The five most common myths about cyber security
Just as our lives have increasingly moved from the physical into the online world, the threats associated with this medium have grown correspondingly. Both the number of data breaches and the threats they pose are evolving rapidly, and many organizations are finding their defenses increasingly on the back foot.

The reality is that Information Technology (IT) departments find it difficult to be as nimble as the people attacking their systems. According to the Lloyd’s Risk Index 2013, cyber risk ranked third among 50 risks globally in a poll of 588 senior and board-level executives.

What is also becoming obvious is that the costs of a data breach far exceed those of implementing the right security measures in the first place. In a report titled Cost of Data Breach Study: Global Analysis, published by the Ponemon Institute, the cost per breached customer record ranges from US$78 to US$233, depending on the sector involved.

Organizations have mostly focused on preventive measures but this is proving insufficient. Instead, organizations need to start playing to their strengths rather than their fears of what might happen.

When approaching cyber security, organizations should consider the following five common mistakes.
Mistake 1: "We have to achieve 100 percent security"
Reality: 100 percent security is neither feasible nor the appropriate goal
Almost all airlines emphasize flight safety as their highest priority in addressing the inherent risks of flying. Should data safety not similarly be the focus of organizations managing the risks of handling large amounts of data?

Just as the risks of flying can never be mitigated 100 percent, protection against cyber crime can never be foolproof. However, there are choices you can make about your defensive posture.

Perfect security is just as much an illusion as completely eliminating the risks of flying. Just as 'business as usual' among airlines involves mitigating the risks by knowing them, greater emphasis must be placed on cyber security intelligence with a focus on early detection and preparing robust response measures.
Mistake 2: "When we invest in best-of-class technical tools, we are safe"
Reality: Effective cyber security is less dependent on technology than you think
Having security tools integrated into the organization’s technology architecture is essential as a starting point. However, having tools is no substitute for having a coherent plan.

A holistic and robust cyber security policy and strategy should therefore drive the selection of tools in the toolbox, rather than the organization buying the tools first and then trying to figure out the toolbox they belong in.

Good security starts with developing a robust cyber defense capability. While generally led by the IT department, the knowledge and awareness among end users is similarly critical. The human factor therefore often remains the weakest link.

Returns from investing in the best tools are limited by how well the people using them understand their responsibilities in keeping their networks safe. For example, social engineering, where attackers manipulate employees to gain access to systems, remains one of the biggest risks organizations face.
Mistake 3: "Our weapons have to be better than those of the hackers"
Reality: The security policy should primarily be determined by your goals, not those of your attackers.
The fight against cyber crime is a race that cannot be won, as defense is by definition often one step behind: a threat has to be identified before it can be defended against.

While it is important to be aware of the latest techniques, these should not distract from protecting one’s most important assets. Organizations need to understand the relative value of their information assets and the implications of their loss for their core business.

More importantly, organizations need to consider the value of their assets relative to the perceptions of potential cybercriminals. A business case for cyber security can then form the basis for investment and resource allocation.
Mistake 4: "Cyber security compliance is all about effective monitoring"
Reality: The ability to learn is just as important as the ability to monitor
Being able to understand external threat trends, and using this insight to formulate policy and strategy, are both critical to long-term prevention.

While it is understandable that cyber security measures are often driven by compliance with rules and policies, compliance cannot be the ultimate goal of the cyber security policy. That is doing for the sake of doing.

Organizations need to understand how threats evolve and how to anticipate them. This goes beyond cyber security monitoring, and it is both more cost-effective and more focused.

Rather, it involves a smart analysis of external and internal threat patterns to understand the various threats and their short-, medium- and long-term risk implications. This insight may lead to more sensible security investment choices, reducing overall cost.

In reality, many organizations are not collecting or even using the internal data available to them. For instance, any security incidents should be evaluated with a view to what can be learned and how security arrangements can be improved.

Any monitoring needs to be underpinned by intelligence requirements, and is only as effective as the organization’s knowledge of what to look for and where to look for it. Organizational methods to assess and report cyber security risks have to be developed, including protocols for determining risk levels and escalation procedures.

Having strategic insight into cyber risks and understanding the impact on your core business is paramount.
Mistake 5: "We need to recruit the best professionals to defend ourselves from cyber crime"
Reality: Cyber security is not a department, but an attitude
Delegating cyber security responsibility to one organizational department of specialists is akin to delegating flight safety only to aircraft mechanics in our earlier example.

Air crews ignoring safety procedures would be the analog of people in organizations developing an attitude that cyber security is "not my problem". Such an attitude increases the risk of a cyber crime.
The importance of an organization-wide approach
Making cyber security an organization-wide approach is never easy. For example, it may involve cyber security becoming a part of Human Resource policy and the approach to developing new IT systems.

However, it should never be an afterthought, as is often the case when it gains attention only at the end of such projects.

There are six key dimensions which should be considered when assessing your organization’s cyber maturity. These are:
  • Leadership and Governance – Is the board demonstrating due diligence, ownership and effective management of cyber security risk?
  • Human Factors – What level and integration of a security culture helps ensure you have the right people, skills, culture and knowledge?
  • Information Risk Management – How robust is the organization’s current approach to comprehensive and effective information risk management, including its interactions with business partners?
  • Business Continuity and Crisis Management – Are you prepared for cyber security incidents, and do you have the ability to prevent or minimize their impact through successful crisis and stakeholder management?
  • Operations and Technology – What level of control measures exist to address identified risks and minimize the impact of compromise?
  • Legal and Compliance – Are you complying with the relevant regulatory and international certification standards?
Ultimately, a holistic approach to cyber security is paramount. Your management, board, shareholders and clients all expect this, and the issue therefore cannot be ignored.
This article was contributed by Lyon Poh, Head of IT Assurance and Security, KPMG in Singapore. The views expressed are his own.
© 2016 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.