Cyber Security: The changing landscape
September 2016
kpmg.com/channelislands
Document Classification: KPMG Confidential
© 2016 KPMG Channel Islands Limited, a Jersey company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Agenda
- Introduction
- Cyber
- General Data Protection Regulation
- Questions
Introduction
− Protect your personal, client and business information
− Strategic matters
− Technical versus cultural
− KPMG has global expertise
Mika Laaksonen
Our cyber security journey - global
Accelerated Cyber Security revenue growth
$614m FY14
Overtaken our direct competitors in many key markets…
Made Cyber Security one of our six global multi-disciplinary Strategic Growth Initiatives (SGIs)
Deepened and broadened our range of services
Completed five acquisitions in a year
Increased our range of clients
6
…and moved Cyber Security to the heart of KPMG
$153m FY11
Earmarked $165m for investment in organic growth over five years
3,810 clients globally
40%
Growth target
$1000m FY20
How prepared are we?
Are we prepared? Seventy-two percent of CEOs say they are not fully prepared for a cyber event, significantly higher than in 2015 (50 percent).
Can you be fully prepared? In interviews, CEOs frequently said: “We are as prepared as we can be” or “You can never be fully prepared.”
How to prepare? By practicing the ability to respond to cyber events. Companies need an ability to be agile and deal with the unexpected.
Attacks
Targeted attacks are becoming more common…
In a study of 1,200 companies, security research firm FireEye identified:
24%
97%
We did a similar study in Finland, Sweden and Denmark – The results are similar.
of these companies were breached.
of these companies experienced events that matched the patterns of a targeted attack
The risks – where’s the upside?
Cyber security is correlated with performance. More CEOs from top-performing companies believe that they are fully prepared for a cyber event.
As the volume of data grows exponentially, so do the opportunities to use it. Typically, when services are free, businesses make money from the data, and the consumer becomes, in effect, a product.
KPMG CEO Survey 2016. Growing companies are more prepared
KPMG CEO Survey 2016. Security prompts innovation
Threats - http://cyber.kpmg.com/#
− Data breach
− Malware
− APT
− Hacktivism
− Mobile security
cyber.kpmg.com. Threats (1.9.2016)
Regulatory Focus Areas and Industry Activities
Regulatory Focus Areas
− Evaluation of Cybersecurity Inherent Risk
− Enterprise Risk Management and Oversight
− Threat Intelligence and Collaboration
− Data Classification and Risk-Based Controls
− External Dependency and Vendor Risk Management
− Cyber Incident Management and Resilience (BCP/DR)
− Information Sharing
− Social Engineering and Insider Threats
− Data Loss Prevention (DLP)
Industry Activities
− Cybersecurity Assessments and Benchmarking
− Refresh Information Governance Model
− Enhance Data & Information Protection
− Improve Security Monitoring and Incident Management
− Participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
− Develop and Revise Policy & Standards
− Maintain an Effective End-User Awareness Program
− Improve Third-Party Vendor Security Assessment Program
The General Data Protection Regulation (“GDPR”)
- Applicable to all organisations that process personal data of EU nationals, including organisations outside EU
- Approved in April 2016
- Two-year transition period; binding from 25 May 2018
- Significant increase in sanctions (up to €20m / 4% of global turnover)
Security measures apply both to personal data and other critical data
Teijo Peltoniemi
Welcome to the Channel Islands
Perfect storm
Why is this important?
4.3 million phishing attempts / hour
1.8 million malware attacks / hour
74% UK SME companies report breaches
20% of all attacks target SMEs
The cost of an attack often exceeds £300k
And regulations…
Good security practices are needed to protect the information
You will be accountable!
Data protection
Cyber security
Source: EU, McAfee, UK Gov
Questions we ask related to GDPR/cyber
− Personal data?
− What are “logical” personal data registers?
− Who should own the data?
− What policies are needed?
− What are the responsibilities?
− Is training needed?
− What contracts should be amended?
− What is your policy on data retention?
− What logging and audit trail are needed?
− How do you meet the right of access/right to be forgotten/data portability?
− What are your detection and forensic capabilities?
− User management?
Implications in the Channel Islands
Investment Advisers
Investment Managers
Investors
Boards
Trust / Fund Service Providers
Beneficiaries
IT Vendors
Investors
Regulators
Registries
Banks
Settlors
Web, mobile services, social, email etc.
Key questions to be addressed
Business processes
− What are the business processes processing personal data?
− What type of data is that?
− Who are the participants in the process?
− What are the IT systems involved?
Product/service information
− What personal data is stored in association to products/services?
− IT systems and participants?
Information flows
− What are the information flows between services?
Outsourced services
− What processes or services are outsourced? To whom and where?
Access to information
− Who has access to the information?
− What is the purpose?
Know where you are
Sanctions
Know where you are (cont’d)
Efficiency
Jersey stats
- JFSC: 4,000 attacks per day (spikes up to 12,000)
- States of Jersey: estimated at 10% of the JFSC’s threat level
- Jersey Police: receives significant cyber crime reports, with a huge increase year on year, and estimates that this is significantly under-reported
- Relatively low awareness of cybersecurity (95% of breaches involved human error in 2014)
- NO local centralised emergency operation
Guernsey stats unavailable at this time
Threats to the Channel Islands
Locally, we have seen a sharp increase in:
- Whaling
- Ransomware
- Distributed denial of service
- Data loss
- Insider threat
Topical in the Channel Islands
− Awareness
− Information sharing
− GDPR
− ISO 27001 (information security management standard)
− SIEM (security information and event management)
Thank you
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Brian Bethell, Director, Tel: +441534 [email protected]
Ashley Paxton, Advisory Executive Director, Tel: +441481 [email protected]
Matej Jurkic, Audit Manager, Tel: +441481 [email protected]
Linda Johnson, Advisory Director, Tel: +441481 [email protected]
Teijo Peltoniemi, Advisory Senior Manager, Tel: +441534 [email protected]
Rob Kirkby, Advisory Executive Director, Tel: +441534 [email protected]