KPMG in the UK embarked on a journey of transformation during 2013, in pursuit of our strategic goal to dominate professional services. Our Annual Review highlights how we bring real benefits to our clients, our people and society as a whole.
We are proud to be partnering with Action for Literacy and Shelter to enable us to play a greater part in tackling the key issues of literacy and homelessness in the UK today.
Reinvention of UK Banking highlights that, as the cost of remediation continues to dominate results presentations, banks face an uphill battle as they try to radically transform in a timeframe that is acceptable to all stakeholders.
Explore why technology firms should choose to invest in the UK. We consider what the UK currently has in its favour as it battles for technology investment.
Technology has revolutionised the day-to-day lives of individuals and organisations alike. But if we're to continue to benefit and to profit from it, and if we're to minimise the potential downsides, we're going to have to make some choices.
We help our clients understand current issues and future trends in the world of work, and identify how they can enhance organisational performance through their people.
Explore your options in our e-zine, where you’ll find out more about whether our Audit, Risk Consulting or Gap Programme is for you.
If you’re not a little bit scared, you’re not paying attention. Find out more about our graduate programmes in audit, tax, advisory and central services.
Keep up to date with the latest news and views from KPMG in the UK by following our twitter feed.
KPMG’s leadership blogs bring you insight, opinion and debate from our senior partners and industry experts.
The 2013 edition of our Alumni magazine, Connected, features Alumni profiles, as well as articles about Cyber Security and Tax Transparency. Regional variations for Scotland, North, Midlands and South are also available.
Over 11,000 of our alumni are registered on LinkedIn. We have established the KPMG UK Alumni group to enable you to contact many of our past and current people who are members.
Listen to Martin Jordan, Head of KPMG’s Cyber Response Team, discuss the findings of the report below.
Hello all and welcome to the webex on the KPMG 2012 Data Loss Barometer. The KPMG Data Loss Barometer 2012 exposes some of the latest trends and statistics for globally lost and stolen information in 2012, as well as a view of trends over the last five years. Over 82 countries are represented in our barometer in 2012, with over 96 countries represented over the last five years. The report reveals causes of data loss and types of incidents, as well as specific trends by sector. Over the next 15 minutes I will take you through the highlights of the report. We will explore the industries at greatest risk and suggest reasons as to why certain types of threat are on the increase. Finally we will conclude with some suggestions on how to prevent data loss, discussing mitigating controls.
Now for a look at the breakdown for 2012. You can see from the infographic that no sector is immune, from law and healthcare to financial services, although the figures would suggest that financial services has improved dramatically. This should not come as a surprise to us given the focus the regulator has shown over the past year. The healthcare industry, which previously struggled between 2010 and 2011, has shown dramatic improvement in 2012. More positive news was also seen from within both companies and public sector organisations, whose efforts to tackle security from the inside look to be bearing fruit, as internal security breaches more than halved from 435 in 2011 to 198 in 2012. However, the cost of human carelessness and systems errors still accounted for 4% of data loss, and physical theft of PCs, hardware and mobile devices accounted for 11% of all data loss this year. “Several of the world’s largest companies have been targeted over recent months by hackers who have grown in sophistication. It is now not just a lone hacker sitting in their bedroom but, in many cases, serious organisations backed by nation states who are leading this new phenomenon.”
Over the past five years, more than 1 billion people globally have been affected by data loss incidents. In the last two years, there was a jump of 40% in publicly disclosed data loss incidents. Given the SEC disclosure requirements in the US, this should not come as a surprise. On the right-hand side the graphic shows that hacking represents a whopping 65% of all types of data loss over the past five years; sadly this figure increased to 67% in 2012, and I do not see this upward trend slowing as our ability to detect malicious activity on our networks increases. We feel that this is only the tip of the iceberg: these statistics typically only include incidents where there is an obligation to report or where the breach has entered the public domain. “Incidents which involve the loss or theft of commercial data that does not relate to individuals go largely unreported. Hacking is now widespread and the attackers range from the intellectually curious through to sophisticated nation states; the targets range from safety-critical processing systems through to price-sensitive deal data.” The graphic on the left-hand side highlights the technology sector as a hotspot for data loss.
Whilst the technology industry over the last five years has had fewer incidents than the top five worst-performing industries (government, healthcare, education, financial services and retail), the percentage of people affected by technology incidents remains highest, accounting for 26% of the total number of people affected between 2008 and 2012. The technology industry is also at greatest risk from third-party incidents, suggesting it is an active target of external malicious perpetrators.
Taking a broader look across industry, we can see that hacking is a common theme of data loss. One point to note is that, whilst overall we have seen social engineering fall, the insurance industry appears as the sector at greatest risk from social engineering attacks and system/human error incidents, ranking #1 with 33% and 25% of all such incidents respectively accounted for by this sector. Within industrial markets data loss is dominated by hacking and malware; quite often both are inextricably linked, with remotely delivered or deployed malware being the weapon of choice for modern hackers who want to maintain that stand-off capability.
Surprisingly, for the first time in the last five years, the threat from malicious insiders has dropped from an average of 24% in previous years to an all-time low of 6.5% in 2012. This may be explained by enhanced internal governance controls, education, culture and leadership investments. If we look at portable media, the loss of DVDs/CDs is on the increase, as is the loss of mobile devices. A key headline is that, despite a fall in reported incidents in 2009-2010 compared to 2008, the trend has reversed, with a higher number of incidents reported in 2011 and total incident numbers in 2012 almost back up to similar levels as 2008.
Taking a global view, the US jumps out as the major source of data loss worldwide. This is understandable from a regulatory point of view, as listed companies in the US must disclose to the SEC if they suffer a breach, but also understandable simply from the number of consumers in America.
Looking forward to future trends, as I mentioned before we expect to see an increase in hacking-related data loss incidents, simply because most corporates now recognise that their network may already be compromised. This is the first step on the road to detection, quantification and ultimately eradication, but this will take a few years. As a case in point, KPMG see on average a 4% botnet infection rate when we perform network intrusion analysis; botnets are used by criminals and hackers alike to extract data from networks. None of the botnet-related malware we discover is recognised by traditional antivirus controls, so we expect this infection rate to rise along with associated data loss. The use of mobile devices is rising at an alarming rate: Facebook reported a 67% rise in mobile-access users between 2011 and 2012, from 325 million devices as of June 2011 to 543 million devices as of 30 June 2012. This will start to have an impact on us all as more companies move to a “choose your own device” model. We live in a market where regulators are becoming increasingly intolerant of data loss, and we feel it's just a matter of time before mandatory reporting of data loss is enforced across Europe, not just for personal data but for company-sensitive data as well.
Many of our clients are already preparing for regulatory change and are deploying new technologies and processes to detect and react to loss.
Tactics for combating data loss: as hacking is on the increase we need to adjust the way we think of data loss; it's no longer accidental.
Take a position. Who are your enemies and what are their motivations? What tools and techniques will they use and what will the impact be?
Select your defences. Remember policy before technology. Those controls you put in place for hacktivists could be quite different to those for state-sponsored corporate espionage. Know what threats you are going to defend against; if you try to prevent them all it gets very expensive.
Get the basics right. Fundamental security weaknesses such as patching are still an issue. Unpatched and out-of-date software has known vulnerabilities that leave you susceptible to attack. Review the amount of data leaked online and through metadata in public-facing documents; these are easy pickings for hackers performing reconnaissance on your network.
Fit an alarm system. Many of us live with cyber alarm systems which were deployed using 10-year-old technology. Antivirus and firewalls are not sufficient defences against sophisticated attacks. If you think you are at risk, you need to get a better monitoring system and do a network compromise analysis to uncover evidence of any breaches, and you will need specialists to analyse the output and respond to attacks.
Behaviour and education. Make sure that your contractors and those in your supply chain recognise what the threats are and how to spot something suspicious, for example what phishing attacks are and how they might be targeted. Educate everyone within the organisation about the value and sensitivity of the information they possess and how they can protect it physically and online. Back up employee training with procedures and a corporate culture that takes the security of information seriously.
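The "get the basics right" point about metadata in public-facing documents is the one item in the talk that can be turned directly into a check. The script below is an added example, not code from the webex or from KPMG: it opens an Office Open XML package (.docx/.xlsx/.pptx are zip files with a docProps/core.xml part), reports the core properties that leak account names and internal project names, and writes a scrubbed copy with those fields blanked while every other part is copied through untouched. The sample document, the usernames jsmith and CORP\a.jones and the project name are constructed for the example; the set of fields treated as sensitive is the author's choice, not a standard.

```python
"""Audit and scrub identifying metadata in Office Open XML documents.

Added example (not from the KPMG webex). Standard library only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the original prefixes when re-serialising
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}

# Core properties an attacker mines during reconnaissance: account names,
# domain naming conventions, internal project and client names.
# This list is the example's own choice (assumption), not a standard.
SENSITIVE = {"dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject",
             "dc:description", "cp:keywords", "cp:category"}

CORE_PATH = "docProps/core.xml"


def _qname(tag: str) -> str:
    """Turn ElementTree's '{uri}local' tag form into the familiar 'prefix:local'."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return f"{URI_TO_PREFIX.get(uri, uri)}:{local}"
    return tag


def extract_metadata(doc: bytes) -> dict:
    """Return every core property as {'prefix:local': text}; {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        if CORE_PATH not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CORE_PATH))
    return {_qname(el.tag): (el.text or "") for el in root}


def find_leaks(doc: bytes) -> dict:
    """Only the sensitive properties that are actually populated."""
    return {k: v for k, v in extract_metadata(doc).items() if k in SENSITIVE and v}


def scrub(doc: bytes) -> bytes:
    """Rewrite the package with sensitive core properties blanked.

    Every other part (document body, relationships, content types) is copied
    through byte-for-byte so the file still opens; only core.xml is changed.
    Timestamps and non-sensitive properties are left in place.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PATH:
                root = ET.fromstring(data)
                for el in root:
                    if _qname(el.tag) in SENSITIVE:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample package (hypothetical names) with leaky core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        '<dc:title>Project Falcon - Q3 board pack</dc:title>'
        '<dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\a.jones</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-10-01T09:00:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts, not a real body
        zf.writestr(CORE_PATH, core)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("leaks before:", find_leaks(sample))
    print("leaks after: ", find_leaks(scrub(sample)))
```

Run it over a real export before it goes on a web server and the "leaks before" line is what an attacker gets for free from a search engine; note that docProps/app.xml (company name, application version) and embedded images carry their own metadata and are outside what this script touches.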
Security Consultancy of the Year two years running (2011 and 2012)
Winner of MCA Strategy Award for security project
Full range of capabilities, from assessment to £25 million+ transformation programmes
Over a hundred people in the UK, over 1,700 globally
The only Big 4 firm authorised to assess security in critical UK government systems
A market-leading thought leadership capability through I-4, the International Information Integrity Institute
Contact details
Martin Jordan, Director, KPMG LLP
+44 7768467896
KPMG Cyber Index: www.kpmg.com/uk/cyberindex
KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative ("KPMG International") is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.