Cyber Security – Advances to the more complex level
Audit Committee Forum, May 2018

Transcript of Cyber Security – Advances to the more complex level
© 2018 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand.
Agenda
• Audit Committee Roles towards Cyber Security
• Cyber Threats In Focus
• Future Technology Disruptors
• Building Cyber Resilience
Audit Committee Roles towards Cyber Security
Source: The KPMG 2017 Global Audit Committee Pulse Survey
“The Audit Committee should be aware of the critical risks, cyber security, and major threats that the Company is facing, while the expectations of the Audit Committee towards cyber security are growing”
Audit Committee Roles towards Cyber Security
“The Audit Committee has a critical role to play in ensuring that the organization has a robust cyber security preparedness program, and in reviewing the Company’s internal control system and internal audit system, which have to focus on the Company’s key risks beyond financial reporting and compliance”
Quick questions to consider asking management regarding cyber security:
• Has management identified cyber security as a threat or risk to the Company? If not, why not?
• How do we ensure that the Company has enough safeguards over cyber security risks? Who is the responsible person?
• When was the last time the Company assessed its cyber security systems? What was the result? Have there been any subsequent developments?
The roles of the AC have evolved over time far beyond normal financial reporting, internal controls and compliance:
1. The AC can liaise with management to set the right level of risk appetite and tolerance, including appropriate control activities.
2. The AC oversees internal audit to maximize its value by focusing on risk management and key risk factors.
3. The AC can help foster a culture of risk and compliance – tone at the top.
4. The AC can be involved in the risk management process to review and oversee the company’s risk assessments.
Cyber Threats In Focus
The Global Risks Landscape 2018
Source: Global Risk Report 2018 by The World Economic Forum
Cloud technologies
While the potential benefits of cloud computing are compelling, the use of cloud computing services is driving new risks, security and privacy concerns, and opportunities that impact all elements of the business ecosystem.
Internet of Things
The Internet of Things is not just some fancy futuristic world. It’s here today: a complex world full of connected things ranging from personal gadgets and household appliances to medical devices and critical infrastructures that are all networked.
Low hanging fruit
The human factor was, is, and will always be, the weakest link. Data breaches can often be traced to social engineering and human error. That's not just a matter of careless users. It's also a design problem.
Cyber Threats In Focus - Low hanging fruit: Fileless Malware/Ransomware – An undetectable threat
Source: Emsisoft
True fileless malware is non-persistent: all traces of it disappear when the system is rebooted, making forensic investigation difficult.
1. The user visits a website that hosts a malicious file.
2. The malicious content executes using a built-in Windows tool.
3. Antivirus could not detect it, and the user's computer was compromised.
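Because the chain above never writes a scannable file to disk, file-based antivirus has nothing to inspect; what survives is the process telemetry: a browser spawning a built-in Windows tool. The following is an added example, not part of the KPMG deck, showing how a defender can flag that chain in process-creation logs. The log format, the four sample events, the list of browsers and the list of commonly abused built-in tools are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: built-in Windows tools often used to run code without dropping a file.
BUILTIN_TOOLS = {"powershell.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: browser processes a user would have open when visiting a website.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed key="value" event format, similar in spirit to a process-creation event.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Arguments that hide the window, pass an encoded script, or run code straight from memory.
EVASIVE_ARGS_RE = re.compile(
    r"(?i)-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b")


@dataclass(frozen=True)
class ProcessEvent:
    time: str
    parent: str   # full image path of the parent process
    image: str    # full image path of the newly created process
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed log line into a ProcessEvent."""
    f = dict(FIELD_RE.findall(line))
    return ProcessEvent(f["time"], f["parent"], f["image"], f["cmdline"])


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like the browser-to-built-in-tool chain."""
    reasons = []
    if basename(ev.parent) in BROWSERS and basename(ev.image) in BUILTIN_TOOLS:
        reasons.append("browser spawned built-in Windows tool")
    if basename(ev.image) == "powershell.exe" and EVASIVE_ARGS_RE.search(ev.cmdline):
        reasons.append("powershell launched with hidden/encoded/in-memory arguments")
    return reasons


def analyze(lines: list[str]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that triggered at least one reason, with their reasons."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample telemetry: one fileless-style chain, one benign admin script,
# one browser launching mshta, and one ordinary browser child process.
SAMPLE_LOG = [
    r'time="2018-05-10T09:12:01" parent="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -w hidden -enc BASE64_PLACEHOLDER"',
    r'time="2018-05-10T09:12:05" parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -File C:\scripts\backup.ps1"',
    r'time="2018-05-10T09:13:40" parent="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\Public\page.hta"',
    r'time="2018-05-10T09:14:02" parent="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --type=renderer"',
]

if __name__ == "__main__":
    for ev, reasons in analyze(SAMPLE_LOG):
        print(ev.time, basename(ev.parent), "->", basename(ev.image), "|", "; ".join(reasons))
```

The point of the parent/child check is that it does not depend on recognising the payload at all: the first and third events are flagged purely from process lineage, while the benign backup script launched from explorer.exe is not. In practice this is the kind of rule that only works if process-creation logging with parent and command-line fields is switched on and shipped somewhere central, which is what the "logging and monitoring" item in the action plan later in this deck is asking for.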
Cyber Threats In Focus - Low hanging fruit: Fileless malware used for cryptocurrency mining
Malicious hackers can target the websites you visit and insert the Coinhive script. This has happened to more than 4,200 websites in many countries spanning the globe, including those of governments, organizations, and schools.
More than half of the websites found using in-browser cryptocurrency mining scripts are concentrated in 4 countries: the US, India, Russia and Brazil.
Cyber Threats In Focus - Low hanging fruit: Phishing
A bypass of the Safe Links feature of Microsoft Office 365 Advanced Threat Protection (ATP) allowed attackers to deliver links to malicious websites that were presented to users as safe URLs.
Cyber Threats In Focus - Cloud technologies: Shadow Cloud
A large volume of data totaling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords.
Cyber Threats In Focus - Cloud technologies: Data breach and privacy
A misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon.
Cyber Threats In Focus - Cloud technologies: Data breach and privacy
Financial giant Dow Jones & Company has inadvertently leaked the sensitive personal and financial details of millions of the company’s customers.
Cyber Threats In Focus - Cloud technologies: Data breach and privacy
Over 970 million records were lost or stolen since 2013; only 4% of breaches were “secure breaches”, where encryption was used and the stolen data was rendered useless. The new EU General Data Protection Regulation (GDPR), coming into effect on 25 May 2018, will require any business that experiences a data breach to report it to the ICO within 72 hours.
Source: Breachlevelindex
Administrative fines of up to 20 million Euro or 2-4% of worldwide annual revenue.
Cyber Threats In Focus - Internet of Things
A critical RCE vulnerability was found in over a million GPON home routers made by South Korea-based DASAN Zhone Solutions.
Mousejacking, caused by a raft of security problems the company says it has found in numerous wireless mouse and keyboard products.
Future Technology Disruptors
Main disruptors and security risk highlights
Technology is evolving at a rapid pace. While this presents opportunities for innovation, it also spawns potential cyber security risks that need to be understood, managed and mitigated.
• Blockchain
• Third Party Risk Assessment
• Intelligence
Building Cyber Resilience
Organizations must have their crown jewels mapped: mapping them is key to building a successful cyber strategy.
Where are you on your security journey? Measuring your maturity
Cyber Security Industry Frameworks
Cyber Security Industry Frameworks: Cyber Essentials
Basic guidance such as ‘Cyber Essentials’ is an important first step on the cyber security journey – as its focus is on establishing core operational security controls that will mitigate many of the commoditized attacks (such as the WannaCry and NotPetya ransomware attacks) that have impacted organizations.
The scheme provides organizations with clear guidance on implementation, as well as offering independent certification for those who want it.
Cyber Security Industry Frameworks: Center for Internet Security (CIS) Critical Security Controls
The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
Cyber Security Industry Frameworks: NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) provides a model for measuring the maturity of cybersecurity within organizations. It should be considered more of a “maturity framework” than a “standard” (e.g., the ISO 27000 series or NIST SP 800-53).
Key steps to improve cyber security
• Cyber security risk
• Third party management
• Key steps
Everyone on the Board needs a level of understanding of the issues so that they are able to engage in credible discussions. It helps either to have someone on the Board with technology and security experience or to have an advisory panel of external experts who can support the Board.
It is also key to be clear about the organization's cyber security risk appetite. What tolerance levels are there, for example, around acceptable downtime for digital channels? Mature organizations make conscious choices about their tolerance limits, which need Board-level endorsement and oversight.
It starts with building a culture of security awareness, which has to come from the top. Basic good behaviors, such as not sharing passwords or not clicking on unknown links, have to be instilled; this is the foundation of cyber hygiene. For example, if you run phishing tests internally, you might have a “Hall of Fame” for members of staff who have helped identify and report phishing emails.
To manage third-party risk, you need to know who all of your third parties are, what access they have to your data, and where their connections into your network are. You also need to understand who your fourth and fifth parties are – the organizations that your supply chain relies on.
Make sure that the right provisions are included in contracts with suppliers, and that you have an effective on-boarding process for new ones that includes consideration of cyber security.
No matter how much you invest in your defences, cyber-attacks will happen. It is therefore crucial that you are able to detect when you are being attacked, so that you can then respond and recover. Clearly, you need to be able to respond as quickly as possible to an incident in order to limit its impact.
Mature organizations have invested in developing a cyber response framework which contains clear policies for the event of different forms of cyber-attack.
Source: https://assets.kpmg.com/content/dam/kpmg/uk/pdf/2018/04/building-cyber-resilience-in-asset-management.pdf
Treat your passwords like your underpants
Action Plan
1. Allocate accountability for cyber security risk to a Board member.
2. Appoint a person into a senior role with responsibility for managing cyber security.
3. Develop a cyber security strategy and seek board approval.
4. Perform regular cyber security risk assessments of your business.
5. Educate all staff on their cyber security responsibilities and train those in high-risk roles.
Action Plan
6. Implement logging and monitoring on your network and critical systems.
7. Document your cyber incident response plans and perform regular simulation exercises.
8. Identify and assess the cyber security risks in your supply chain.
Document Classification: KPMG Confidential
This presentation was produced for the AC Forum at KPMG. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2018 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
kpmg.com/socialmedia kpmg.com/app
KPMG in Thailand