Cyber Accelerate. Fast-track to cyber security for SMEs. KPMG New Zealand. kpmg.com/nz/cyber

Transcription

1 Cyber Accelerate Fast-track to cyber security for SMEs KPMG New Zealand kpmg.com/nz/cyber

2 Fast-track to cyber security for SMEs Cyber attack is often viewed as a risk which only affects highprofile, asset-rich businesses, but as traditional targets for cyber attack enhance their protection, attackers are increasingly focusing on organisations with a lower level of cyber maturity. Furthermore, increasingly many businesses demand that their suppliers and business partners demonstrate that they are engaging in cyber security best practice. Regardless of industry or size, all organisations are potential victims and must endeavour to develop strong, resilient cyber defences. SMEs are at risk of losing customers, or their supply chain, if they don t have adequate security in place. What is Cyber Accelerate? Cyber Accelerate is a KPMG offering designed to help small and mid-tier organisations protect themselves from cyber attack, through a suite of tailored cyber security services and toolsets that don t require significant IT resources to implement. We focus on the areas important to you The development of Cyber Accelerate has drawn on the knowledge of a combination of KPMG specialists in information protection, technical security, risk infrastructure, organisational design, user education and security operations. These combined skills have been utilised to create an approach which is designed to respond to the cyber threats your organisation faces every day. Cyber Accelerate focuses on helping you: Understand and manage the cyber security risks faced by your organisation. Rapidly implement the policies, standards and procedures necessary to manage a secure environment. Educate staff about their cyber security responsibilities and their role in maintaining a secure environment. Understand what technical vulnerabilities exist in your environment, and what you need to do to manage them. Protect yourself from viruses and other malware, including ransomware. Gain cyber threat intelligence, putting you in a better position to manage any issues before they escalate. Securely configure your IT systems and restrict access to only those that should have access. One in five (20%) New Zealanders have been affected by cyber crime in the past year. This raises to 72% when spam and suspicious s are factored in. Research into Cyber Security Behaviours 2016 National Cyber Policy Office, Department of the Prime Minister and Cabinet Cyber Accelerate 2

3 Achieve a 360 view of cyber security Leveraging independent and tailored advice can help protect your brand and give you the confidence to pursue your growth ambitions. Successful organisations are the ones that integrate cyber risk management into all their activities. Those that practice sound cyber security practices rather than succumbing to knee-jerk reactive solutions can create a comprehensive approach that focuses on what they can do not what they can t. Cyber Maturity Assessment Undertake a detailed assessment of your organisation s ability to protect its information assets and its preparedness against cyber threats. Cyber in a Box Protect yourself from cyber attack through a series of pre-packaged cyber defence policies, standards, procedures and security awareness training materials. Ransomware+ Advisory Services Undertake a proactive assessment of your ability to prevent, detect and react to a ransomware incident. Cyber Accelerate provides a range of tailored cyber security services and toolsets to help SMEs proactively manage their risks and take advantage of the opportunities presented. Penetration and Red Team Testing Understand your cyber security risks through undertaking a real world simulation of an attacker attempting to gain unauthorised access. Phishing Test Evaluate the security awareness of your staff through performing a simulated phishing attack. ThreatInspect Intel Use actionable threat intelligence information to provide ongoing identification of whether your IPs and domains are involved in suspicious or malicious activity, in order to provide early identification of a potential breach. Certification and Third Party Controls Assurance Demonstrate to your customers and business partners that you take cyber security seriously through getting your security certified against internationally recognised standards. ThreatInspect Vulnerability Scanning Assess your IT systems for security weaknesses through detailed automated technical analysis. ThreatInspect Analysis Detect breaches through using coloration, threat intelligence and analysis techniques to identify if you have already been compromised. Cyber Accelerate 3

