Take a corporate approach to growing cyber threats
The sobering assessment of cyber threats is that they are here to stay.
But cyber security experts speaking at the Bermuda Captive Conference yesterday urged companies to take a corporate approach to the problem, as opposed to just an IT approach, because cyber intrusions are a threat to the entire organisation.
They highlighted a paradigm shift in thinking that is bringing new layers of protection and emergent expectations for employees — new behavioural expectations from the CEO on down.
This is a part of the message that KPMG Bermuda is using to brief their clientele. They hosted more than 30 clients at a luncheon seminar at their Par-la-Ville offices on Tuesday to hammer home the same points.
The BCC presentation — the last educational session of the Conference — was made by KPMG senior manager, advisory Fred Oberholzer and KPMG seconded director, advisory Dennis van Ham.
They also spoke separately to The Royal Gazette, making the point that companies that don’t evolve their thinking on cyber security from the age of simple antivirus protection are at greater risk.
Mr Oberholzer said: “Antivirus software is an important component in the fight. But it is not the only one. It is important if you are to have antivirus technology for example, that you keep it up to date.”
But he said there’s been a shift in focus.
Mr Ham pointed out: “Until quite recently, investment against this threat was somewhat focused in one area. There was a huge investment into preventive technologies: antivirus, firewalls and that sort of thing.
“But what you see now is the shift of investment and deployment of tools and processes that more quickly detect issues.
“The thinking is that it is no longer a case of ‘if you will be hacked’, but ‘when you will be hacked’.
“It’s kind of a military approach — a crisis management approach.
“The earlier you can detect an attack, the more prepared you may be to act to contain the problem and protect your network.
“These are the measures we are seeing that are useful for our clients.”
Mr Oberholzer added: “But your people and your processes are also critical to the solution. You should ensure, for example, that all employees are more security aware.
“To begin with you don’t just click on a link, but hover over that link to see where you are being taken.
“So you have the technology layer, the individual accountability layer and there is a third, which is about processes.
“Organisations involve specific processes and assign accountabilities to ensure that security is handled in a very co-ordinated and organisation-wide fashion.
“A cyber threat is no longer seen as just IT’s problem, but something that can fundamentally disrupt business operations. This is not an IT issue, but a business issue.”
Mr Ham said: “So now, the leaders of the company are getting involved, which means new dialogue for very technical people who have to talk to the business about this risk.
“You want to talk about a perfect storm? At the same time, that very business is trying to tap into new technologies, such as mobile phones, the cloud and social media. But these new technologies introduce new vulnerabilities.”
He said: “A lot of it is leading by example, because executives, VIPs and those who travel a lot are more likely to be a victim than anyone else. A lot of this is really about individual awareness.
“One of the things I learned from working in the oil and gas sector was about health, safety and security. If you are walking on a rig, it is ingrained in you to hold the rail. It is simple processes like these that can be used to better prepare and prevent problems.
“There are potential threats — events and incidences happening all the time. They are just not all data breaches, but stuff is always happening that we can learn from.
“So the challenge for us is that in any organisation, it only needs one e-mail, one click from one person.
“Not all e-mails can be trusted. If it looks too good to be true, it probably is not true. But unfortunately, younger people are less afraid to share information and we live in the age of social media.”