the inconvenient truth about cyber security


Page 1: The Inconvenient Truth About Cyber Security

October 2016

kpmg.co.za

Nathan Desfontaines

@CYBERS3C

Page 2: The Inconvenient Truth About Cyber Security

© 2016 KPMG Services Proprietary Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in South Africa. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Document Classification: KPMG Confidential

Page 3: The Inconvenient Truth About Cyber Security
Page 4: The Inconvenient Truth About Cyber Security


Page 5: The Inconvenient Truth About Cyber Security

The Nitty-Gritty

Page 6: The Inconvenient Truth About Cyber Security


Page 7: The Inconvenient Truth About Cyber Security


Page 8: The Inconvenient Truth About Cyber Security


Page 9: The Inconvenient Truth About Cyber Security


Page 10: The Inconvenient Truth About Cyber Security


Page 11: The Inconvenient Truth About Cyber Security


Page 12: The Inconvenient Truth About Cyber Security


Page 13: The Inconvenient Truth About Cyber Security


Diagram labels: Threat Actor, Attack Vector, Attack Surface / Landscape, Cyber Attack

Why not? It’s probably already happened.

Page 14: The Inconvenient Truth About Cyber Security


Page 15: The Inconvenient Truth About Cyber Security


Page 16: The Inconvenient Truth About Cyber Security

So What?

Page 17: The Inconvenient Truth About Cyber Security


Parking Ticket

Page 18: The Inconvenient Truth About Cyber Security


Five Major Concerns For CFOs WRT Cybersecurity

Cyber attacks around the world are increasing in volume and sophistication. Many organisations do not even know they are victims of cyber attacks.

The costs of these attacks to the organisations – whether financial or reputational – can be staggering. For CFOs, information security needs to be a top priority in safeguarding their organisation’s future.

Page 19: The Inconvenient Truth About Cyber Security


Five Major Concerns For CFOs WRT Cybersecurity (cont.)

1. Your information network will be compromised.

2. Physical security and cybersecurity are increasingly linked.

3. Cyber damages go beyond direct financial loss.

4. Everything can’t be protected equally.

5. Your walls are probably high enough.

Page 20: The Inconvenient Truth About Cyber Security

Now What?

Page 21: The Inconvenient Truth About Cyber Security


Five Steps For CFOs Towards Addressing Cybersecurity

One of the biggest mistakes any company can make is to relegate cyber security to the CIO office.

There is no single solution to the problem of cyber risks. Here are some steps that you can take to get your organisation on the path to a secure future:

Page 22: The Inconvenient Truth About Cyber Security


Five Steps For CFOs Towards Addressing Cybersecurity (cont.)

1. Make cybersecurity a board-level issue

2. Have a clearly defined strategy and involve all relevant stakeholders

3. Make the right investments in projects and people

Page 23: The Inconvenient Truth About Cyber Security


Page 24: The Inconvenient Truth About Cyber Security


Five Steps For CFOs Towards Addressing Cybersecurity (cont.)

1. Make cybersecurity a board-level issue

2. Have a clearly defined strategy and involve all relevant stakeholders

3. Make the right investments in projects and people

4. Stay current on emerging threats, and change processes as needed

5. Measure and monitor performance regularly

Page 25: The Inconvenient Truth About Cyber Security


An Ever-Changing Threat Landscape

Extortion-driven attacks and ransomware attempts will increase

Pressure to disclose data breaches and threat responses will intensify

Widespread use of mobile devices and IoT brings a parallel increase in risk

Organisations will make greater use of real-time intelligence tools to monitor attacks

Organisations will focus much more on risks posed by third party vendors and suppliers

Page 26: The Inconvenient Truth About Cyber Security

So What is The Inconvenient Truth?

Page 27: The Inconvenient Truth About Cyber Security


Page 28: The Inconvenient Truth About Cyber Security


CFOs need to find answers to some questions

1. Are the same incidents occurring repeatedly?

2. How quickly are we detecting incidents?

3. Do we have a well-tested incident response and communication plan?

4. Do we track what information is leaving our organisation and where it is going?

5. How do we identify our critical assets, associated risks, and vulnerabilities?

6. What training, technology and controls are in place to ensure that incidents do not happen again?

7. Do our security controls cover the entire company, including subsidiaries and affiliates?

Page 29: The Inconvenient Truth About Cyber Security


So What is the CFO’s role in Cybersecurity?

1. Evaluate the existing cyber-incident response plan. Focus on the controls for the “crown jewels” and what you would do in the event of an incident. The team responsible for this should include senior management from the lines of business and administrative functions.

2. Identify finance’s role in cybersecurity. Work with your CIO or CISO and the business leaders to see how finance can help create the necessary culture of security and privacy.

3. Organisations can enhance their security stance by valuing cyber-security and the protection of privacy and viewing. Remember: “Security begins with me.”

Page 30: The Inconvenient Truth About Cyber Security


So What is the CFO’s role in Cybersecurity? (cont.)

4. Require regular reports on security risks. These reports should be from senior management and detail privacy and security risks, based not on project status but on specific risk indicators.

5. Review the cyber-security budget. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cyber-security budgets is recommended.

6. Re-evaluate cyber insurance. Also on an annual basis, revisit the use and need of cyber insurance.

Page 31: The Inconvenient Truth About Cyber Security


Closing The Loop

1. What are we trying to protect and from whom? Get an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all.

2. Accept the fact that a breach is inevitable. Whether or not your organisation has been doing enough due diligence to mitigate risks, preparing for a breach is now mandatory.

3. Focus on early detection and response. Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo.

Page 32: The Inconvenient Truth About Cyber Security

Questions?

Page 33: The Inconvenient Truth About Cyber Security

Contact me

Nathan Desfontaines

Nathan dot Desfontaines at KPMG dot co dot za