ebook img

Tech Risk Radar PDF

35 Pages·2016·2.34 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Tech Risk Radar

Technology risk radar Third edition 1 Contents Introduction 2 1 Media-reported events: key findings 3 What happened? 4 What were the causes? 5 Which industries were affected? 7 Sectors at a glance 8 2 A n industry view on key 9 technology risks Banking 10 Insurance 12 Investment management and funds 14 Consumer markets and retail 16 Technology, media, telecoms 18 Healthcare and pharmaceuticals 20 Energy and natural resources 22 Industrial manufacturing 24 Central government 26 Education 28 3 Our data analytics methodology 30 Media–reported events: data analytics 31 Contact us 32 © 2016 KPMG LLP , a UK limited liability partnership and a member r� m of the KPMG network of independent member r� ms afl� iated with KPMG International Cooperative (“KPMG International”) , a Swiss entity. All rights reserved. 2 Introduction What are the current and emerging technology- We all know there is a universal shift to a more digitally related risks that businesses face? What types of connected world. This means businesses need more advanced risk governance and management. The increased incidents have been reported in the press? What speed of technology developments and their impact on are the trends in different industries? And what business models and operations means businesses have to are the risks on the horizon facing businesses keep a constant eye on evolving risks, taking a rolling view on what is relevant to them. tomorrow? And, as organisations increasingly partner with other KPMG’s Technology Risk Radar seeks to provide answers to organisations and service providers, they need to consider such questions by combining extensive analysis of reported risks from the ‘extended enterprise’ perspective. The value technology incidents with qualitative insight from industry chain is only as strong as the weakest link. specialists. It provides a broad-ranging view of the global technology risk landscape by offering insight into what’s On the plus side, IT investment is back in vogue and many going on, and what’s going wrong, across the market. organisations are replacing legacy systems to allow them to keep up with competitors and new entrants. The best way to The Technology Risk Radar enables risk and audit succeed with new IT investment is employing the right level professionals to make better informed decisions about the of assurance over the right risks – for which this edition of risks they should address while providing insight into where Tech Risk Radar should help. reputational risks may lie. Clients have told us that they have found this information invaluable in audit and risk planning exercises as it helps point them towards where the risk lies and what’s driving it. This third version is a refresh from 2015 and is based on another year of research covering numerous publications and web sources around the world. We fltered these for duplication, categorising and cross-referencing them to produce an overall analysis and a view sector-by-sector. Andrew Shefford Kiran Nagaraj KPMG member frms’ industry experts then complemented this data by providing a narrative. Across most sectors we saw new topics emerge such as digital labour and social media. But KPMG member frms continue to see well-known risks around cyber security, use of third-party services and legacy systems. Paul Holland Priya Mouli © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member frms of the KPMG network are affliated. 3 Media-reported events: Key f indings © 2016 KPMG LLP , a UK limited liability partnership and a member r� m of the KPMG network of independent member r� ms afl� iated with KPMG International Cooperative (“KPMG International”) , a Swiss entity. All rights reserved. 4 What happened? IT did not meet Cyber security incidents continue to be the attention- c ustomer need grabbing element of technology risk within business today. But here is something interesting that our research IT did not behave uncovered - only a little over half of the 700+ surveyed IT as expected incidents were security related, with most being attributed An IT service or system was to data being stolen or compromised intentionally. About not available when required 36 percent affected the availability or performance of a key IT service. And an additional 9 percent affected the quality of 3 a key IT service with IT either not behaving as expected or not meeting customer need. 6.5 The proportion of incidents related to security, availability 20.7 and quality followed the same order across all ten industries surveyed, i.e., security related