Businesses across the UK may be more aware of cyber security threats, but they still have a long way to go to balance the cyber crime odds back in their favour. A report released today by KPMG suggests that by learning from the intelligence approach adopted in the fight against terrorism, organisations can improve their safety net and meet the ever-changing challenges of cyber attacks.
The report follows publication of data revealing that many organisations have failed to heed warnings in the media, leaving their data and staff vulnerable to hacking. KPMG’s Data Loss barometer, for example, shows that the hacking of information held by businesses has jumped globally from only 8% of total incidents in 2010 to a shocking 52% in 2012.
Malcolm Marshall, KPMG partner and head of the firm’s Information Protection & Business Resilience team, says: “Increased awareness of cyber security threats is a positive trend, but indications are that organisations now need to focus on putting into place the fundamentals of intelligence management to gain real value from what they know. It’s the absolute minimum required to instil confidence amongst Board members.”
According to KPMG’s thinking, much can be learned from law enforcement organisations, and the report suggests a 3-pronged approach to tackling cyber crime. The approach revolves around creating an intelligence-led mindset within organisations, implementing an operating model similar to those employed by the intelligence community and building a decision-making process which is centred on a tightly controlled ‘information gathering programme’.
‘Cyber threat: intelligence and lessons from law enforcement’ argues that an intelligence-led mindset establishes a direct connection between the threats and vulnerabilities organisations face and the consequences of their compliance or inaction. It calls on the UK’s business leaders to ask questions ranging from the basic ‘what cyber threats do we face?’ to more searching queries around how effective past responses have been.
The report also goes on to argue that to embed intelligence-led decision-making, business leaders should follow the example set by law enforcement agencies. For example, rather than simply collating data, KPMG’s report urges organisations to set parameters for the type of information being gathered, so that haphazard approaches to analysis and actions can be avoided.
Malcolm Marshall adds: “No organisation can dedicate resources to counter every threat. With limited public funding, law enforcement agencies have learned hard lessons in how to prioritise threats and allocate resources. Cyber threats are no different. It should be possible to identify core vulnerabilities and the potential impact of loss or denial of access. In other words, intelligence collection should be informed by an understanding of the priorities of assets and constantly mutating threats and vulnerabilities.
“Just as law enforcement agencies use intelligence to protect the public, organisations should be doing the same to protect information assets, customer data and, ultimately, shareholder value.”