
Cyber security: Are consumer companies up to the challenge?
A survey of webcast participants
kpmg.com

Cyber security: It's not just about technology

Technology has truly empowered the customer and is rapidly changing the consumer
industry. While all digital channels, as well as brick and mortar, are being integrated
to provide a seamless brand and shopping experience, the technological advances
making this possible are also making companies increasingly vulnerable. Threats from
cyber criminals and hacktivists are growing in scale and sophistication. Customers,
investors, and regulators are all demanding stepped-up efforts when it comes to cyber
security, and organizations are subject to a growing body of legislative, corporate,
and regulatory requirements.

From profit, customer, and data loss to operations disruption and reputation damage, cyber
crime has enormous implications for any business. Organizations need to take action to
reduce the risk of a data breach. And when a breach occurs, they need to act quickly and
efficiently to manage and resolve the issue with as little damage as possible.
Focusing on technology alone to address these issues is not enough.

In April 2014, KPMG held a webcast entitled "Cyber security: It's not just
about technology," which focused on assessing and effectively managing cyber
risk. Participants were provided with a concrete model they can use to assess their
organization's cyber maturity and to implement sustainable cyber security practices.
Our conversation covered:
- Evolving cyber threats: what is new?
- The cyber landscape: how consumer organizations are responding
- The Cyber Maturity Assessment: how to find answers to "Are we prepared?" and
  "How safe are we?"
- Immediate action items: 10 key questions to determine next steps
To view a replay of the webcast, go to:
www.kpmg.com/us/CSWebcast

During KPMG's cyber security webcast, more than 100 professionals
from the retail and food, drink, and consumer goods industry
responded to survey questions about their organizations and cyber
security. The results reveal that, despite the attention cyber threats
have received from the media and industry organizations, the majority
of consumer companies have a long way to go to effectively mitigate
cyber risk and manage evolving threats. Explore our findings, and the
perspectives of our cyber security specialists, to learn how your
organization compares to those surveyed in such areas as cyber
readiness, and how you can effectively address the complex challenge
of cyber security.

Effectively managing cyber risk means putting in place the right governance
and the right supporting processes, along with the right enabling technology.

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
Printed in the U.S.A. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of
KPMG International. NDPPS 259750

Cyber security is front and center

In the last six months, more than 86 percent of survey participants'
organizations have increased their focus on cyber security.

Survey question 1
Please select the statement below that best describes your organization in the
last six months.

[Bar chart: "There has been a significant increase in our focus on cyber security" 44%;
"There has been some increase in our focus on cyber security" 42%; the values for
"There has been no change in our focus on cyber security," "Don't know," and
"There has been less focus on cyber security" are not recoverable from the extracted
chart. Combined, 86% increased their focus.]
Respondents: 107

KPMG insights: Cyber security is an important concern for every organization, and
consumer businesses are ideal targets for hackers trying to capture cardholder data
and steal customer identities. Clearly, the recent cyber breaches were a wake-up call
for the industry. The majority of retailers and consumer packaged goods companies
have elevated cyber security to the top of their agendas.

Daily occurrences demonstrate the risk posed by cyber attackers, from individual,
opportunistic hackers to professional and organized groups of cyber criminals with
strategies for systematically stealing intellectual property and disrupting business.
The management of any organization faces the task of ensuring that its organization
understands the risks and sets the right priorities. While this is no easy task, it
is essential that leaders take control of allocating resources to deal with cyber
security, actively manage governance and decision making over cyber security, and
build an informed and knowledgeable organizational culture.

Innovation and transformation: rewards worth the risk

Participants indicate that business model and operational changes, along
with new technologies, are having a significant impact on their organizations.

Survey question 2
Which of the trends listed below is having the most impact on your organization?