incidents were most prevalent, IT infrastructure followed by availability and quality related incidents. w as misused o r abused 22.8 These statistics are alarming, as these incidents must arise from a failure of internal controls – checks that should be a Figures are % basic element in any security control system, technological 15.5 or otherwise. Cyber security therefore, continues to be a key Performance area of concern for organisations. Later in this document, o f an IT service KPMG member frms technology risk specialists provide o r system w as some practical insights on how organisations can protect 5.3 degraded themselves and better prioritise their investment in this area. 26.2 Data was lost or e xposed unintentionally Data was stolen or compromised i ntentionally © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member frms of the KPMG network are affliated. 5 What were the causes? Over half (60 percent) of the total incidents across all Human error - policy violation, data entry industries were caused by specifc attacks, including hacking, Ineffective programme roll-out unauthorised access by an insider/third party provider, Human error - lost device malware, phishing, and website defacement. Physical theft Software For example, Technology, Media and Telecommunications (TMT) was primarily impacted by incidents caused by hacking followed by unauthorised access by an insider/third 4.6 party provider. As organisations in this industry increasingly Hardware outsource their IT service development and delivery, a number Denial of 1.8 2.3 0.8 15 of third parties have greater access to the IT systems and service the data housed, thereby exposing these organisations to 1.7 substantial risk. 3.5 Network In Energy and Natural Resources (ENR) almost 50 percent of Hacked - incidents were caused primarily by specifc attacks such as no further hacking and malware. Though there is a high level of cyber details 9.2 Other or security awareness in the ENR sector, organisations are often 29.1 Figures are % unknown unable to allocate suffcient budget to effectively manage IT risk due to the complex system footprint, huge IT inventory, 0.3 4.9 speed-to-market considerations, lower crude prices and 2 compliance obligations, resulting in reduced proftability. Backup 0.2 system Around 54 percent of total incidents in the education sector 2 5.2 were due to hacking and unauthorised access. These statistics seem high but make sense as the education sector manages H waecbkseitde -d efaced 2.8 11.6 3.1 Database ap elorst oonf aPl einrsfoornmalalyti oIdne onft isftaubdle nIntsfo, rinmtealtlieocnt u(PalI Ic) aspuictahl ,a asn tdh e Power Protected Health Information (PHI), as universities are often system affliated to hospitals. Additionally, smartphones used by the Phishing Malware student community prove to be easy targets for cyber-crime. Of the total incidents across all industries, about 30 percent Exploited a known were caused by glitches associated with software, network, vulnerability Unauthorised hardware and backup systems. access COMPONENT FAILURE OR ATTACK SPECIFIC ATTACK QUALITY © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member frms of the KPMG network are affliated. 6 What were the causes? We found that a shockingly high proportion of incidents system development processes: implementation of better were caused by factors generally considered “avoidable” testing practices and better software quality management in the TMT and Government sectors. Avoidable causes, approaches (including for outsourced services) can reduce the such as component failures contributed to by software risk presented by component failures. However, the increased and network glitches, led to around 35 percent of investment focus for such companies is to scale up their incidents in these sectors. These are avoidable as operations and innovate, to keep up with the competition and they can generally be prevented by taking the right disruption in the industry. precautions, exercising rigour when testing systems and The remaining 10 percent of the total incidents across building the right level of resilience to enable failover. all industries were attributed to avoidable errors such as Though specifc attacks continue to be a major threat, many ineffective program rollouts. Though many organisations organisations are still not getting some security basics right. invest in security related training, measuring its effectiveness is more than merely a measure of the training attendance ENR had almost 20 percent of incidents attributed to power and assessment success rates. Organisations need to think system failures. This is interesting