4 Cyber Maturity Assessment KPMG s Cyber Maturity Assessment provides a rapid evaluation of an organisation s ability to protect its information assets and its preparedness against cyber threats. The Cyber Maturity Assessment is a unique offering in the market, in that it looks beyond pure technical preparedness for cyber threats. It takes a rounded view of people, process and technology to enable organisations to understand areas of vulnerability, to identify and prioritise areas for remediation and to demonstrate both corporate and operational compliance, turning cyber security risk to business advantage. In developing the Cyber Maturity Assessment model, KPMG has combined international information security standards with global insight of best practice in risk management, cyber security, governance and people processes. The model addresses the following six key domains that together provide an in-depth view of an organisation s cyber maturity. Leadership and Governance Understanding of cyber, ownership, roles and responsibilities, and direction from the top. Business Continuity and Crisis Management Preparations for a security incident and ability to prevent or minimise the impact through successful crisis and stakeholder management. Human Factors The level and integration of a security culture that empowers and helps to ensure the right people, skills, culture and knowledge. Operations and Technology The level of control measures implemented to address identified risks and reduce the impact of compromise. Information Security Risk Management The approach to achieve comprehensive and effective security risk management throughout the organisation and its third party providers. Legal and Compliance Compliance with regulatory and legislative requirements. Cyber Accelerate 4

5 Cyber in a Box Cyber in a Box is a package of policies, procedures and tools which can be used to effectively develop basic cyber security defences. Each area has the necessary documentation to implement policies and controls in an organisation, as well as the processes and tools required to operate those controls effectively. Below are the areas Cyber in a Box addresses. 01. Governance and Risk Build a framework for the governance of information security. Manage risks effectively and in line with organisational risk appetite. Report on the existing risk position in a clear and concise format. 02. Network Security Implement a Network Security Policy. Set standards for secure network design and operation. Manage and track the operation of network security controls. 03. Education and Awareness Educate users about their responsibilities. Maintain awareness of security risks, trends and issues within the organisation. Deliver information security training. 04. Malware Defence Implement a policy to support the prevention of malware infection within the organisation. Define an effective process for the detection and management of malware incidents. Support understanding of malware risk and the controls required to manage it. 05. Secure Configuration Configure IT assets securely and ensure they do not present an unacceptable risk. Implement the correct secure technical configurations for a range of devices and systems. Manage and track the configuration of your devices. 06. Access Control Define the access requirements of users within the organisation. Manage access to systems in line with leading practice. Manage passwords appropriately and securely. 07. Backup and Recovery Establish the backup processes required to support the continuity of operations. Define the system recovery processes necessary to restore systems. Agree backup and recovery service levels with the wider business. Cyber Accelerate 5

6 Ransomware+ Advisory Services Ransomware is not a new phenomenon and has in fact been around for over 20 years. However, it is growing in prevalence and the latest variants are so advanced and malicious, they could completely cripple your business. Have you done enough to protect yourself? Simply relying upon anti-virus/antimalware solutions gives a false sense of security. Most organisations that have been affected by ransomware had up-to-date anti-virus/antimalware software in place at the time of infection. Our unique Ransomware+ Advisory Services are specifically designed to review your ability to prevent, detect and react to a ransomware incident. What is Ransomware? Ransomware is a type of malicious software that typically infects your machine or device and renders the device (or the data on the device) unusable until a ransom is paid. The data is typically rendered unusable by encryption, which is a process of scrambling the information so you cannot gain access to the data or device until you pay a sum to the cybercriminal that caused the infection. The sum requested varies, although often has to be paid within a specified time-frame (often 3 days or 7 days), otherwise the data is destroyed and typically lost forever. The latest variants of ransomware can also encrypt entire websites, any backup data you may hold, and even system files in your computer. Some ransomware not only stops you from gaining access to your data, but also threatens to create a privacy issue for you and unless the ransom is paid, it will upload your data to the public Internet. Our Services KPMG s Ransomware+ Advisory Services provides a proactive assessment of your capability to manage ransomware attacks, as well as shameware and other extortion-driven attacks. Our assessment goes beyond simply considering the technical controls in place, and evaluates your capability from a people, process and technology point-of-view. The holistic nature of our assessment involves: People: Identifying whether there are any changes you could make to help prevent staff from accidentally or deliberately infecting you. Process: Reviewing your organisation s ability to manage current and emerging ransomware. Technical: Helping you understand whether your technical capabilities are sufficient to deal with the risk. Cyber Accelerate 6

