critical infrastructures.

DUTCH GOVERNMENT
• National Cyber Security Strategy 2 – Government will act if required. If required, regulations and standards will be proposed – as a consequence of the implementation of the EU Cyber Risk Directive
• Primary focus: critical infrastructures
• CBP / Privacy: maximum fine EUR 800.000; after implementation of the EU Privacy Regulation: maximum fine 2% to 5% of global turnover

UNITED STATES
• Obama’s Executive Order of February 2013 aimed at increasing the cyber resilience of US organisations
  - Focus: critical infrastructures
  - Development of the NIST Cybersecurity Framework
• PCAOB issued guidelines for financial auditors related to cyber crime / cyber security
  - NBA is working on a Public Management Letter

Legal & regulatory requirements

Page 23

Draft EU data privacy regulation: Overview

With over 4,000 requested amendments to be negotiated between the European Parliament and the Council of Ministers, there are likely to be significant changes between now and the 2016 target date for adoption…

From the EU Data Protection Directive 95/46/EC to the General Data Protection Regulation: harmonise privacy laws across Europe, reflect the digital age.

“Our current data protection rules were adopted in 1995, when only 1% of the EU population was using the internet…and the founder of Facebook was only 11 years old”
Viviane Reding, European Commissioner of Justice, 2010-2014

Key elements:
• Applicability to non-EU controllers
• One Stop Shop
• Privacy Officer (> 5,000)
• Fines of €1 mio. or 2% of TR
• Additional subject rights
• Breach notification
• Privacy Impact Assessment
• Processor’s liability

Legal & regulatory requirements

Page 24

Privacy in the Netherlands… Dutch data protection act

STATUS QUO

Laws & regulations
• European: EU Data Protection Directive 95/46/EC; EU Data Retention Directive 2006/24/EC; E-Privacy Directive 2002/58/EC; Cookie Directive 2009/136/EC
• Dutch: Wet bescherming persoonsgegevens (Wbp); Telecomwet (Tw); Cookiewet; misc.: Wet BRP, Wpg, Wjsg, Gedragscodes (codes of conduct)

Supervision
• CBP – College bescherming persoonsgegevens
• ACM – Autoriteit Consument en Markt

1ST JANUARY 2016

On data breaches
• Meldplicht datalekken
• AP – Autoriteit Persoonsgegevens

Legal & regulatory requirements

Page 25

Dutch data privacy changes: Current regulation?

— Dutch changes: The bill ‘Meldplicht datalekken en uitbreiding boetebevoegdheid CBP’ was passed by the Tweede Kamer on February 10th 2015 and by the Eerste Kamer on May 26th 2015. This law is enforced as of January 1st 2016.

— Key changes:
- The Data Protection Authority (‘Cbp’) should be notified of data breaches without delay.
- Penalties up to €810k in case of not reporting a data breach, the careless processing of (sensitive) personal data, storing personal data too long, inadequate protection, or failure to comply with disclosure requirements.
- Penalties up to 10% of annual sales (among other things if binding instructions are not followed), to relate the height of the fine to the size of the organization (e.g. Google, Facebook).
- In case of data breaches the data controller should inform involved persons and society and provide information on:
  - Nature and scope of the data breach
  - Harmful effects of the infringement
  - Required effort for recovery actions
- The Cbp’s name is changed to Autoriteit Persoonsgegevens, and it is the authorized supervisor of the Telecommunications Act.

Timeline: Wet Persoonsregistratie (WPR), 1989; Wet bescherming persoonsgegevens (Wbp), 2001; + Meldplicht datalekken & uitbreiding boetebevoegdheid, 2016; EU General Data Protection Regulation, 2016 (expected).

Legal & regulatory requirements

Page 26

Cyber risk is driven and managed by more than technology

The drivers of inherent Cyber risk include the threats, your vulnerabilities, your assets and the regulatory and business environment in which you operate.

This inherent risk can be mitigated by deploying controls and having response capability and plans. In the worst case, resiliency and contingency planning will reduce the impact of significant cyber incidents.

The readiness of technical systems to protect, detect and react to an attack is important, but in many organisations the people are the weakest link; they can become the greatest asset for defence if properly informed and trained.

Drivers of inherent cyber risk:
• Threats – threat actor, actor capability, attack immediacy
• Regulations
• Vulnerabilities – people, process, technology
• Business drivers
• Assets – information assets, systems, applications

Mitigation:
• Protect and Defend – technical controls, behavioural controls
• Respond – immediate incident response, investigations
• Business resilience and contingency

Page 27

Lessons learned: how to mitigate the risks?