given that this is the very increasingly about enabling and promoting a ‘Risk Culture’ to industry that provides electricity and power for its customers. increase risk-conscious behaviour and this needs to be driven As mentioned above, some organisations in this sector are from the top. unable to invest suffciently to manage IT risk. Financial services (composed of banking, insurance and investment management and funds) suffered almost half of incidents caused by component and system failures with the leading culprit being software. Organisations in this industry could consider investment in improving their application and © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member frms of the KPMG network are affliated. 7 Industries affected F Sienravniceiasl MCaorRnkseutasmi laenr,d HeaPlthacramrea and ERneesUrogutyirl,ic tNeiesas taunradl MIannduufascttruiariln g TMeTcehldenicaoo laomngdy, Government Education Tthheei rt oppo stiwtioon isn dhuasvter icehsa anfgfeecdt:e Tde cwhenroel otghye, sMamedeia a asn ldas Tte yleecaor,m amlthuonuicgaht ion, and Government, in order. • Technology now has the dubious privilege of being the industry most affected by IT incidents, according to our research. The 12.1% 5.3% 9.8% 1.5% 15.1% 25.0% 22.8% 8.4% growing shift to a digitally connected world with the pervasiveness of the Internet of Things (IoT), social media and digital labour, and the ubiquity of devices suggest that this industry will keep this top spot for some time. • Government comes in at number two. We believe that the government sector has this high ranking due to the public nature of its operations, increasing third party risk and ineffective project management. • The fnancial services industry has moved from the fourth most affected industry to the seventh among the ten industries surveyed. This may be attributed to the heavy regulatory environment within which FS organisations have built risk management capabilities that have arguably matured over the years. Interestingly the Fintech sector, which is a hybrid of Technology, media & telecoms – the most affected industry, and FS, is expected to face similar regulatory scrutiny. What is also interesting is that specifc types of incidents are affecting some industries more than others. For example: • Industrial manufacturing had a higher proportion of availability related incidents than any other industry. Availability also appeared to be signifcant problem in the fnancial services industry with 40 percent of incidents related to availability. • Quality issues continue to be a problem in the Government sector with almost 17 percent of incidents related to quality. © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member frms of the KPMG network are affliated. Energy and natural resources 8 Sectors at a glance TOP 10 RISKS IDENTIFIED FOR EACH SECTOR HIGRIHSEKST 10 9 8 7 6 5 4 3 2 1 LORWISEKST Overall avg Risk i nim d PpeEascRet SnaEdnCidnT gpO rooRrbdaebr ility Banking Insurance MaInnavgFeeusmntmdesennt ta nd MCaorRnkesetutasmi laenrd TelecTMoemcehmdniaou lnaoingcdya, t ions PHheaarlmthaccaereu taicnadl Enerrgeys oaunrdc ensatural maInudfuascttruiarli ng GoCvernntmrael nt (UEndivuecrastitoiens ) s(ctcrhoiter ise clc aotlowh aerec emrr otohsrese industries) aPcorors rsis okr gmaannisaagteiomn eantd a pligroncmesesnt 1 6 4 9 6 4 4 6 9 9 1 5.8 uDnedpernsduepnpcoert eodn liengfeaxciyb lsey satnedm s 2 4 6 4 6 6 4 4 6 9 6 5.5 P anodo ru cnyabuetrh oseriscuerdit ay,c ceybsser-crime 3 3 4 4 4 4 6 6 6 4 9 5.0 aNnodn -lecogmislpaltiaonc, ee w.gi.t hp riveagcuylation 4 4 3 4 6 4 9 4 2 6 6 4.8 bLaocakrd o rfe IpTr setsreantetagtyio and lack of 5 6 6 6 4 2 2 6 2 4 9 4.7 I cnaapdaebqiluitayt eto d laetvae rqaugaeli tdya atan dto l amcka noaf ge risk 6 4 2 9 2 9 6 2 2 4 1 4.1 I enmabeirlgitiyn gto t edcehpnloylo agnyd exploit 7 6 9 1 9 4 1 2 2 2 4 4.0 F bauiludr ein tcoo dnetrliovle, r epsrioligernacme maneds saencdu troit y 8 3 4 2 2 2 6 6 4 9 2 4.0 R coenlitarnocl ein o, nve, nanddo rpso/tohrir sde pcaurtiteys and 9 9 3 6 6 2 2 3 1 6 1 3.9 I anedf fdeecltiver yservice management 10 6 2 6 4 2 2 2 2 2 1 2.9 Ineffective IT asset management 11 2 2 2 2 3 3 2 3 3 4 2.6 I dnisaadsetqeur arteec orevseirliye ncacpea abnildit y 12 3 2 2 2 2 2 2 4 2 2 2.3 © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member r� ms of the KPMG network are afl� iated. 9 An industry v iew on key technology r isks © 2016 KPMG LLP , a UK limited liability partnership and a member r� m of the KPMG network of independent member r� ms afl� iated with KPMG International Cooperative (“KPMG International”) , a Swiss entity. All rights reserved.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.