For a technology perspective on cyber security, we chatted with Usman Wahid, Partner, KPMG Law, KPMG in the UK, and Isabel Ost, Director, KPMG Law, KPMG in the UK, who discussed today’s cyber security trends, how technology can help in fighting cybercrime, and the possible cyber impacts businesses should be aware of in the current environment.
What trends are you seeing in the cybersecurity space?
Isabel: Because of the increase in working from home and the different access routes of individuals, the biggest trend that we're seeing at the moment is the fear of a data breach. Organizations are now prioritizing their security and data privacy, specifically when looking at personal data.
Usman: The one thing that is very relevant in the current environment is the fact that we are all working from home with our work laptop, but with that comes ‘shadow IT’, where employees do not use the tools provided and licensed by their organizations. In today’s environment specifically, certain organizations may not have been ready for the COVID-19 pandemic, forcing employees to use additional tools that can create a threat. Whether that actually creates a breach is a separate question, but it does create a situation where an organization's policies around information, classification, data, and data governance don't get followed. This puts us in a different situation compared to the way in which those policies were meant to regulate individuals when they're physically in the office.
Isabel: Yes, and organizations are now much more aware of their security requirements and the need to have a resilient cyber security program to ensure that they don't suffer either a data breach or worse.
So based on what you're saying, would you then agree that the increase in working from home has created new threats to corporations?
Isabel: Definitely. I think that some individuals weren’t equipped with the right technology at home to be able to work in the same way, and so that makes room for human error.
There's also an increased cyber risk because of where people are working. What we have found, and what our cyber security practices have found, is that when individuals are in the office they're not quite as careful, because they feel they are in a safer IT environment. There was a real change when they moved home and felt like they had to be hyper-vigilant around security and not opening external e-mails.
So yes, it's increased the threat, but in lots of different ways that we didn't quite expect in the beginning.
Usman: The other thing that I wanted to talk about, which I think is equally relevant, is that corporates typically tend to rely not only on their own employees, but also on third and fourth parties.
When everyone is working from home there is a natural increase in threat. It's undeniable. You have individuals who might be working at home dealing with confidential information on calls when other family members are around, who might be working in the same industry. That’s a threat on its own.
The other issue is that organizations who outsource and use third parties have developed a certain protocol around security measures. For example, if you work for an outsourcing supplier in an offshore location like India, the Philippines, South Africa, Romania, or Bulgaria, you go into the service delivery center and are required to leave your mobile phone at security. The reason for that is the possible security threat of visitors taking photos of confidential computer screens. There's now no regulation in this instance as people are working from home.
What the future holds for third-party engagements remains to be seen, but I would say that the outsourcing industry is one that is able to adapt quite well as the typical players are large, well-organized businesses. One of the things that they may do is stop servicing clients from centralized locations to harness the talent that's available in remote locations. From a security perspective, that can be a really bad thing because you might be harnessing talented but remotely located individuals, but you have no idea what environment they're working in, who's sitting behind them, or who's accessing client information.
So I would say that actually there is an increase, not just in regards to employees, but also to third-parties. When you think about the number of third-party staff that work for large global corporates, it potentially dwarfs the actual employees that these large corporates have. I think this is a big area that needs to be thought through.
Isabel: And I would also say there is obviously a huge difference between having to be accountable for yourself and the people around you, and having controls in place to keep you accountable.
I think the challenge of working remotely is having the right controls in place to make sure that people are not putting an organization’s information at risk, whether it's their employer or their customer.
Usman: Yes, and I think the jury is still out as to whether you can establish efficient and effective controls when you're not physically working in an environment that you can control.
Has the rise in online and contactless retail increased the Fintech industry’s exposure to risk?
Usman: I think the number of contactless payments has increased, but I wouldn’t say it’s increased the risk, because that industry, and the requirements that regulators have in each jurisdiction, make it second to none in terms of security, resilience, etc. I think that industry is quite resilient, and it’s been set up in a way where security risks are mitigated, so I don’t see it as a big issue.
So, Usman, how can cloud-based storage help protect data?
Usman: This question is quite relevant for organizations that may be in the cloud but may also have on premises arrangements. I think the reality is that a lot of organizations have servers sitting in different rooms in their actual offices, so to move to the cloud where you are typically engaging with certain cloud providers is a step up in terms of security.
