With recent reports of data breaches to major companies within the UK and abroad, the issue of data security and protection is more important now than ever before.
It appears any business is vulnerable, with Visa, Mastercard, Google, the CIA, the NHS, Sony and Citibank among just a few of the organisations to become recent victims of cyber hacking.
Finding possible data leakages and ensuring internal procedures with clear definitions are in place, will reduce your business’ risk of becoming a victim of data loss. Policies and controls should be continually reviewed due to changes in technologies, processes and personnel.
Incidents of data loss pose a serious threat to organisations of all sizes and across every business sector. The impact on brand reputation is high and customer trust can be seriously damaged.
Malcolm Marshall, UK Head of Information Protection at KPMG says:
“No longer limited to fraudsters in search of instant financial returns, the dark side of the digital economy now boasts a diverse list of players ranging from governments, intelligence agencies, and organised crime syndicates through to geographically dispersed ‘hacktivists’ who share common social, political or ideological beliefs.
“As attacks from all quarters become more frequent and more sophisticated, organisations must prepare for an ever broadening spectrum of impacts arising from a compromise including loss of operational capability and adverse media publicity due to the publication of information that aims to destroy reputation.
“Cyber crime is no longer driven by profit alone – the evolution of the criminal hacker into state-sponsored attackers and politically motivated hacktivists means that money is often no longer the only target.
“This raises the stakes significantly and means that simply defending systems against attack is not a sufficient strategy for today’s threat environment.”
The European Union is to enforce new rules making it the obligation of every business to inform customers should their data security be compromised.
Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship said:
“Only recently, we witnessed a massive security theft in online gaming services affecting millions of users around the world. This incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers’ trust in the online economy.
“Companies should beef up their precautions against identity theft and better protect consumers’ personal data. They should immediately notify breaches of data security and confidentiality.
“I intend to introduce a mandatory requirement to notify data security breaches – for all sectors. It would create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.
“I welcome the proactive attitude of the United Kingdom’s government on privacy and personal data protection. This appears to reflect the public mood.
“I agree with those businesses arguing that regulation would be feasible if we make them more accountable. This is why I am considering the inclusion of the ‘accountability principle’ in my reform so that data of citizens exported to third countries is always exported with their rights attached.”
Recent and widely reported incidents of data theft, targeted attacks against public and private sector organisations, and suspected state sponsored intrusions breaching enterprise systems have clearly demonstrated the need for organisations to stress test their defences and readiness to respond to many different types of attack.
Behind the news headlines, rapid shifts are taking place in the background of the cyber threat eco-system. The driving forces behind its evolution are increasingly varied. So too are their motivations and aims, the resources or finances they have at their disposal, and their capabilities.
Security risks involving data loss are an unpalatable risk of life; as and when they are breached, companies and individuals alike, must act swiftly, appropriately and decisively to limit the potential damage to their customers, their assets and their reputation.
The current favourite target of ‘hacktivists’ is sensitive corporate information – a critical asset for all businesses, which needs to be carefully protected at all times. If confidential business information is compromised reputations may be impacted, customer confidence may decrease and business partners may lose trust.
Senior business executives will be held accountable when personal data is lost. They risk breaching legislation and regulations, both of which can result in significant financial penalties.
What does KPMG recommend?
Despite best efforts to maintain a tight security posture across networks and systems, data security incidents, including cyber attacks do occur. Security is a process and not a solution, and as such safeguarding IT networks and sensitive data from electronic attack and exposure, both from the Internet and internally at organisations is a constant endeavour.
Ask yourself these questions:
- How do I respond to this evolving threat landscape?
- Is my organisation at risk from confidential data leakage?
- Have employees been sufficiently educated on policy and undergone the necessary security checks?
- How are my competitors addressing these challenges?
- How do our suppliers handle our sensitive data?
- What are the risks associated with adopting new channels and technologies?
- How do I comply with the legislation, regulation and industry requirements?
A complete approach is needed for defence, detection, reaction and recovery. KPMG has produced Top 10 Tips for defending an organisation from this situation.
How can KPMG help?
KPMG’s Information Protection team can help organisations identify, prepare, manage and respond to data security incidents . We work with clients to provide peace of mind by offering the following range of advisory and assurance services:
- Strategic security remediation and improvement programmes, including planning, design and management
- Cyber Maturity Assessment Diagnostic
- Data leakage prevention assessments and incident response
- Benchmarking across peer organisations and Chief Information Security Officer roundtable discussions
- Secure system design and advice on identity and access management
- Supplier risk reviews and definition of good practice governance and processes
- Risk advisory for new channels and technologies, as well as process definition and technology selection
- Security assurance activities through UKAS accredited ISO 27001 certification and penetration testing
We can also offer bespoke technical knowledge with the business understanding and coverage of a global advisory firm, should your business fall victim to a cyber attack
- Supporting your response to security incidents or attacks with practical assistance and advice on investigation, containment, mitigation, resumption of business operations.
- An independent view of the security risks your business faces in line with your current cyber attack detection capabilities and procedures
- Confidence in the maturity of your security incident prevention capabilities and controls, including the state of your cyber response procedures and controls and the technologies which underpin them
- Global cyber response capabilities – KPMG’s network of offices across 140 countries derives a truly global cyber response capability, allowing us to quickly assist you during investigation of incidents that may affect geographically-disparate networks and systems
For further information, contact Malcolm Marshall on 020 7311 5456 or email email@example.com
KPMG were awarded the “Information Security Consultancy of the Year” at the SC Magazine Europe Awards 2011.
© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG LLP (UK). The information contained is of a general nature and is not intended to address the circumstances of any particular individual or entity.Please note any posts made to an Insideout page will not be posted immediately, the content will be moderated and if the comments are deemed inappropriate for sharing the post will not be published.