Cyber Security: It's not just about technology (May 2017)
Introduction
"The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked." - World Economic Forum Global Risk Report
Cyber risk: Why is it topical now? This is not a new threat: hackers have been infiltrating sensitive government and institutional systems since the early 1990s. However, the Cyber Security market is erupting because of many high-profile and highly disruptive or damaging security breaches that threaten financial and physical damage across critical national and corporate infrastructures. Source: WEF Global Risks Landscape 2017
How pervasive are Cyber Risks? This has caught the attention of governments and policy makers, intelligence services, the media and, increasingly, board-level executives across the globe. Cyber security has become an executive-driven issue. Source: WEF Global Risks Landscape 2017
Cyberattacks: prevalence and rank (figure). Source: WEF Global Risks Landscape 2016
The Fourth Industrial Revolution is here. Klaus Schwab, founder and executive chairman of the World Economic Forum (WEF), believes that we are at the beginning of the fourth industrial revolution. Source: WEF Global Risks Landscape 2016
Global CEO Outlook: East Africa. Source: KPMG 2016 CEO Outlook Survey
Cyber incidents are the new normal. Source: Cyber Crime Survey, 2015, KPMG India
Cyber Security Data Analytics
- 46%: organisations are able to remediate only this share of the legitimate alerts they receive
- 44% of operations managers see more than 5,000 security alerts per day
- 22% of breached organisations lost customers
- 29% of breached organisations lost revenue
- 23% of breached organisations lost business opportunities
Source: Cisco 2017 Annual Cyber Security Report
Is the traditional approach effective?
- Number of incidents identified by internal IT teams: < 6%
- Time taken from infection to detection: > 150 days
- Post-detection to reaction, and reaction to remediation: ?
Cyber Security: Traditional Approach
Limitations of the Traditional Approach
Trends and Lessons Learnt
Trends Accelerating the Cyber Threat
1. External threats: organized crime, nation-states, cyber espionage, hacktivism, insider threats.
2. Change in the way business is conducted: cloud computing, big data, social media, consumerization, BYOD, mobile banking.
3. Rapid technology change: critical national infrastructure, smart metering, internet of all things.
4. Regulatory compliance: data loss, privacy, records management.
5. Changing market and client needs: strategic shift, situational awareness, intelligence sharing, cyber response.
Some considerations (consideration: factors to consider)
- Configuration management: Is there a database of configuration items (CMDB)? Has a security standard been implemented (a list of secure settings applied on the platform)?
- User access: Access creation, modification, deletion and review. Is access integrated across platforms (e.g., Windows, MS SQL and AD)?
- Privileged access management: Is privileged access appropriately granted, revoked, reviewed and monitored? Is there segregation between users with privileged access at each level of the access path? Is access integrated across platforms, e.g., via jump servers?
Examples of lessons learnt and top risks (key risk: factors to consider)
- Security vulnerabilities: Are security patches applied (not only to the OS and DB, but also to other applications such as Adobe, Java, etc.)? Have network controls been implemented (firewalls, IPS, APT detection, etc.)? Have appropriate malware controls been implemented?
- Inappropriate / unauthorised activities: Logging and monitoring of access (native logging or a third-party tool). Is there a process to detect and follow up on the activities identified? Are logs stored on a different server, with access to the logs restricted to a different set of people than those who can access the server?
- 3rd-party risks: Have 3rd-party risks been assessed? Are security requirements clearly articulated to 3rd parties? Do we have a right to audit 3rd parties? Are the other key risks addressed with respect to 3rd parties?
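The two checklists above ask whether privileged access is monitored and whether there is a process to detect and follow up on activities found in access logs that are kept on a separate server. The following is an added example, not part of the KPMG deck, of what that follow-up process can look like in practice: a small review script run on the log server that reads forwarded auth logs and turns them into a list of findings for a reviewer. The log lines, the approved-admin list, the change window and the group-change message format are all constructed for illustration.

```python
"""Review forwarded auth logs for privileged-access events that need follow-up.

Added example, not from the source deck. Assumes auth logs have already been
shipped to a separate log server in a syslog-like "timestamp host program: msg"
layout. The sudo lines follow the usual sudo log format; the usermod line
format, the host names, users and policy values are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one day of forwarded auth log lines from two servers.
SAMPLE_LOG = """\
2017-05-08T09:12:01 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
2017-05-08T09:15:44 db01 sshd: Accepted publickey for bob from 10.0.5.12 port 50122 ssh2
2017-05-08T23:41:09 db01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
2017-05-08T23:42:30 app02 usermod: add 'carol' to group 'sudo'
2017-05-08T10:03:12 app02 sudo: carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
2017-05-08T11:20:00 app02 sudo: alice : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/usr/sbin/service nginx restart
"""

# Constructed policy: the reviewed list of users allowed privileged access,
# the groups that grant it, and the hours in which privileged work is expected.
APPROVED_ADMINS = {"alice"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}
CHANGE_WINDOW = (8, 18)  # 08:00 to 18:00 local time

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
GROUP_RE = re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'$")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str
    detail: str


def parse_line(line):
    """Split one forwarded log line into its fields, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_privileged_access(log_text, approved=APPROVED_ADMINS, window=CHANGE_WINDOW):
    """Return the privileged-access events a reviewer should follow up on."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hour = datetime.fromisoformat(rec["ts"]).hour
        in_window = window[0] <= hour < window[1]
        if rec["prog"] == "sudo":
            s = SUDO_RE.match(rec["msg"])
            if not s:
                continue
            user, cmd = s["user"], s["cmd"]
            if s["denied"]:
                findings.append(Finding(rec["ts"], rec["host"], user, "denied privileged command", cmd))
            elif user not in approved:
                findings.append(Finding(rec["ts"], rec["host"], user, "privileged command by user not on approved list", cmd))
            elif not in_window:
                findings.append(Finding(rec["ts"], rec["host"], user, "privileged command outside change window", cmd))
        elif rec["prog"] == "usermod":
            g = GROUP_RE.match(rec["msg"])
            if g and g["group"] in PRIVILEGED_GROUPS:
                findings.append(Finding(rec["ts"], rec["host"], g["user"], "privileged group membership change", g["group"]))
    return findings


def summarise(findings):
    """Count findings per reason, which is the first thing a weekly review report shows."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in review_privileged_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} ({f.detail})")
    print(summarise(review_privileged_access(SAMPLE_LOG)))
```

On the sample above the script raises three findings: bob's root shell (not on the approved list), carol being added to the sudo group, and carol's denied attempt to read /etc/shadow; alice's two in-window commands are left alone. Checks are ordered so that the most serious reason wins (denied, then unapproved user, then out-of-window), and the approved list lives in the script rather than on the monitored hosts, which is the separation the checklist asks for.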
Where do we start?
Board Governance: key areas from a board governance perspective
- Roles and responsibilities
- Proactive approach: identify new threats and risks
- Protect what matters: identify the crown jewels
- Determine key risk indicators
- Socialize to increase awareness of Cyber Security across the enterprise
Cyber Security: Board Room Questions
Cyber Security: A Comprehensive Program
Proactively identify the changing threat environment
Thank you. Jared Nyarumba, Associate Director, KPMG Risk Consulting. kpmg.com/socialmedia kpmg.com/app
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2017 KPMG Advisory Services Limited, a Kenyan Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.