Special feature from Mark Lunt, Managing Director at JOS and Anwar McEntee, Senior Business Manager at Adura Hong Kong, JLT’s Cyber Consortium Partners
Once upon a time, there was a digital transformation (DX) leader. This transformation leader delivered a technology project that met objectives, delivered on schedule and on budget. Everyone was delighted, until the company’s corporate data appeared for sale on a dark web forum.
Sadly, that transformation manager is no longer with the company. This little fable is unfortunately a reality for more companies than the statistics indicate. We’re going to review a couple of oversights that largely contribute to these statistics and how to avoid going from hero to zero.
Far too often, transformation initiatives, or just platform upgrades, don’t include sufficient security risk input throughout the various project lifecycles. The business case needs to, not only extol all the business benefits and competitive advantages of a new technology, but also include a comprehensive risk review.
The conversation needs to start with risk and follow through by identifying assets and the likelihood and impact of attacks, including dollar values. The objective is to simply ensure the company’s (security) risks are identified and accounted for, by balancing security controls against the transformation functions. If this is done from the beginning of the project plan, the business can rest assured that they’ve helped to minimise the impact of attacks (or system failures) to the business.
Digital transformation is about digitising processes, services and business models that yield agility, efficiency and competitive advantage. Gartner says by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk effectively.
This staggering statistic forces the discussion about balancing digital risk with sought-after transformational functions. If we look at Digital Transformation, we can start the conversation around three areas: infrastructure, people and risk/ threat landscape.
We know infrastructure is constantly changing and evolving. With users, both internal and external, being the benefactors of the new technology, but also a conduit to attacks. Evolving threat vectors and the actors behind the threats are currently stepping up their attacks against both.
We’re getting better at installing security protection kits, like firewalls and intrusion prevention systems, but today’s attacks are focusing more on people and the transformational applications they use. Most enterprises are not going to improve their risk levels by stacking up more security systems, when their general staff are inadvertently installing malicious software anyway.
Moreover, protection devices aren’t going to stop loss of data if the transformational applications are not properly tested. As it stands, the leading method for extracting data from organisations is through the very applications deployed to transform the business.
Security awareness training can significantly improve an organisation’s resilience. More than just informative emails, a training program that integrates email phishing tests goes a long way to make the training stick, given the interaction and educational quizzes. Phishing and business email compromise attacks figure in over 90% of breaches and losses today, so it’s a good place to start looking to reduce your risk. In terms of attack evolution, this year’s trends show that many phishing emails don’t include malicious links or feature malware infested attachments. Hackers are more patient now, they know that with a little more social engineering effort, they can obtain the information they need to advance an attack on the business.
There are well publicised breaches, such as Deloitte’s O365 migration project, that involve hackers accessing emails using stolen admin credentials. This led to the exposure of over 244,000 employee email accounts and customer communications. Worse yet, a massive breach at Equifax exposed private data of almost half the US population. An investigation has shown how difficult it is to keep all of a company’s systems updated. The company knew about the vulnerability within a particular application, but didn’t have the resources to resolve the issue before the hackers took advantage.
The lessons here are: Focus on the evolving risks surrounding the people on both sides of your digital systems, internal and external, including partners and supply chain vendors. Second, review and test the applications underpinning your digital transformation programs.
As Verizon’s Data Breach Report 2018 has shown, web applications continue to be the number one method that bad actors employ to steal enterprise data. Frequent web application scanning should be adopted, along with an independent web application penetration test that includes the underlying web server infrastructure. The objective is not to be 100% impenetrable, but just secure enough to be too difficult and thus costly for bad actors to make you another breach statistic.