When digital transformation projects are well underway, significant risks remain
In a competitive business environment, companies are under increasing pressure to cut costs and improve efficiency. Over the last few years, this has resulted in a digital transformation drive with firms embracing technologies such as cloud, internet of things and artificial intelligence (AI).
Create a culture of ‘it’s OK to make a mistake; let’s learn from it’ and that starts right at the top
Digital can boost a company’s bottom line, but the area also comes with increased risks. While the European Union’s General Data Protection Regulation has generally improved data governance, it’s still a challenge for firms to manage their growing digital estates.
The issue lies in the fact that data managed by businesses is vast and disparate. Indeed, software-as-a-service applications intended to drive efficiency are being used across the organisation, often without IT’s knowledge, and data can spiral out of control.
Products and processes which offer oversight are crucial
Amid this complex environment, there is a growing need for company-wide oversight in digital transformation. Visibility is an important first step; firms must identify which departments are most at risk and apply a policy across the business.
For example, developers can pose a big problem for organisations, according to Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK and Ireland. “Their devices might not be as locked down as a typical user’s. A system administrator might download products from the internet to have a play with, but they could lack the security controls on their devices required to have that level of access,” she says.
Making things worse, companies often have no idea exactly how many apps are running throughout the business. “A company might think they are using 200 apps and services, but find after an analysis across their estate there are 4,000,” says Ms Armstrong-Smith. “It is even possible that some applications are based on an older version of the same product, which opens backdoors to the estate for attackers to exploit.”
To gain visibility, Karl Foster, legal director at Blake Morgan, advises firms to consider software solutions in a market segment dubbed regulatory tech or regtech. These products can help a business assess risk while managing and putting data in an understandable form. “It will take away some of the difficulties,” he says. “It makes people think before they send out that email.”
Organisations need to know the “why” behind digital actions
Strategic thinking taking the security risks into account should be in place from the start of any digital transformation project, says Carolyn Crandall, security consultant at Attivo Networks. “If it’s not possible to secure a product through the vendor, are you confident you can do so in-house? It takes leading-edge thinking,” she says.
Lisa Hamilton, Deloitte UK cyber associate director, concurs. She emphasises the importance of clear communication. “Educating teams and increasing awareness within the business is one way to help identify the associated digital risks,” says Ms Hamilton.
As part of this, firms should try to understand users’ motives. Ms Armstrong-Smith asks: “Is there a reason why they are downloading extra things from the internet? Are the corporate systems not good enough to do their jobs?
“Understand the business context of ‘why’, then see if there should be any lockdown on those devices. If you allow your developers different levels of accessibility, could you put that on a separate network? Understand the business need versus the risk.”
It makes sense to implement a firm policy outlining who has access to what, says George Gerchow, chief security officer at Sumo Logic. He advises: “Create a culture of ‘it’s OK to make a mistake; let’s learn from it’ and that starts right at the top.”
Digital oversight should not be left solely to the CIO
It’s also important to note that fixing the issue isn’t just the chief information officer’s job, says Rob Lamb, chief technology officer at Dell EMC UK and Ireland. “The CIO is at the heart of it, but it’s about engagement with all lines of the business, including the board,” he says.
Better and more frequent communication with senior leadership is therefore important. “We know senior executives perceive security as a leading threat; more regular briefings will help better align the cybersecurity provision to business needs,” says Paul Taylor, partner, cybersecurity, at KPMG UK.
A more measured approach to digital transformation can make a difference, but it will take time. Firms also need to take into account any challenges that might arise when implementing a risk management plan. For example, employees might be resistant to changing the way they use technology.
To avoid this, communication and careful planning is key, says Mr Lamb. “Inevitably with any large change or transformation there will be naysayers. Mandates and policies are an effective tool, but communication is important, so people understand,” he says.
Mr Lamb advocates a programme including cultural and organisational change. “You have to tear down some cultural and operational barriers,” he says. “Imbed skills and capabilities in teams that wouldn’t normally be seen together.”
In an age of frequent and sophisticated cyberattacks, security must be at the forefront of any digital transformation project. Getting this right will ultimately impact the bottom line, says Mr Foster. “In some industries, the growth of AI greatly improves customer service. That is why this technology is worth managing from a risk and security perspective,” he concludes.
Three business functions with high levels of cyber-risk
As businesses strive to transform digitally, any part of the business can pose a risk. However, three key areas often create a surprising number of issues
01 Human resources
HR departments are among the most likely to use software-as-a-service (SaaS). If risk and security haven’t been factored into this, it can lead to the exposure of employee data and be in breach of the General Data Protection Regulation (GDPR), says Rob Lamb at Dell EMC UK and Ireland.
People can take their eye off the ball when it comes to internal back-office platforms, such as SaaS payroll, says Sarah Armstrong-Smith at Fujitsu UK and Ireland. “Those HR systems are rife with personal data, including all the diversity and inclusion information which under GDPR is protected: disabilities, sexual orientation, it’s really sensitive,” she says. “It’s easy to buy off-the-shelf products, but think about access controls and the security of these services, and how they are being managed.”
02 Legal and commercial teams
Another area of potential risk is legal and commercial teams. These will often handle data on contracts or disputes that a firm would not want in the public domain. “If that’s on an open email cloud platform, attackers might be able to access these types of documents,” says Ms Armstrong-Smith.
Marketing departments deal with vast amounts of data on a day-to-day basis, but it’s easy for companies to lose control of this information, including marketing plans, trends and even intellectual property rights. If an attacker was able to access this data, they could try and sabotage a firm’s approach, warns Ms Armstrong-Smith.