7 Penetration and Red Team Testing Penetration and red team testing helps you evaluate and test your organisation s defences using real world attack scenarios to more accurate gauge and address your cyber risk. Also known as ethical hacking, white hat hacking, or the use of tiger teams, penetration and red team testing is more beneficial than traditional forms of testing, in that it: Focuses on the real risks, not theoretical best practice risks, providing better quality and more focused recommendations. Is significantly more cost effective than other forms of testing. Tests your ability to detect and respond to an attack. Takes into account aspects of security other than just the technical components of security, e.g. the human element of security, and the inter-relationship between systems and processes. Each penetration or red team test requires a customised approach that will be determined by your objectives for the testing. Our tailor-made approach aims to provide a more realistic picture of your organisation s security posture, allowing you to make informed decisions on areas requiring remediation. Penetration Testing Our New Zealand Penetration Testing Centre of Excellence utilises tried and tested penetration testing methodologies and approaches that allow us to test the security of a wide range of technologies and processes. This includes: Internet infrastructure and systems. Websites and web based applications. Internal networks and systems. Mobile apps. Thin client solutions e.g. Citrix solutions. Wireless networks. Red Team Testing Our red team testing goes further than penetration testing, and uses intelligence based capability for hands-on security assessment to help identify and provide greater visibility into cyber operational threats. Building upon our penetration testing capability, our red team testing services include: Social engineering testing. Physical security testing. VOIP/telephone attack. Insider threat simulation. Third-party breach analysis. Cyber Accelerate 7

8 Phishing Test Phishing attacks are a reality that all organisations have to deal with. Criminal organisations are readily using phishing as an attack method, with attacks occurring with increased frequency and with an increased level of sophistication. The risks are real both in a business environment and in our personal lives. Symantec s 2016 Internet Security Threat Report identified that New Zealand had the eighth-highest proportion of global phishing traffic. This reflects that New Zealand organisations are often seen as soft targets. With no slow-down in sight, inherently the likelihood of some staff falling for a phishing attack is very high. A phishing test provides a simulated attack to measure the security awareness of your staff, and the effectiveness of your end-user education and incident response processes. A phishing test can help an organisation identify individuals and groups that require additional training and help to identify gaps in security controls and policies. A phishing test can either be undertaken as a one-off exercise, on a regular basis to measure ongoing effectiveness, or as part of a wider security education campaign. Our in-house phishing platform can be used to undertake a variety of simulated phishing attacks, including spear phishing and whaling attacks. We are also able to benchmark the susceptibility of your staff to phishing; either against other New Zealand organisations we have undertaken phishing tests for, or against past phishing tests performed for your organisation. In addition to delivering based phishing attacks (the most common social engineering attack method), we can also undertake a variety of more advanced simulated social engineering attacks. These include testing the susceptibility of staff to: Malware infected portable storage, including USB drives and DVDs. Fake invoices. Smishing (SMS/texting based phishing). Cyber Accelerate 8

