Technology Risk Radar kpmg.co.uk

Technology Risk Radarkpmg.co.uk/email/11Nov13/OM006033A/files/assets/common... · 2015-04-22 · Technology Risk Radar 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary



© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

Jon Dowie, Partner, FS Technology Risk
T: +44 (0)20 7311 5295
E: [email protected]

In this first edition of the Technology Risk Radar, we evaluate the most reported technology incidents impacting businesses worldwide and help leaders to pinpoint key threats to their business.

So why are we doing this now? Given the ever-increasing complexity of IT environments and external technology threats, I sense that it is only a matter of time before the world sees another major UK business or organisation succumb to a severe technology outage or failure.

But also on a smaller scale, it is almost certain that every organisation will face an IT failure in the short to medium term, which has the potential to disrupt ‘business as usual’ operations.

I believe that our insight and analysis can help businesses look at risk differently, improve their controls and promote better industry-wide understanding of the existing and emerging threats at large.

This study is based on our analysis of over 400 global events reported in the media over a three month period between May and July 2013. That data is categorised according to standard Information Security Forum criteria. It is mapped by sector and, where known, financial impact. We also determine the root control failure, using the industry-recognised Control Objectives for Information and Related Technology (COBIT) standards.

We will repeat this same exercise over extended capture periods, looking back to identify shifts in risk events and, importantly, looking ahead to predict how and where the risk radar might change. These will be published in subsequent issues of our Technology Risk Radar.

We bear in mind media hype and predilection for certain news stories. This may catapult some risks into the spotlight while others, though more damaging, remain outside the radar simply because they are deemed less emotive, less sensational and less newsworthy by editors. We give our views on the top technology risks out there, as we see them impacting our clients and the wider market.

The Technology Risk Radar aims to reach a wide audience: Chief Information Officers, Chief Risk Officers and Heads of Audit, as well as those with an interest in technology risk and control. It is also for Executive and non-Executive Directors, and is designed to aid understanding of the big picture risks that could undermine the smooth running of commercial operations. Further, it will help to inform risk assessment planning and enable benchmarking against known, rather than assumed (and media reported), threats to IT.

Contents

1.0 Risk Radar 01
  Media-reported events 03
  Top five risks by sector 05
  Control failures 08

2.0 Don’t believe the media hype 09
  Corporates 11
  Financial services 23
  Public sector 35

3.0 Our views 47
  Lack of proactivity and under investment 48
  Internet blackout 49
  IT espionage 50
  Data leakage 51
  Cloud computing 52
  Cyber criminality 53


RISK RADAR


The stand-out statistics are obvious. Hacking, malware and identity theft are the most reported threats globally, accounting for more than two thirds (71 percent) of the total.

Risk Radar: Media-reported events

KPMG analysed over 400 events reported in the global media between May and July 2013, using only reputable online sources and data analytics tools.

We have created four dimensions to our Risk Radar: External /Internal / Stable / Changing. We have plotted the reported risks according to those dimensions to enrich our analysis and depict the nature and sources of technology risk.

[Figure: Risk Radar of media-reported events, plotted on Internal/External and Stable/Changing axes. Share of reported events by threat: Identity theft 30%, Hacking 27%, Malware 14%, Phishing 9%, Data leakage 6%, Denial of service 4%, Social media 3%, Espionage 2%, Power failure 1%, IT complexity 1%, Cloud 1%, IP theft 1%, Internet/comms blackout 1%, Brand abuse <1%, Political instability <1%, Social engineering <1%, Third party <1%.]

How to interpret the Radar: the size of the circle illustrates the frequency with which the threat is reported in our source information.


“Just one tweet was enough to spark a regulatory investigation at one of my clients.”

Identity theft is the most pernicious threat globally, accounting for 30 percent of the total reported risks. State-based hacking and “hacktivism” is rising in frequency and impact. It is estimated, for instance, that one Nation-State alone steals upwards of US$300 billion in intellectual property from the US each year [1]. Malware continues to permeate at alarming rates, affecting both corporates and individuals’ PCs and mobile devices. Phishing, the fourth-rated threat, is rising too as targeted recipients of emails inadvertently trigger malware infections or theft of credentials.

Partly what we are seeing here is a media fascination with reporting cyber-related threats. It sells newspapers. But putting aside the media hype, government, security services and regulators echo this view. Indeed, the June Bank of England systemic risk poll [2] identified cyber attacks as more worrying for banks than the Eurozone crisis.

The business community itself now seems to have caught up and leaders and executives have cyber risk firmly on their agenda. This has been reflected in The Lloyd’s Risk Index [3], which shows a meteoric rise for cyber into third position in its global risk survey.

Other results, however, confound KPMG technology risk experts. Social media and Cloud have surprisingly low rankings in this edition of the Radar.

However, according to Daniel Gorton, a Technology Risk Director at KPMG, “Just one tweet was enough to spark a regulatory investigation at one of my clients. This underlines the significant potential for misuse of social media in the workplace that can threaten corporate reputations.”

For Maria Rodrigues, a Technology Risk Director in Corporates, social media and Cloud have low rankings because few incidents have happened in both spheres: “Are we waiting for something to go badly wrong before we even consider social media and Cloud as serious IT security threats?”, she asks.

Data leakage, which is fifth in the top-rated risks, may be attributed to corporate ignorance. Companies spend millions on technical security measures and protection, but can be brought down by something as small as a USB stick. “If investment in security is not backed up with information and training on IT security, businesses may be compromised by people who unknowingly or deliberately introduce infected devices,” says Alejandro Rivas-Vásquez, a KPMG Senior Manager in Information Protection. “People can undermine the very best risk control efforts and the finest IT security systems,” he added.

[1] BBC News, May 2013, http://www.bbc.co.uk/news/world-asia-china-22634685
[2] Systemic Risk Survey, Bank of England, 2013, p4.
[3] Lloyd’s Risk Index 2013, Lloyd’s of London, 2013, p11.


Risk Radar

Top five risks

Identity Theft

Identity theft ranks the highest of threats yet is largely an individual rather than corporate assault. It is most likely to engender public sentiment. “Media stories tend to be more compelling where crime affects an individual rather than a faceless organisation,” comments Alejandro Rivas-Vásquez, a KPMG Senior Manager in Information Protection. It is important to note that identity theft itself is often the intended result or outcome of hacking, malware and phishing, rather than a risk ‘vector’.

Hacking

Organised crime and ‘hacktivism’ are increasing the frequency and impact of this threat. Overall, the level of sophistication is growing. A significant amount of hacking is state-sponsored and this largely goes undetected and unreported: essentially ‘under the radar’. It is estimated that one particular Nation-State steals upwards of $300 billion worth of intellectual property each year from the United States. We must not underestimate the insider threat: a large proportion of hacking emanates from inside organisations, with staff purporting to be external hackers.

Malware

Malware development has continued to rise at alarming rates, and has extended beyond PCs to mobile devices, infecting individuals as well as businesses.

Phishing

Phishing is a scam conducted for the purposes of information or identity theft. According to the FBI, victims are typically selected because of their involvement in an industry or organisation the attackers wish to compromise.

Data Leakage

The reality is that companies spend millions on technical security measures and tools, but can be brought down by something as small as a USB stick.

[Figure: Top five risks radar. Identity Theft, Hacking, Malware, Phishing and Data Leakage plotted on Internal/External and Stable/Changing axes.]

How to interpret the Radar: the closer the circle is to the centre of the radar, the more intense the impact.

Risk Radar by sector

[Figure: Total reported risks, sector analysis. Sectors shown: Automotive, Energy, Agribusiness, Healthcare, Utilities, Investment Management, Insurance, Banking, Government/Public sector, Materials, Transport/leisure, Technology, Consumer markets, Chemicals/pharmaceuticals, Telecommunications, Media, Construction. Per-sector values are not recoverable from the extracted text.]

By analysing online reported incidents over the three month data-gathering period, KPMG identified the sectors in which the technology risks were most commonly reported.

Government and public sector bodies are most targeted. Andrew North, a Director in Public Sector Technology Risk, puts this down to the sprawling nature of departments and complex technology landscapes that have grown up over time. Hacking is most commonly reported in this sector. The Public Sector holds a vast amount of personal data on individuals within our society and is therefore a likely target for hackers. Without ready access to information on the people the public sector serves, services would be costly, poor or even impossible to deliver. The sector is required by Government to protect our data effectively and to report promptly when issues arise so the level of reported incidents is likely to be higher than for the commercial sector.

Banking is second highest. The classic image of a bank heist, replete with guns and balaclava-clad criminals, increasingly belongs in the past. Cyber-related threats such as phishing, hacking and malware represent rapidly growing areas of crime. They are a challenge to control, with some banks considering cyber crime a threat to their stability and existence.

An increasing number of criminals are exploiting the speed, convenience and anonymity that modern technologies offer to commit a diverse range of criminal activities. Internet-based commerce systems provide more opportunities to steal information and hack systems. Some of the prominent enablers for cyber attacks are:

• Toxic combinations, which can be created when individuals move positions but retain access to systems from their previous roles

• Poor data management, which has left sensitive data vulnerable to cyber attacks

• Digitisation, such as the use of social media, mobile devices and remote access to networks, which is increasing the probability of cyber security attacks

• Lack of understanding by Boards and staff about the extent of cyber threats and the ways they can be tackled.
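The first enabler above, access retained from a previous role and the toxic combinations it creates, is the kind of control failure a periodic entitlement review is meant to catch. The following is an added example, not KPMG's code or method: the role-to-entitlement model, the segregation-of-duties pairs and the user accounts are all constructed for illustration.

```python
"""Entitlement review: flag rights not justified by a user's current role and
segregation-of-duties ("toxic") combinations. Constructed example data."""
from dataclasses import dataclass, field

# Hypothetical role model: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "payments_clerk": {"payments_app:create_payment"},
    "payments_supervisor": {"payments_app:approve_payment"},
    "hr_admin": {"hr_system:edit_employee"},
    "developer": {"git:push", "ci:deploy_staging"},
}

# Hypothetical segregation-of-duties rules: no one person may hold both.
TOXIC_PAIRS = {
    frozenset({"payments_app:create_payment", "payments_app:approve_payment"}),
    frozenset({"git:push", "ci:deploy_production"}),
}


@dataclass
class Account:
    user: str
    current_role: str
    entitlements: set
    previous_roles: list = field(default_factory=list)


def stale_entitlements(acct):
    """Entitlements the current role does not justify, mapped to the previous
    role that explains them, or 'unexplained' if no past role does."""
    allowed = ROLE_ENTITLEMENTS.get(acct.current_role, set())
    result = {}
    for ent in sorted(acct.entitlements - allowed):
        origin = next(
            (r for r in acct.previous_roles if ent in ROLE_ENTITLEMENTS.get(r, set())),
            None,
        )
        result[ent] = origin or "unexplained"
    return result


def toxic_combinations(acct):
    """Segregation-of-duties pairs the account holds in full."""
    return sorted(
        tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= acct.entitlements
    )


def review(accounts):
    """Findings per user; users with nothing to report are omitted."""
    findings = {}
    for acct in accounts:
        stale = stale_entitlements(acct)
        toxic = toxic_combinations(acct)
        if stale or toxic:
            findings[acct.user] = {"stale": stale, "toxic": toxic}
    return findings


# Constructed sample: alice was promoted from clerk to supervisor but kept her
# old right, so she can now both create and approve a payment.
SAMPLE = [
    Account(
        "alice",
        "payments_supervisor",
        {"payments_app:create_payment", "payments_app:approve_payment"},
        previous_roles=["payments_clerk"],
    ),
    Account("bob", "developer", {"git:push", "ci:deploy_staging"}),
    Account("carol", "hr_admin", {"hr_system:edit_employee", "payments_app:create_payment"}),
]

if __name__ == "__main__":
    for user, finding in review(SAMPLE).items():
        print(user, finding)
```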

Risk Radar: Analysis of the top five risks

[Figure: Percentage distribution of each risk (Identity Theft, Hacking, Malware, Phishing, Data Leakage) across sectors: Automotive, Energy, Agribusiness, Healthcare, Investment Management, Insurance, Banking, Government/Public sector, Materials, Transport/leisure, Technology, Consumer Markets, Chemicals/pharmaceuticals, Telecommunications, Media, Construction, Utilities. Vertical axis 0 to 35 percent.]

We are concerned by data leakage incidents in healthcare. Of all the risk types, data leakage in the healthcare sector stands out.

“Commonly, data lost within healthcare organisations is down to user negligence and lack of understanding,” says Andrew North. “This data is not heavily sought-after by hackers, but sparks emotional responses which generates column inches.”

The Technology sector features highly. Technology companies, large and small, are changing the way everyone does business with industry challenging innovations. Complex IT services contracts and Cloud-based services are a feature of the corporate landscape, and with technology dominating our personal lives, it is unsurprising that such companies are a clear target. Cyber criminals are attacking financial institutions’ suppliers of technology, software and hardware. Thus, when a financial institution installs the equipment or software impacted by cyber crime it compromises its own security.

Wider financial services are also highly at risk. As the major banks get better at protecting themselves, cyber criminals are targeting smaller institutions, such as wealth managers, who have high value customers.

Cyber security poses a significant threat to financial institutions and the broader financial system, with implications including:

• Financial and reputational damage: it increases the risk of loss of sensitive information (including intellectual property and trade secrets), which can result in financial (regulatory fines, compensation to victims of crime and theft of intellectual property) and reputational loss (loss of confidence in cyber transactions).

• Systemic threat: as banks and financial institutions are interconnected, an attack on one bank can leave other institutions vulnerable to disruption, threatening the security and stability of the broader financial system.

• Increase in IT budget: the heightened risk of cyber security attacks will result in financial institutions increasing their IT budgets to enhance security measures such as antivirus software installation, to incur the cost of insurance and to maintain IT security standards, plus investing in more training and awareness.

• Disruption in business continuity: a cyber attack can severely disrupt business operations, resulting in monetary losses.

Risk Radar: Control failures

[Figure: Root-cause control failures, share of reported incidents: Identity Mgt 30%, Network Security 26%, Malicious software protection 14%, Exchange of Sensitive Data 8%, User Account Mgt 7%, Device encryption 6%, Other 9%.]

KPMG further analysed the reported risks to identify the root causes in terms of control failures. Two of the top five control failings are down to human interference, according to Louise Street, Senior Manager in Financial Services Technology Risk Consulting.

“Poor controls surrounding identity and user account management are amongst the principal failings identified by KPMG. These are people-dependent processes. You can have all the latest tools and gadgetry, but if you don’t educate, reinforce and explain, then the flaw is not the control but the way in which it is applied by people.”

Tools and gadgetry clearly do play a role. Insufficient or ineffective controls in relation to device encryption, malware software protection and network security measures figure very highly as control failings.

Technology is changing so rapidly that it frustrates companies’ abilities to respond and control its risks, according to Richard Carty, a KPMG Manager in Corporates Technology Risk: “Companies do not look far enough ahead. They wait for something to happen and deal with it. They don’t predict.” Moreover, intricate supply chains and third-party arrangements make networks more extensive than ever, allowing control failures at multiple intersections.

Failure to implement malicious software protection accounts for 14 percent of instances and poor network security for over 25 percent of the control failings identified. Jon Dowie, a Partner in Financial Services Technology Risk, believes companies make “risk-reward decisions”. They do not always fully understand the risks they face and do not make commensurate investment in patching and hardening tools to give protection.

These control failures relate very much to business as usual activities. There are some further fundamental causes to such day to day control failures. Rhys Hermansson, a Senior Manager in Financial Services Technology Risk, acknowledges that many institutions are hamstrung by legacy IT systems: “Systems run concurrently following acquisition because it is cheaper than moving to a single platform. They do the same thing but don’t talk to one another. That builds huge risk into the merged entity in terms of innovation, business agility and change.”

For our experts, the wrong IT strategy is the greatest control failure of all. “IT strategy is about understanding the impact of technology on business,” explains Andrew North. “A large music retailer did not invest in online capabilities; a world famous camera company persevered with film when the rest of the world turned digital. Both failed to understand the impact of technology on their operations and suffered grave consequences.”

DON’T BELIEVE THE MEDIA HYPE

KPMG experts in technology risk management caution companies to detach newspaper reporting from commercial reality when defining their IT risk priorities. Just because stories about hacking and identity fraud make newspaper headlines, it does not mean that those attacks are more frequent or more damaging than lapses in, say, change execution or service delivery. They just make better reading.

Unsurprisingly, the more ‘mundane’ threats receive less media attention. For example, IT complexity fails to register any real impact as a reported threat, accounting for just one percent of incidents reported in the media. For Andrew North, a Director in Public Sector Technology Risk at KPMG, this is a surprise. “Arguably, due to the complex legacy IT systems in banking and other sectors, the smallest hiccup can halt business operations. Unlike phishing or malware, which are external threats, IT complexity originates within the organisation and is perpetuated by acquisition and failure to mesh IT networks and systems effectively.”

Identity theft ranks first in the list of most common media reported threats, yet is largely an individual rather than corporate assault. It is most likely to engender public sentiment. However, it does not appear in KPMG’s experts’ views of the top risks in terms of impact. “Media stories tend to be more compelling where crime affects an individual rather than a faceless organisation,” comments Alejandro Rivas-Vásquez, a KPMG Senior Manager in Information Protection.

Allowing the media agenda to dictate the corporate IT risk agenda is dangerous. Budget and resources need to be allocated to the right risks, within the commercial context of each business.

So the question is, “Is your business focused and spending money on mitigating the right risks?”

Don’t believe the media hype: Corporates

Many corporate institutions have experienced high profile IT project failures. Successful delivery of IT projects to time, budget and quality remains an issue. Businesses typically struggle to realise benefits.

Prolonged under-investment in technology has resulted in an inability to effectively support service delivery with many systems no longer fit for purpose.

Technology is disrupting some businesses to the point of potential extinction. Examples have occurred in a range of industries including retail, telecoms, music and computing and will be seen in more industries as technology enables changes in their business models.

Meaningful Management Information is hard to find and underlying data is often inconsistent and of patchy quality. The public sector has experienced a number of high profile IT project failures. Successful delivery of IT projects to time, budget and quality remains an issue. Businesses typically struggle to realise benefits.

Bring Your Own Device and the proliferation of social networks are changing the relationship between users and technology, and the way businesses and organisations protect their IT systems.

Theft of intellectual property through bribed employees, on-site theft and re-engineering continues to grow at huge rates profiting developing countries.

The frequency and sophistication of cyber crime continues and is expected to rise even further. Hacktivism, espionage and financial theft facilitated by technology systems and networks are being seen across all parts of the market.

IT estates can be heavily dispersed and lack resilience. Resilient technologies such as server virtualisation and network triangulation are not always in place.

Skilled resources are hard to come by; the war for talent is making the people agenda a key issue for CIOs.

IT teams are often poorly structured and inefficient in working practices resulting in low levels of IT service delivery.

Corporates - our radar

[Figure: Corporates risk radar. Risks 1 to 10 from the key below plotted on Internal/External and Stable/Changing axes.]

1 – Major IT project failure

The potential consequences of poor IT project delivery can be far and wide. Poor IT project delivery typically occurs due to:

• Inadequate focus on benefits

• Unclear or changing scope of requirements

• Poor project management processes

• Lack of executive sponsorship and management buy-in

• Insufficient project and quality assurance processes.

Key

1 – Major IT project failure

2 – System fitness for purpose

3 – Failure to exploit new / disruptive technologies

4 – Poor quality data and MI

5 – Consumerisation of IT & social media

6 – IP theft

7 – Cyber crime

8 – Lack of resilience

9 – Talent management

10 – Inefficient IT service delivery

How to interpret the Radar The closer the circle is to the centre of the radar, the more intense the impact.

We have created four dimensions to our Risk Radar: External /Internal / Stable / Changing. We have plotted the reported risks according to those dimensions to enrich our analysis and depict the nature and sources of technology risk.

2 – System fitness for purpose

Many businesses look at the cost of IT first, rather than related value (i.e. whether the IT platform is capable of delivering in line with business need). If a system is not designed to support the decision-making, planning and strategic thinking of a business, then there is a risk that IT platforms and solutions could be misaligned to business objectives. IT platforms or solutions should be driven by business requirements to ensure that they are proactively aligned to business need.


3 – Failure to exploit new / disruptive technologies

Organisations are looking to IT to help the business turn change into opportunity. Agility is key, as is the need to be more proactive in creating strategies to deliver this. Technology functions must adopt the role of change-agent, capable of delivering value and stability through major change.

A key determinant of business success going forwards will be the ability or failure of technology teams to turn disruptive forces and emerging trends into sustainable and achievable business opportunities.



4 – Poor quality data and MI

Data is the lifeblood of every business: it drives decisions, supports operations, creates an audit trail and delivers insight into the market. Poor quality data takes away a business’s critical edge in performance, profitability and risk.

Better quality data and MI can improve customer profitability and product coverage through a single customer view and product insights, reduce cost and reputational risk through improved data quality, enable forward planning, forecasting and the optimisation of operations, and provide early risk warning systems.



5 – Consumerisation of IT & social media

With more and more business activities now leveraging social media, the need for a coordinated and consistent approach becomes critical. In particular, the need for greater coordination on marketing, business development and product development will become increasingly important as these three functions begin to engage customers in two-way conversations over social networks.

Consumer electronic devices such as smart phones and tablets have seen a huge rise in popularity, available features and capability. The Bring Your Own Device (BYOD) phenomenon raises a number of data protection and data security risks and compliance requirements.



6 – IP theft

Theft of intellectual property through bribed employees, on-site theft and re-engineering continues to grow at huge rates. This is of great concern particularly to governments and a country’s national security, but also to businesses.



7 – Cyber crime

Over recent years cyber crime has become a major threat to organisations. This risk can emerge due to:

• Inadequate security policies

• Unpatched software

• Poor mobile device security

• Hacking activities

• Internal threats

• Social networking platforms.



8 – Lack of resilience

Although organisations often plan for known risks, it is equally important that they have a resilience plan in place for unforeseen events.

Apart from the obvious technology outages, this risk may emerge due to an environmental or climate related issue, terrorism, or an economic shock.



9 – Talent management

Most organisations have recognised that attracting and retaining talented resources comes at a premium. Constant evaluation and refreshing of IT capabilities and skills are necessary to deliver competitive advantage and utilise the benefits of innovation.

Few business and technology leaders believe that they possess strong enough execution capabilities, organisational structures or governance capabilities to meet the demands of the business.



10 – Inefficient IT service delivery

Many technology functions struggle to create a valuable partnership with the business. With multiple service providers and sourcing options, there is a need to focus on integrating services into valuable solutions for the business. To improve business performance, constant evaluation and refreshing of IT service delivery capabilities is needed to deliver competitive advantage and utilise the benefits of innovation.


Financial Services

Don’t believe the media hype

Financial institutions are highly complex organisations, with complex IT. Many businesses have ageing legacy estates, with systems that are product centric, rather than customer centric.

It is difficult and costly to build in resilience, especially with single points of failure. However, the regulator’s interest in resilience is currently very high, following a series of outages and incidents in the market.

The amount of regulatory-driven change is significant. New regulations are placing huge pressure on technology systems to accommodate reporting and evidence gathering requirements of regulatory investigations, and the subsequent remediation projects.

The banking industry is one of the most targeted industries for cyber criminals. We expect the frequency and sophistication of cyber crimes against banks to rise even further, and the threat is now moving to other parts of the financial services market, with insurers and wealth managers being targeted.

Identity and access management is often poorly executed and is a costly, manually intensive activity. Despite some large investments in automation in this area, it remains sub-optimal. Audit findings are typically high in this area. Toxic combinations and inappropriate access rights are often found in cases of rogue trading.

With the complexity of the environment and limited change window availability, making changes to the live environment is highly risky. Poorly executed change can impact system functionality and availability, which can be highly visible to customers, business partners and regulators.

Major fraud instances have been reported in recent years through rogue trading, causing billions of pounds in losses. Data leakage events also regularly hit headlines, particularly in relation to customer data.

Governance, risk and compliance investment is not seen as effective and value-adding. Basic compliance with policy and frameworks such as Sarbanes-Oxley remains a challenge for many. Internal Audit functions continue to report major IT control issues.

Successful delivery of IT projects to time, budget and quality remains an issue. Businesses typically struggle to realise benefits. The requirement to deliver regulatory driven change has diverted resources away from delivering business improvement programmes.

With complex, inter-linked outsourced processes, poor service performance or compliance failures on the part of service providers have a major impact on business operations. FS institutions regularly experience failure by a third party to meet performance targets, contractual obligations or regulatory requirements, and these failures have a profound impact on the organisation’s customers.

Risks relating to IT cost reduction, talent management and inability to transform or innovate narrowly missed our Top 10.


Financial Services – our radar

1 – IT complexity and legacy

The more complex the IT system, the more vulnerable it is, and therefore the higher the risk. Risks include:

• Malicious activity exploiting system weaknesses or loopholes

• High maintenance costs

• Difficulty in providing and testing resilience

• Ineffective achievement of business objectives

• Lack of skilled resources

• Implementation of new solutions.

[Radar figure: quadrants labelled INTERNAL / EXTERNAL and STABLE / CHANGING, with risks 1–10 plotted by impact]

Key

1 – IT complexity and legacy

2 – Lack of resilience

3 – Regulatory change

4 – Cyber crime

5 – Unauthorised system access

6 – Ineffective or erroneous change

7 – Fraud and data leakage

8 – Ineffective governance, risk and compliance

9 – Major IT project failure

10 – Third party performance & management

How to interpret the Radar

The closer the circle is to the centre of the radar, the more intense the impact.


2 – Lack of resilience

Although organisations often plan for known risks, it is equally important that they have a resilience plan in place for any unforeseen events. Apart from the obvious technology outages, this risk may emerge due to an environmental or climate related issue, terrorism, or an economic shock.



3 – Regulatory change

There are too many types of regulatory change to list, but prominent recently have been the numerous mis-selling scandals which have plagued banks and other institutions. Usually dissatisfaction begins with a particular product being the subject of isolated complaints. This can quickly escalate to consumer protection websites and then into mainstream media outlets, all gathering anecdotal evidence. Regulators are compelled to intervene, first by investigating individual cases but swiftly followed by full thematic reviews. This and other regulatory changes have diverted IT resources away from other business change initiatives.



4 – Cyber crime

Over recent years cyber crime has become a major threat to organisations. This risk can emerge due to:

• Inadequate security policies

• Unpatched software

• Poor mobile device security

• Hacking activities

• Internal threats

• Social networking platforms.



5 – Unauthorised system access

Unauthorised system access can have severe implications for an organisation such as enabling fraud and rogue trading, providing a back door for hackers and compromising segregation of duties. It may emerge from:

• A lack of awareness regarding best practices

• Malicious intent

• Ineffective system settings

• Misuse of logical access measures.



6 – Ineffective or erroneous change

Changes that are poorly executed can have significant detrimental impacts upon business operations. Ineffective or erroneous change can result from:

• Poor software development practices

• Insufficient quality assurance and testing

• Poor release management.


7 – Fraud and data leakage

Fraud and more recently data leakage are key areas of risk within organisations. This risk may emerge due to:

• Unauthorised application use

• Physical and network access

• Misuse of the corporate IT infrastructure

• Passwords

• Login/logout procedures

• Transfer of data to less secure targets (e.g. information sent to personal email addresses)

• A lack of awareness or responsibility towards sensitive information.


8 – Ineffective governance, risk and compliance

The constantly evolving nature of standards, regulations and security and privacy laws creates a risk that an organisation may not be in compliance. A lack of investment in a robust, value-adding risk and control framework is a common cause, as is a lack of skills within the IT function.


9 – Major IT project failure

The potential consequences of poor IT project delivery can be far-reaching. Poor IT project delivery typically occurs due to:

• Inadequate focus on benefits

• Unclear or changing scope or requirements

• Lack of executive sponsorship and management buy-in

• Insufficient project and quality assurance processes.


10 – Third party performance & management

The trend for outsourcing continues unabated, with organisations seeking cost savings and capability benefits. Whilst day to day operations are delegated to the supplier, the underlying risk and accountability is not. Failure by a third party to meet performance targets, contractual obligations or regulatory requirements can have profound implications for an organisation.


Public Sector

Prolonged under-investment in technology has resulted in an inability to effectively support service delivery, with many systems no longer being fit for purpose.

The public sector has experienced a number of high profile IT project failures. Successful delivery of IT projects to time, budget and quality remains an issue and political pressures add to the tendency to keep problems quiet until it’s too late, often to protect a minister from unwanted criticism.

The public sector is highly dependent upon private sector partners to deliver and develop IT. Poor service performance or compliance failures on the part of service providers have a major impact on business operations. Public sector institutions regularly experience failure by a third party to meet performance targets, contractual obligations or regulatory requirements, and these failures have a profound impact on customers and the organisation.

Many core systems have been in place for years and are often not clearly understood and are expensive to maintain.

Meaningful MI is hard to find and underlying data is often inconsistent and of patchy quality.

IT teams are often poorly structured and inefficient in working practices resulting in low levels of IT service delivery and poor value for money.

Protecting public confidence in web enabled services is critical, as is protecting national interests.

Central Government processes £1.2 trillion p.a. through IT systems, making them a key target for fraud and data leakage.

The public sector is increasingly required to comply with regulation and centrally defined standards such as CESG security accreditation.

IT estates can be heavily dispersed and lack resilience. Resilient technologies such as server virtualisation and network triangulation are not always in place.


Public Sector – our radar

1 – System fitness for purpose

Many businesses look at the cost of IT first, rather than the related value (i.e. whether the IT platform is capable of delivering in line with business need). If a system is not designed to support the decision-making, planning and strategic thinking of a business, there is a risk that IT platforms or solutions are misaligned with business objectives. IT platforms or solutions should be driven by business requirements, so that they are proactively aligned to business need.

[Radar figure: axes STABLE / CHANGING and INTERNAL / EXTERNAL, with risks 1 to 10 plotted by intensity of impact]

Key

1 – System fitness for purpose

2 – Major IT project failure

3 – Third party performance & management

4 – IT complexity and legacy

5 – Poor quality data and MI

6 – Inefficient IT service delivery

7 – Cyber crime

8 – Fraud and data leakage

9 – Ineffective governance, risk and compliance

10 – Lack of resilience

How to interpret the Radar

The closer the circle is to the centre of the radar, the more intense the impact.


Technology Risk Radar Public Sector

2

Major IT project failure

The potential consequences of poor IT project delivery can be far-reaching. Poor IT project delivery typically occurs due to:

• Inadequate focus on benefits

• Unclear or changing scope or requirements

• Poor project management processes

• Lack of executive sponsorship and management buy-in

• Insufficient project and quality assurance processes.



Technology Risk Radar Public Sector

3

Third party performance & management

The trend for outsourcing continues unabated, with organisations seeking cost savings and capability benefits. Whilst day-to-day operations are delegated to the supplier, the underlying risk and accountability are not. Failure by a third party to meet performance targets, contractual obligations or regulatory requirements can have profound implications for an organisation.



Technology Risk Radar Public Sector

4

IT complexity and legacy

The more complex the IT system, the more vulnerable it is and therefore the higher the risk. Risks include:

• Malicious activity exploiting system weaknesses or loopholes

• Unforeseen events requiring disaster recovery solutions

• Ineffective achievement of business objectives

• Lack of available resources

• Implementation of new solutions.



Technology Risk Radar Public Sector

5

Poor quality data and MI

Data is the lifeblood of every business - driving decisions, supporting operations, creating an audit trail and delivering insight into the market. Poor quality data takes away a business’s critical edge in performance, profitability and risk.

Better quality data and MI can help improve customer profitability and product coverage through single customer view and product insights, reduce risk (cost and reputation) through improved data quality, as well as enable forward planning and forecasting, optimisation of operations and provide early risk warning systems.



Technology Risk Radar Public Sector

6

Inefficient IT service delivery

Many technology functions struggle to create a valuable partnership with the business. With multiple service providers and sourcing options, there is a need to focus on integrating services into valuable solutions for the business. In order to improve business performance, constant evaluation and refreshing of IT service delivery capabilities is needed to deliver competitive advantage and maximise the benefits of innovation.



Technology Risk Radar Public Sector

7

Cyber crime

Over recent years cyber crime has become a major threat to organisations. This risk can emerge due to:

• Inadequate security policies

• Un-patched software

• Poor mobile device security

• Hacking activities

• Internal threats

• Social networking platforms.



Technology Risk Radar Public Sector

8

Fraud and data leakage

Fraud and, more recently, data leakage are key areas of risk within organisations. This risk may emerge due to:

• Unauthorised application use

• Physical and network access

• Misuse of the corporate IT infrastructure

• Passwords

• Login/logout procedures

• Transfer of data to less secure targets (e.g. information sent to personal email addresses)

• A lack of awareness or responsibility towards sensitive information.



Technology Risk Radar Public Sector

9

Ineffective governance, risk and compliance

The constantly evolving nature of standards, regulations and security and privacy laws creates a risk that an organisation may not be in compliance. A lack of investment in a robust, value-adding risk and control framework is a common cause, as is a lack of skills within the IT function.



Technology Risk Radar Public Sector

10

Lack of resilience

Although organisations often plan for known risks, it is equally important that they have a resilience plan in place for any unforeseen events. Apart from the obvious technology outages, this risk may emerge due to an environmental or climate-related issue, terrorism, or an economic shock.



OUR VIEWS

Although we cannot predict the future exactly, our industry experts took it upon themselves to each identify one threat from the radar that they feel will change position significantly from its current position in one year’s time. Here’s what they came up with.


Jon Dowie: Lack of proactivity and under-investment – two of today’s leading technology risks

Jon Dowie Partner FS Technology Risk

Too many organisations consider technology risk as a potential risk rather than an actual risk – and are preparing their defences accordingly. However, in my opinion it’s inevitable that every organisation will face an IT failure in the short to medium term which disrupts ‘business as usual’ operations. We are also likely to witness (another) major UK business or financial institution have its technology outage or failure unfold in the media spotlight. This is unfortunately almost certain, given the ever-increasing complexity of IT environments and the dynamic nature of external technology threats.

Cyber crime and cyber risks in particular are now very much in the corporate consciousness – in fact, managing cyber risk is in danger of becoming synonymous with managing technology risk more broadly. Robust cyber security does not equal robust technology risk management. Other, less high profile risks are being neglected.

I anticipate that media scrutiny and reporting of cyber crime will continue and this will cause perceived levels of technology risk exposure to grow. More and more emotive headlines in the papers should be expected.

Reputational damage caused by media coverage of actual or perceived poor management of technology risks can be significant and have a potentially high financial cost - not only caused by lost customers, but also from lost business partners who will take a dim view of their partner being unable to manage its risk exposure. A consequence of this concern is a growing trend which sees an organisation assuring itself over the processes, controls and risks of organisations it does business with.

However, I do expect to see more and more organisations promoting awareness of technology risk and investing in better capabilities – but reluctantly, and in reality, only when a serious breach or failure has been experienced.

Time after time, it is only after a serious, financially painful issue that improvement programmes are initiated. While this may not be a wise approach, it is understandable. It can be a hard sell to argue that an organisation should invest millions or hundreds of millions of pounds in mitigating IT risk. Investing in revenue and growth-generating activity is more appealing.

My view is that the best, most practical way to approach the technology risk challenge is through introducing or enhancing the role of the ‘Chief Technology Risk Officer’ – this role is already gaining greater recognition and power within IT functions. In turn, technology risk will get greater exposure to boards and risk committees. However, the right people with the right skills and the right mandate need to fill the role.

Chief Technology Risk Officers need to invest in prioritising and protecting against the most significant risks for their organisation. I am not advocating protecting against all risks as this is not feasible. This role needs to evolve from being compliance-focused to being more of a consultancy role which is forward looking and helps the CIO to make better risk-based decisions on how best to allocate limited resources. Most importantly, organisations need to stop managing IT risk reactively – if the strategy is to act reactively, an organisation will always be playing catch-up.


Stephen Bonner: Internet blackout: why do we not worry about (and plan for) the internet failing?

Stephen Bonner Partner Information Protection

The subject of internet blackout risk receives relatively little attention. It is often drowned out by tales of the risks associated with state-sponsored cyber crime and sophisticated malware. As a consequence companies could be in for a shock, at any point in the near future. I think that we have experienced an extremely unlikely and unusual period of stability of core internet services like routing tables and name lookups. This good luck has meant most organisations don’t take the threat of long term internet outage seriously enough. I think one of the biggest IT risks that we face is the combination of capacity and complexity issues causing internet failures.

Organisations should be surprised that the internet works so well, rather than be surprised when it fails – given that no one body is responsible for making it work. This is only an issue because it has become normal to think of the internet as a utility such as power, telecommunications or water, where a service is paid for with contractually agreed service levels.

Organisations do protect their connection to the internet, for example by using ‘dual pipes’ from two providers, but out of sight, the internet is cobbled together in a whole series of insecure, outdated technologies which are lashed together with the sweat and tears of network engineers.

The internet is also dependent on numerous other factors which cannot be controlled by end users. For example, reliable power and access to cooling is needed and a global network of cables needs to be protected from being cut by construction machinery or damaged by fishing trawler nets. Then of course, there are risks caused by those acting maliciously – which has happened in the past. ‘Worms’ for example have spread rapidly across the internet, causing significant disruption.

It represents a giant leap of faith for so many organisations to bet their business model on the internet, which is managed with so few formal controls. Ironically, it is also an endorsement for this ‘unregulated’ approach, as it appears to be more robust than highly regulated systems such as power or financial networks which have rare, but very significant outages.

The loads and complexity of internet usage are growing exponentially while the skills and capability to manage the systems are growing (at best) in a linear fashion. Last year, we passed the point where more than half of all internet traffic was created by machine-to-machine communication – the number and criticality of connections facilitated by the internet is far outpacing the resources dedicated to maintaining it. More and more data is being transferred by an ever more exotic collection of devices, from fridges to pacemakers.

I believe that we will see substantial disruption to organisations and entire businesses failing through not appreciating that relying on the internet means relying on third party services for which there are no contracts and not even a clear owner.

I take no pleasure in suggesting that another item be added to the already daunting list of IT risks which need to be considered. However, heavily internet-dependent businesses which have processes and procedures in place to respond to the internet failing for a number of days are currently likely to be in the minority. Have you taken the time to consider the impact on your business of an extended internet outage beyond your (or your ISP’s) control?

It could be argued that organisations should celebrate the miracle that is the internet proving to be so robust for so long and press ahead with business as usual, but having contingency plans in place to survive a sustained loss of internet access is probably wise – from maintaining access to business-critical information to interacting with customers and having appropriate insurance to cover losses. The internet is incredible, but this shouldn’t blind us to the fact that it isn’t a traditional utility and its prolonged failure is an IT risk.


Louise Street: IT espionage: a recognised form of business intelligence within 5 years’ time

Louise Street Senior Manager FS Technology Risk

Stories of countries committing espionage using technology systems have promulgated into the news recently and I envisage that over the coming months more will emerge, still. These incidents are already beginning to show that IT espionage is actually not an uncommon occurrence but mostly goes under their radar on account of the difficulty of detection.

In just six to eight months, as more cases appear, I can foresee IT espionage becoming a far greater concern to not only countries but businesses too. This does not necessarily mean that it is happening any more often than previously, but that businesses’ awareness of the threat will have grown.

Whilst recent news has been more centred on country-focused attacks, I expect that more companies – first large corporations then mid-sized organisations – will be put into the spotlight. But companies such as this won’t only fall prey to IT espionage, they will also be committing it themselves.

Indeed, I can see that very soon, within five years, IT espionage will become more recognised as a tool to keep track of your competitors’ business development. Keeping up or ahead of your competitors is certainly not a new objective; IT espionage will simply be viewed as another tool in business intelligence departments’ repertoires.

This may be met by some initial shock by companies and individuals alike, but over time and as an increased awareness of such activity prevails, I believe that for many, apathy will kick in and IT espionage stories will not even make the news in the future. This is not to say that all IT risks will also not make the news, however. There is still a big difference between IT espionage and sabotage or malware, for example. Whereas the purpose of IT espionage is arguably to simply get ahead of your competitors, other IT risks, like sabotage or malware, are more focused on actual physical detriment and therefore likely to provoke far more of a reaction.

Nevertheless, an IT espionage attack should not be undermined by organisations, it should raise big questions about their data security. Unfortunately, when people talk about data security at present, I do not think that they are talking about IT espionage. Part of the problem is that it is very difficult to tell when a company or individual has been subjected to an attack. Unlike other data security attacks, espionage rarely leaves a trace and is therefore very hard to prove.

At the crux of the matter, I believe that businesses are not spending enough time or money on preventative measures against these kinds of cyber attacks. This is partly because businesses are too preoccupied with protecting the here and now, but also because they are busy focusing on protecting customer and transactional data, rather than their strategy which is just as at stake from an IT espionage attack, if not more.

But as more incidents come out of the woodwork, I think that there will be an increased demand for targeted IT skills and tools to support quicker and deeper espionage discovery. Additionally, espionage will be a service to sell. To be honest, this is not a far cry from today’s businesses which use penetration testing services to find the holes in their own networks. Through this change, we may also see more businesses employing ‘hackers’ to fulfil these tasks. Of course, as IT espionage becomes more accepted in companies, these roles will be re-named ‘business intelligence analysts’, as they will not have the stigma of today’s hacker.

I can also foresee that government and business IT espionage will merge as governments support their local business development. Of course, this would be seen as quite controversial today, but in the long run will help support local economies.

And what does this mean to the average man on the street? I’m not sure that the majority are bothered about IT espionage, as long as it doesn’t affect them financially. Ironically, in some instances, they might see it as a good thing; like in retail for example, it might mean products coming on the market quicker and at a cheaper price than anticipated.

In summary, I believe that for the most part, commercial IT espionage will be seen as a crime without victims; and a signal for businesses to better protect their data against competitors. However, in contrast, IT espionage where national security is concerned will continue to be seen as a different ball game.


Andrew North: Data leakage: a human force to be reckoned with

Andrew North Director Public Sector Technology Risk

Data leakage affects all sectors and individuals but in my experience, losses are especially prominent in the public sector, due to the sheer volume of data they hold records for: everyone in society. This is why in most cases when we hear about data leakage in the news – if at all - it is due to a public sector error, in the healthcare system for example.

Data leakage is a major risk for organisations reputationally and often there are serious financial consequences too. But as awareness of the causes of these incidents grows and action is taken to avoid the loss of large data sets, I think that the residual risk associated with data leakage will reduce.

The biggest issue in combating data leakage is that most incidents go undetected in the first place. As data leakage occurs inadvertently on the whole, it is very hard to monitor, until someone finds the missing data; this could be in the form of an email (often sent to them by mistake) or a piece of lost property such as a USB stick on the floor. Quite often people don’t even realise it to be a data risk when they see it, so the majority of cases are not flagged up (and lessons are not learnt).

Having said that, organisations seem to be beginning to get up to speed about data leakage and the consequences. Back in 2007 the topic was promulgated into the news when Her Majesty’s Revenue and Customs allegedly lost two computer discs, which contained personal information and bank details of all families in the UK claiming child benefits. This incident - although never conclusively proven - not only illustrated just how badly lost data can reflect on an organisation (i.e. reputational and financial damage or loss of competitive advantage) but also that all sorts of organisations – even Central Government – have inadequate controls in place.

I think that it is particularly difficult for the Public Sector to get up to scratch on data leakage because of the frantic environment they operate in. Healthcare, for example, is already under a lot of pressure as it is, with recent concerns that A&E will not be able to provide the right level of service over the winter. Inevitably, when organisations or people are under pressure they go into survival mode and only focus on their core business - which in this case you would hope is patient care – and this is when accidents can occur.

Despite this, the NHS has certainly upped its game in terms of information governance over the past few years, with the emergence of The Information Governance Toolkit, which all NHS hospitals and trusts must use. But at the end of the day, these are big complex organisations and it comes down to the people: how well they use their systems and how clearly they understand their responsibilities on the ground.

Although companies are spending more (and in some cases a lot) on implementing new processes and controls to prevent data spills and related risks, few effectively address the underlying culture of why there are occurrences. I believe that they spend too much time focussing on managing technical security when the majority of data leakage incidents are due to human error.

IT solutions should still be an integral part of combating this risk, such as encrypting laptops and restricting sensitive information, but engaging employees about the risks should carry just as much weight. Unfortunately long company training modules at the start of every year are clearly not enough as incidents are still occurring and mostly due to the same human faults. Going forward, senior management must place a clear focus on prevention through implementing ongoing awareness as well as training programmes.

Whilst I believe that data leakage will never fall off the radar altogether, I sense that the awareness of individuals, specifically those handling sensitive personal data, of the risks surrounding data leakage is increasing and will continue to do so over the next twelve months, due to the high profile media coverage of data loss incidents and the inevitability of their occurrence. Unfortunately, witnessing a national scandal unfold or being the victim of a data leakage incident yourself seem to be the most effective ways of hitting the message home.


Rhys Hermansson: Cloud computing: a hacker’s Holy Grail

Rhys Hermansson Senior Manager FS Technology Risk

In the next twelve months, I foresee that more and more companies will be using Cloud technology. As a result of reducing network communication costs, use of Cloud computing is already reducing our clients’ IT expenditure and improving operational efficiencies. But with any emerging technology comes increased risk, especially for Cloud, which is still in its relative infancy.

Although at present companies are predominantly putting a subset of their data into the Cloud, I expect over time – and as Cloud security becomes increasingly mature, leading to more confidence – this will change.

However, I believe that as more and more data is stored in the Cloud, hackers will see this concentration of data as an increasingly attractive target – a holy grail even – for potential financial gain, such as theft of personal data, corporate espionage, research and development or, for some, simply even bragging rights.

Indeed, a leading computer game console manufacturer’s network outage in 2011 – where the personal details of 77 million customer accounts were stolen from its systems – illustrated the consequences of a large-scale data security breach. Not only was users’ personal information severely compromised but the effects on the company’s reputation were also crippling and meant two weeks of network downtime.

Whilst there have been relatively few high profile attacks on Cloud technologies, we are increasingly seeing hackers using Cloud technology architecture as a platform to stage an attack. To add to this complexity, it has been reported that the bulk of Cloud security misdemeanours are actually caused by insiders, either maliciously or inadvertently. This highlights the importance of an equal emphasis on internal security strategies as well as preventing external threats.

Having said that, security over Cloud technology is perceived to be good (and improving). Organisations that have substantial amounts of personal data, such as those in Financial Services or the health sector, seem to be ensuring that their data held in the Cloud is appropriately encrypted both in transit and in storage. They cannot be complacent, as whilst the uptake of Cloud services increases, so too will the hackers’ knowledge and desire to penetrate the network.

Furthermore, it is also the client’s responsibility to keep their Cloud safe, not just the provider of the Cloud service. The client must have their own security procedures in place, including writing clauses into the contract with the supplier of their Cloud technology and keeping abreast of all patches and upgrades. In turn, the clients’ security architecture will hopefully be integrated with the Cloud provider’s security architecture.

Unfortunately, without a data breach it is of course quite difficult to ascertain whether a system is up to scratch. This is why some companies use third-party providers to attest their systems. Whilst this is important, it is still not a fool-proof gauge. For this reason, I think that companies would be safer rotating different third-party providers, at least on an annual basis. In many cases, the customer could also be a lot more insistent on making sure the security coverage and reviews are both in depth.

I imagine that whilst the number of successful hacking incidents will be low over the next twelve months, the size and impact of a successful hack will be much greater, leading to potential financial, regulatory and reputational impacts.

Part of the problem is that to date, whilst organisations have been fined, there have been few high-profile instances where the regulator has imposed a substantial fine on an organisation for not ensuring their Cloud provider has sufficient security controls. In my view, it is only a matter of time, however.

Nevertheless, I do not think that the threat of a hack or any other security failure should deter organisations from using Cloud. When used in conjunction with the right security precautions and vigilance, I believe that for many businesses, using Cloud technology outweighs not using Cloud at all. Not only can it provide significant cost savings, a greener alternative and many working innovations, it also has the potential to be just as safe if not more so than traditional organisational data storage, whose security cannot be centrally managed across all systems.


Richard Carty: Cyber criminality: the onward march

Richard Carty Manager Corporate Technology Risk

If I speculate as to what our Technology Risk Radar might look like in a year’s time, I can’t help but think that the biggest single difference from how the Radar looks now will be an increase in the threat posed by cyber criminality. A proposed period of up to five years in which cyber criminality risks causing real damage to business growth and performance; five years in which business organisations, governments and the general public have to quickly play catch-up with increasingly sophisticated cyber criminals.

Five years is a likely prediction because the current technology infrastructure is still limited but getting better with new smart technology devices and I feel that after that point, the threat level will plateau or maybe even fall. That’s because a concerted effort will come – it has to come – in terms of standardising a response to this threat worldwide and better educating people in how to deal with it.

A lack of a standardised response is the biggest single challenge in this space. Many industrialised nations have clear and distinct frameworks and protocols for dealing with data capture and storage. Yet many others are lacking appropriate investment in data security and infrastructure, as other priorities such as employment and business growth take centre stage.

What typically determines where that dividing line is drawn is whether or not cyber criminality poses any material threat to a sovereign state’s GDP.

Governments are beginning to realise that this is not a battle which can be readily fought alone, i.e. from Downing Street or from the White House, especially bearing in mind the increasing frequency with which cyber criminality is linked to terrorism. Countries on one side of the dividing line will need far more help than they currently receive from those on the other side.

As long as some countries take it more seriously than others, I think that cyber criminality will only keep on proliferating.

Better collaboration at both a national and international level is needed. Currently, several parties are key players in this process: government, corporates, software manufacturers, vendors and individuals also. Having said that, it often feels that this is solely the government’s fight.

That’s a dangerous assumption. Legislators, developers, business owners, board members and the man on the street all need to work together in a coherent way to reduce cyber criminality. If the last person on that list seems an odd inclusion, what I mean is this; even the everyday user of online services has a duty to ‘do the right thing’, to follow instructions and employ best practice – including acting with integrity and within the law – when dealing with data creation and storage.

In fact, Joe Bloggs has an absolutely key role to play when you consider quite how soft a target he is. Corporates are typically well-protected but the moment that Joe uses his remote access device via his home broadband, a cyber criminal could be sniffing around.

Yes, VPNs can help in this regard but unless they are activated immediately, the instant that the device is turned on, then there is still a window of opportunity for the savvy cyber criminal.

While Joe Bloggs can be better educated about dealing with a threat, he has typically been thought of as ‘someone else’s problem’. Software developers and vendors and tech support companies also have a role to play in ensuring that Joe Bloggs understands his role and responsibilities.

The problem is that in the software developer space there is an inevitable issue around customisation. So much of the fight against cyber criminality is about the software deployed to combat it rather than better preventative measures. If the software is customised, the minute it is put to use it could immediately reduce its effectiveness and efficiency against cyber threats.

To use an older, accounting example, it’s the software equivalent of how Sarbanes Oxley (perfectly sensible, well-intentioned legislation) was immediately ‘tailored’ to individual markets, thereby diminishing the benefits which could have been achieved if one standardised platform had been used across the board.

Standardisation is king in this arena. A Wi-Fi connection in Timbuktu for example needs to afford me the same level of security as in my own living room in the UK.

Where corporates come into this equation is in terms of where they position cyber crime on their board agenda. Yes, they need to educate employees and embed the appropriate levels of access and change controls – but they need to ensure an appropriate skillset and knowledge base is represented at the board level.

Since the banking crisis there seems to be a wave of non-exec directors who have emerged with the skills needed to drive an agenda around cyber criminality. That’s reassuring because a board without those skillsets or ambitions is less likely to countenance the required investment in either protection or education.

And invest they should – because I can’t help feeling that the impact of cyber crime at a corporate level is underplayed in this country. I’d suggest that in trying to minimise reputational risk, many organisations are simply keeping quiet – if possible – about whether or not they have been a victim of cyber crime.

In summary, if we manage to bring all these aforementioned parties together for one, concerted effort, then I honestly do believe that cyber criminality can be brought under control.

That won’t happen overnight though; hence my prediction of another five years, during which cyber criminals continue to spread from country to country.

Even countries like the UK are still in their infancy when it comes to developing a collaborative response – and we’re actually one of the more advanced nations in this regard.

The scale of the problem is now so extreme that a concerted retaliation must come soon but, for now, the likelihood of the threat and the potential impact of the threat are, I think, both set to escalate.


Contact us to find out more

Jon Dowie Partner Financial Services Technology Risk T: +44 (0)20 73115295 E: [email protected]

Stephen Bonner Partner Information Protection T: +44 (0)20 76941644 E: [email protected]

Chris Gumn Partner Corporates Technology Risk T: +44 (0)121 3352364 E: [email protected]

Andrew North Director Public Sector Technology Risk T: +44 (0)113 2542839 E: [email protected]

www.kpmg.co.uk

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Oliver Marketing for KPMG | OM 006033A | November 2013