
KPMG calls for fresh approach to IT security

by
13th Sep 2011

The UK head of information security at KPMG has called for companies to completely refresh their risk assessments in light of the perceived “massively different” threat landscape.

In a lengthy statement, Malcolm Marshall said the criminal landscape is now made up of two additional players alongside the more traditional criminal organisations: hacktivists and state-sponsored attackers, both of which have increasingly come into the mainstream consciousness over the last year.

“There are two potential developments that people worry about in particular,” Marshall explained. “The first one is around the cascading of sophisticated techniques from the state sponsored attackers into the criminal world...The second area is around the democratisation of hacking, hacking is now much easier to do than it was 5 or 10 years ago, there are techniques that almost anyone can pick up.”

He warned such techniques meant companies no longer know who their attackers could be: “Anybody who takes a dislike to you and your organisation could perpetrate an attack on you and predicting that is really difficult.”

Three technologies were highlighted by the KPMG infosec chief as posing a potential threat to company information security: first, the consumerisation and mobility of the workforce (specifically the increasing use of tablet PCs brought into the office from ‘daily life’); secondly, Cloud Computing, where Marshall said providers would “need to get security right” if companies are to buy their services; lastly, the increasing use of social media, which he argued opened the door to targeted “spear” phishing attacks.

Marshall said that in light of the changing environment companies should “completely refresh” their risk assessments, arguing that since “the actors in this space have changed”, so too have the data and infrastructure they go after.

“[Companies] have to work out what the risks are again and where you need to spend money on putting up your defences,” he added.

Refreshing monitoring and “industrialising” the approach to security are two further areas Marshall argued companies should look to implement, together with the need to “fundamentally get the basics right”.

He described it as a “sad fact” that the most successful cyber-attacks exploit “very simple loopholes in an organisation's defences,” and that companies need to make sure they understand they’ve got the basics right.

Specifically discussing the topic of information security within the financial services sector, Marshall claimed it was now a board level issue. As such, “only the board can make the decision about the risks they are undertaking in the area.”

“In the past the IT function or security professionals have second-guessed what they think the board would decide if they fully understood the risk,” he added. “[Companies] need to make sure the chief executive, CFO, the COO fully understand the threat landscape, level of risks the organisation is facing, and the levels of investment in terms of capital and operational expenditure [that are needed to be undertaken].”

The results of the KPMG e-Crime Survey 2011 have also been released, with over a quarter (27%) of the 200 respondents confirming they had “definitely” taken out ‘hacker insurance’ in case they experience an interruption of business by hackers.

Discussing the survey results, Marshall explained: “Businesses should be acutely aware of e-crime risks after various recent high-profile cyber-attacks against big organisations, but they aren’t taking out insurance for a number of reasons."

Marshall continued: "Not many out there know or understand what insurance is available. Many are also sceptical about the effectiveness of current policies, and whether or not insurers will actually pay out against e-crime claims.” 
