To think that Digital Transformation will mean avoiding cyber risks is naive and we need to turn our attention to how we manage the risks presented to us as a result. Chris Miller, Regional Director – UK & Ireland at RSA Security, suggests four strategic steps to help manage digital risk.
Digital Transformation is impacting every industry. It is helping companies to create new and improved customer experiences, deliver new products and services, optimise operations, reduce costs and ultimately increase margins. On top of this, we are seeing new business models emerging, such as the gig economy, along with dynamic new partnerships that expand business borders. We are assured at every turn that the possibilities are endless – sounds great, right?
There are always two sides to every story. Digital Transformation is increasing the complexity of the IT ecosystem, creating a web of interdependencies between internal and external stakeholders and supply chain parties, increasing third-party risk. Add to this the huge pressure to be first-to-market and the unprecedented need for speed, our increasing reliance on data and technology, and the disappearance of the perimeter, and you have a potent cocktail of digital risks. In this context, it is vital that organisations fight fire with fire by creating a strong digital risk strategy that will help Digital Transformation become a success.
As the game gets harder, we need to get smarter
Managing digital risk is harder than ever, because digital ecosystems have become so much more complex. Once upon a time, you may have just looked after your network perimeter and stored all your critical data on physical servers; that has all changed. Today, even financial services organisations will be using cloud to some degree and the number of applications that rely on customer data has exploded. The perimeter has also expanded; some would say that there is no perimeter anymore. An enterprise cannot exist in a vacuum. Successful organisations have evolved into hybrid beasts that are reliant on technology providers and partners to exist and operate. It’s not enough to just protect your own; the threat from within can often be an external partner that you have welcomed into the fold.
Added to this, with so much change happening across enterprise networks, it is harder than ever to determine what is good versus bad; is a network anomaly being caused by a malicious actor, or is it just a harmless consequence of a new system upgrade? Either way, ultimately, the attack surface and opportunity for hackers to find a weak link in the chain is dramatically increased. The threat landscape is evolving too. Hackers are constantly looking for ways to evade detection, building malware that appears innocent to security scanners or exploiting zero-day vulnerabilities that are yet to be made public. The task of protecting our organisations from external and internal threats grows every day, so we need to mirror our adversaries and work smarter rather than harder, to defend against them.
Speed is essential to defuse issues
Digital Transformation is creating so many new doors into the enterprise that it is almost impossible to ensure that nothing gets through. It is increasingly likely that your organisation has been breached – you just don’t know about it. By assuming that you have already been breached you can refocus teams on finding the threat within. Speed is of the essence here. The longer the dwell time – i.e. the time that an attacker has access to your systems post-breach – the more damage they can do testing systems, inserting back doors, and exfiltrating data. Therefore, it’s vital to find them quickly.
Once a threat has been identified, the pressure is on to fix the problem fast as well. IT ecosystems have become hyper-connected and work at hyper-speed, so when something goes wrong the ripple spreads like wildfire. If systems are taken offline, then the disruption to the organisation can be very painful, disrupting customers and partners and creating huge cost and reputational damage. Once the news goes public, the clock is ticking to provide answers – what data was affected? How did the hackers get in? What else did they do when they had access to systems? Being able to get answers to these questions quickly could make the difference between a disaster and a bad day.
Four-step guide to managing digital risk
While this paints a rather gloomy picture, we shouldn’t throw in the towel just yet. Yes, Digital Transformation will create risk but there are also huge business benefits. The important thing is to be aware of the risks and create a digital risk management strategy that limits your exposure by:
- Understanding your risk exposure: Knowledge is key to identifying and prioritising cyberthreats. You can manage risk more proactively if you build a clear picture of the criticality of your assets and how a cyberattack on these would impact business operations.
- Bringing security into the fold: Your security team can’t protect what they can’t see. Including security teams in your Digital Transformation projects will help to head off potential issues at an early stage and ensure that the team is aware of all the risks and threats that they need to monitor for.
- Knowing your data: Many Digital Transformation projects are very data-reliant, which brings inherent risks, particularly if it’s customer data. Knowing what data is the most important to the business and how it is being used will help teams to prioritise security and ensure that the company crown jewels are protected.
- Turning down the noise: Security teams are under pressure to tackle threats and while technology is only one piece of the puzzle, it’s an important one and should be continuously reviewed to ensure it’s keeping up with the adversaries. Rolling out new tech such as automation, AI and Machine Learning can help find and automatically respond to attacks, which reduces the noise that analysts must deal with.
In order to manage digital risk in an environment that is getting increasingly complex, we need to work smarter, not harder. While a hyper-connected digital environment is good for business, it can also amplify digital risks. For every new business opportunity, we need to remember that there’s a new opportunity for malicious parties too. Creating a digital risk strategy will help your organisation to anticipate the hazards and put in place procedures to handle the unpredictable, helping to ensure your Digital Transformation is a success.