• Protect & Defend – technical controls, behavioural controls
• Respond – immediate incident response, investigations
• Human factor is the weakest link, unless…
• Cooperation is required: ISAC, sector, NCSC, (IT-) partners
• Shift from prevent to detect & respond
• How to react if you are hacked (and you will)…

PROTECT YOUR “CROWN JEWELS”

Page 28

Five Steps to Minimize your Exposure

1. Assess your readiness to respond / resilience: Perform a cyber maturity assessment to look at areas such as Leadership and Governance, Human Factors, Information Risk Management, Business Continuity and Crisis Management.
2. Hone in on your critical assets: Identify your critical assets, but remember that what you consider to be of no value may be considered valuable to an attacker. Take a look at the lifecycle of your critical information assets from creation all the way to destruction.
3. Select your defense: Based on your assessment and your critical assets, select your defenses. Know what threats you are going to defend against – trying to prevent them all gets very expensive.
4. Boost your security awareness and education: Everyone in the organization – from the boardroom to the mailroom – must understand the value and sensitivity of the information they possess and, more importantly, how to protect it.
5. Enhance monitoring & incident response: Being able to adequately respond to a security incident through established, tested processes should not be taken lightly. Supported by a security monitoring platform and good threat intelligence, you can get a better grip on monitoring and responding to cyber crime.

Page 29

Cyber risk discussion

The board gains assurance that cyber risks are well managed through key questions

How secure are you currently?

What have been the most serious security and privacy incidents that you (and your peers) have faced in the past 12 months, what have you learned from those experiences, and what are you now doing differently to prevent them from re-occurring?

Are you getting more or less secure?

What key indicators are on your security dashboard, how is the organisation achieving those objectives, and how does this compare to your peers?

How do you set priorities and risk appetite?

What is your organisational risk appetite for downtime, data loss and privacy incidents, how do you set your appetite level, and how are you tracking against that?

What are the 'crown jewels' that require the highest levels of protection? Which business processes are critical to survival of the organisation?

How are you organised to manage the issue?

How is your first line and second line of defence set up? How do you report on the risk? How do you co-ordinate across multiple responsible functions?

Are you spending at the right level? And getting value for money for that spend?

What are you spending on security over the next three years? Is it enough to appropriately respond to the threat? Where are you under-invested and where can you make savings? Can you defend your investment compared to your peers?

How do you manage third party suppliers?

How do you ensure your suppliers (and their suppliers in turn) do not expose you to unacceptable cyber risk?

Page 30


John Hermans

Partner

KPMG Advisory N.V.

Laan van Langerhuize 1

1186DS Amstelveen

[email protected]

Function and specialization

• Cyber Security Lead Partner, Advisory KPMG The Netherlands

• EMA Cyber Security Lead Partner and Member of KPMG global Cyber Security leadership

Education, licenses and certifications

• Bachelor degree in Information Management

• Post Graduate EDP Auditing -Certifications as chartered IT auditor (RE).

— Background

John is a partner in the Amstelveen practice of KPMG IT Advisory and a member of KPMG’s Global Leadership on Cyber Security. In his current position he is heading the Cyber Security Services of KPMG in the Netherlands, covering the following services:

• Security Strategy Services / Cyber Security in the Board Room
• IT Governance, Risk and Compliance
• Technical Security Services
• Cyber Security Services
• Identity & Access Management
• Business Continuity Services
• Data Privacy Services

Furthermore, John is leading KPMG’s Strategic Growth Initiative on Cyber Security services within the Netherlands as well as in Europe, the Middle East and Africa, and is a member of KPMG’s global Cyber Security Leadership.

— Professional experience

John has worked for numerous international and national organisations in most industry sectors, such as Financial Services, Oil & Gas, Retail and Government, and is considered one of the leaders in his field of expertise. John was involved in more than 100 national and international information security projects across the world. John’s major involvements were in advising and supporting our clients in developing, defining and implementing their overall Information Security strategy, building the required business cases for Executive Boards as well as Supervisory Boards, and performing multiple program management activities as well as executing quality assurance assignments.

Next to being involved in many information security and cyber security programs and projects, John is involved in multiple Cloud Computing projects in both the private and public sector. John’s major involvements relate to advising and supporting our clients in developing, defining and implementing their cloud computing strategy as well as advising on cloud security/assurance advisory topics.

— Industry experience

Financial Services: Insurance, Mortgages and Banking

Oil & Gas

Telecommunications

Government

Health Technologies

Page 31

© 2016 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks of KPMG International.

John Hermans
Partner, Risk Consulting

Laan van Langerhuize 1
1186 DS Amstelveen

Tel: +31 20 656 8394
Mob: +31 6 51 366 389
Email: [email protected]

Page 32

Thank you

Page 33

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia kpmg.com/app
