Over the last few years, organizations small and large have been undertaking some sort of digital transformation initiative. This can take the form of improving the customer experience at a physical shopping location using interactive technology, or of designing new processes that optimize the monitoring and performance of tasks through a mobile application. Organizational customers, whether internal or external, can reap the benefits of these new digital technologies to increase the effectiveness and/or efficiency of the tasks they perform to produce a desired result. Designing the technology features and supporting processes that customers demand, however, can increase risk in areas of the business where it is not expected.
As enterprises look to become more agile and predictive, increase revenues, target new audiences and introduce new products through a digital transformation initiative, they must weigh the costs and benefits across the full spectrum of Cybersecurity. Continuous Cybersecurity use case development during a Digital Transformation can help enable the success of the program by protecting critical information and the technologies used to drive the transformation.
Risk and Reward in the Cloud
There are many examples of how enterprises are bringing digital technologies into the workspace as well as to their customers, including the use of applications that reside in the cloud. Although new applications within the cloud provide capabilities such as hosting and storage, access to these applications needs to be governed to ensure that inappropriate access to protected data is minimized. Per the 2016 Symantec Shadow Data Report, “The average enterprise uses an average of 928 cloud applications, 20 times more applications than the organization thinks they use.” This is where the notion of “Shadow IT” arises around the enterprise: those planning to perform a Digital Transformation need to be aware of the applications created and used to enable the transformation, and of how each one affects the organization's classification of its data. Applying security measures through policies, procedures and designed processes supports standardized data usage, limited to those who have a need to access that data and have been trained on how to use and protect it. Another example comes from the 2017 Symantec Internet Security Threat Report: “The DNS provider, Dyn, experienced a Distributed Denial of Service (DDoS) attack, affecting services provided by numerous enterprises, including Amazon Web Services, SoundCloud, Spotify, and GitHub. It underlined the risks businesses take when using cloud services.” Organizations relying on one or many of these applications were affected, placing the performance of their Digital Transformation program at risk.
Governance, Risk and Compliance
Another priority area that needs to be addressed within a Digital Transformation initiative is compliance. Per a Symantec CloudSOC analysis report, “25% of all shadow data (business data stored in the cloud without IT’s consent or knowledge) is ‘broadly shared’, increasing its risk of exposure. Three percent of this ‘broadly shared’ data is compliance related.” Within this report, “41% contained Personally Identifiable Information (PII), 49% contained Protected Health Information, and 10% contained Payment Card Industry (or credit card related) data.” Cybersecurity protections for handling sensitive data need to be put in place when deploying new digital technologies, whether through new and optimized controls within the security infrastructure, mature software update practices, strict identity and access management with well-defined permission rule sets, or resilient response plans for when incidents do occur. Governance, Risk and Compliance teams need to be brought in early and often during Digital Transformation initiatives to ensure that obligatory actions are updated and optimized as new processes and technologies that affect organizational compliance requirements are adopted.
Internet of Things
During the last few years, I have seen a drastic increase in the use of Internet of Things devices during the implementation of a Digital Transformation, especially as it relates to improving the overall customer experience as well as the performance of business operations. According to the 2017 Symantec Internet Security Threat Report, “Attacks on Symantec’s Internet of Things honeypot almost doubled from January to December 2016. An average of almost 4.6 unique IP addresses were hitting the honeypot every hour in January, but this increased to an average of just over 8.8 in December.” As organizations implement connected devices, from digital technologies in the office and home and sensors capturing large amounts of data to basic recording devices such as cameras and DVRs, the proper security controls and software patches must be distributed to minimize device vulnerabilities and to prevent those devices from being used to compromise the network.
As we at Lewis Fowler have partnered with clients on implementing new technologies through a structured transformation, we emphasize the use of Cybersecurity governance frameworks such as ISO 27001, COBIT and the NIST Cybersecurity Framework when initiating and planning new transformational programs. Integrating the steps these guidelines prescribe will help shape appropriate Cybersecurity measures through the implementation of controls built around an organization’s risk tolerance and its overall focus on the end user and/or customer. As processes and technologies evolve over the course of a transformation, so will the Cybersecurity actions needed to ensure that data, connected devices and cloud applications are protected from malicious actors and advanced persistent threats.