Organisations need to be pumping more time and energy into cyber protection and resilience, rather than rolling back their efforts.
That’s the opinion of David Ferbrache, technical director of KPMG in the UK, who has sent out a stark warning to companies that a cyber attack is a matter of when, not if.
“The changing nature of these attacks means that no business which operates online is completely safe,” Mr Ferbrache wrote on KPMG’s blog section.
He warned that the very survival of some organisations could depend on how they consider the potential cyber risks and the impact an attack could have.
Cyber attacks now cost the global economy an estimated $450 billion a year, and that figure will only rise over time as attacks grow in frequency and ferocity.
Mr Ferbrache – who has over 25 years of cyber and information security expertise and was previously the Ministry of Defence’s head of cyber – suggested it was time for organisations to approach cyber security from a different angle and to “think like a criminal”.
“Cyber criminals are rational business people, who are looking for a return on their investment in the tactics and tools they use to steal, to commit fraud and to extort money,” he explained.
“One thing they do not do is think in organisational silo structures – and so neither should the IA (internal audit) team.”
The KPMG man added that the basic controls and governance of cyber security hadn’t changed in the past 20 years, yet many organisations were still failing to get the basics right or to apply their controls and governance consistently. He urged companies to concentrate on operational resilience.
Mr Ferbrache signed off by imploring companies to employ credible attack scenarios to test the adequacy and integration of controls.
“Think about what your organisation needs to do to survive and rebuild after a major cyber attack – your future could depend on this,” he concluded.