Is digital transformation compromising security?

As companies scramble to embrace new technologies, security surrounding sensitive data remains an afterthought

Digital transformation brings exciting opportunities, allowing companies to collaborate, share data, and engage with employees and customers. However, it also opens new realms of risk, and there is evidence that businesses are struggling to keep pace.

The issue is that technology is moving faster than the ability of businesses to protect themselves from cybercrime

Howard Dickel, Step5

The recently published Thales Data Threat Report 2019, for example, makes for alarming reading, suggesting that more than two thirds of companies are not using encryption as part of their digital transformation. There are numerous areas of potential concern, says Howard Dickel, CEO of Step5, a consultancy that specialises in business transformation. He points to the type of key data that is shared through supply chains, such as displaying stock holdings at a wholesaler to enable just-​in-​time stock control.

“Sharing data beyond the secure boundaries of the organisation opens up new vulnerabilities,” he says. “The issue is that technology is moving faster than the ability of businesses to protect themselves from cybercrime.”

Zak Virdi, UK managing director at SoftwareONE, says it is important to have a cohesive strategy in place before introducing digital solutions; this can prevent problems further down the line.

“These tools are designed to connect employees more effectively, but they can have the opposite effect if, for instance, one department is using a particular tool but another one is completely unaware of its existence,” he explains. “Moreover, introducing new technologies that are not sanctioned for use by senior leaders – frequently known as Shadow IT – can lead to security issues that can be difficult to remedy.”

Building a digital workplace is not simply a matter of introducing technologies and hoping they take hold, Mr Virdi says, but having a specific lifecycle plan for every new tool that is introduced. “If businesses adopt and maintain this mindset, the long-​term benefits will be significant,” he says.

The Thales report found that half of companies spend just 6–15 per cent of their overall security budget on data security, and a mere 0.6–3 per cent of their overall IT budget.

“Whilst levels of digital maturity and cyber security maturity are closely linked, the trend we are seeing is that cyber security maturity is not keeping pace with digital transformation efforts underway in most companies,” says Tom Lemon, a managing director in the technology consulting practice at Protiviti, a consultancy. “This is a worrying trend that needs to be urgently addressed.”

Security must be at the forefront of all digital transformation initiatives, Mr Lemon says.

“All organisations must understand the link between new technology and increased cyber risk. They must instill a culture from the top down that cyber security is a must have and put in place practices that make it integral to all business change activity. It must be an enabler that will add value to business propositions, rather than as a blocker that slows them down.”

Ojas Rege, chief strategy officer at mobile device management specialist MobileIron, warns that security must be embedded in the architecture of a project.

“Companies will come up with really transformative processes but won’t give thought on the security until further down the line, and then whoever carries out the security review at that point identifies gaps,” he explains. “The entire value of digital transformation is that you’re digitising information, allowing that information to flow through the organisation and changing a business process.”

Embedding security retrospectively is impossible without causing significant disruption to the business being digitally transformed, says Mr Rege, using the analogy of buying a new home.

“The way I think about it is you have bought an incredible house, but didn’t realise until you moved in that you were in the worst part of town. Retrospectively, you can put locks on your door, install alarms, but you are still going to get mugged walking out to your mailbox,” he says. “You can fill in some of the cracks and address some of the most important things, but security has to be embedded in the architecture.”

According to Step5, roughly 90 per cent of the security focus to date has been on technical initiatives like securing digital platforms and networks. However, to truly embed security in their transformations, companies “need to be looking above ground,” says Mr Dickel.

Everything that makes digital transformation attractive for customers and users, such as speed and convenience, is equally attractive for cybercriminalse

Howard Dickel, Step5

“This means ensuring that cyber security is represented at board level and fully integrated into the way the organisation is run. The key is to create a digital strategy that embraces new technologies while securing the digital enterprise,” he explains.

“Everything that makes digital transformation attractive for customers and users, such as speed and convenience, is equally attractive for cybercriminals. Technology advances make it easier than ever for them to develop new tactics and break through traditional defences.”

As companies rush to embrace new technologies in the name of digital transformation, cybersecurity is often lacking. Before any organisation embarks on its digital transformation journey, it must ensure the security fundamentals are in place.