9 ThreatInspect Intel The information security landscape is constantly evolving, but private and public sector organisations find it difficult to believe they could be a target for cyber attacks. This mindset needs to change as the best offence is a good defence. At the same time, it is no longer viable to rely on defence. The determined adversary will get through eventually. As a result, organisations must know what is going on around them so that they can identify when an attack has taken place or when an attack is imminent. Intelligence and the insight that it brings is at the heart of next generation information security. An intelligence capability enables organisations to identify potential threats and vulnerabilities in order to minimise the threat attack window and limit the amount of time an adversary gains access to the network before they are discovered. For most SMEs however, the cost and capability needed has meant that it has not been possible to use threat intelligence. ThreatInspect Intel addresses these challenges through the utilisation of a KPMG-managed low cost platform. ThreatInspect Intel is a data analytics based threat intelligence service designed to help you gain early detection of cyber threats. Developed in New Zealand, ThreatInspect Intel undertakes 24x7 monitoring of the information available on social networks, forums, blogs, honeypot networks and a range of other repositories, to help you monitor and analyse the mass of cyber threat information generated daily. ThreatInspect Intel analyses millions of threat indicators daily, and alerts you when suspicious activities about your organisation are detected, such as: The disclosure of sensitive information that could be used to breach your systems, such as the publication of staff usernames and passwords on the Internet. Indications of a potential breach, such the detection of spam or attacks originating from your organisation. Signs of that your website may have been hacked. Through taking a proactive stance, your ability to respond and prevent or minimise incidents is enhanced. You no longer have to wait until there is a high-profile breach before you can respond. Cyber Accelerate 9

10 Certification and Third Party Assurance Organisations are increasingly outsourcing activities to third party service providers. It is often difficult however, for an organisation to gain comfort that the third party service provider has implemented robust security controls to protect their confidential and sensitive information. If you are a provider of services to third parties, you can provide ongoing confidence to your clients that you are following good practice, meeting their expectations, and protecting the information entrusted to you. KPMG can help, by offering a broad range of certification and third party assurance services to meet your needs. The type of assurance you provide to your clients will vary depending upon their specific needs and the services you provide. KPMG provides a variety of services to support you. These include: Third party assurance report A third party assurance report, also known as a Service Organisation Assurance Report (SOAR), demonstrates an appreciation of clients risks through obtaining third party assurance on effective processes and controls under an established international framework. These reports are known around the world by a variety of names such as SAS 70, SOC 1 or SOC 2. In New Zealand, these are known by the names of the underlying reporting standards used, being ISAE (NZ) 3000, ISAE (NZ) 3402 and the recently released standard for assurance over controls SAE Having a third party assurance report over your services also gives you an edge in the market. It shows your controls have been independently audited, and demonstrates your commitment to a robust control environment. It can also be used to reduce the amount of time and effort your customers auditors need to spend directly auditing your operations, saving time, money and effort. Certification Similar to third party assurance reports, certification can also be performed against specific standards to help demonstrate to management, clients and other third parties, that robust security controls are in place. The most common standard certified against is ISO The standard focuses on the implementation of an Information Security Management System (ISMS) and covers a variety of areas including physical and environmental security, information security policies, access control and operations security. Cyber Accelerate 10

11 ThreatInspect Vulnerability Scanning Cyber security is a moving target, with new vulnerabilities in systems being discovered on a daily basis. Keeping up-to-date with this can easily be a fulltime job, something most business cannot spare the time to focus on. Vulnerability scanning provides a high value low cost solution to help you identify any new vulnerabilities, and help ensure that you are in a defensible position to protect your systems and information assets. Industry standards such as NIST s Small Business Information Security: The Fundamentals and PCI DSS recognise vulnerability scanning as a key control for protecting against cyber security risks. Using KPMG s ThreatInspect platform, regular vulnerability scanning of your Internet systems can be performed to identify any weaknesses that need focusing on. Our ThreatInspect platform achieves this through integrating best of breed commercial vulnerability scanning tools and threat intelligence to provide you an in-depth assessment. The threat intelligence capability of our ThreatInspect platform goes beyond traditional vulnerability scanning, and helps your better prioritise your remediation efforts for any vulnerabilities identified. Prioritisation is based on a baseline risk rating, plus the combination of other factors, including whether the vulnerability is: Currently being exploited at other organisations. Trending in popularity across multiple organisations. Included in an exploit kit or other public exploit sources. While vulnerability scanning normally focuses on your Internet infrastructure, the services are also able to be expanded to perform vulnerability scanning over your web based applications and internal systems. Cyber Accelerate 11

