United Kingdom


  • Service: Advisory, Risk Consulting, Insights
  • Type: Business and industry issue
  • Date: 29/08/2011

Managing e-crime risk in a changing business and technology landscape 

E-crime Image

Recent reports of cyber attacks launched against large companies  demonstrate that protecting and securing data is more important now than ever before. Cyber attacks can have a negative impact on  brand value, reputation and the ability to generate revenue. Identifying how a data compromise could occur and ensuring adequate incident response procedures are in place are key to reducing the risk of suffering from a data breach.

As sponsors of the e-Crime Report 2011, KPMG in association with the e-Crime Congress surveyed over 200 senior security decision makers globally across all industry sectors to explore three key areas:


  • Their views of the threat landscape today
  • The impact of new emerging technologies and business models on the level of e-crime risk
  • How organisations can structure a response to the threat of e-crime


Download the full report here (PDF 3.5 MB)


Managing IT risk is now vital to maximising commercial potential

Ensuring the continuity of business operations and protecting sensitive data is not just about how much you spend, but whether you understand your risk profile and spend effectively.  Managing technology and information risk is now a vital part of protecting your brand and reputation.

Over the past few years, big changes have occurred in the cyber threat landscape.  Recent incidents demonstrate that the emergence of ‘hactivism’ and the increased prominence of state sponsored cyber attacks have serious implications for all industry sectors.

In the recent e-Crime Survey, only 6% of respondents indicated that the overall level of e-crime risk their organisation faces has decreased over the past year. In addition, over 80% of respondents identified that, in the next 12 months, the use of smart phones, social networking, and consumer devices use are set to increase e-crime risk for their organisations.

Frameworks must evolve to meet changing business models

Despite having to deal with a constantly evolving risk landscape, information security strategies should still be based around a common framework that delivers the following core pillars of capability: prevent, detect and respond. However, strategies must be structured so that they are sufficiently flexible and agile to adapt as circumstances change.

Threat modelling, risk assessment techniques and an understanding of the threat landscape should be incorporated to provide intelligence that can ensure available resources are targeted to the right areas. It is increasingly difficult to predict the nature and severity of attacks. Testing and updating incident response capability to make sure it is fit for purpose is therefore vital. There is no point in putting your seatbelt on after the crash has happened.

Cyber defence a board issue for every organisation

Cyber security is now on almost all board agendas and frequently at the top.  Many CEOs at large companies have been briefed by intelligence agencies and have a better understanding of the severity of the threat landscape.

It is important that cyber defence is not just thought of as a security issue or a technology issue. It is at the very heart of how a business builds trust with customers, as well as how it builds and protects brand value.  The issues at stake are sufficiently important that the definition of strategy and investment needs to sit with the board. The level of investment needs to reflect business appetite for risk and support business goals. This is still very rare. Heads of Security and CIOs often second-guess the board’s risk appetite and willingness to spend.

A business led approach is required to reducing risk

Effective risk and security management frameworks need to be corporate wide, proactive, forward looking, closely integrated with other risk disciplines and have board-level engagement.  Approaches that attempt to measure and manage risk in silos will fail.

A successful strategy requires risk, security and technology teams to work alongside colleagues in sales, legal, fraud prevention and crisis management functions, as well as those in charge of procurement, marketing and press relations.


Malcolm MarshallMalcolm Marshall


UK Head of Information Security

020 7311 5456 | malcolm.marshall@kpmg.co.uk


Watch video

Malcolm Marshall Video


UK Head of Information Protection, Malcolm Marshall, KPMG LLP discusses the key findings from the e-crime 2011 report.