Cyber security: a topic for the board - MDBC, 23-5-2016
TRANSCRIPT
© 2016 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under the Malaysian Companies Act 1965 and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Malaysia.
Document Classification: KPMG Confidential
Cyber Security: A topic for the Board. A new approach to Cyber Security
May 23, 2016
Programme
• Introduction to Cyber Security
• Setting the scene on Cyber Security
• Determining the Cyber Risk Profile
• The human factor: social engineering
• Legal and Regulatory requirements
  - EU Data Privacy Act
  - NL “Meldplicht datalekken” (data breach notification obligation)
• Cyber in the board room: relevant questions
• Cyber Crisis Management Game
Cyber Security - Definition
Cyber Security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cyber security is not new; only the number and impact of cyber incidents have increased dramatically.
Because of this increase in impactful cyber incidents (with huge media attention), we see more and more attention from customers, media and regulators.
Source: NCSS 2 (National Cyber Security Strategy 2)
Relevant Trends
1. EXTERNAL THREATS: organised crime, nation-states, cyber espionage, hacktivism, insider threats.
2. CHANGE IN THE WAY BUSINESS IS CONDUCTED: cloud computing, big data, social media, consumerisation, BYOD, mobile banking.
3. RAPID TECHNOLOGY CHANGE: hyper connectivity (the Internet of Things), information availability anytime and anywhere, scalability, on-demand.
4. REGULATORY COMPLIANCE: data loss, privacy, records management; governments and regulators become more demanding of organisations in terms of cyber security.
5. CHANGING MARKET AND CLIENT NEED: strategic shift, situational awareness, understanding that cyber security requires more than technological measures.
6. INCREASING AWARENESS: slowly but surely, society becomes more aware of the need to strengthen cyber security.
Changes in Risk Ranking

Rank  2011                                    2014
1     Loss of customers/cancelled orders      High taxation
2     Talent and skills shortage              Loss of customers/cancelled orders
3     Reputational risk                       Cyber risk
4     Currency fluctuation                    Price of material inputs
5     Changing legislation                    Excessively strict regulation
6     Cost and availability of credit         Changing legislation
7     Price of material inputs                Inflation
8     Inflation                               Cost and availability of credit
9     Corporate liability                     Rapid technological changes
10    Excessively strict regulation           Interest rate changes

Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index
FTSE 350 Cyber Governance Health Check: KPMG’s Top 10 findings

WHAT DO YOU BASE YOUR DISCUSSIONS ON?
• 25% of respondents have never received intelligence from their CIO on cyber threats
• 30% of respondents regularly receive cyber intelligence

WHAT ABOUT THIRD PARTIES?
• 48% have a basic understanding of information assets shared with third parties
• ...but Chairs did not have a strong understanding of how they dealt with third-party risk

ARE YOU DOING ENOUGH?
• 74% think their board colleagues take cyber very seriously
• 48% of chairs had IT security/cyber training in the last 12 months

HOW ARE CYBER RISKS PERCEIVED IN YOUR BUSINESS?
• 58% of respondents expect cyber risk to increase
• 29% of chairmen are anxious about cyber risk

WHO IS IN CHARGE?
• 89% see responsibility for cyber threats sitting with the board executive or audit committee
• 15% see the CIO as the senior cyber risk owner; nearly half say it is the CEO or CFO
Managing Cyber Risk - Past vs Present

PAST: risks of user error and insider fraud

PRESENT:
• ORGANISED CRIME: global, difficult to trace and prosecute. Motivation: financial advantage. Impact to business: theft of information.
• STATE-SPONSORED ESPIONAGE AND WARFARE. Motivation: political, economic and military advantage. Impact to business: disruption or destruction, theft of information, reputational loss.
• HACKTIVISM: hacking inspired by ideology. Motivation: shifting allegiances; dynamic, unpredictable. Impact to business: public distribution of information, reputation loss.
• THE INSIDER: disgruntled by change and uncertainty. Motivation: grudge, financial gain. Impact to business: disruption or destruction, theft of information, reputation loss.
Determining Cyber Risk Profile

The cyber risk profile is determined by five factors:
• Business environment
• Possible targets (crown jewels)
• Threat actors
• Vulnerability / resilience
• Legal & regulatory requirements
Business environment
1. CHANGING “BUSINESS MODEL”: increased digitalization, offline to online (the customer as an active actor in the online business process), doing business in risk countries, new services.
2. FAST TECHNOLOGY DEVELOPMENTS: cloud computing, big data, social media, consumerisation, BYOD, mobile banking.
3. CUSTOMER EXPECTATIONS: customers expect their data to be protected when stored or processed by leading organizations.
What is being stolen? Possible targets (crown jewels)

Information that is valuable:
• Intellectual property
• Business processes
• Customer, supplier and personnel data

Business critical information:
• Financials
• Business plans
• New products
• New markets

Critical business transactions:
• Raising finance
• M&A
• JV
• Divestitures
Threat Landscape - Threat Actors
Each threat actor has their own motivations, capabilities and targets.
Threat Landscape - Threat Actors and the typical assets they target

Organised Crime (global, difficult to trace and prosecute)
+ Financial assets
+ Personal data, including financial records

Nation States (cyber espionage and warfare)
+ Intellectual property
+ Strategic/operational plans
+ M&A activity
+ Critical infrastructure (for cyber warfare)

Hacktivists (hacking inspired by ideology)
+ Reputation: public and media perception
+ Publications: websites
+ Services: disruption

The Insider (disgruntled by change and uncertainty)
+ Customer and client lists
+ Processes and plans
+ Services: disruption

Journalists (investigative reporting)
+ Confidential information, through leaks and hacking
Vulnerability / Resilience: assess the level of vulnerability / resilience for the relevant threat actors

— Assess vulnerability:
- Assess whether your organisation is vulnerable to the specific attack vectors used by specific attackers, based on the kill chain approach.
- Assess whether your organisation would be able to detect such an attack vector (knowing that most organisations detect advanced attacks only some 200 days after the attack itself occurred).
— Build / assess resilience:
- Build a crisis plan for these types of attacks and test this plan periodically!
The approach: cyber kill chain methodology

YOUR GOAL: MOVE DETECTION AND RESPONSE UP THE KILL CHAIN

Before the hack (T-1):
1. Recon: select targets and determine attack methods
2. Weaponize: develop the attack methods
3. Deliver: transmission of the attack via physical, email, web, or social engineering
The hack (T0):
4. Exploit: successful penetration, access gained
After the hack (T+1):
5. Install: install “malware” to gain remote control
6. Control: establish command & control throughout the network
7. Execute: complete actions and achieve the attacker’s objectives
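To make the goal on this slide measurable, here is an added example; it is not code from the KPMG deck. The script tags constructed monitoring events with the kill-chain stage they evidence, then reports at which stage an intrusion was first detected and the resulting dwell time. The log line format, the event-type-to-stage mapping and the sample events are all assumptions made for the illustration.

```python
"""Kill-chain stage of first detection and dwell time over an event log.

Added example for the kill-chain slide; not code from the KPMG deck.
The event format, the event-type-to-stage mapping and the sample events
below are constructed assumptions for illustration.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Stages in the order the slide presents them (T-1 ... T0 ... T+1).
KILL_CHAIN = ["Recon", "Weaponize", "Deliver", "Exploit",
              "Install", "Control", "Execute"]

# Hypothetical mapping from a monitoring event type to the stage it evidences.
# Weaponize happens on the attacker's side and is normally invisible to the
# victim, so no event type maps to it.
STAGE_OF_EVENT: Dict[str, str] = {
    "portscan": "Recon",
    "phishing_email": "Deliver",
    "usb_mount": "Deliver",
    "macro_exec": "Exploit",
    "new_service": "Install",
    "beacon": "Control",
    "bulk_download": "Execute",
}


def parse_event(line: str):
    """Parse one constructed log line: 'ISO-time|host|event_type|alerted-or-silent'."""
    ts, host, etype, status = line.strip().split("|")
    return datetime.fromisoformat(ts), host, etype, status == "alerted"


def analyse(lines: List[str]) -> Dict[str, Optional[object]]:
    """Report how deep the intrusion got and where/when it was first detected.

    'stages_before_detection' counts kill-chain stages the attacker completed
    before the first alert; 'dwell_days' is whole days from the first attacker
    activity to the first alert (None when nothing alerted).
    """
    events = sorted(parse_event(line) for line in lines)  # chronological order
    first_activity = events[0][0]
    deepest = -1
    first_alert_ts: Optional[datetime] = None
    alert_stage: Optional[str] = None
    for ts, _host, etype, alerted in events:
        stage = STAGE_OF_EVENT.get(etype)
        if stage is None:
            continue                                    # not kill-chain evidence
        idx = KILL_CHAIN.index(stage)
        deepest = max(deepest, idx)
        if alerted and first_alert_ts is None:
            first_alert_ts, alert_stage = ts, stage
    return {
        "deepest_stage": KILL_CHAIN[deepest] if deepest >= 0 else None,
        "detected_at_stage": alert_stage,
        "stages_before_detection": (KILL_CHAIN.index(alert_stage)
                                    if alert_stage else len(KILL_CHAIN)),
        "dwell_days": ((first_alert_ts - first_activity).days
                       if first_alert_ts else None),
    }


# Constructed sample: the same intrusion, logged twice. In the first log only
# the final data theft alerts; in the second the C2 beacon alerts as well.
INTRUSION = [
    "2016-01-10T08:00:00|fw01|portscan|silent",
    "2016-01-12T09:15:00|mx01|phishing_email|silent",
    "2016-01-12T09:20:00|ws-042|macro_exec|silent",
    "2016-01-13T02:00:00|ws-042|new_service|silent",
    "2016-01-14T03:00:00|proxy01|beacon|silent",
    "2016-07-20T23:40:00|fileshare01|bulk_download|alerted",
]
INTRUSION_DETECTED_EARLY = [
    line.replace("beacon|silent", "beacon|alerted") for line in INTRUSION
]


def late_detection() -> Dict[str, Optional[object]]:
    """Detection only at the Execute stage (the data theft itself)."""
    return analyse(INTRUSION)


def early_detection() -> Dict[str, Optional[object]]:
    """Detection moved up the chain to the Control stage (the C2 beacon)."""
    return analyse(INTRUSION_DETECTED_EARLY)


if __name__ == "__main__":
    for name, fn in (("detect at Execute", late_detection),
                     ("detect at Control", early_detection)):
        print(name, fn())
```

Run over the same intrusion twice, the report shows what “up the kill chain” buys: alerting on the command-and-control beacon instead of on the final data theft cuts the dwell time from 192 days to 3 and leaves the attacker with one fewer completed stage. The dwell_days field is the kind of indicator the 200-day figure on the previous slide is about.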
Social Engineering: what is social engineering?

You and your employees are the weakest link...
...but when well trained, they can be the strongest weapon of the organisation against social engineering attacks.

Three dimensions: technology, process, people.
Social Engineering: evolution of the attacks
— Attacks are getting more complex and difficult to recognize.
Social Engineering: evolution of the attacks
— Malware creation tools that can be used in social engineering attacks are today available “off the shelf”.
— Cybercrime-as-a-service marketplace:
• Enables fraudsters to cash in without the need for technical knowledge.
• Cybercrime “service providers” must improve the quality of their malware more than ever to keep and win customers.
• Many attacks are easy to perform and low cost:
- Phishing attacks: 500,000 email addresses cost $30
- Hosting a phishing site can be done for free
- 1,000 credit card numbers cost $100
Social Engineering: psychological concepts (that are used by social engineers)
— Six basic principles from Robert Cialdini:
• Liking
• Authority
• Social proof
• Consistency
• Reciprocation
• Scarcity
— Other concepts:
• Similarity
• Do the unexpected
• Perceptual contrast
Real life examples: KPMG attack simulation using USB sticks
This is one of the USB sticks as handed out last Thursday by “Brasserie Mimicry”.
Real life examples: KPMG attack simulation using USB sticks
— Within 40 minutes of initiating the attack we had full access to:
• The “crown jewels” of the bank. We could read and edit the financial details of all their clients.
• As we had access to multiple desktops, segregation of duties no longer existed.
• Network shares full of further sensitive internal information on clients and employees.
— But we could also:
• Use the compromised systems to perform further attacks, e.g. use the mailbox of a victim as a trusted source to spread malware further across the network.
Real life examples: KPMG attack simulation, hide in plain sight
— Dutch Sinterklaas on assignment...
Legal and Regulatory changes

DNB / DUTCH CENTRAL BANK
• Cybercrime: theme 2014/2015
• Mandatory periodical self-assessment; required maturity level 3 / 4
• ECB: similar scheme

EUROPEAN UNION
• On 12 August 2013, Directive 2013/40/EU on attacks against information systems (the Cyber Crime Directive) came into force.
• The Cyber Crime Directive requires Member States to bring into force laws, regulations and administrative provisions by 4 September 2015 in order to provide a pan-European approach to cyber crime.
• Focus on critical infrastructures.

DUTCH GOVERNMENT
• National Cyber Security Strategy 2: the government will act if required. If required, regulations and standards will be proposed, as a consequence of the implementation of the EU Cyber Risk Directive.
• Primary focus: critical infrastructures.
• CBP / privacy: maximum fine EUR 800,000; after implementation of the EU Privacy Regulation: maximum fine 2% to 5% of global turnover.

UNITED STATES
• Obama’s Executive Order of February 2013 aimed at increasing the cyber resilience of US organisations:
- Focus on critical infrastructures.
- Development of the NIST Cybersecurity Framework.
• PCAOB issued guidelines for financial auditors related to cyber crime / cyber security.
- NBA (the Dutch professional body of accountants) is working on a Public Management Letter.
Draft EU data privacy regulation: overview
With over 4,000 requested amendments to be negotiated between the European Parliament and the Council of Ministers, there are likely to be significant changes between now and the 2016 target date for adoption...

From the EU Data Protection Directive 95/46/EC to the General Data Protection Regulation: harmonise privacy laws across Europe and reflect the digital age.

“Our current data protection rules were adopted in 1995, when only 1% of the EU population was using the internet...and the founder of Facebook was only 11 years old”
Viviane Reding, European Commissioner for Justice, 2010-2014

Key elements of the draft regulation:
• Applicability to non-EU controllers
• One Stop Shop
• Privacy Officer (> 5,000)
• Fines of €1 million or 2% of turnover
• Additional data subject rights
• Breach notification
• Privacy Impact Assessment
• Processor’s liability
Privacy in the Netherlands: Dutch data protection act

STATUS QUO as of 1 January 2016

Laws & regulations, European:
• EU Data Protection Directive 95/46/EC
• EU Data Retention Directive 2006/24/EC
• E-Privacy Directive 2002/58/EC
• Cookie Directive 2009/136/EC

Laws & regulations, Dutch:
• Wet bescherming persoonsgegevens (Wbp), the Dutch Data Protection Act
• Meldplicht datalekken (data breach notification obligation)
• Telecomwet (Tw), the Telecommunications Act
• Cookiewet (cookie law)
• Misc.: Wet BRP, Wpg, Wjsg, gedragscodes (codes of conduct)

Supervision on data breaches:
• CBP (College Bescherming Persoonsgegevens), renamed AP (Autoriteit Persoonsgegevens)
• ACM (Autoriteit Consument en Markt)
Dutch data privacy changes: current regulation?
— Dutch changes: the bill ‘Meldplicht datalekken en uitbreiding boetebevoegdheid CBP’ (data breach notification obligation and extension of the CBP’s power to fine) was passed by the Tweede Kamer (House of Representatives) on February 10th 2015 and by the Eerste Kamer (Senate) on May 26th 2015. This law has been in force since January 1st 2016.
— Key changes:
• The Data Protection Authority (‘CBP’) must be notified of data breaches without delay.
• Penalties up to €810k for not reporting a data breach, careless processing of (sensitive) personal data, storing personal data too long, inadequate protection, or failure to comply with disclosure requirements.
• Penalties up to 10% of annual sales (among other things if binding instructions are not followed; this relates the size of the fine to the size of the organization, e.g. Google, Facebook).
• In case of a data breach the data controller must inform the persons involved and society and provide information on:
- Nature and scope of the data breach
- Harmful effects of the infringement
- Required effort for recovery actions
• The CBP’s name is changed to Autoriteit Persoonsgegevens, and it is the authorized supervisor of the Telecommunications Act.

Timeline:
• 1989: Wet Persoonsregistratie (WPR)
• 2001: Wet bescherming persoonsgegevens (Wbp)
• 2016: Wbp + Meldplicht datalekken & uitbreiding boetebevoegdheid
• 2016 (expected): EU General Data Protection Regulation
Cyber risk is driven and managed by more than technology

The drivers of inherent cyber risk include the threats, your vulnerabilities, your assets and the regulatory and business environment in which you operate.
This inherent risk can be mitigated by deploying controls and having response capability and plans. In the worst case, resiliency and contingency planning will reduce the impact of significant cyber incidents.
The readiness of technical systems to protect, detect and react to an attack is important, but in many organisations the people are the weakest link; they can become the greatest asset for defence if properly informed and trained.

Model shown on the slide:
• Drivers: threats (threat actor, actor capability, attack immediacy), regulations, vulnerabilities (people, process, technology), business drivers, assets (information assets, systems, applications)
• Protect and defend: technical controls, behavioural controls
• Respond: immediate incident response, investigations
• Business resilience and contingency
Lessons learned: how to mitigate the risks?

• Protect & defend: technical controls, behavioural controls
• Respond: immediate incident response, investigations
• The human factor is the weakest link, unless...
• Cooperation is required: ISAC, sector, NCSC, (IT-)partners
• Shift from prevent to detect & respond
• How to react if you are hacked (and you will)...

PROTECT YOUR “CROWN JEWELS”
Five Steps to Minimize your Exposure

1. ASSESS YOUR READINESS TO RESPOND / RESILIENCE: perform a cyber maturity assessment to look at areas such as leadership and governance, human factors, information risk management, business continuity and crisis management.
2. HONE IN ON YOUR CRITICAL ASSETS: identify your critical assets, but remember that what you consider to be of no value may be considered valuable to an attacker. Take a look at the lifecycle of your critical information assets from creation all the way to destruction.
3. SELECT YOUR DEFENSE: based on your assessment and your critical assets, select your defenses. Know what threats you are going to defend against; trying to prevent them all gets very expensive.
4. BOOST YOUR SECURITY AWARENESS AND EDUCATION: everyone in the organization, from the boardroom to the mailroom, must understand the value and sensitivity of the information they possess and, more importantly, how to protect it.
5. ENHANCE MONITORING & INCIDENT RESPONSE: being able to adequately respond to a security incident through established, tested processes should not be taken lightly. Supported by a security monitoring platform and good threat intelligence, you can get a better grip on monitoring and responding to cyber crime.
Cyber risk discussion: the board gains assurance that cyber risks are well managed through key questions

How secure are you currently?
• What have been the most serious security and privacy incidents that you (and your peers) have faced in the past 12 months, what have you learned from those experiences, and what are you now doing differently to prevent them from re-occurring?

Are you getting more or less secure?
• What key indicators are on your security dashboard, how is the organisation achieving those objectives, and how does this compare to your peers?

How do you set priorities and risk appetite?
• What is your organisational risk appetite for downtime, data loss and privacy incidents, how do you set your appetite level, and how are you tracking against that?
• What are the 'crown jewels' that require the highest levels of protection? Which business processes are critical to the survival of the organisation?

How are you organised to manage the issue?
• How are your first and second lines of defence set up? How do you report on the risk? How do you co-ordinate across multiple responsible functions?

Are you spending at the right level? And getting value for money for that spend?
• What are you spending on security over the next three years? Is it enough to appropriately respond to the threat? Where are you under-invested and where can you make savings? Can you defend your investment compared to your peers?

How do you manage third party suppliers?
• How do you ensure your suppliers (and their suppliers in turn) do not expose you to unacceptable cyber risk?
John Hermans, Partner
KPMG Advisory N.V.
Laan van Langerhuize 1
1186 DS Amstelveen

Function and specialization
• Cyber Security Lead Partner, Advisory KPMG The Netherlands
• EMA Cyber Security Lead Partner and member of KPMG’s global Cyber Security leadership

Education, licenses and certifications
• Bachelor degree in Information Management
• Post Graduate EDP Auditing; certified as chartered IT auditor (RE)

— Background
John is a partner in the Amstelveen practice of KPMG IT Advisory and a member of KPMG’s Global Leadership on Cyber Security. In his current position he is heading the Cyber Security Services of KPMG in the Netherlands, covering the following services:
• Security Strategy Services / Cyber Security in the Board Room
• IT Governance, Risk and Compliance
• Technical Security Services
• Cyber Security Services
• Identity & Access Management
• Business Continuity Services
• Data Privacy Services
Furthermore, John is leading KPMG’s Strategic Growth Initiative on Cyber Security services within the Netherlands as well as in Europe, the Middle East and Africa, and is a member of KPMG’s global Cyber Security Leadership.

— Professional experience
John has worked for numerous international and national organisations in most industry sectors, such as Financial Services, Oil & Gas, Retail and Government, and is considered one of the leaders in his field of expertise. John has been involved in more than 100 national and international information security projects across the world. John’s major involvements were in advising and supporting clients in developing, defining and implementing their overall Information Security strategy, building the required business cases for Executive Boards as well as Supervisory Boards, and performing multiple program management activities as well as executing quality assurance assignments.
Next to being involved in many information security and cyber security programs and projects, John is involved in multiple Cloud Computing projects in both the private and public sector. John’s major involvements relate to advising and supporting clients in developing, defining and implementing their cloud computing strategy as well as advising on cloud security/assurance topics.

— Industry experience
• Financial Services: Insurance, Mortgages and Banking
• Oil & Gas
• Telecommunications
• Government
• Health Technologies
© 2016 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks of KPMG International.
John Hermans, Partner, Risk Consulting
Laan van Langerhuize 1, 1186 DS Amstelveen
Tel: +31 20 656 8394  Mob: +31 6 51 366 389  Email: [email protected]
Thank you
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia kpmg.com/app