United Kingdom


  • Service: Advisory, Risk Consulting
  • Type: Business and industry issue
  • Date: 28/09/2012

Secure All Areas: A CriticalEye and KPMG article on board-level considerations for cyber attacks

This article appeared on the website of CriticalEye, the Network of Leaders, in September 2012.


Organisations are investing enormous amounts of money in cyber security as they come to terms with the scale and sophistication of digital attacks perpetrated by everyone from anarchic individuals to state-sponsored cyber units and criminal fraternities.

The situation was summarised neatly by Robert Mueller, Director of the FBI: “There are just two types of organisations: those that have been hacked and those that don’t yet know they’ve been hacked.”

Cyber crime costs the UK £27 billion a year, according to the UK Cabinet Office. The size of the threat is matched by its variety, which can include:


  • Theft of intellectual property
  • Disruption to business or critical systems
  • Theft of personal customer data
  • Viruses
  • Implicating your business in an attack on a customer or supplier


The reality of cyber crime means that it is now reckless for a board not to factor it into an organisation’s risk management strategy. Malcolm Marshall, KPMG’s Global Leader for Information Protection and Business Resilience, says: “Cyber crime is simply becoming more of a mainstream tool. What was previously in the domain of specialist geeks is now a normal part of a regular criminal toolkit.”

Not that the tools are just the preserve of criminals. “Organisations have only recently realised the extent to which state-sponsored players are conducting economic espionage,” says Malcolm. “There are instances where governments or businesses are verifying what is being said to them in negotiations, doing background research, or even directly seeking information for their economic benefit.

“You can look at the worst case scenarios – and certainly everyone expects the threats to get worse and more numerous. There are already examples of countries using cyber espionage to benefit their national companies, and given that this has been seen to be successful, you will see the use of cyber espionage spreading and more, often less stable, countries taking it up.”

The idea of state-sponsored cyber warfare has received huge coverage since the revelation that the global Stuxnet worm was originally designed to target a specific industrial unit in Iran. It certainly adds another layer of complexity to how to tackle crime and what constitutes a safe level of defence, especially for corporates.

Malcolm says: “The second big risk is that those sophisticated tools developed by governments fall into genuinely criminal hands; they could then use them to attack or hold to ransom commercial businesses, as we’ve seen with the attack on Saudi Aramco, the world’s largest oil company, which is owned by the Saudi government.”


Fundamentally, boards need to be on the front foot and devise a robust strategy to combat cyber crime. Malcolm explains: “People are reactive to it, but the reality is that most large organisations have had some incident of varying degrees of severity. The recent press release from MI5’s [Director General] Jonathan Evans saying that one UK company had lost £800 million to cyber espionage shows a number which is hard to calculate, but is feasible.”

Unfortunately, the reality is that many businesses have a long way to go in catching up with the hackers. In its analysis of the state of security at 2,000 top private businesses around the world, KPMG’s ‘Publish and be Damned, Cyber Vulnerability Index 2012’ reveals that across the sample group (with combined assets of over $31 trillion), rudimentary methods of accessing publicly available data could glean an average of 210 usernames, 52 network folders and 171 email addresses per business.
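The finding above rests on information that organisations publish without noticing. As an added example (not KPMG’s own tooling and not code from the original article), the Python script below assumes the leak comes from document metadata, in the sense of the jargon box’s Metadata entry: it pulls the creator and last-modified-by names from a .docx, reads the Info dictionary of a PDF, and scans the recovered strings for Windows profile paths, DOMAIN\user names, UNC share paths and email addresses. The two sample documents are constructed in memory so the script runs offline; the people, server and domain in them are invented.

```python
"""Harvest usernames, network folders and email addresses from the metadata
of published documents. The sample .docx and .pdf are constructed in memory
for this demonstration; their names, paths and addresses are invented."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UNC share paths such as \\fs01\finance\q3 (components without spaces, for simplicity)
UNC_RE = re.compile(r"\\\\[\w.$-]+(?:\\[\w.$-]+)+")
# Windows profile paths leak the login name: C:\Users\jsmith\... or C:\Documents and Settings\jsmith\...
PROFILE_RE = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\\s]+)")
# DOMAIN\user, as often stored in "last modified by"; the lookbehind skips path components
DOMAIN_USER_RE = re.compile(r"(?<![\\\w])([A-Za-z0-9-]{2,})\\([A-Za-z][\w.-]*)")

NS_DC = "{http://purl.org/dc/elements/1.1/}"
NS_CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
# Literal strings in a PDF Info dictionary: /Key (value), with '\' escaping inside the parentheses
PDF_INFO_RE = re.compile(rb"/(Title|Author|Subject|Creator|Producer)\s*\(((?:[^()\\]|\\.)*)\)")


def scan_text(text, found):
    """Apply the leakage patterns to any free text pulled out of a document."""
    found["emails"].update(EMAIL_RE.findall(text))
    found["network_folders"].update(UNC_RE.findall(text))
    found["usernames"].update(PROFILE_RE.findall(text))
    found["usernames"].update(user for _domain, user in DOMAIN_USER_RE.findall(text))


def harvest_docx(data, found):
    """OOXML files are zip containers; docProps/core.xml holds creator and lastModifiedBy."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" in z.namelist():
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (NS_DC + "creator", NS_CP + "lastModifiedBy"):
                el = root.find(tag)
                if el is not None and el.text:
                    found["usernames"].add(el.text.split("\\")[-1].strip())  # drop DOMAIN\ prefix
        for name in z.namelist():
            if name.endswith(".xml"):  # body, headers, comments, properties
                scan_text(z.read(name).decode("utf-8", "ignore"), found)


def harvest_pdf(data, found):
    """Read the Info dictionary strings; /Title frequently carries the source file path."""
    for key, raw in PDF_INFO_RE.findall(data):
        value = raw.decode("latin-1").replace("\\\\", "\\")  # PDF escapes '\' as '\\'
        if key == b"Author":
            found["usernames"].add(value.split("\\")[-1].strip())
        scan_text(value, found)


def harvest(documents):
    """documents: iterable of (name, bytes). Returns sorted lists per category."""
    found = {"usernames": set(), "network_folders": set(), "emails": set()}
    for _name, data in documents:
        if data.startswith(b"%PDF"):
            harvest_pdf(data, found)
        elif data.startswith(b"PK"):  # zip signature: .docx/.xlsx/.pptx
            harvest_docx(data, found)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_docx():
    """Constructed .docx with only the parts this demo needs (not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>ACME\\ahughes</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    body = (
        '<?xml version="1.0"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Source data: \\\\fs01\\finance\\q3 "
        "(contact a.hughes@acme.example)</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def build_sample_pdf():
    """Constructed PDF fragment carrying a typical Word-to-PDF Info dictionary."""
    return (
        b"%PDF-1.4\n1 0 obj\n"
        b"<< /Title (Microsoft Word - C:\\\\Users\\\\jsmith\\\\Deals\\\\Project Falcon.docx)\n"
        b"   /Author (jsmith) /Creator (Microsoft Word) /Producer (Acrobat Distiller)\n"
        b"   /Subject (Draft - questions to m.patel@acme.example) >>\nendobj\n"
        b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    samples = [("report.docx", build_sample_docx()), ("brochure.pdf", build_sample_pdf())]
    for category, items in harvest(samples).items():
        print(f"{category}: {items}")
```

Pointed at a folder of documents downloaded from a corporate website, the same three categories come back, which is what makes a pre-publication metadata scrub part of getting the basics right rather than an optional extra.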

The most effective weapon against the cyber threat in a business is its people. Malcolm says: “Staff are your strongest defence, because you can invest in technology forever and you’ll still be vulnerable. There needs to be a focus around behaviours and ensuring that your contractors and those in the supply chain understand what the threats are and how they might be targeted. Then they will know how to spot something suspicious, know what, for example, phishing attacks are (see jargon box below), and will therefore be more alert to the dangers. Although most organisations have an array of risk and compliance messages that people need to follow, we found it most effective to avoid a generic awareness campaign and have a targeted approach, with categories of staff given specific education programmes that catered for how they use data and the risks that it presented.”

It means having a person in the company who is directly responsible for ensuring the safety of the organisation. Malcolm says: “It is essential for a large organisation to have a Chief Information Security Officer. It is standard in large financial institutions and we’re seeing it increasingly in large corporates, either on the same level as CIO, or a level down… In a heavily internet-dependent business, then arguably that pushes the role onto the executive board.”

The fast changing nature of the threats means that businesses need to invest, strategically and financially, in order to stay ahead of the criminals. “Two years ago people were worried about accidental loss of data on an item like a laptop or a memory stick,” says Malcolm. “That’s embarrassing, but losing intellectual property or losing deal data has potentially much greater financial consequences.”

Tactics for beating Cyber Crime

  • Take a position. Who are your enemies and what are their motivations? What tools and techniques will they use and what will the impact be?
  • Select your defences. Those you put in place for hacktivists could be quite different to those for state-sponsored corporate espionage. Know what threats you are going to defend against; if you try to prevent them all it gets very expensive.
  • Get the basics right. Fundamental security weaknesses account for 70 to 80 per cent of cyber attacks. Unpatched and out-of-date software has known vulnerabilities that leave you susceptible to attack.
  • Alarm systems. Antivirus and firewalls aren’t sufficient defences against sophisticated attacks. If you think you are at risk, you need a better monitoring system and a network compromise analysis to uncover evidence of any breaches, and you will need specialists to analyse the output and respond to attacks.
  • Behaviour and education. Make sure that your contractors and those in your supply chain recognise what the threats are, how to spot something suspicious, what phishing attacks are and how they might be targeted.

Cyber Jargon

APT (Advanced Persistent Threat)
This is characterised by the covert penetration of systems by unauthorised individuals to illegally exfiltrate information of political, military or economic value from an organisation over a sustained period of time, typically using the information for competitive advantage

Backdoor
A method of gaining persistent access to resources which typically bypasses security controls

Denial of Service
Attacks involving attempts to render IT resources unavailable or unusable by legitimate users

ICS-CERT
Industrial Control Systems Cyber Emergency Response Team

Malware
Software deliberately written with malicious intent to gain unauthorised access to, or cause damage to, computers and networks

Metadata
Information within a document ‘about’ the document and its properties

Phishing
Sending out emails from fake addresses in order to trick people into revealing important information

Script Kiddies
A young person with limited technical skills who uses programs developed by more technical individuals to attack networks and websites

Social Engineering
Process of manipulating or fooling individuals into divulging information (phishing can be a form of this)

Vulnerability
A weakness or flaw in a system or process that, if exploited, might result in a compromise of resources




Malcolm Marshall

Global Head of Information Protection

020 7311 5456


Malcolm is global leader for KPMG’s Information Protection and Business Resilience services. He has over 20 years’ experience in advising clients on information risk management, including several of the world’s largest corporations and Central Government departments.