the inconvenient truth about cyber security
TRANSCRIPT
October 2016
kpmg.co.za
Nathan Desfontaines
@CYBERS3C
© 2016 KPMG Services Proprietary Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in South Africa. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.
Document Classification: KPMG Confidential
The Nitty-Gritty
Threat Actor
Attack Vector
Attack Surface / Landscape
Cyber Attack
Why Not? It's probably already happened.
So What?
Parking Ticket
Five Major Concerns For CFOs WRT Cybersecurity
Cyber attacks around the world are increasing in volume and sophistication. Many organisations do not even know they are victims of cyber attacks.
The costs of these attacks to the organisations, whether financial or reputational, can be staggering. For CFOs, information security needs to be a top priority in safeguarding their organisation's future.
Five Major Concerns For CFOs WRT Cybersecurity (cont.)
1. Your information network will be compromised.
2. Physical security and cybersecurity are increasingly linked.
3. Cyber damages go beyond direct financial loss.
4. Everything can't be protected equally.
5. Your walls are probably high enough.
Now What?
Five Steps For CFOs Towards Addressing Cybersecurity
One of the biggest mistakes any company can make is to relegate cyber security to the CIO office.
There is no single solution to the problem of cyber risks. Here are some steps that you can take to get your organisation on the path to a secure future:
Five Steps For CFOs Towards Addressing Cybersecurity (cont.)
1. Make cybersecurity a board-level issue
2. Have a clearly defined strategy and involve all relevant stakeholders
3. Make the right investments in projects and people
4. Stay current on emerging threats, and change processes as needed
5. Measure and monitor performance regularly
An Ever-Changing Threat Landscape
Extortion-driven attacks and ransomware attempts will increase
Pressure to disclose data breaches and threat responses will intensify
Widespread use of mobile devices and IoT brings a parallel increase in risk
Organisations will make greater use of real-time intelligence tools to monitor attacks
Organisations will focus much more on risks posed by third party vendors and suppliers
So What is The Inconvenient Truth?
CFOs need to find answers to some questions
1. Are the same incidents occurring repeatedly?
2. How quickly are we detecting incidents?
3. Do we have a well-tested incident response and communication plan?
4. Do we track what information is leaving our organisation and where it is going?
5. How do we identify our critical assets, associated risks, and vulnerabilities?
6. What training, technology and controls are in place to ensure that incidents do not happen again?
7. Do our security controls cover the entire company, including subsidiaries and affiliates?
So What is the CFO's role in Cybersecurity?
1. Evaluate the existing cyber-incident response plan. Focus on the controls for the “crown jewels” and what you would do in the event of an incident. The team responsible for this should include senior management from the lines of business and administrative functions.
2. Identify finance's role in cybersecurity. Work with your CIO or CISO and the business leaders to see how finance can help create the necessary culture of security and privacy.
3. Organisations can enhance their security stance by valuing cyber-security and the protection of privacy and viewing. Remember: “Security begins with me.”
So What is the CFO's role in Cybersecurity? (cont.)
4. Require regular reports on security risks. These reports should be from senior management and detail privacy and security risks, based not on project status but on specific risk indicators.
5. Review the cyber-security budget. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cyber-security budgets is recommended.
6. Re-evaluate cyber insurance. Also on an annual basis, revisit the use and need of cyber insurance.
Closing The Loop
1. What are we trying to protect and from whom? Get an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all.
2. Accept the fact that a breach is inevitable. Whether or not your organisation has been doing enough due diligence to mitigate risks, preparing for a breach is now mandatory.
3. Focus on early detection and response. Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo.
Questions?
Contact me
Nathan Desfontaines
Nathan dot Desfontaines at KPMG dot co dot za