Every organisation must consider the cyber risks it faces and the impact an attack might have, according to David Ferbrache, technical director in KPMG’s cyber security practice.
“Only then can an organisation assess what a cyber threat might mean to its business – and perhaps its very survival,” he wrote in a blog post.
Companies should be investing more time and energy in cyber protection and resilience than ever before in view of the constantly changing cyber crime threat, said Ferbrache. But he noted that many firms are suffering from “cyber fatigue” and focusing IT investment on a variety of emerging technologies, such as machine learning, at the expense of security.
Ferbrache said a “radical rethink” is required on the part of internal audit (IA), which generally focuses on mapping control networks as a way of preventing cyber crime.
“The problem is that this does not always mirror how the crimes are committed,” he said. “It’s time for a different approach.”
He described cyber criminals as “rational businesspeople” looking for a return on their investment in the tactics and tools they use to steal, commit fraud and extort money. “One thing they do not do is think in organisational silo structures – and so neither should the IA team,” said Ferbrache.
Although a combination of technological and behavioural controls within a strong but agile governance framework is a good approach, he said many organisations are still failing to get the basics right or to apply their controls and governance consistently.
“The key is to concentrate on operational resilience – focusing on the threats, assessing what the organisation is trying to defend against, and then aligning the objectives of its distinct levels of controls,” said Ferbrache.
Building up true resilience relies on understanding just how interconnected and interdependent different segments of the organisation are, as well as the third parties they rely on, he said.
“Only by gaining a holistic view of the entire business can those charged with keeping it secure form a true picture of its weak spots and vulnerabilities.
“By understanding the adversarial nature of cyber threats and the cascade of consequences after cyber strikes, organisations can prepare for a swift and agile response to attacks – the mark of a properly resilient organisation.”
Ferbrache recommended that organisations start by assessing what stage they are at in their management of cyber risk.
“Too many companies either deny it is a problem for them or have false confidence in their processes,” he said. “At the other end of the scale, there are business worriers who want as much security as possible – without realising the impact on day-to-day business. None of these extreme positions is helpful.”
KPMG advises that organisations should:
- Get the cyber threats they face in perspective by considering what cyber criminals might be after and how they could get it.
- Use credible attack scenarios to test the adequacy and integration of controls.
- Build buy-in from the organisation’s leaders for controls to apply in a proportionate way across all areas of the business.
- Think about what the organisation needs to do to survive and rebuild after a major cyber attack.
In a joint report with industry body UK Finance, KPMG is also advising the UK’s financial firms to collaborate more with each other, government and law enforcement to combat cyber crime.
The report calls for a new approach to fighting cyber crime in the financial sector, aimed at disrupting cyber criminal markets, tools and systems.
“This approach imposes cost on them [the criminals] because they then have to reconstruct that botnet, those phishing sites,” Ferbrache told Reuters. “For us, it’s very much a bit of a call to arms across the community. There’s a lot more we can do.”
There are groups such as the Cyber Defence Alliance, a London-based, public-private partnership set up to turn threat information into actionable intelligence, but different initiatives need to be linked up, according to report authors Ferbrache and Dan Crisp, interim director of technology and digital policy at UK Finance.
The report noted that cyber crime is now second only to political risk in terms of challenges facing the financial sector, and that the 2016 attack on Bangladesh Bank, in which cyber criminals made off with $81m, shows the growing sophistication of attacks on financial firms.
UK banks alone spent $360m on IT in 2016, but the report said approaches are often slow and constrained by regulation, while cyber criminals, who can operate beyond borders and the law, are constantly updating their methods.
This requires a quicker and more collaborative response, the report said. “Ultimately, the financial sector as a community needs to organise this itself,” said Ferbrache.