The last few months have tested cyber security professionals in unexpected ways. We've seen the rapid launch of thousands of new consumer facing web applications, cloud facilities and internal collaboration tools to facilitate remote working. But in this effort to regain productivity and support customers, secure configuration has been an afterthought.
But it's not just that security hasn't been embedded in the design of these new cloud environments. It's also that when those deficits are exploited, teams have had to respond to incidents under unfamiliar modes of working, and with limited access to resources and tooling.
We've seen a variety of incidents in our clients recently. From experience, transparency is one of the most powerful positions an organization can take over incidents. Sharing, collaboration and inter-organizational trust could be the silver lining of this pandemic. A trust culture lets us all learn and improve from each other's experiences, and it's critical this be nurtured post-pandemic.
Analyzing what went wrong
Its good practice to analyze what went wrong after major incidents. Not with the traditional and often rushed 'lessons learned' approach, but with a broader and more thoughtful analysis. Why did we get it wrong as defenders, as an organization or even as a community? Did we understand what the 'worst-case scenario' meant when we were practicing drills? What were the attackers after? Did we see every byte of data that they stole? What were they able to exploit? Was it as simple as a basic configuration error or a vulnerable piece of software? Or were there deeper issues? What made them successful, and why did it take so long to spot and respond to their activities? Did we have a lucky escape?
Other questions worth asking the cross-function incident response teams include: How did we miss it? Why didn't we see the whole picture and what failed? Did someone have pieces of the puzzle and not know it or maybe they didn't know what to do with it?
The reality is many teams can contribute to the response effort — IT, digital, data analytics, robotics and automation, broader technology, fraud management, revenue assurance, customer service, risk management, finance, audit, and security. Although the focus is on security controls — we're missing a broader opportunity to scope out the bigger picture.
Exploiting the hybrid world — from the 'old-school' business to the digitally enabled business
Organizations worldwide face increased competition, regulatory scrutiny, and margin and cost efficiency pressures. They're looking for a streamlined operating model, hybrid in nature that moves swiftly to digitally enabled business models. But this hybrid operating model can create further silos within the organization. Certain processes are designed for the new digital world, while others remain heavily entrenched into the old world. The lack of linkages, coherence and communication is what cyber threat actors exploit — often quickly.
Surprisingly, over the last year, there have been many cyber incidents on new digital channels that repeat the common fraud patterns previously observed over traditional channels. Although this time, it's faster, more distributed and impacts at scale.
A new layer of controls
Embedding cyber security into this new digital world requires that the analysis done by traditional controls and processes be recalibrated for new technology, new environments and new ecosystem partners.
But this approach won't work for everything - you can't always graft old world security processes to new technologies that work in different environments. We need a new layer of controls, built to be forward looking, nimble, adaptive and tailored to the new landscape.
How do we do that? That's the subject for our next article.
Stay up to date with what matters to you
Gain access to personalized content based on your interests by signing up todaySign up today
Throughout this article, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.