The new age of cyber security
From prevention to intelligence and proactive detection
Over the past decade, the focus on cyber security has grown rapidly, with cyber attacks escalating in both size and complexity.

Just over the last couple of months, the world has witnessed at least three massive cyber security breaches with impact on a global scale.

Last December, Target, one of the world’s largest retailers, confirmed a massive data breach of 40 million credit and debit card accounts. As of February 2014, the breach has cost Target US$61 million.

In February, a Distributed Denial of Service attack, designed to knock a company’s systems off the internet, broke the 400 Gbps mark. This cyber tsunami smashed the record of 300 Gbps set a year ago.

Shortly after, in March, an internet security firm stumbled upon 360 million accounts and 1.25 billion email addresses up for sale on the black market. Again, this surpassed the previous record of 153 million credentials stolen from Adobe Systems in 2013.

These high-profile cyber attacks all point to a fact which can no longer be ignored: it is not a question of whether systems will be breached, but when.
Cyber risk high on board agendas
Cyber security breaches are no laughing matter. They threaten entire financial systems and, in some instances, have resulted in extensive damage to physical infrastructure across critical national and corporate systems.

The World Economic Forum (WEF) has also identified cyber attacks as one of the top global risks since 2012.

In a report released earlier this year, the WEF noted that major technology trends could create between US$9.6 trillion and US$21.6 trillion in value for the global economy.

Conversely, failure to defend against cyber attacks will lead to new regulations and corporate policies, which will cost the global economy some US$3 trillion by 2020.

It is no wonder then that organizations today are finding themselves under heightened scrutiny. They are increasingly subjected to legislative, corporate and regulatory requirements which demand evidence that confidential information is being protected and managed appropriately.

Cyber risk has also risen in prominence on the board agenda. Investors, governments and regulators are increasingly challenging board members to actively demonstrate diligence in this area.

Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.
The current cyber security landscape
KPMG's analysis of the current technology and security landscape reveals several key megatrends.

For one, organizations are increasingly losing control over the computing environment.

Consumerization of information technology (IT) and the rapid adoption of disruptive technologies increase the attack breadth and thus strain existing defenses.

Changing work patterns, including remote access, big data, cloud computing and mobile technology among others, all increase organizations’ exposure to cyber threats.

Cyber security systems are also in a state of continuous compromise. The rise of sophisticated, determined and well-funded attackers performing advanced attacks capable of bypassing traditional protection mechanisms has further increased security challenges. In some instances, threats persist undetected for extended periods.

Another major issue is right-spending and capabilities.

This has challenged the ability of many organizations to acquire, retain and enhance relevant talent in their workforce.
Understanding the Cyber Adversary
Cyber criminals are, of course, also aware of these vulnerabilities. The motives of cyber criminals are various, from pure financial gain, to espionage or terrorism.

Understanding the adversary, or the person or organization sponsoring or conducting the attacks, is the essential first step towards effective defense.

Adversaries can be divided into four categories:
  • An individual hacker, generally acting alone and motivated by being able to show what he or she can do;
  • The activist, focused on raising the profile of an ideology or political viewpoint, often by creating fear and disruption;
  • Organized crime, focused solely on financial gain through a variety of mechanisms from phishing to selling stolen company data; and
  • Governments, focused on improving their geopolitical position and / or commercial interests.
Attacks by these different adversaries have a number of different characteristics, such as the type of target, the attack methods and scale of impact.

Understanding the adversary will go a long way towards establishing intelligence, a vital component to effective cyber security.
Intelligence is key
Threat intelligence is growing in importance because solely relying on defense is no longer viable. The determined adversary will get through eventually.

Intelligence will help organizations to know and understand the larger cyber environment out there. This is so that they can quickly identify when an attack has taken place or when an attack is imminent.

An intelligence capability enables organizations to identify potential threats and vulnerabilities in order to minimize the 'threat attack window' and limit the amount of time an adversary gains access to the network before they are discovered.

Organizations that take this approach understand that threat intelligence is the 'mechanism' that drives cyber security investment and operational risk management.
Prevent, detect, respond
Having a strong intelligence capability will allow organizations to effectively prevent, detect and respond to threats.
  • Prevention - This begins with governance and organization. It is about technical measures, including placing responsibility for dealing with cyber attacks within the organization and awareness training for key staff.
  • Detection - Through monitoring of critical events and central safety incidents, an organization can strengthen its technological detection measures. Monitoring and data mining together form an excellent instrument to detect strange patterns in data traffic, find the location on which the attacks focus and observe system performance.
  • Response - This refers to activating a plan as soon as an attack occurs. During an attack, the organization should be able to directly deactivate all technology affected. When developing a response and recovery plan, an organization should perceive information security as a continuous process and not as a one-off solution.
Managing cyber threats as part of risk management
Cyber threats should be considered as part of the company’s risk management process.

Companies should start with identifying the critical information assets they wish to protect against cyber attack – the crown jewels of the firm – whether financial data, operational data, employee data, customer data or intellectual property.

More importantly, companies should focus on the perspective of the attackers and understand, through a robust intelligence framework, what the threats are after and the value of assets to cybercriminals.

Companies should also determine their cyber risk tolerance and implement controls to prepare, protect, detect and respond to a cyber attack – including the management of the consequences of a cyber security incident.

Finally, organizations should monitor cyber security control effectiveness and institute a program of continuous improvement, or where needed, transformation, to match the changing cyber threat – with appropriate performance indicators.
Conclusion: transforming your cyber security
Dealing with cyber threats today is a complex matter. As the threat landscape is continuously evolving, a shift of focus from relying solely on preventive defense to a more detective and responsive stance is critical.

Intelligence and the insight that it brings is at the heart of next generation information security.

In many large, complex global organizations, moving from a reactive to proactive operating mode requires transformative change. Technological vulnerabilities are only part of the problem. Organizations must also address core people processes, culture and behaviors so that cyber security becomes a company-wide approach.
The author is Lyon Poh, Head of IT Assurance and Security, KPMG in Singapore. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG in Singapore.