
7/21/2019 Cyber Security Challenge

http://slidepdf.com/reader/full/cyber-security-challenge 1/8

Cyber security: Are consumer companies up to the challenge?

A survey of webcast participants

kpmg.com


Technology has truly empowered the customer and is rapidly changing the consumer industry. While all digital channels, as well as brick and mortar, are being integrated to provide a seamless brand and shopping experience, the technological advances making this possible are also making companies increasingly vulnerable. Threats from cyber criminals and “hacktivists” are growing in scale and sophistication. Customers, investors, and regulators are all demanding stepped-up efforts when it comes to cyber security, and organizations are subject to increasing amounts of legislative, corporate, and regulatory requirements.

From profit, customer, and data loss to operations disruption and reputation damage, cyber crime has enormous implications for any business. Organizations need to take action to reduce the risk of a data breach. And when a breach occurs, they need to act quickly and efficiently to manage and resolve the issue with as little damage as possible.

Focusing on technology alone to address these issues is not enough.

In April 2014, KPMG held a webcast entitled “Cyber security: It’s not just about technology,” which focused on assessing and effectively managing cyber risk. Participants were provided with a concrete model they can use to assess their organization’s cyber maturity and to implement sustainable cyber security practices.

Our conversation covered:

• Evolving cyber threats – what is new?

• The cyber landscape – how consumer organizations are responding

• The Cyber Maturity Assessment – how to find answers to, “Are we prepared?” and, “How safe are we?”

• Immediate action items – 10 key questions to determine next steps

To view a replay of the webcast, go to: www.kpmg.com/us/CSWebcast

During KPMG’s cyber security webcast, more than 100 professionals from the retail and food, drink, and consumer goods industry responded to survey questions about their organizations and cyber security. The results reveal that despite the fact that cyber threats have received much attention from the media and industry organizations, the majority of consumer companies have a long way to go to effectively mitigate cyber risk and manage evolving threats. Explore our findings—and the perspectives of our cyber security specialists—to learn how your organization compares to those surveyed in such areas as cyber readiness, and how you can effectively address the complex challenge of cyber security.

Cyber security: It’s not just about technology

Effectively managing cyber risk means putting in place the right governance and the right supporting processes, along with the right enabling technology.

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. NDPPS 259750


Cyber security is front and center

Survey question 1: Please select the statement below that best describes your organization in the last six months. {Respondents: 107}

There has been a significant increase in our focus on cyber security: 44%
There has been some increase in our focus on cyber security: 42%
There has been no change in our focus on cyber security: 8%
Don’t know: 4%
There has been less focus on cyber security: 2%

86% increased their focus.

In the last six months, more than 86 percent of survey participants’ organizations have increased their focus on cyber security.

KPMG insights: Cyber security is an important concern for every organization, and consumer businesses are ideal targets for hackers trying to capture cardholder data and steal customer identities. Clearly, the recent cyber breaches were a wake-up call for the industry. The majority of retailers and consumer packaged goods companies have elevated cyber security to the top of their agendas.

Daily occurrences demonstrate the risk posed by cyber attackers—from individual, opportunistic hackers, to professional and organized groups of cyber criminals with strategies for systematically stealing intellectual property and disrupting business.

The management of any organization faces the task of ensuring that its organization understands the risks and sets the right priorities. While this is no easy task, it is essential that leaders take control of allocating resources to deal with cyber security, actively manage governance and decision making over cyber security, and build an informed and knowledgeable organizational culture.


Innovation and transformation: rewards worth the risk

Survey question 2: Which of the trends listed below is having the most impact on your organization? {Respondents: 111}

Change in the way business is conducted: Cloud computing, big data, social media, consumerization, BYOD, mobile banking – 46
External threats: Organized crime, nation-states, cyber espionage, hacktivism, insider threats – 27
Regulatory compliance: Data loss, privacy, records management – 18
Rapid technology change: Critical national infrastructure, smart/metering, Internet of all things – 9
Don’t know – 6
Changing market and client needs: Strategic shift, situational awareness, intelligence sharing, cyber response – 4
None of the above – 1

Participants indicate that business model and operational changes along with new technologies are having a significant impact on their organizations.

KPMG insights: Most consumer companies are not being driven by fear, uncertainty, or doubt. They see the potential that rapidly advancing technology has and continue to explore new ways of doing business, new ways of running a business, and new ways to better understand and engage with consumers. However, technology does not come without challenges. Companies must balance a relentless pursuit of innovation with assessing and effectively managing risk.

Cyber crime risks can be controlled. The key is to embed security and risk management processes in technology and related initiatives—right from the get-go. By treating cyber security as “business as usual” and balancing investment between risks and potential impacts, an organization can be well-prepared to combat cyber crime.


Unprepared for a data breach

Survey question 3: Does your organization have a formal cyber incident response plan? {Respondents: 105}

Yes – 36
Not yet, but in the process of defining the plan – 16
No – 20
Don’t know – 33

Only 36 percent of survey participants indicated that their organization has a formal cyber incident response plan.

KPMG insights: The majority of consumer companies are not yet considering how they will respond to a data breach before it occurs. When companies do not have a formal cyber incident response plan—now considered a standard of care across industries—they are forced to rely on the ad hoc action of their people, leaving the outcome unpredictable and unreliable. Mishandling an incident is a major liability—potentially costing billions of dollars and having the potential to destroy a brand virtually overnight. In some cases, not having a plan may even be perceived as negligence and become a legal liability.

Additionally, should an incident occur, organizations need to ensure that it is evaluated in such a way that lessons can be learned. In practice, however, actions are driven by real-time incidents and often are not recorded or evaluated. This destroys the ability of the organization to learn and put better security arrangements in place in the future.

