Document Classification: KPMG Confidential
© 2016 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG Turkey Audit Committee Institute, 26 July 2016
David Ferbrache, Director of Cyber Security Advisory, KPMG UK
Cyber Crime: Changing landscapes, developing responses
Dave Ferbrache
© 2016 KPMG Al Fozan & Partners, a partnership registered in Saudi Arabia and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Committee Trends
How much agenda time should you devote to cyber security (including data privacy) relative to last year?
  Significantly more time  15%
  More time                40%
  No change                37%
  Less time                 3%
  N/A                       5%
Please rate the quality of the information you receive about the risks…
  Excellent                10%
  Generally good           49%
  Need improvement         41%
Patterns of Cyber Crime
Commoditised Attacks Against Everyone
Botnets & Banking Trojans
Extortion by DDoS & Ransomware
Underground Economy
Large Scale Social Engineering
Key Questions to Ask…
Who is in charge?
Have we got the basics right?
How would we respond if it happened?
What would we tell our clients? Are we sure?
What about our suppliers?
Do our people know what to do?
The basics: Firewalls, Anti-Virus, Patching, Passwords, Backups, Education/Awareness
Targeted Attacks against businesses/UHNWI
CEO Frauds / Business Email Compromises
Card Not Present and EFTPOS
Bulk Data Breaches
More Demanding Questions to Ask…
Do we know what matters?
Are we protecting our “crown jewels”?
How do we keep up with the threat?
How do we test and exercise our defences?
How do we detect intrusions?
What about our ecosystem?
What is the role of cyber insurance?
Responses: Risk Management, Additional Protection, Access Management, Threat Intelligence, Red Teams and Exercises, Third Party Security, Cyber insurance
High End Cyber Attacks against the financial system
Direct Compromise of Bank Systems
Financially Savvy Criminals
Secondary Market Manipulation
Links Between Espionage and Crime
The Most Demanding Questions to Ask…
How effectively do our defences counter the threat?
How do we detect & counter unusual activity?
How do we stop criminals exploiting our information?
How do we build a cyber resilient organisation?
How do we pool & share intelligence?
What about the wider community?
What is the return on our investment?
Responses: End to end security, Behavioural monitoring, Community intelligence, Active cyber defence, Cyber resilience, Portfolio optimisation
Comprehensive approach
Identify: Identify key assets and business processes
Protect: Protect key assets from insider and external attack
Detect: Detect malicious, unusual or anomalous activity
Respond: Develop and exercise response and recovery options
BUILD CYBER RESILIENCE
Bringing it together
Dimensions: People, Processes, Technology
Layers: Implementation, Understanding, Foundations, Planning and Control
Elements: Business Strategy and Goals; Intelligence; Assets; Regulatory Environment; Funding & Sponsorship; Policy; Governance; Ownership; Accountability; Risk Management; Security Operations; Vendor & Supplier Management; Compliance
Cybersecurity Regulation
• Global agenda point for regulators, but no common agreement on specifics.
• Meeting the requirements of multiple regulators is increasingly challenging.
• Key themes:
• Governance/Risk Management
• Frameworks and Independent Review
• Third Parties/Supply Chain Security
• Transparency/Incident Reporting
• Threat Intelligence and Information Sharing
• Started with banks… now extending to other critical infrastructure
The takeaways…
Basics of cyber security
Risk and key asset based approach
Education and awareness
Detection, response and recovery
Building cyber resilience
Digital risk and opportunity
The KPMG name, logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of
any particular individual or entity. Although we endeavour to provide accurate and timely information, there
can be no guarantee that such information is accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act on such information without appropriate professional advice after a
thorough examination of the particular situation.