[Bar chart]
  Change in the way business is conducted: cloud computing, big data, social media,
    consumerization, BYOD, mobile banking ............................ 46
  External threats: organized crime, nation-states, cyber espionage, hacktivism,
    insider threats .................................................. 27
  Regulatory compliance: data loss, privacy, records management ....... 18
  Rapid technology change: critical national infrastructure, smart/metering,
    Internet of all things ........................................... (not recoverable from the extracted chart)
  Changing market and client needs: strategic shift, situational awareness,
    intelligence sharing, cyber response ............................. (not recoverable from the extracted chart)
  Don't know ........................................................... (not recoverable from the extracted chart)
  None of the above .................................................... 1
Respondents: 111

KPMG insights: Most consumer companies are not being driven by fear, uncertainty, or
doubt. They see the potential that rapidly advancing technology has and continue to explore
new ways of doing business, new ways of running a business, and new ways to better
understand and engage with consumers. However, technology does not come without
challenges. Companies must balance a relentless pursuit of innovation with assessing and
effectively managing risk.

Cyber crime risks can be controlled. The key is to embed security and risk management
processes in technology and related initiatives, right from the get-go. By treating cyber
security as business as usual and balancing investment between risks and potential
impacts, an organization can be well prepared to combat cyber crime.

Unprepared for a data breach

Only 36 percent of survey participants indicated that their
organization has a formal cyber incident response plan.

Survey question 3
Does your organization have a formal cyber incident response plan?

[Pie chart: "Yes" 36. The remaining values shown (20, 16, 33) belong to
"Not yet, but in the process of defining the plan," "No," and "Don't know,"
but their assignment to those options is not recoverable from the extracted chart.]
Respondents: 105

KPMG insights: The majority of consumer companies are not yet considering
how they will respond to a data breach before it occurs. When companies do not
have a formal cyber incident response plan, now considered a standard of care
across industries, they are forced to rely on the ad hoc action of their people,
leaving the outcome unpredictable and unreliable. Mishandling an incident is a
major liability, potentially costing billions of dollars and having the potential to
destroy a brand virtually overnight. In some cases, not having a plan may even be
perceived as negligence and become a legal liability.

Additionally, should an incident occur, organizations need to ensure that it is
evaluated in such a way that lessons can be learned. In practice, however,
actions are driven by real-time incidents and often are not recorded or evaluated.
This destroys the ability of the organization to learn and put better security
arrangements in place in the future.

Organizations can reduce the risks to their business by building up
capabilities in three critical areas: prevention, detection, and response.

Prevention
Prevention begins with governance and organization. It is about installing
fundamental measures, including placing responsibility for dealing with cyber crime
within the organization and developing awareness training for key staff.

Detection
Through monitoring of critical events and incidents, an organization can strengthen
its technological detection measures. Monitoring and data mining together form
an excellent instrument to detect strange patterns in data traffic, to find the
location on which the attacks focus, and to observe system performance.

Response
Response refers to activating a well-rehearsed plan as soon as evidence of a
possible attack occurs. During an attack, the organization should be able to
directly deactivate all technology affected. When developing a response and
recovery plan, an organization should perceive cyber security as a continuous
process and not as a one-off solution.

Cyber security demands attention

Less than 20 percent of survey participants have a chief information security
officer dedicated to overseeing cyber security at their organization.

Survey question 4
At your organization, who is responsible for cyber security?

  Chief information officer ................................................ 44%
  Chief information security officer ....................................... 19%
  There is shared responsibility between several departments ............... 16%
  Other .................................................................... 8%
  Chief financial officer .................................................. 7%
  Don't know ............................................................... 6%
Respondents: 105

KPMG insights: Across the marketplace, we are seeing chief information security officers
taking on much more prominent roles. Survey results reveal that consumer companies
are moving more slowly in adopting this approach than other industries. Given the complexity
and multidisciplinary nature of the problem, cyber security demands direct management
attention. Companies should be evaluating their leadership models to ensure effective
oversight of security operations and support of risk and compliance functions.

High-profile data breaches of retail and CPG companies exposed the massive drop
in shareholder value which can result from ineffective cyber security. In other words,
defending against cyber crime became a board problem. As a result, cyber security
initiatives in the consumer industry are being driven from the top down. From boards, to
audit and risk committees, to CEOs, CFOs, CIOs, and CISOs, leadership is under immense
pressure to show progress in securing systems and managing risk and compliance, and they
are seizing control of cyber.

