Details

  • Service: Advisory, Risk Consulting, Management Consulting
  • Industry: Technology
  • Type: Business and industry issue
  • Date: 14/06/2011

KPMG's top 10 tips for defending against cyber attack

Recent headlines about cyber attacks leading to data loss serve as a timely reminder of the danger posed by ever more sophisticated ‘hackers’, with ever changing motives.

No longer is e-crime driven by profit alone – the evolution of the criminal hacker into state-sponsored attackers and politically motivated hacktivists means that money is often no longer the object. This raises the stakes significantly and means that simply defending systems against attack is not a sufficient strategy for today’s threat environment.

A complete approach needs to cover defence, detection, reaction and recovery. As data loss becomes a more frequent and costly problem, here are KPMG’s top 10 tips for defending an organisation:

1) Prepare for war

As motives have changed, levels of determination have increased – these are more than one-off threats and require a different mindset. Ring fence priority areas but prepare for a worst-case scenario.

2) Prioritise

This new breed of hackers has time to burn and will persist until every potential vulnerability has been exposed. To combat this, defend ‘crown jewel assets’ first but stay alert – areas perceived as low risk often provide an easier route in for patient attackers.

3) Brace for impact

Discover if you are a target and assess your capacity to ‘catch’ threats.

4) Strategy

Thoroughly review your current defence strategy, mechanisms and risk landscape. Assessing your vulnerability and existing security capabilities can highlight weaknesses in processes, systems and controls.

5) Learn from your mistakes

Organisations that are successful at avoiding security breaches are often highly focused on managing data security and learn lessons from their own, and others’, experiences.

6) Watch and learn

A rushed reaction can give the perpetrator more information about the organisation and its defences. Watch and learn rather than giving away vital information with an immediate response.

7) Don’t go it alone

Include all stakeholders and regulators in the security process and work together to evade and prepare for attacks. Create a cross-organisational incident management plan involving HR, Risk and PR. Take the data loss issue to the very top of the business so that executive level support is secured.

8) Caution

Educate users to avoid sharing confidential information on social networking pages and to be wary of unknown links or contacts.

9) Plug the mobile leak

The rise of sophisticated personal mobile devices in the workplace can create a potential security ‘gap’. Educate users and embed effective security software and management to protect from leaks within (through employees themselves) and from without.

10) Accept the consequences

In the event of a breach, notify all customers, regulators and stakeholders early and detail the action being taken. Ensure that investigation and crisis management capabilities are comprehensive and fast to protect reputation, as well as data.

Contact Us

Malcolm Marshall
UK Head of Information Security
KPMG LLP

020 7311 5456 | malcolm.marshall@kpmg.co.uk

Mark Waghorne
Head of the I-4 Program
KPMG LLP

020 7311 5220 | mark.waghorne@kpmg.co.uk