Cyber Security: Australian Financial Review special report
Produced in association with the Australian Financial Review
November 2014
kpmg.com.au

KPMG, in association with The Australian Financial Review, hosted a roundtable event on cyber security. Content originally produced by the Australian Financial Review online edition on 24 November 2014.
PANELLISTS INCLUDED:
Troy Braban, CISO, Australia Post
Tara Cahill, GM Risk Group Services, Westpac
Diona Rae, CRO, GPT
Tim Thurman, CIO, ASX Group
Simon Smith, CIO, Lumo Energy
Mark Tims, Partner, Technology Risk & Assurance, KPMG
Gary Gill, Partner, Forensic, KPMG
Adaptability key to cyber security
ANDREW BIRMINGHAM
Businesses find themselves needing to innovate quickly in a marketplace increasingly disrupted by digital technologies, but where consumers are increasingly aware of the importance and value of their own data. That puts a premium on securing both the data and the intellectual property spawned by innovation.

Traditionally companies applied perimeter defences to keep the bad guys out, and policy and forensics to keep the bad guys inside the organisation from getting out. But the threat profile is evolving. With tens of thousands of new malware variants entering the IT ecosystem every day, the technical responses have evolved to include continuous detection and investigation. External threats meanwhile have become more sophisticated and sinister, with attacks by organised crime and state-backed agencies increasing.

For security professionals like Australia Post’s chief information security officer Troy Braban, that means the complexities of his role have kicked up significantly. “On a day-to-day basis it’s different every single day.”

“The pace has changed and so have the adversaries, and what they are trying to do. The situation is constantly in flux,” he says.
Cyber security has emerged as a key risk for companies, which is why Mr Braban is in regular contact with both the CIO and the chief risk officer. Indeed leadership engagement extends all the way to the board. “We talk to our executives and our board about different types of people or organised entities that want to attack us.”

While amateurs looking to test the membrane have always been a nuisance, in recent years hacktivism has also emerged, most notably through organisations like Anonymous.

At the other end of the spectrum there are organised crime and [nation] states. “So in the last two years we have invested a lot of time in both of those two areas.”

And in the middle are inside operators: employees who through malfeasance or ignorance pose a threat. “The inside threat is one that we’ve talked about, where the risk profile stays the same but what actually changes is the value of the information and the value of the interaction you’ve got with your customer. That threat trend has effectively stayed the same but the impact has changed.”
FRONT LINE

For the staff on the front line of cyber security, the threat is ever present. “We’re constantly patching. I’ve got a team and all they do is look after those firewalls,” says ASX chief information officer Tim Thurman.

He characterises the ASX as being on the front foot, but he says he also saw the alternative during his time in investment banking in Canada, where there were often gaping holes, especially in legacy systems, to which security staff were constantly responding.

One specific area of technology that features increasingly highly in the conversation is cloud computing, and opinions are mixed about its impact and security, depending on the types of applications involved.

GPT’s chief risk officer Diona Rae says, “We have gone to the Cloud for our systems and infrastructure and it’s been a very positive move for us. We are a small IT user compared to a bank, for instance. We’re never going to be able to spend the kind of money that is needed to have a very robust environment, but we can get that with a cloud provider because that’s their job.”

Ms Rae says it takes time for executives to be comfortable. “The Cloud is seen as something that’s quite scary and it has potential to be dangerous for us. However it probably was a great solution for us from a cyber-security perspective.”

Regulation is often seen as a barrier to cloud adoption, although less so these days.

“We’ve had a few conversations with APRA around the cloud over the last 12 months and they are very supportive of us,” says Tara Cahill, GM risk, group services, Westpac.

The regulator is treating issues around engagement, communication and transparency much as it did in previous discussions around outsourcing and offshoring, says Ms Cahill. “They want to make sure that it’s done properly, in a risk-based way with the right controls in place.”

But not everyone is on board yet, as Mr Thurman makes clear. “It’s hard for us to utilise that service. There are latency issues in terms of how fast we need to be.”

That said, the ASX does use some cloud-based apps such as Salesforce. But for its core business, Mr Thurman isn’t quite ready to buy the story the industry wants to sell. “So I build my own internal private clouds and I offer that service to my clients within my data centres.”
UPSTAIRS DOWNSTAIRS

Given the risks involved and the business impact, many companies have evolved beyond treating cyber security as a technical issue. Instead boards and executives view it as a key business risk.

Operationalising cyber security is important for another reason: companies need to be able to innovate quickly to respond to changed circumstances as new insurgents enter their markets and disrupt old ways of doing business.

