Does cyber security feel too hard to handle? Our four-step process can help get your strategy back on track
Many businesses feel overwhelmed by the cyber challenge. But a simple, four-stage process can help bring clarity to the issue and help firms take a cost-efficient approach to closing the security gap.
Cyber security is higher on business leaders’ agendas than ever. This is partly about the rapid evolution of technology. It is partly about compliance, for example with the incoming General Data Protection Regulation (GDPR). But most of all, it is about risk. The latest survey of large UK firms shows that 65% detected cyber security breaches or attacks during the course of a year - and even this figure fails to capture undetected breaches.
The good news is that board and C-level executives are increasingly aware that they will be held to account over cyber breaches by investors and the media. Understanding the need to build cyber security into everyday decision making and risk management is also growing.
The bad news is that many companies are experiencing cyber fatigue. Business leaders without technical skills often feel overwhelmed by the scale of the potential threat. After all, the UK’s newly created National Cyber Security Centre, launched in 2016, investigated 188 high level attacks during its first three months of operations. The continuous flow of negative external news is another factor.
But, an unfocused deluge of internal briefings is the leading driver of cyber fatigue. In some cases, technology professionals have contributed to the problem. Fearmongering intended to accelerate investment in cyber security can often have a counterproductive effect.
It is vital for companies to bounce back from cyber fatigue. Fortunately – and contrary to the expectations of many - taking control of the cyber agenda does not have to be complex or costly. In our experience, a simple four-stage approach can be a highly effective way of bringing clarity to the issue.
The first step is to conduct a discovery exercise. This identifies a firm’s highest value data, where it is stored and how it is protected.
The second step is to conduct a risk assessment. Who are the possible threat actors and what are the potential attack channels? This involves reviewing a company’s business and operating models, together with its links to partner organisations such as suppliers, agents and advisors.
The third step builds on the results of the first two, by comparing a firm’s current level of cyber risk and controls with the level it is willing to tolerate. This establishes the size of the cyber security gap; the fourth and final stage develops a strategy to reach that target state.
This should not be viewed as a one-off process. Regular reviews are vital to keeping spending well-prioritised and responsive to evolving threats, preventing a recurrence of cyber fatigue. The basic principles can also be customised to suit organisations of all shapes, types and sizes. For instance, one non-profit following this approach detected vulnerabilities to its data ‘crown jewels’ arising from third party relationships. Another client identified gaps in its data protection compliance. A third discovered that business-critical systems, vulnerable to attack, had been overlooked by previous resilience reviews.
The overall message for companies suffering from cyber fatigue is: don’t panic! A common-sense approach allows firms to take control of the cyber agenda in an affordable way. That will help executives focus on the transforming potential of technology and - just as importantly - keep cyber risks in perspective.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.