12 ThreatInspect Analysis Our ThreatInspect Analysis service allows you to gain insights into the Internet traffic passing out of your organisation to determine if there is suspicious or unusual activity. Though the use of the ThreatInspect Analysis service you are able to gain the early identification of potential issues before they escalate and become significant. ThreatInspect Analysis uses the threat intelligence capability of our ThreatInspect platform to analyse your Internet traffic for suspicious or unusual activity, including: Traffic which indicates that you have already had a security breach, such as botnet command and control traffic or spyware phoning home. The use of non-approved cloud based applications, which may place your organisation at undue risk. Accessing of websites which are known distribution sites for virus, trojans and other malware. The use of applications commonly associated with misuse, such as the downloading of pirated movies. The intentional bypassing of your security controls through the installation of unauthorised remote control software or through the use of anonymiser proxies. The assessment can also provide insights into issues impacting operational costs, productivity and business continuity. The analysis is non-intrusive and does not require any downtime, complicated changes to your systems, or the installation of software on your systems. Cyber Accelerate 12

13 The principles of our approach We believe cyber security should be about what you can do not what you can t. Driven by business aspirations We work with you to move your business forward. Positively managing cyber risk not only helps you take control of uncertainty across your business; you can turn it into a genuine strategic advantage. Razor sharp insights In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance. Our people are experts in both cyber security and your market, which means we give you leading edge insight, ideas and proven solutions to act with confidence. Shoulder-toshoulder We work with you as long term partners, giving you the advice and challenge you need to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability so we work hand-in-hand with you to turn that into a real sense of security and opportunity. Cyber Accelerate 13

14 Why KPMG? KPMG is uniquely placed to help you manage your cyber security risks. The benefits of using KPMG are: A dedicated cyber security team KPMG operates a dedicated cyber security practice. This ensures you are receiving services from the best people who have up-to-date pragmatic advice that considers both your current and future needs. KPMG s Cyber Security practice in New Zealand is supported by KPMG s wider IT Advisory division, and is linked to over 4,600 other security professionals within the KPMG Cyber Security practices around the world. Practical advice from practical experience Our Cyber Security team all come from practical backgrounds, and all have deep hands-on IT experience. This provides them a deep understanding of what works in the real world, and ensures that the recommendations we develop are realistic and practical, not simply best practice. The size and breadth of skill of our Cyber Security practice means that our service delivery is not reliant upon one or two people. Furthermore, the size of our team also means that we can quickly scale our resources to meet needs. Cyber Accelerate 14

15 Proven performance KPMG s Cyber Security practice is the market leader in security advisory services in New Zealand. Our quality and experience has been recognised by the New Zealand Government, through the appointment of KPMG to the All-of-Government panel for the provision of ICT Security and Related Services. KPMG was appointed to all possible seven categories available under the panel. KPMG was also named a Leader in the Forrester Research Inc. report, The Forrester Wave : Information Security Consulting Services, Q achieving the highest score for current offering and strategy (tied). According to the Forrester report: Clients applaud KPMG for being doers and easy to work with. They also identify strategic advice, subject matter expertise, flexibility and adaptability and delivery of commitments as being strengths for KPMG. A business focus Although we have technical expertise equal to the best, we are essentially business advisers. This means that our advice will be fit for purpose, recognising your needs, objectives and constraints. We know that there is no value in simply delivering technical services with recommendations that are text-book without any analysis of the true business implications and your risk appetite. Independence KPMG is one of the world s leading audit and business advisory firms for which independence is an ethos that is upheld to the highest possible standards. Unlike some service providers, we do not sell security software or hardware. This means that you can be certain that our advice is never compromised by the desire to support other security products. Cyber Accelerate 15

16 Philip Whitmore Partner Cyber Security T M E pwhitmore@kpmg.co.nz KPMG Cyber Security KPMGNZ_Cyber kpmg.com/nz/cyber This document is made by KPMG, a New Zealand Partnership and a member firm of the KPMG network of independent firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm KPMG, a New Zealand partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in New Zealand. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative ( KPMG International ), a Swiss entity