Cyber Risk A Different Perspective Stan Gallo and Heather Hicks

Cyber Related Regulatory Requirements · Hacking - This is a type of crime wherein a person’s computer is broken into so that his personal or sensitive information can be accessed


Page 1: Cyber Related Regulatory Requirements · Hacking - This is a type of crime wherein a person’s computer is broken into so that his personal or sensitive information can be accessed

Cyber Risk

A Different Perspective

Stan Gallo and Heather Hicks

Page 2

1

Document Classification: KPMG Confidential

© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.

THE THREAT ACTORS

HACKTIVISM – HACKING INSPIRED BY IDEOLOGY
MOTIVATION: SHIFTING ALLEGIANCES – DYNAMIC, UNPREDICTABLE
IMPACT TO BUSINESS: PUBLIC DISTRIBUTION, REPUTATION LOSS

ORGANISED CRIME – GLOBAL, DIFFICULT TO TRACE AND PROSECUTE
MOTIVATION: FINANCIAL ADVANTAGE
IMPACT TO BUSINESS: THEFT OF INFORMATION

THE INSIDER – INTENTIONAL OR UNINTENTIONAL?
MOTIVATION: GRUDGE, FINANCIAL GAIN
IMPACT TO BUSINESS: DISTRIBUTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATION LOSS

STATE-SPONSORED – ESPIONAGE AND SABOTAGE
MOTIVATION: POLITICAL ADVANTAGE, ECONOMIC ADVANTAGE, MILITARY ADVANTAGE
IMPACT TO BUSINESS: DISRUPTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATIONAL LOSS

Page 3


Source: http://www.thelastamericanvagabond.com

Page 4


Examples of Cyber Crime

Information Risk Management Regime

■ Hacking – This is a type of crime wherein a person’s computer is broken into so that his personal or sensitive information can be accessed.

■ DDoS – A Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users.

■ Malware – Malicious Software (Virus, Trojan, Worm) is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

■ Identity Theft – This has become a major problem with people using the Internet for cash transactions and banking services.

■ Phishing – This is the common name given to a prolific scam wherein a fraudster or scam artist sends an e-mail purporting to be from a financial institution or other organisation.

Page 5


A Commercial Approach

Page 6

What about Australia?

Page 7


Page 8


This is how the subverted communication occurred

[Diagram] Normal Company A – Chinese Company email communications: Company A employee exchanging e-mail directly with the Chinese company employee.

[Diagram] Hijacked Company A – Chinese Company email communications: the bad guy sits between the Company A employee and the Chinese company employee, relaying and altering the messages.

Page 9


This lasted for 2 Months

Page 10


Managing cyber risk is not straightforward

How much should I spend on security?

Is this really worth the money?

What is the link between risk and $ spent?

How effective are my security controls?

What risks am I running?

Have I got the right balance of controls?

What really makes their life difficult?

What would make an attacker look elsewhere?

How much will the attacker spend?

Do other parts of the business understand their incident response role?

Page 11


‘89% of CIOs globally believe that digital business models are creating new levels of risk for their organization and 69% believed that current risk management techniques are inadequate to address this increased risk in a digital world.’

- Gartner "Flipping to Digital Leadership: The 2015 CIO Agenda"

SOURCE: https://home.kpmg.com/content/dam/kpmg/pdf/2016/01/cyber-security-2015-au-findings.pdf

Risk convergence – Keeping CEOs awake at night

• Working in a hyper-connected world, operating in an outside-in architecture

• The business relies on technology like never before

• Business and digital strategies are intertwined

• Digital brings opportunities but opens up new risks and threats

• Technology and cyber risk is a board-level topic

Page 12


Intent centric security – or more of the same?

• Cyber security often focusses on the technical – malware, indicators of compromise, anomalous flows

• Cyber security is a people problem

• Cyber intelligence isn’t really intelligence about cyberspace… it should be about what people do

• Controls evolve but breaches continue – what are we doing wrong?

• Behaviour Based Safety

• Bringing the disciplines together – very different views

• Tone from the top is critical

• It matters… because criminals are getting more creative…

"Cyber-security is about people, processes and technology, and organisations need to bolster the weakest link - which invariably is the human element.”

- Kevin Mitnick

Page 13


The Evolutionary Journey

[Chart] Maturity stages along the horizontal axis: UNAWARE, AWARENESS, CRISIS, TACTICAL RESPONSE, ADAPTIVE EVOLUTION. Vertical axes: RISK and SECURITY CAPABILITY. Sectors plotted along the journey: CONSUMER GOODS, PHARMACEUTICALS, MINING, OIL & GAS, RETAIL BANKING, INVESTMENT BANKING, AEROSPACE / DEFENCE, GOVERNMENT.

Page 14


The six dimensions of cyber maturity

Leadership and governance – Is the board demonstrating due diligence, ownership, and effective management of risk?

Human factors – What is the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge?

Information risk management – How robust is the approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners?

Business continuity – Are we prepared for a security event with the ability to prevent or lower the impact through successful crisis and stakeholder management?

Operations and technology – What is the level of control measures implemented to address identified risks and lower the impact of compromise?

Legal and compliance – Are we complying with relevant regulatory and international certification standards?

Six key dimensions together provide an in-depth view of an organization’s cyber maturity.

Page 15


Questions for the Board of Directors to ask

1. DO CURRENT RISK MANAGEMENT PROCESSES ADEQUATELY HIGHLIGHT CYBER RISK TO THE BOARD?

2. IS THE CORPORATE VALUE OF INFORMATION ASSETS CLEARLY UNDERSTOOD?

3. IS THE CORPORATE IMPACT CLEARLY UNDERSTOOD IF INFORMATION ASSETS ARE STOLEN, CORRUPTED OR DESTROYED?

4. DOES THE ORGANISATION’S RISK APPETITE TAKE ACCOUNT OF CYBER RISK?

5. WHAT FUTURE STEPS ARE MANAGEMENT PLANNING TO STAY ON TOP OF CYBER RISK COST EFFECTIVELY?

6. IS THERE AN APPRECIATION OF THE BUSINESS BENEFITS OF PROACTIVELY MANAGING CYBER RISK?

Page 16

Thank you

Stan Gallo, KPMG Forensic
Tel: (07) 3233 3209
M: 0414 507 742
[email protected]

Heather Hicks, KPMG
Tel: (03) 6230 4077
M: 0423 779363
[email protected]

The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).

Liability limited by a scheme approved under Professional Standards Legislation.