CIOs are clear that technology can’t solve 100 per cent of the problems; instead organisations need to develop a security-aware culture and build upon it. Education is a critical tool in this regard.

According to Ms Rae, while employees have a high awareness when it comes to the PINs on their bank accounts or other personal information, they don’t always bring that level of awareness to the workplace. “Staff will want to do things like email secure documents to their Hotmail accounts, or use common passwords and even share them at work, which they would never do with their own information.”

“Our challenge at the moment is to get them to understand that they need to apply the same sort of rigour to what they do at home. Our IT guys have a good infrastructure and they are knowledgeable about security, but these vulnerabilities probably come from mistakes or things that our staff can do.”

DR NO

The old paradigm, where security concerns are an excuse to do nothing, no longer washes.

“We’ve got a mantra: we never say no, it’s always ‘no, but’,” according to Simon Smith, CIO, Lumo Energy, who says it is important to work closely with business managers to help them build security into the product offering early.
Collaboration is another key weapon in the cyber security arsenal. Companies may compete fiercely in the market, but when it comes to repelling new and dangerous threats, cooperation is the order of the day.

According to Westpac’s Ms Cahill, collaboration necessarily casts a wide net given the systemic risk of threats from aggressive and sophisticated adversaries.

“We work across industries, with the government, with education and academics. When I asked our chief information security officer for a list of the organisations with whom we interact globally on this, the list ran to three pages of organisations.”

The bank works closely with other financial services companies, and it makes sense to do so, she says, as the attacks are going to be very similar. “You want to know where those weak links are and how that all interacts.”
How much does business know?
ANDREW BIRMINGHAM
As business becomes increasingly connected to its customers, partners and even devices, and as operations become more digitised, company boards and leadership teams have moved cyber security onto the top tier of business risk considerations.

Regulatory compliance on the one hand, and consumer expectations for security and privacy on the other, mean that the days when cyber security could be ignored as an arcane consideration for technical specialists have passed.

Small wonder. A recent World Economic Forum report highlighted the growing systemic threat to business and government from highly sophisticated networks run by organised crime and even nation states.

The WEF’s somewhat alarming conclusion: the world is one disruptive technology development away from losing the cyber war.

In its ninth Global Risks report the WEF flagged the risk of what it called ‘cybergeddon’ as a result of sophisticated cyber attacks. Just as importantly, the research identified an erosion of public confidence as governments themselves start penetrating networks and trawling data as part of law enforcement or counter-terrorism initiatives. Facebook’s recent Transparency Report, for instance, revealed that government requests for its data are increasing.

It is little wonder then that the country’s biggest companies are taking such systemic challenges very seriously.
According to Tara Cahill, GM risk, group services, Westpac, cyber security is hugely significant for the bank.

“Trust is obviously core to the banking proposition. With the amount of data we hold and the type of data we hold, we take it extremely seriously.”

Mark Tims, Partner, Technology Risk & Assurance, KPMG, said Westpac is not alone in this regard.

“We have certainly noticed over time there has been a lot more education occurring within organisations and in the general market in terms of the awareness about cyber security.”

Boards, he says, tend to be worried about what they don’t know. That can be a problem with a topic like cyber security, which can naturally be very technical.

“So education and awareness are actually quite important.”

Companies are increasingly investing in programs to continuously monitor and protect themselves. There are a lot of organisations that are spending large amounts of capital to ensure that protection, said Mr Tims.

Even those businesses that might not have previously considered themselves at significant risk are having to adjust.

According to Diona Rae, CRO of property group GPT, the organisation’s leadership now recognises that while they may not be as heavily system-dependent as other companies, there are vulnerabilities.
Furthermore, GPT’s clients in the retail space increasingly want to use customer data to personalise the consumer experience, and GPT needs to understand the issues around that.
“Up until about a year ago I don’t think GPT really thought of itself as having cyber risks. We’re not a high-profile public brand, we don’t carry our cash in transactions, so I don’t think people generally thought we were really a target. But now we’ve realised we are,” she said.

“The challenge for us is that probably one of our biggest vulnerabilities is what our staff members do.”

This growing realisation of the risk was a common theme to emerge at a recent KPMG AFR cyber security roundtable.

Simon Smith, CIO, Lumo Energy, said that when he first joined the company awareness of the issues was very limited. “One of the first things I did was to get the executives to sponsor a program. Then we brought in a third party to help implement it. Having the CEO and the board engaged was important and that generated a lot of buy-in through the organisation.”

The change at Lumo is significant and indicative of the growing importance companies attach to the issue.

