- Business needs to learn lessons from law enforcement
- New mindset required for organisations to move from ‘guarding to gathering’
Businesses across the UK may be more aware of cyber security threats, but they still have a long way to go to balance the cyber crime odds back in their favour. A report released today by KPMG suggests that by learning from the intelligence approach adopted in the fight against terrorism, organisations can improve their safety-net and meet the ever-changing challenges of cyber attacks.
The report follows publication of data revealing that many organisations have failed to heed warnings in the media, leaving their data and staff vulnerable to hacking. KPMG’s Data Loss barometer, for example, shows that the hacking of information held by businesses has jumped globally from only 8% of total incidents in 2010 to a shocking 52% in 2012.
Malcolm Marshall, KPMG partner and head of the firm’s Information Protection & Business Resilience team, says: “Increased awareness of cyber security threats is a positive trend, but indications are that organisations now need to focus on putting into place the fundamentals of intelligence management to gain real value from what they know. It’s the absolute minimum required to instil confidence amongst Board members.”
According to KPMG’s thinking, much can be learned from law enforcement organisations, and the report suggests a 3-pronged approach to tackling cyber crime. The three prongs are creating an intelligence-led mindset within organisations, implementing an operating model similar to those employed by the intelligence community, and building a decision-making process which is centred on a tightly controlled ‘information gathering programme’.
‘Cyber threat: intelligence and lessons from law enforcement’ argues that an intelligence-led mindset establishes a direct connection between the threats and vulnerabilities organisations face and the consequences of their compliance or inaction. It calls on the UK’s business leaders to ask questions ranging from the basic ‘what cyber threats do we face?’ to more searching queries around how effective past responses have been.
The report goes on to argue that, to embed intelligence-led decision-making, business leaders should follow the example set by law enforcement agencies. Rather than simply collating data, for instance, KPMG’s report urges organisations to set parameters for the type of information being gathered, so that haphazard approaches to analysis and actions can be avoided.
Malcolm Marshall adds: “No organisation can dedicate resources to counter every threat. With limited public funding, law enforcement agencies have learned hard lessons in how to prioritise threats and allocate resources. Cyber threats are no different. It should be possible to identify core vulnerabilities and the potential impact of loss or denial of access. In other words, intelligence collection should be informed by an understanding of the priorities of assets and constantly mutating threats and vulnerabilities.
“Just as law enforcement agencies use intelligence to protect the public, organisations should be doing the same to protect information assets, customer data and, ultimately, shareholder value.”
Mike Petrook, KPMG Press Office
020 7311 5271 (t), 07917 384 576 (m) or email@example.com
Notes to Editors:
KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with over 11,000 partners and staff. The UK firm recorded a turnover of £1.7 billion in the year ended September 2011. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 152 countries and have 145,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. KPMG International provides no client services.