Have you considered
- Having an on-call expert forensic team to provide on-demand
  response, analysis, containment, eradication, and investigation of any
  threat, concern, or incident?
- Establishing a relationship with outside counsel to mitigate potential
  exposure of a data breach?

Merely average at cyber security

Nearly three-quarters of survey respondents rate their organization's
cyber maturity level as average or below.

Survey question 5
On a scale where 1 indicates informal and 5 indicates industry leading,
where would you rank your organization's cyber maturity level?

[Bar chart, vertical axis 0 to 50. Categories: <1, 1-2, 2-3, 3-4, 4-5, Don't know.
Values visible in the extracted chart: 22, 22, 9, and 5, where 5 corresponds to the
industry-leading 4-5 band per the insights below; the remaining bars and the
assignment of the other values are not recoverable from the extracted chart.]
Respondents: 107

KPMG insights: Cyber security has historically been a neglected area in consumer
companies. It's no wonder that only five percent of organizations believe they have
industry-leading levels of cyber maturity. With the growth of omni-channel retailing
exposing new risks, and regulatory watchdogs sharpening their teeth, the industry
needs to play catch-up. Now is the time to increase the focus on cyber security.

At KPMG, we consider six key dimensions that together provide a wide-ranging and
in-depth view of an organization's cyber maturity.

Leadership and governance
Is the board demonstrating due diligence, ownership, and effective management
of risk?

Human factors
What is the level and integration of a security culture that empowers and ensures the
right people, skills, culture and knowledge?

Information risk management
How robust is the approach to achieving comprehensive and effective risk
management of information throughout the organization and its delivery and
supply partners?

Business continuity
Have we made preparations for a security event and the ability to prevent or minimize
the impact through successful crisis and stakeholder management?

Operations and technology
What is the level of control measures implemented to address identified risks and
minimize the impact of compromise?

Legal and compliance
Are we complying with relevant regulatory and international certification standards?

About KPMG's cyber security services

With award-winning, global cyber security specialists who are at the forefront of the
cyber agenda, KPMG helps the world's leading organizations solve the biggest
cyber security challenges of today and tomorrow. Our capabilities cut across the
entire cyber security spectrum: information protection, privacy, and security;
threat intelligence and cyber investigations; business resilience and continuity;
risk management and compliance; and governance, strategy, and operations. Through
our global network of KPMG member firms, we have the deep consumer industry
insight and vast knowledge on the evolving cyber landscape and regulatory environment
necessary to help you manage cyber risk across a broad spectrum of evolving threats.

Contact us

Tony Buffomante
Principal
Information Protection and Business Resilience
E: abuffomante@kpmg.com

Ronald Plesco, Jr.
Managing Director
Cyber Investigations, Forensic Services
E: rplesco@kpmg.com

Dennis Van Ham
Director
Information Protection and Business Resilience
E: dennisvanham@kpmg.com

Tony Buffomante is KPMG's US leader for Cyber Security Assessment and
specializes in information security, privacy and business continuity. Over
the past 20 years, he has managed and executed Information Technology
security strategies, assessments and implementations for some of the
largest global organizations. Tony is a recognized industry leader in
information protection, frequently speaking at industry conferences and
instructing at training seminars both nationally and internationally.

Ron Plesco is an internationally known information security and privacy attorney
with 16 years' experience in cyber investigations, information assurance,
privacy, identity management, computer crime, and emerging cyber threats
and technology solutions. Ron is the National Lead of the KPMG Cyber
Investigations, Intelligence and Analytics practice. He joined KPMG in 2012 after
a distinguished career in the private and public sectors, and is a frequent
speaker nationally.

Dennis Van Ham focuses on transformational projects and on overall
strategy and governance in cyber security and threat intelligence. In
2012, he joined KPMG's US firm from the Netherlands office and is currently
responsible for the execution and the ongoing development of the firm's Cyber
Security Assessment services. In his 15-year tenure, he has acquired deep
industry experience in Retail, Oil & Gas, Financial Services and Healthcare.

kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual
or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information
without appropriate professional advice after a thorough examination of the particular situation.