The majority of the leadership team is now part of the security council, ensuring the issue gets visibility from the top level, said Mr Smith. “The board is now pushing for a hardening of the network and systems, which is a different experience to hearing ‘no’ because of the implication on cost and complexity.”
REGULATORY INCENTIVE

Like the energy sector, the banking sector is subject to significant regulation around data, which provides further impetus for leadership team engagement around security.

However, according to Westpac’s Ms Cahill, while regulation is a key consideration and a driver, decisions can’t begin and end with the regulation.

“Generally we look at what’s the minimum requirement we’d want as an organisation anyway. Because at the end of the day it is about the customer, and it’s about the customer data.”

Australia Post’s chief information security officer Troy Braban says it is a matter of understanding what customers want and care about. It’s an issue that is brought into sharp relief when stories about data breaches make it into the public domain.

“You always get two questions. One is what happened, and then the second is ‘can it happen to us?’ Having the answer to both of those is incredibly important.”

While many discussions often centre on the risk of a breach that exposes customer data, increasingly companies are starting to appreciate a wider danger: the theft of intellectual property.

Gary Gill, partner, forensics, KPMG, says: “There are always conversations about personal data and increasingly about IP, where either insiders are targeting the information or outsiders are targeting people inside to get to the trade secrets of the business.”

Andrew Birmingham is the editor of Which-50.com
Juggling customer privacy and service
ANDREW BIRMINGHAM
Great customer experience drives loyalty and, according to multiple studies, stronger profits and revenues.

But great customer experience comes at a price. In order to execute, companies need access to customer data such as personal preferences and web behaviour in order to better personalise the outcome for the individual.

The natural tension between the consumer’s right to privacy and their quest for the best deal creates a strong sub-current in the debate around data privacy and security. And importantly it is a key consideration for companies as they build out their cyber security infrastructure.

In the retail industry, for instance, data on customer behaviour is a key competitive advantage, says Diona Rae, chief risk officer at GPT. “If you want a good relationship with your customers and consumers, part of that is building trust with them.”

Companies also need to understand the consumer’s reaction to too much personalisation.

Lumo Energy CIO Simon Smith recalls his experience working in the retail sector. “We had the best personalisation engine on the website, to the point where we could actually know when you’re about to buy just by analysing your historical trends. But the thing is we tipped it. We did a lot of multivariate tests and found if we got too personal people backed off because it was too spooky.”

A discussion document by David Jones and Brad Paton, published in a Reactive whitepaper earlier this year called Perspectives 2014, argues that consumers are willing to concede some privacy rights where the payoff is better levels of service or lower pricing.

The authors wrote: “We are in an era of convenience. There is a level of expectation in the amount of value that a product will immediately provide users, catering to their needs.”

The paper also noted research suggesting most consumers are happy for companies to use their data so long as they do so responsibly and for their benefit.

However, says Tara Cahill, GM risk, group services, Westpac, “it still comes back down to the fact that the organisation has an obligation to the customer. It doesn’t really matter whether we’ve got a demographic that are quite happy for us to use their data or a different demographic that is very concerned about the use of data. Our obligation is to maintain the security of all customer data, to use it appropriately and to take into consideration the regulation and the laws around the use of data. If we maintain that then we maintain the trust of the customer that we’re doing the right thing with their data.”

While consumers also want and expect that their data will be kept securely and used transparently, they may not have the same concerns about where the data physically resides.
According to Australia Post chief information security officer Troy Braban, “We’ve done some research and there’s been some other papers around this. If you give customers two choices, do you want a secure offshore location or an insecure onshore location, then of course they’re going to pick the secure offshore. Then if you ask the question do you want a secure offshore or secure onshore, the answer is almost certainly always ‘I don’t care as long as it’s secure.’ It is less about storage location and sovereignty; customers just want to know their data is secure.”
BREACH HEAD

Companies also have to consider the implication of data breaches, sadly a fact of life in online commerce.

While Australia lacks the mandatory disclosure laws found in jurisdictions like California, many IT security and risk management professionals still hold to the view that it’s better to tell the customer sooner rather than later.

Gary Gill, Partner, forensics, KPMG, asks: “If you think about it from a reputational risk, how does it impact your reputation? If you wait too long and don’t disclose and then it comes out you had a breach six months later, I think that damages the reputation quite badly. But obviously you’ve got to be careful about what you say and when you say it.”
The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.

The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).

© 2014 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”).

Liability limited by a scheme approved under Professional Standards Legislation.

November 2014. VICN1248MKT.