Your first email of the day is - to say the least - strange and disturbing. The anonymous message demands bitcoin payment in exchange for access to your organization's confidential customer data - which has just been encrypted and 'taken hostage' by a ransomware attacker.
Cyber-attacks like this are on the rise, as many organizations are discovering amid the rising sophistication, stealth and persistence of cyber criminals. The loss of intellectual property, customer data and confidential records - and the resulting business disruption, financial cost and reputation damage - can take a costly toll.
A multinational client in the retail industry recently faced a similar cyber-attack involving its critical payment-card processing systems, which required us to quickly deploy a cyber-incident response team to conduct a cyber forensics investigation. It was a race against the clock to avoid business disruption by successfully unlocking data and determining if it had been accessed or exfiltrated, while also identifying all personally identifiable information that may have been accessed.
Unfortunately, we witness many businesses lacking the discipline needed today to strategically address the scope and potential impact of cyber threats like these and others. KPMG's* new report - Consumer Loss Barometer-The economics of trust - reveals that many businesses still view cyber security and breach response as an IT issue rather than a critical business issue that can affect operations, customer trust and future growth. The key message to these organizations is clear: enable and integrate cyber security in all verticals of your business.
About one third of executives we surveyed admit that their cyber security budgets are less than adequate. Fewer than a third cited concerns about the impact of a breach on customer relationships and trust, while merely 8 percent viewed it as a priority to prove to customers that a threat or breach had been resolved. Only about a third consider it a priority to provide regular public updates on a breach - or even acknowledge that a breach has occurred.
Today's increasingly security-conscious consumers voiced markedly different priorities regarding breaches, including proof that a threat or breach has been resolved (35 percent), frequent updates on a breach (28 percent) and compensation for any losses (42 percent). Mobile consumers are also aware of today's threats, citing theft or misuse of personal information via Apps (78 percent) or Wi-Fi links (74 percent) as top-of-mind regarding their security.
Our survey also reflects the ransomware trend that's posing issues for businesses, their customers and the trusted relationships that drive growth. Business leaders cited phishing attacks (50 percent) and ransomware attacks (31 percent) as having the biggest impact on their organization in the last fiscal year. Ransomware, typically launched through online phishing expeditions, could cost businesses an estimated US$11.5 billion globally this year and up to US$20 billion by 2021 - while unfolding at a rate of one attack every 14 seconds.
In today's digital world, where change is the new normal, a 'one-size-fits-all' approach to dealing with cyber breaches is a thing of the past and a risky one to embrace. Today's new reality is that the threat landscape each business faces is unique. Decision-makers therefore need to move boldly and strategically to develop precise cyber defences and recovery capabilities that protect their business, its customers and future growth.
It's no longer enough to simply rely on regulatory requirements governing cyber security. Organizations need to demonstrate greater discipline to ensure, for example, that their employees are educated on how to utilize their cyber security technology and tools - consistently avoiding human error and protecting their large-spend investments.
Today's smart, forward-looking businesses realize this and are customizing and baking cyber security into their overall risk-governance structure. They are getting in front of the issue and ultimately using smart cyber security as a differentiator that sets them apart in today's increasingly security-conscious market.
These players are listening to customers and paying attention to the new business reality - that cyber security needs to be inextricably intertwined across all elements of their organization. Along the way they are sharpening their focus on the risk that the 'human factor' poses to security and educating employees and customers on best practices that play a huge role in combatting threats.
*Throughout this blog, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.