Cyber defense: It’s not just about technology
Today’s increasingly complex state of cyber risk is prompting organizations to question if they are truly resilient against cyber attacks.

When evaluating their cyber defense, most organizations focus on the technologies they have in place and how their environment is secured using the best-of-breed solutions.

Yet, recent well-publicized attacks on established organizations have demonstrated an important fact: building a technology fortress is just not enough to fully protect an organization’s valuable information assets.

Why is this so? Technology is a tool dependent on the people wielding it. Processes are also required to ensure that the solution remains effective even as cyber threats evolve rapidly.

What organizations should embrace is a holistic approach. The maturity of a cyber defense system hinges not just on technology, but also on other factors such as leadership, people, information risk management, business continuity in a crisis, and compliance to regulations.
Leadership & governance: board level leadership is critical
Board level awareness of emerging cyber threats and their direct involvement in determining the response to a cyber threat is critical.

This is necessary as investors, governments and regulators alike are increasingly challenging board members to actively demonstrate diligence, ownership and effective management of cyber risks.

Incorporating cyber risk into the enterprise risk strategy is also vital.

By doing so, leaders can quickly identify gaps in the current cyber security strategy and encourage an organization-wide approach to countering cyber crime.
Human factors: people are the weakest link
No cyber security approach is complete without carefully considering human factors.

Organizations should engage and invest in critical talent because their IT and security staff must be technically competent. They should also be disciplined in keeping themselves constantly updated on the necessary skills to be an effective part of cyber defense.

More than the technical competency of the IT and security department, the organizational culture plays an even more significant role in combating cyber threats. It is not unusual for existing staff behavior to put an organization at risk.

Technological advances and changing working practices such as the use of cloud services and employee-owned devices are making organizations increasingly vulnerable.

To address cultural weaknesses and generate greater awareness of cyber defense, a comprehensive program should be put in place to refine and monitor staff attitude to meet the cyber security needs of the organization. Doing so can help an organization detect threats or risks early.
Information risk management: 100% security is not a feasible goal
An effective approach to cyber security can only be achieved through a comprehensive and effective management of information risks, not just throughout the organization but also through its delivery and supply partners.

Increasingly important in the current cyber threat landscape is the organization’s approach towards preventing data leakage, both accidentally and intentionally. This includes performing assessments on their service providers to ensure compliance to the organization’s security requirements.

While cyber threats are frequently associated with Internet activities, many studies have shown that external threats from hackers only account for about a third of cyber incidents. The remaining stems from insider threats- the staff, vendors and contractors.

As achieving 100% security is not feasible, organizations can prioritize and focus on areas that matter by understanding their risk appetite and managing their information asset lifecycle.
Continuity & crisis management: cyber attacks can quickly escalate into a crisis
One moment your website is defaced and the next moment, you are looking at your organization’s website on TV headline news.

It is important to be prepared against a cyber attack and critically, the organization must be resilient in the face of an ongoing attack.

Putting in place a good resiliency plan can prevent or minimize the impact through successful crisis and stakeholder management.

Practical drills and simulation exercises during peacetime can help you improve your plans, ensure readiness of key personnel and enhance preparedness to respond to a cyber incident.
Operations & technology: appropriate operational and technological controls
Control measures must be designed and implemented at a level appropriate to identify risks and minimize the impact of a cyber attack.

While there are various cyber security guidance available, organizations should have a clear understanding of their threat environment and the defenses required instead of blindly trying to implement "what everyone else is doing".

Questions they need to ask include: Do we need to invest in best-of-breed technology? Are we underinvested in certain areas but overinvested in others?
Legal and compliance: demonstrating compliance to regulatory and legislative demands
Organizations are subject to increasing amounts of legislative and regulatory requirements to demonstrate that they are managing and protecting their information appropriately.

Keen awareness of your compliance requirements is important to avoid any compliance issues with undesirable organizational impact.

Organizations should implement a robust cyber security framework with clearly defined roles, responsibilities and accountabilities for decision-making. The framework should also give due consideration to risks and controls.

Cyber insurance is another component which should not be dismissed. It can act as a means to mitigate losses from data breaches, service disruptions and other cyber damages.
Are you prepared and resilient against cyber attacks?
Just how can an organization approach this question? The answer is to look beyond pure technical preparedness and carry out a thorough review of your organization’s ability to protect its information assets.

Taking an integrated view of people, processes and technologies allows organizations to better understand areas of vulnerability, identify and prioritize areas for remediation, and demonstrate both corporate and operational compliance. Drills and even cyber war gaming exercises can go a long way towards helping companies prepare for various scenarios.

Beyond considering the six key dimensions discussed in this article, an organization’s standing in the market, its business context and the inherent cyber risk in its respective industry must be considered.

All in, a holistic cyber security approach can help a company turn information risk into a differentiating business advantage. Customers trust and have greater confidence in companies which display commitment to safeguarding their personal information and transactions.
This article was contributed by Lyon Poh, Head of IT Assurance and Security, KPMG in Singapore. The views expressed are his own.
© 2016 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.