David Ferbrache, technical director in KPMG’s cyber security practice, claims that every organization must consider the cyber risks it faces and the impact an attack might have on the organization.
He wrote in a blog post, “Only then can an organization assess what a cyber-threat might mean to its business – and perhaps its very survival.”
He added, “Companies should be investing more time and energy in cyber protection and resilience than ever before in view of the constantly changing cybercrime threat.” But he claims that many firms are suffering from “cyber-fatigue” and are instead focusing IT investment on the latest technologies such as machine learning.
Ferbrache added: “A radical rethink is required on the part of internal audit (IA), which generally focuses on mapping control networks as a way of preventing cybercrime.
The problem is that this does not always mirror how the crimes are committed. It’s time for a different approach.”
He described cyber-criminals and hackers as “rational businesspeople” who are looking for a return on their investment in the tools they use to steal, commit fraud and extort money. He said, “One thing they do not do is think in organizational silo structures – and so neither should the IA team.”
He said that even though a combination of technological and behavioral controls with a governance framework is a good approach, many organizations are failing to get the basics right or even to apply their controls.
He added, “The key is to concentrate on operational resilience – focusing on the threats, assessing what the organization is trying to defend against, and then aligning the objectives of its distinct levels of controls.”
“Building up true resilience relies on understanding just how interconnected and interdependent different segments of the organization are, as well as the third parties they rely on.”
Ferbrache also wrote in the blog post, “Only by gaining a holistic view of the entire business can those charged with keeping it secure form a true picture of its weak spots and vulnerabilities.
“By understanding the adversarial nature of cyber threats and the cascade of consequences after cyber strikes, organizations can prepare for a swift and agile response to attacks – the mark of a properly resilient organization.”
He recommended that organizations start by assessing what stage they are at in managing cyber risk.
“Too many companies either deny it is a problem for them or have false confidence in their processes,” he said. “At the other end of the scale, there are business worriers who want as much security as possible – without realizing the impact on day-to-day business. None of these extreme positions is helpful.”
KPMG offered a set of advice for organizations to adopt, which included:
- Get the cyber threats they face in perspective by considering what cyber criminals might be after and how they could get it.
- Use credible attack scenarios to test the adequacy and integration of controls.
- Build buy-in from the organization’s leaders for controls to apply in a proportionate way across all areas of the business.
- Think about what the organization needs to do to survive and rebuild after a major cyber-attack.