Cybercrime: The end of innocence

Cybercrime: The end of innocence

The Head of Cyber Security services at KPMG in Greece gives commentary on related issues and advises businessess. The interview was published in FORTUNE magazine, July 2016

Picture of Effie Katsouli


KPMG in Greece


We have been hearing and reading a lot about cybercrime and hackers, lately. What is cyber crime and who engages in it?

Cyber crime is all illegal digital actions intended to cause damage to businesses or individuals. The term is used to denote a wide range of attack methods and those who support or perform them are divided into four broad categories: 

  • individuals, acting alone wanting to show what they are capable of doing; 
  • activists, who want to promote an ideology or a political position, often causing fear and unrest;
  • organized crime, which focuses exclusively on economic benefit through a multitude of mechanisms, such as ‘phishing’ or the sale of stolen corporate data; and 
  • governments, that aim at improving their geopolitical position and/or serving their commercial interests. These categories of attacks differ in their characteristics, in terms of type of target, methods of attack, and the scale of impact.

After all these major scandals that have come to light, is there an effective way to shield a company against cyber attacks?

In the same manner that we can protect ourselves against more well-known and traditional forms of attacks (e.g. theft), so too we can protect ourselves against cyber attacks. Integrated protection covers four areas: we must prepare and protect ourselves, while also detecting/identifying and properly responding to the attacks when they occur. Preparation means that each company should know what kind of attacks it is exposed to and what assets are the most vital to protect. Protection includes technological measures, processes, organization and awareness, through adequate and continuous briefing of the company’s employees.  Detection refers to the continuous monitoring and checking for signs of possible attacks, and their identification as soon as possible and while they are still in progress. Finally, response requires an action plan that will help the company minimize the impact of a cyber attack when it happens. Based on KPMG’s experience, the majority of organizations limit themselves to protection only and especially on the technological aspect.

Can we estimate the cost, in money and reputation that a business will suffer if it experiences an attack to its information systems?

Yes, it can be estimated to a significant extent through IT risk assessment. There are specific methodologies that we use in order to assess risk and its consequences. This assessment, though based on preset standards, is specific to each company and requires the active participation of the company’s personnel; this is the first step of response to attacks.

Padlock on closed metal door

What is the required cost for a business to protect itself against cyber attacks?

Based on KPMG’s experience, investment in cyber security ranges between 3% and 5% of IT’s annual budget. As stated above, the evaluation of information risks and their business impact constitutes best practice when it comes to determine the necessary level of security investment. In any case, investment in cyber security should be reviewed on an annual basis.  Moreover, investment should not be limited to the technological dimension or the mitigation of past problems, it should also concern the integration of security in the developing information systems (security by design). Still, investing in safe technology is not sufficient in itself. Without proper governance, effective processes, and the adoption of an appropriate culture and attitudes, technological solutions will not be worth the money spent. Let us not forget that programs are implemented, processes are adhered to, and technologies are operated and maintained by the people in the organizations.

Has the necessity to enhance cyber security been understood by firms in the Greek market? Which sectors are more ‘conscious’ and which ones need to be more mobilized?

The scale of cyber attacks in recent years and the visibility that they enjoy by the media have now awakened many Greek businesses. Traditionally, the sectors governed by a strict regulatory or legislative framework (e.g. financial institutions, telecommunications) have made significant investments to address cybercrime. We do however, see companies from other sectors taking steps to protect themselves.

What are the first steps that an organization needs to take in order to have information systems security? Does strategy change depending on the size of the company?

The first step is to identify the risks to which the company is exposed and what it wishes to protect more, and then to assess whether the existing security mechanisms adequately protect the organization against these risks. This differs in scope and complexity, depending on the size, activity and operating model of the company. In any case, the cyber security strategy should be an item on the management’s agenda, and not regarded as a matter for the IT to handle alone. This is the only way to keep the organization alert and ensures protection from cyber attacks and becomes part of corporate culture.

How can an organization evaluate its existing security mechanisms?

An important evaluation criterion is successful security breaches that were detected. Organizations however, should not be complacent in this respect. According to KPMG’s model of intelligent management of cyber risks, the success of security violations is based on the following dimensions: expertise, resources, motives, and the time available to cyber criminals. These dimensions vary continuously and are strongly influenced by the profile of the organization. In addition, the recording of these events by the organization may not be complete nor objective. Organizations should perform penetration tests regularly. These tests should be carried out by independent companies in the field, without the organization’s employees’ prior knowledge, and should simulate the attackers’ profile for each new dimension (know-how, resources, motives, and time).

With increased frequency, we hear that cyber security is among the strategic priorities of businesses internationally. How does KPMG respond to this growing need?

KPMG, having recognized this need of businesses has made cyber security one of its six growth initiatives, strengthening and deepening the scope of the relevant services through significant investment in R&D and acquisitions of companies specializing in cyber security. As a result, we have been recognized as a leader in this area Forrester’s new report titled ‘The Forrester WaveTM: Information Security Consulting Services, Q1 2016’.

© 2023 KPMG Advisors Single Member S.A., a Greek Societe Anonyme and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

Connect with us