Greg Bell is principal and services leader of Information Protection at KPMG.
Kieran Norton is principal and U.S. leader of Deloitte & Touche’s Cyber Threat Management practice.
According to the Ponemon Institute, the number of successful cyberattacks on companies more than doubled over a two-year period, and the resulting financial impact increased nearly 40 percent. What kind of growth in attacks are your clients experiencing?
Norton: Clearly, many companies are seeing a greater degree or intensity of attacks. The focus of the attack may differ by industry (e.g., credit card data in retail, intellectual property in technology, and exploration data in oil and gas) and the nature of the attack may differ by targeted outcome (e.g., theft of sensitive data or disruption of operations); however, the risk is pervasive. I have noticed a specific uptick in concern over intellectual property theft.
Bell: Our clients are seeing a similar increase in both attempts and in the recognition of successful cyberattacks. Even more alarming is the target of these attacks. While the traditional focus of identity theft (e.g., personal financial or health information) and financial fraud (e.g., credit card numbers, bank accounts) continues to be a concern, we also are seeing an increase in the targeting of very strategic information, including intellectual property, unreleased financial statements, operational and pricing data, and competitive insight such as data regarding mergers, acquisitions, or product launches.
Are your clients more concerned with internal or external attacks?
Bell: The general focus over the past 24 to 30 months has been largely on external attacks such as those driven by multinational criminal enterprises, foreign national threats, or "hacktivist" organizations. However, the recent six to nine months have seen an increase in reconsidering the insider threat of trusted employees and business partners, largely driven by the Edward Snowden situation.
Norton: It's both. The line between internal and external attacks is blurring as attackers increasingly leverage stolen credentials and remote access systems to obtain sensitive information. Organizations need to focus on building a secure infrastructure, vigilant monitoring capability, and resilient program that enable rapid identification, response, containment, and recovery, regardless of the source of the attack.
Are your clients focusing their security efforts in the best direction? Is it possible to totally protect an organization from cyberattacks?
Norton: There is no single, best direction. Each company should understand its ecosystem, the threats facing the organization, which data matters most, and the best approach to protecting the company and its stakeholders. In that context, many clients are focusing their efforts in meaningful ways — although some have further to go than others.
Theoretically, total protection is possible, but practically speaking, it's not. Threats are rapidly evolving, attackers are increasingly sophisticated, and their methods have continued to improve. Pragmatically, organizations should assume at least a small number of attacks will be successful to some degree and focus on developing a well-rounded — secure, vigilant, and resilient — cyberrisk program.
Bell: Unfortunately, it is impossible to totally protect from a cyber incident. The discussion is turning to one of risk management that considers elements of prevention, detection, and response. In my experience, the key elements of an effective security approach are: leadership and governance of the program, technical and operational controls, employee/business partner training and awareness, information risk management, response planning and crisis management, and legal and compliance management. Significant focus is placed on designing and implementing controls that exist solely in the technical infrastructure of organizations. As IT evolves, it's important to realize that organizations are processing more and more critical transactions outside of their technical environments, so controls need to be designed and implemented with that consideration in mind.
What concerns do companies have about disclosing the risks of an event?
Bell: The primary concern regarding disclosure is the potential impact to brand and confidence that can be evidenced by market share drops or negative customer perception after a stated incident. This is particularly problematic when the issue does not include information that requires disclosure (e.g., theft of intellectual property or nonpersonal financial information). There also is some trepidation that comprehensive or detailed disclosure can provide a clear roadmap for others to leverage to conduct additional or related attacks. Disclosures on risks that haven't occurred are more difficult to identify, as there are no effective or highly accurate methods to predict the likelihood or potential impact of such a breach.
Norton: The obvious concerns are regulatory and legal implications — given penalties, fines, and lawsuits are common following a breach — and exposure of sensitive information. Additionally, companies are concerned about reputation/brand damage, negative impacts on relationships with customers and partners, and financial losses. Some companies are rightfully concerned that premature disclosure also can impede law enforcement activity. Organizations have a complicated range of factors to consider.
What should internal auditors be focusing on in cybersecurity? How can they help?
Norton: Internal audit should start by gaining a deeper understanding of the company's current posture via a cyberrisk assessment, including external input on the threats facing the industry, current attack methods, etc. Next, internal audit should focus on the people, process, and technology controls in high priority areas and evaluate the incident response program. Internal audit also can help drive a robust discussion around the risks and mitigation strategy with leadership and the audit committee.
Bell: Internal audit should help to independently assess and prioritize cyberrisks against other critical enterprise risks. They can help to assess effectiveness of preparation and, with the right skills, work to help optimize the controls to prevent or detect cyber issues. Internal audit often provides a critical and ongoing monitor to these changing cyber-related risks. As businesses evolve their processes and enabling technology, internal audit should help evaluate if the key cyber controls are still effective as designed and implemented or if a change or update to the control environment may be required. Internal audit also helps identify and monitor issues and risks related to emerging technology deployments, such as cloud, social media, and mobile, and ensure that new controls are implemented completely.
How useful will the recently released U.S. Framework for Improving Critical Infrastructure Cybersecurity be to the average organization seeking to improve its cybersecurity?
Bell: The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity provides a solid foundation to help organizations consistently and effectively evaluate and compare their current security processes, procedures, and technologies. The framework includes a core structure that embodies the concepts of identification, protection, detection, response, and recovery in a way that provides a consistent view and links to other well-established security standards and approaches. While an effective tool for evaluation, the NIST framework, like many other frameworks and even current regulations, does not ensure security or provide comprehensive protection that critical data will not be lost, destroyed, or modified.
Norton: The NIST framework is very useful as a baseline of solid practices. Many companies have both strengths and gaps in their cybersecurity programs, and the framework can serve as a way to identify the gaps and raise the bar overall. Many companies, though, ultimately need more advanced/mature programs beyond what the framework calls for to mitigate especially sensitive risk areas.