Cloud providers that offer storage services are able to provide security; however, as a customer, the risk is that you are responsible for ensuring your own security within the cloud with things like usernames, passwords, procedures, etc.
So again, I think moving data to the cloud is a step up, but it’s not the panacea because organizations have to deal with their own procedures around who can access that information.
Are you seeing an increase in claims against businesses by parties that have been exposed to data leaks/theft?
Isabel: Yes, and I think there are a number of drivers behind that. Firstly, individuals are becoming more and more aware of their rights around data protection, and they are holding organizations accountable for complying with those rights.
We also have had a situation during COVID-19 where people are in lockdown, dedicating more time to trying to bring organizations to account. I think with people working from home as well, everybody has become much more aware about cyber security and technology, and the fact that they are receiving extra training in trying to keep information secure. So again, they are going to hold organizations accountable.
So we’ve certainly seen an increasing change, an increase in access requests, and in content over the last six months.
What technical support can KPMG Global Legal Services provide clients to help protect their data and address cyber security concerns?
Isabel: The KPMG network has an international group of data protection and technology lawyers that can help organizations become more compliant with their data protection obligations, but also when negotiating contracts with technology suppliers. This allows organizations to have the right contract in place and a certain level of protection.
In addition to that, we work very closely with our cyber security colleagues to bring clients both a legal solution and a technical solution to help them with their cyber security concerns.
Usman: To add to that, data is a key asset in so many different sectors now. It’s also a global asset in the sense that you can have cloud-based arrangements where your data is residing in a particular jurisdiction.
We also have situations with data sovereignty issues, where countries are saying they don’t care where the data sits as long as they can access it. It’s a complicated area – you need advisors who are both regulatory experts as well as advisors who have more of the non-legal skill set like data security, processes, etc. At KPMG, we’re in a good place as we are both global and multidisciplinary.
How can technology help businesses fight the issue of cybercrime?
Isabel: When talking about fighting cybercrime and the combination of things that you need, it’s important to have the right combination of people, process, and technology.
The issue with cyber is that cybercrime has increased exponentially, so there’s a talent shortage of professionals capable of fighting cybercrime. So, what organizations are able to do is to use technology to help bridge that gap. KPMG’s A.I. capabilities are a good example of technology that they can use, connecting the learning of the A.I. to help fight cybercrime.
The other thing is using technology to check whether the organization is experiencing attacks, to alert if an attack has taken place, and to monitor the amount of external emails that are going out to unsecured email accounts as well. So, there are several different technologies that you can use to fight cybercrime.
How do organizations use technology to identify and mitigate their risks in relation to overseas data transfers?
Isabel: There are two sides to this. Organizations can use technology to assess the level of data security being provided when being transferred internationally, but they can also use technology to record their assessments of where data is traveling and the kind of data that is being transferred internationally. Using technology in that way helps organizations to assess the risk associated with international data transfers.
Usman: I also think it’s a mindset thing. For example, until quite recently, European organizations have had a level of certainty and predictability about the data transfer mechanism being legally compliant. So, over the last few years we’ve seen a real chipping away at the different transfer mechanisms that the European commissioner has said are legal.
There is a lot of uncertainty and being able to use additional technical means for organizations to feel secure with their data when it goes to overseas locations is a very helpful thing. Using technology to identify where their data is going and thinking about what additional security measures should be put in place in those different locations is also a helpful thing.
Overall, we're moving from a situation where we had a macro view about what you can do in terms of transferring data overseas because it was all set out in European guidance, laws and regulations. However, given the judgements over the last few years, it is now organizations’ responsibility to take a slightly more legal and individualistic perspective when looking at where their data is going, why it's going there, whether it’s a safe location, and more.
Insights on cyber security from a technology, data and legal, and financial services perspective.
With Marc Martínez, Head of Cyber security, KPMG in Spain and Francisco Uria Fernandez, Head of Financial Services in EMEA and Spain.
Throughout this document, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.
Certain member firms of the KPMG global organization, including the US firm, KPMG LLP, do not provide legal services or have KPMG Law service entities. Some or all the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.