Digital transformation is not a choice; it is a process that all firms must go through. But as companies transform their business by taking advantage of technologies such as mobility, internet of things (IoT) and cloud, there are security risks in digital transformation to consider.
The move to digitally-based services widens the attack surface substantially. The IoT trend, for example, improves business efficiency, but it also adds vast numbers of devices to corporate networks, many of them never patched and never designed to be.
At the same time, cloud adoption means firms are turning to third-party providers for a wide range of services. Without proper due diligence, those third parties can become the entry point for major cyber-attacks.
Take, for example, the 2018 Ticketmaster breach, in which the Magecart card-skimming attackers compromised JavaScript supplied by a third party and loaded on Ticketmaster's payment pages.
“Companies are turning to digitisation to stay ahead of their competitors. Yet this often-major shift can see firms implementing new technologies without first ensuring proper safeguards are in place,” says Emma Stevens, associate solicitor, Coffin Mew.
“Security of business and customer data is considered to be of paramount importance, but there is often a danger that the protection and ownership of this information can be overlooked when implementing new systems,” she says.
This can result in inadvertent problems, says Stevens – and in some cases, following the implementation of GDPR, “unexpected consequences”.
Changing outlook in the security risks in digital transformation
Technology including IoT creates a need to change your corporate security outlook, says Etienne Greeff, CTO and co-founder at SecureData. “There is no longer a traditional perimeter: instead it’s a disparate network of endpoints.”
Adding to this, many connected devices adopted within enterprises are not designed with security in mind. “Some IoT manufacturers might not have software patching processes and vulnerability management programmes in place at all,” Greeff warns. “Yet these endpoints are always on, can be connected to a corporate network, and become an open door through which attackers can infiltrate.”
To secure IoT, Greeff advises firms to research each vendor's policy on vulnerability disclosure and management before buying. “The British Standards Institution has introduced a kitemark for IoT devices which includes enterprise and ‘enhanced security’ categories. This gives IT buyers the ability to spot which companies are keeping to these standards when manufacturing devices.”
Another technology often part of a firm’s digital transformation is artificial intelligence (AI) and its subset, machine learning. Machine learning can and should be employed to solve very specific problems, Greeff says. Therefore, when looking for a cyber security partner, don’t fall for the “machine learning cure-all trap”, he advises.
Digital transformation programmes also tend to bring in DevOps, the agile ways of working in which development and operations teams build and ship software together. Among its benefits, the approach helps firms implement and deliver transformation programmes faster, says Darron Gibbard, chief technical security officer EMEA North at Qualys: “It helps developers put the software side together faster and get the results out to the IT operations team.”
However, he points out, problems occur when those teams collaborate without bringing security in at the start: the faster pipeline simply delivers insecure code sooner, and this is where the security risks of digital transformation become clear.
Firms should also be aware of their supply chain and the risks that come with it. Ashley Hurst, partner at Osborne Clarke, points out: “Businesses are increasingly partnering and sharing data with technology companies – for example, software-as-a-service (SaaS) platforms and cloud providers – which opens up further supply chain risks in relation to data and information security.”
The risk is compounded by the fact that many smaller third-party tool providers lack enterprise-grade security controls, making them easy targets for supply chain attacks. “This most often results in user data theft,” says Pedro Fortuna, CTO and founder at Jscrambler.
Security risks in digital transformation: Examining security practices
Beyond the technology choices, some simple steps improve security. Mark Hill, CIO at recruitment company Nelson Frank, has experienced the security issues that arise in digital transformation first-hand, and advises firms to take “a long, hard look at your security practices”.
He points out: “The big risk in digital transformation is, your attack vector is now much larger. Data is everywhere, and no longer hidden behind your firewalls.”
Greater access from more devices means companies need to focus on two key areas, Hill says. “Firstly, acknowledge that users are your biggest threat: they make mistakes, and they get duped by sophisticated scams. Educate to reduce your risk.
“Secondly, focus slightly less on the ‘castle walls’— your data centre and its perimeter — and more on the ‘treasure in the chest’— your actual data. Think about access management, data loss prevention (DLP), encryption, and strong authentication. Get all this right and you’ll be better off than most.”
Overall, firms undergoing digital transformation need to look at security in a different way, says Jason Hart, CTO of data protection at Gemalto. “You need to understand what your risks are. People might do penetration testing but for me that doesn’t equate to strong visibility and control around governance and security.”
Hart advises companies to build visibility of their data as part of the transformation process, so they can classify it and control who has access to it. In addition, says Hart: “Let’s eradicate static passwords and replace with multi-factor authentication.”
Meanwhile, according to Gibbard, third-party accounts should be audited. “And the organisations responsible for them have to meet your rules on security standards,” he says, adding: “This isn’t just best practice: The EU Update to General Data Protection Regulation (GDPR) states that any third party has to handle your customer information in a way that complies with security and data protection standards.”
At the same time, says Terry Storrar, sales director at MCSA, firms need to ensure users have the tools they need to do their jobs. “From the start of taking on a project, examine how you manage the risk. Make sure everyone sings the same song, and you measure security in a uniform way, using the same processes.”
Taking this into account, Simon McCalla, CTO at Nominet, says that when embracing new services, firms should ask: “What is the data policy; what is the risk; where is data being stored – and does this add to the risk of GDPR non-compliance?”
Meanwhile, George Gerchow, chief security officer at Sumo Logic, advocates looking at “progressive ways of doing security”. For example, he advises the use of bug bounties. “Open the door to the hacking community to try and breach you. This helps you to better secure your code.”
Staff training, too, is most effective when it includes techniques such as gamification. “The biggest single mistake is to punish people who download malware or click on the wrong link,” McCalla says. “If users start to benefit, it becomes something they look out for and forms part of the foundational culture.”