Cyber security and awareness for non-financial services 24/25 May 2017
Agenda
- Robert Kirkby (Jsy) / Linda Johnson (Gsy): Introduction
- Sion Lloyd-Jones: Cyber Security: The need for a cunning plan
- Teijo Peltoniemi: Have a safe journey to cloud
- Arthur Mainja (Jsy) / Matej Jurkic (Gsy): KPMG Cyber CAT
- Robert Kirkby (Jsy) / Linda Johnson (Gsy): Q&A
© 2017 KPMG Channel Islands Limited, a Jersey company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
Cyber Security: Direction of travel and the need for a cunning plan
Sion Lloyd-Jones (Manchester)
Data and Wisdom
© 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Document Classification: KPMG Confidential
The Challenge
A time of Uncertainty
This is no time for complacency
"The threat is increasing in scale and complexity. It is also increasing at such pace that we must run simply to stand still" (Rt Hon Matthew Hancock MP, Minister for the Cabinet Office and Paymaster General, 2016)
All business sizes and sectors are at risk!
Current Trends
Business Impact
- Financial loss
- Share price
- Reputational damage
- Loss of investor, organisational and customer confidence
- CEO exposure
- Regulatory scrutiny
- Competitive advantage
- Missed business opportunities
- Significant disruption
- Management focus diverted
- Expensive transformation programme
How to respond?
The Basics
- UNDERSTAND YOUR ASSETS
- MANAGE THE RISK
- UNDERSTAND THE THREAT!
Good Practice
[Figure labels: People, Process, Technology; Confidentiality, Integrity, Availability; Threats, Vulnerabilities, Cyber Risk, Crown Jewels]
1. Acknowledge critical assets
2. Understand the risk exposure
3. Design Controls
Leadership Approach
The Benefits
- Compliance
- Reduced Risk
- Increased Security
- Organisational confidence
- Discovery and understanding (ID efficiencies)
- Differentiate to the customer
- Improve trust
- Audit posture
- Commercial advantage versus slow adopters
- Developed organisational culture (e.g. H&S)
What is your posture? 2016
Key Questions
Ask yourself:
- Have we assessed the Cyber Security threats to our business?
- How well are our controls operating to protect assets against those threats?
- What are our gaps?
- Where are we most exposed and vulnerable?
Key Questions
Ask management:
- What is our Cyber Security Strategy?
- Do we understand who is responsible for protecting the business and who around this table is ultimately accountable?
- Do we have sufficient skills and knowledge regarding Cyber Security to help us make informed decisions?
Client Issues
GDPR / Privacy
Key GDPR changes
- Breach Notification
- Data Protection Officer
- Increased Fines
- Individual's Rights
- Explicit Consent
Thank You sion.lloyd-jones@kpmg.co.uk
Have a safe journey to cloud
Teijo Peltoniemi, KPMG Channel Islands Limited
Agenda
- Cloud: background
- Risks in cloud
- Leading practices
What is cloud?
There is no cloud! It's just someone else's computer
Why cloud?
[Figure: Innovation versus "Lights on", 2000 and 2017]
What is cloud?
Level of control/responsibility for Company and CSP across different service models
[Figure: one column per service model, one row per layer]
Service models: On Premise, Hosted Service, Public IaaS, Public PaaS, Public SaaS
Layers in each model: Data, App, VM, Server, Storage, Network
Legend: Company has control / Company shares control / Service provider has control
Example
[Figure labels: Warehouses, Suppliers, Private/dedicated, Point of sale, Enterprise Resource Planning, Customer Data, IDM, Public cloud, Web commerce, Bricks & mortar, Customers]
A business challenge
Roles shown: Business; CIO; CISO / Internal audit & legal
- All in on cloud
- How do I integrate cloud platform with other tools and processes?
- My data center is disappearing: how to secure what's not in our data center?
- Where do I start?
- How do I achieve and demonstrate regulatory compliance on cloud platform?
- How do I build and operate securely on cloud platform, in a way that enables innovation and lower time to market?
- How do I audit the security controls on cloud platform?
- How do I operate and deliver securely on cloud platform and what should be my minimum security baseline for my workload?
- GDPR..?
Leading practices to implementing a secure cloud
- API-based security
- Incident response
- Identity and access management
- Data-centric security
- Secured perimeter that spans the entire stack
- Integrated security monitoring and operations
Three takeaways
1. Cloud is used because of cost-efficiency and flexibility
2. It is a myth it's less secure
3. But you cannot outsource the responsibility for security
KPMG Cyber CAT: Self-assessment of cyber risk exposure
Arthur Mainja and Matej Jurkic, KPMG Channel Islands Limited
Overview
- Mobile app for self-assessment of cyber security posture
- Based on leading industry practices and standards
- Works in an offline mode
- Assessment is questionnaire based
- Focuses on two key dimensions: cyber risk exposure and cyber security preparedness
- Quantitative view of current cyber exposure
- Provides recommendations to strengthen cyber security posture
Assessment - Cyber Exposure Index (CEI)
Assessment - Cyber Preparedness Index (CPI)
Reporting - Executive dashboard
Accessing the app
- Google Play > Search "KPMG Cyber CAT" > Install
- App Store > Search "KPMG Cyber CAT" > Install
Q&A
Thank you
kpmg.com
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.