Details

  • Service: Audit, Audit Related Services, Audit Committee Institute, Advisory, Management Consulting, Technology Advisory, Data Analytics & Information Modelling, Risk Consulting, Board Advisory Services
  • Type: Business and industry issue
  • Date: 13/12/2013

ACI Roundtable Insights
Key issues and insights discussed at KPMG's Audit Committee Institute (ACI) Roundtable series.

ACI Discussion Summary: Series 2, 2013

Issues discussed include cyber security, data sovereignty, big data and data analytics.

The war on terabytes: getting serious about data protection 

What is your digital data worth? To some it can be virtually priceless.

When thinking about cyber threats, businesses can no longer view them simply as hackers looking for financial gain, notoriety, or to cause disruption.

Today’s cyber threats are much more than that. They’re quickly turning into increasingly sophisticated and coordinated attacks to steal information. And their impact on business can be extreme.


For directors and senior management, this means placing a stronger emphasis on cyber security and proactively finding ways to protect one of their most valuable assets, their data.


Where then are these threats coming from and what are the motivations behind them?


Criminals and organised crime (including insiders) may be looking for financial gain, destruction of evidence, coercion or blackmail. Growing nation states can be looking for economic advancement, to promote their philosophical viewpoint, or to advance their military. Various groups may be looking to make a statement or promote their cause.

Competitors could be looking for commercial advantage, while hackers (sometimes positioned within your own organisation as contractors, employees or service providers) could be using your company as a 'middleman' to access information about your business customers or your own major projects, plans and initiatives.


This is by no means an exhaustive list. Basically, if you have any information that could be worth something to someone, it will be at risk. Sometimes information you hold can be more valuable to somebody else than it is to you.


So you need to protect it and by doing so, protect your business.


It should also come as no surprise that data protection is increasingly on government agendas. Not only is it an issue around the protection of their own assets and infrastructure, but also that of the organisations within their country and the national economy.


Many governments will (naturally) have their own local laws regarding access to data, how they can use it and/or their ability to seize it. For example, the US Patriot Act empowers the US government to impound or restrict access to facilities suspected of hosting data used for terrorism purposes. If your data is housed in such a location then it could be temporarily impounded along with the other targeted data just because it sits in the same data centre.


For any organisation operating globally and/or storing its data overseas, this is an essential consideration. Those involved in protecting your data need to be fully aware of and up-to-date on local laws and regulations (in Australia they need to know the Privacy Act 1988 and the need to soon comply with 13 new Australian Privacy Principles under the Act, which regulate the collection, holding, use and disclosure of ‘personal information’ and will come into force in March 2014).


These matters can become additionally complex when you use cloud technologies. These can include online storage, ‘open’ email platforms such as Gmail, social networking websites and various cloud computing solutions (software as a service). Do you know where your information is stored? What laws regulate it there? How safe is it from physical theft or disruption (keeping in mind that all web-based data resides on physical servers)? When you outsource your IT and utilise cloud technologies, how much do you trust those service providers – and what do you know of their suppliers, investors and customers?


And what about the risks to your data when you or your employees travel? By putting measures in place to improve the security of your data, including using a Virtual Private Network (VPN) to access and communicate with your servers when outside the office, not storing sensitive company information on local devices, and ensuring that all executives and directors take ‘clean’ computers and phones with them, you can dramatically reduce the chance of data theft.


Further steps to protect your data

  • Define who is responsible for managing your data security, which may mean closely linking your IT, Risk Management and Internal Audit teams.
  • Identify risks to both your data and your company – these can now spread to suppliers, customers, service providers and contractors who interact with the company, its systems and its data.
  • Establish and enforce policies around staff, contractors and visitors bringing their own (often unsecured) devices to your workplace, which can be used to extract information.
  • Give equal consideration to securing your company data along with your customers’ data. In addition, consider the damage to your reputation if the public becomes aware that your data has been compromised.
  • Identify which of your data is critical and/or valuable and ensure appropriate resources are directed towards protecting it.
  • Arrange for independent evaluations of your data security and undertake security maturity assessments. If your business is international, determine where your IT systems are based and whether they are centrally controlled/administered when completing the cyber security assessment.


There’s little doubt that securing your valuable information is a business necessity. It must, however, be done throughout your organisation and made a part of its culture.

 
