Digital transformation and cyber security - how to use data and technology to thrive
- Cyber and Digital Security
- Investigations, Litigation and Forensics
Digital transformation and cyber security - how to use data and technology to thrive
The global COVID-19 pandemic is the most intensive data-driven global crisis any of us has seen. Even the most forward-leaning companies have struggled with the sheer volume of data they must monitor and track on a daily basis. Then must also quickly make sense of that data to inform decision-making and forward planning.
If anyone doubted the importance of digital transformation to business, COVID-19 has underlined that reality with a vengeance.
Our new virtually enabled, data-driven and distributed homeworking has changed the daily reality for millions of employees. It has also increased our vulnerability to cyber-attacks. Criminals have weaponised the fear and uncertainty of the pandemic to commit financial fraud and extort ransoms; meanwhile state actors have focused on disruption, espionage, and surveillance. The tactics are not new, but the scale and volume of the attacks have been. This has shone a stark light on those organisations that have not made significant progress in digitally transforming their operations.
Digital transformation is a nebulous term, but at its heart, it is a way to empower an organisation with the skills, culture, data, and data insights drawn from the technology to enable innovation and growth. It is also a way to build resilience. Automation, artificial intelligence, and cloud infrastructure, among other technological advancements, present huge opportunities and create new ways for intelligence teams to communicate, pool resources, and make data-driven decisions for their organisation that previously would have been either siloed or missed completely. However, this digital landscape that makes us more interconnected also makes us more exposed than at any time before.
Our individual and corporate exposure to cyber threats is expanding at a rapid rate. Artificial intelligence techniques, while still in their infancy, are being utilised in more state and criminal operations for faster and harder-to-detect attacks. Targeting of operational technology – the systems used to control industrial operations at manufacturing facilities, power plants and other critical infrastructure – is increasing as outdated analogue systems digitise and converge with IT networks at corporate headquarters.
Attacks in 2017 showed prospect of global disruption
Meanwhile, targeting of cloud service providers and software supply chains continues to raise the spectre of cascading attacks that flow through the systems of global companies and their suppliers at unprecedented speed. We have already seen this in the contagion unleashed by several high-profile attacks in 2017. One of these, NotPetya, was attributed by Western governments to Russia, causing billions of dollars in damage to public and private sector companies around the world.
The risk of getting caught up in such contagion is becoming ever more likely now that cyber attacks have become a less covert and more conventional tool for states to project force. Unrestrained by international norms, the militarisation of cyberspace has quickened the commodification of attack tools now available to a wide range of threat actors, not just to national governments.
Just three years after NotPetya, organisations worldwide face the prospect of even bigger, faster and more impactful attacks. Already organisations face growing business interruption, response, recovery and remediation costs, as well as bigger cyber insurance premiums. Such challenges are especially relevant to companies that maintain and operate legacy systems now ill-suited to the digital age. The need for these companies to digitally transform is perhaps the most acute and is in the public interest, given many of them – some of the biggest organisations in the world – maintain sensitive data on all of us.
Diverging regulations complicate multinationals’ strategies
Regulatory risk is also a growing challenge. As seamless global connectivity has grown in recent years so, conversely, has the emergence of a fragmented regulatory backdrop. Whatever the debates over cause and effect, this has presented major compliance and operational headaches for international companies. As an example, China’s Cyber Security Law, with its emphasis on data localisation and controls on cross-border data transfers, is forcing companies doing business in China to map their data flows and supply chain exposure, often with big implications for their operating models.
Where this differs from the EU’s General Data Protection Regulation is in the notion of proportionality, which in Europe allows for exceptions based on criteria such as the data subject’s consent and risk management. The underlying principle of GDPR and more recent legislation in California has been to shift the power balance from bulk data collection and surveillance to data privacy and consumer rights.
Trade tensions, sovereign internets add to headaches
Politics only complicates this backdrop. Tensions between the US and China, and the rise of protectionism in the creation and trade of software and hardware, are catching global companies in the crossfire – just ask Huawei or Cisco. Companies are being required to weigh political and national security considerations when engaging with a supply chain partner about which their host government has a negative view.
Covid-19 will accelerate this underlying trend – the decoupling of US and Chinese technology interdependence – with many companies seeking to move their production closer to their consumer base, especially in the pharmaceutical and medical services sectors. The growth of internet controls in Russia, China and many African nations is raising the prospect of further fragmentation. The erecting of digital boundaries, a clear expression of a more assertive national self-interest, poses a threat to globally standardised electronic communications. Such boundaries could have a profound impact on the way we live and work.
The emergence of “sovereign internets” cut off from the rest of the web is a clear test to the open vision with which the internet was founded. However, some perspective is needed. Despite the challenges, the age of ubiquitous global connectivity is here to stay. The proliferation of internet of things (IoT) devices is such that they are predicted to overtake non-IoT connections in 2022. The computerisation of everything from cars to medical devices, homes, factories and cities is not going anywhere, a reality the Covid-19 pandemic has reinforced with the normalisation of our virtual homeworking setups. Likewise, digital transformation is at its core a way to build resilience against existential shocks, whether that is a pandemic, supply chain disruption or the day-to-day barrage of phishing and social engineering attacks.
How should organisations respond?
Fine tuning risk management strategies to navigate the shifting political and regulatory tides and their impact on operating models is essential. Internal company functions will also need to adapt. In many larger international companies, we are already seeing a blending of physical and cyber security functions, merging once siloed structures to reflect the growth of attacks on systems whose disruption leads to a direct physical impact.
Organisations can prepare themselves for these emerging challenges in the coming years through further investment in highly automated security operations and intelligence centres – not least because mitigating risks and threats such as mass shootings, environmental activism, digital disruption and state-directed disinformation now requires active monitoring of online environments. Cyber-physical convergence is changing the world around us and focuses more light on the need for companies to recruit people with the skills to interpret the noise and chatter of these forums.
The critical success factor in any digital transformation programme is to ensure it is focused on people. Technology is a crucial catalyst in the process but investment in skills and culture is a much more sustainable way of building a secure, compliant and resilient business in the information age. Promoting creativity will unlock the potential of global connectivity and the agility to navigate uncertain political, economic and regulatory headwinds.
Investment in people is also the only way to utilise the data insights that will increasingly shape strategic decision making. These insights are the gamechanger and the key to making the most of a digital transformation programme.
Unlock the power of data and analytics in your security programme
Control Risks is working across the globe to support our clients with the evolution of their security and resilience programmes. We work with organisations at varying levels of data maturity to improve systems and processes, to enable intelligence-led decisions and to support their response to critical events.