Avoiding the pitfalls of digital transformation

30 October 2018

Special feature from Mark Lunt, Managing Director at JOS and Anwar McEntee, Senior Business Manager at Adura Hong Kong, JLT’s Cyber Consortium Partners.

Once upon a time, there was a digital transformation (DX) leader. This transformation leader delivered a technology project that met objectives, delivered on schedule and on budget. Everyone was delighted, until the company’s corporate data appeared for sale on a dark web forum.

Sadly, that transformation manager is no longer with the company. This little fable is unfortunately a reality for more companies than the statistics indicate. We’re going to review a couple of oversights that largely contribute to these statistics and how to avoid going from hero to zero.

Far too often, transformation initiatives, or even plain platform upgrades, do not include sufficient security risk input throughout the project lifecycle. The business case needs not only to extol the business benefits and competitive advantages of a new technology, but also to include a comprehensive risk review.

The conversation needs to start with risk and follow through by identifying assets, the likelihood and impact of attacks against them, and the dollar values at stake. The objective is simply to ensure the company's security risks are identified and accounted for, by balancing the cost of security controls against the value of the transformation functions they protect. If this is done from the beginning of the project plan, the business can be confident that it has helped to minimise the impact of attacks (or system failures) on the business.
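To make "likelihood and impact, including dollar values" concrete, the following is an added example (not from the article or its authors) of a small quantitative risk register: each asset/threat pair gets a single loss expectancy and an annual rate, candidate controls are scored by return on security investment (ROSI), and controls whose cost exceeds the loss they prevent are flagged rather than funded. The asset values, rates and control effectiveness figures are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the risk register: an asset and a threat against it."""
    asset: str
    threat: str
    asset_value: float       # dollar cost of a total loss (breach cost, rebuild, fines)
    exposure_factor: float   # fraction of asset_value lost in one incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year with no new controls."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate security control and how much of the threat it removes."""
    name: str
    annual_cost: float
    rate_reduction: float    # fraction of incidents the control prevents, 0..1


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is in place."""
    return risk.ale * (1.0 - control.rate_reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    avoided = risk.ale - residual_ale(risk, control)
    return (avoided - control.annual_cost) / control.annual_cost


def worth_funding(risk: Risk, control: Control) -> bool:
    """A control is only worth funding if it avoids more loss than it costs."""
    return rosi(risk, control) > 0.0


def rank_controls(risk: Risk, controls: list[Control]) -> list[Control]:
    """Order controls by ROSI, best first, so the business case can fund the top ones."""
    return sorted(controls, key=lambda c: rosi(risk, c), reverse=True)


# Constructed register entry: a customer database exposed through a new web portal.
CUSTOMER_DB = Risk(
    asset="customer database",
    threat="data exfiltration via the new web portal",
    asset_value=2_000_000.0,
    exposure_factor=0.5,     # half the records' value lost in a typical incident
    annual_rate=0.2,         # one incident every five years
)

# Constructed candidate controls (costs and effectiveness are assumptions).
CANDIDATES = [
    Control("annual independent web app pentest", annual_cost=40_000.0, rate_reduction=0.6),
    Control("web application firewall", annual_cost=60_000.0, rate_reduction=0.4),
    Control("phishing-simulation awareness programme", annual_cost=15_000.0, rate_reduction=0.25),
    Control("dedicated hardware security module", annual_cost=150_000.0, rate_reduction=0.3),
]

if __name__ == "__main__":
    print(f"{CUSTOMER_DB.asset}: SLE ${CUSTOMER_DB.sle:,.0f}, ALE ${CUSTOMER_DB.ale:,.0f}")
    for c in rank_controls(CUSTOMER_DB, CANDIDATES):
        verdict = "fund" if worth_funding(CUSTOMER_DB, c) else "reject"
        print(f"  {c.name:45s} ROSI {rosi(CUSTOMER_DB, c):6.2f}  -> {verdict}")
```

The point of the ranking is the conversation it forces: a control that looks impressive on paper (the HSM in the constructed data) can still have negative ROSI for this particular risk, while a cheap people-focused control can outrank expensive technology. The numbers are only as good as the asset valuation and rate estimates, so they belong in the business case where they can be challenged, not in a spreadsheet nobody sees.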

Digital transformation is about digitising processes, services and business models that yield agility, efficiency and competitive advantage. Gartner says by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk effectively.

This staggering statistic forces the discussion about balancing digital risk against sought-after transformational functions. If we look at digital transformation, we can start the conversation around three areas: infrastructure, people and the risk/threat landscape.

We know infrastructure is constantly changing and evolving. Users, both internal and external, are the beneficiaries of the new technology, but they are also a conduit for attacks. Evolving threat vectors, and the actors behind them, are currently stepping up their attacks against both.

We’re getting better at installing protective kit, such as firewalls and intrusion prevention systems, but today’s attacks focus more on people and the transformational applications they use. Most enterprises will not improve their risk position by stacking up more security systems while their general staff are inadvertently installing malicious software anyway.


Moreover, protective devices will not stop loss of data if the transformational applications themselves are not properly tested. As it stands, the leading method for extracting data from organisations is through the very applications deployed to transform the business.

Security awareness training can significantly improve an organisation’s resilience. More than just informative emails, a training programme that integrates email phishing tests goes a long way towards making the training stick, given the interaction and educational quizzes. Phishing and business email compromise attacks figure in over 90% of breaches and losses today, so it’s a good place to start looking to reduce your risk. In terms of attack evolution, this year’s trends show that many phishing emails include neither malicious links nor malware-infested attachments. Hackers are more patient now: they know that with a little more social engineering effort, they can obtain the information they need to advance an attack on the business.

There are well-publicised breaches, such as Deloitte’s O365 migration project, that involved hackers accessing emails using stolen admin credentials (an account that, as reported at the time, was not protected by multi-factor authentication). This led to the exposure of over 244,000 employee email accounts and customer communications. Worse yet, a massive breach at Equifax exposed private data of almost half the US population. The investigation has shown how difficult it is to keep all of a company’s systems updated: the company knew about a vulnerability in a particular application (a flaw in the Apache Struts framework for which a patch was already available), but didn’t have the resources to resolve the issue before the hackers took advantage.

The lessons here are twofold. First, focus on the evolving risks surrounding the people on both sides of your digital systems, internal and external, including partners and supply chain vendors. Second, review and test the applications underpinning your digital transformation programmes.

As Verizon’s 2018 Data Breach Investigations Report has shown, web applications continue to be the number one vector that bad actors employ to steal enterprise data. Frequent web application scanning should be adopted, along with an independent web application penetration test that includes the underlying web server infrastructure, not just the application code. The objective is not to be 100% impenetrable, but to be secure enough that attacking you is too difficult, and thus too costly, for bad actors to make you another breach statistic.



  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.




Services provided in the United Kingdom by Marsh JLT Specialty, a trading name of Marsh Ltd and JLT Specialty Limited (together “MMC”). Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). JLT Specialty Ltd is a Lloyd’s Broker, authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 310428).

This is not legal advice and is intended only to highlight general issues relating to its subject matter. Whilst every effort has been made to ensure the accuracy of the content of this document, no MMC entity accepts any responsibility for any error, or omission or deficiency. The information contained within this document may not be reproduced. If you are interested in utilising the services of MMC you may be required by/under your local regulatory regime to utilise the services of a local insurance intermediary in your territory to export insurance and (re)insurance to us unless you have an exemption and should take advice in this regard.