Organizations can reduce the risks to their business by building up capabilities in three critical areas—prevention, detection, and response.

Prevention

Prevention begins with governance and organization. It is about installing fundamental measures, including placing responsibility for dealing with cyber crime within the organization and developing awareness training for key staff.

Detection

Through monitoring of critical events and incidents, an organization can strengthen its technological detection measures. Monitoring and data mining together form an excellent instrument to detect strange patterns in data traffic, to find the locations on which the attacks focus, and to observe system performance.

Response

Response refers to activating a well-rehearsed plan as soon as evidence of a possible attack occurs. During an attack the organization should be able to directly deactivate all technology affected. When developing a response and recovery plan, an organization should perceive cyber security as a continuous process and not as a one-off solution.


Cyber security demands attention

Survey question 4: At your organization, who is responsible for cyber security? {Respondents: 105}

Chief information officer – 44%
Chief information security officer – 19%
There is shared responsibility between several departments – 16%
Other – 8%
Chief financial officer – 7%
Don’t know – 6%

Less than 20 percent of survey participants have a chief information security officer dedicated to overseeing cyber security at their organization.

KPMG insights: Across the marketplace, we are seeing chief information security officers taking on much more prominent roles. Survey results reveal that consumer companies are moving slower in adopting this approach than other industries. Given the complexity and multidisciplinary nature of the problem, cyber security demands direct management attention. Companies should be evaluating their leadership models to ensure effective oversight of security operations and support of risk and compliance functions.

High-profile data breaches of retail and CPG companies exposed the massive drop in shareholder value which can result from ineffective cyber security. In other words, defending against cyber crime became a board problem. As a result, cyber security initiatives in the consumer industry are being driven from the top down. From boards, to audit and risk committees, to CEOs, CFOs, CIOs, and CISOs, leadership is under immense pressure to show progress in securing systems and managing risk and compliance, and they are seizing control of cyber.

Have you considered…

• Having an on-call expert forensic team to provide on-demand response, analysis, containment, eradication, and investigation of any threat, concern, or incident?

• Establishing a relationship with outside counsel to mitigate potential exposure of a data breach?


Merely average at cyber security

Survey question 5: On a scale where 1 indicates “informal” and 5 indicates “industry leading,” where would you rank your organization’s cyber maturity level? {Respondents: 107}

Response bands: < 1, 1-2, 2-3, 3-4, 4-5, Don’t know

[Bar chart: response values 22, 45, 22, 4, 9, 5 across the bands above; axis 0 to 50]

Nearly three-quarters of survey respondents rate their organization’s cyber maturity level as average or below.

KPMG insights: Cyber security has historically been a neglected area in consumer companies. It’s no wonder that only five percent of organizations believe they have “industry-leading” levels of cyber maturity. With the growth of omni-channel retailing exposing new risks—and regulatory watchdogs sharpening their teeth—the industry needs to play catch-up. Now is the time to increase the focus on cyber security.

At KPMG, we consider six key dimensions that together provide a wide-ranging and in-depth view of an organization’s cyber maturity.

Leadership and governance: Is the board demonstrating due diligence, ownership, and effective management of risk?

Human factors: What is the level and integration of a security culture that empowers and ensures the right people, skills, culture and knowledge?

Information risk management: How robust is the approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners?

Business continuity: Have we made preparations for a security event and the ability to prevent or minimize the impact through successful crisis and stakeholder management?

Operations and technology: What is the level of control measures implemented to address identified risks and minimize the impact of compromise?

Legal and compliance: Are we complying with relevant regulatory and international certification standards?


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.


Contact us

Tony Buffomante
Principal
Information Protection and Business Resilience
E: [email protected]

Tony Buffomante is KPMG’s US leader for Cyber Security Assessment and specializes in information security, privacy and business continuity. Over the past 20 years, he has managed and executed Information Technology security strategies, assessments and implementations for some of the largest global organizations. Tony is a recognized industry leader in information protection, frequently speaking at industry conferences and instructing at training seminars both nationally and internationally.

Ronald Plesco, Jr.
Managing Director
Cyber Investigations, Forensic Services
E: [email protected]

Ron Plesco is an internationally known information security and privacy attorney with 16 years’ experience in cyber investigations, information assurance, privacy, identity management, computer crime, and emerging cyber threats and technology solutions. Ron is the National Lead of the KPMG Cyber Investigations, Intelligence and Analytics practice. He joined KPMG in 2012 after a distinguished career in the private and public sectors, and is a frequent speaker nationally.

Dennis Van Ham
Director
Information Protection and Business Resilience
E: [email protected]

Dennis Van Ham focuses on transformational projects and on overall strategy and governance in cyber security and threat intelligence. In 2012, he joined KPMG’s US firm from the Netherlands office and is currently responsible for the execution and the ongoing development of the firm’s Cyber Security Assessment services. In his 15-year tenure, he has acquired deep industry experience in Retail, Oil & Gas, Financial Services and Healthcare.

About KPMG’s cyber security services

With award-winning, global cyber security specialists who are at the forefront of the cyber agenda, KPMG helps the world’s leading organizations solve the biggest cyber security challenges of today and tomorrow. Our capabilities cut across the entire cyber security spectrum: information protection, privacy, and security; threat intelligence and cyber investigations; business resilience and continuity; risk management and compliance; and governance, strategy, and operations. Through our global network of KPMG member firms, we have the deep consumer industry insight and vast knowledge on the evolving cyber landscape and regulatory environment necessary to help you manage cyber risk across a broad spectrum of evolving threats.

kpmg.com