Innovation benefits not only businesses but also bad actors. As digital transformation becomes increasingly ubiquitous, more data is exposed at more points of vulnerability and through more potential attack vectors. In the last year alone[1]:
- Web attacks are up by 56% (e.g., breaches introduced via a third-party website)
- Supply chain attacks are up by 78% (e.g., breaches introduced through vendors and third-party service providers)
- Attacks delivered as email attachments that are actually Office files are up 43%
To minimize the risk of a data breach, businesses need to be as innovative in their approach to security as they are in their approach to digital transformation. Just as digital transformation requires an overarching, enterprise-wide strategy, so too does security transformation, including securing the right digital transformation team, the right security team, and appropriate checks and balances between them. All of that requires much of what an effective digital transformation requires, not least embedding the “culture” into the enterprise through:
- stakeholder buy-in
- necessary capital investment
- some level of organizational fluidity
Based on our own experience as a digital transformation partner to over 4,000 businesses across the globe, as well as our constant monitoring of the digital and security transformation landscape, we’ve come up with the following best practices for getting security right in your digital transformation:
Assemble the proper team
Before you can even begin to assess the risks that digital transformation itself introduces, you need to be able to assess the risks inherent in your business and the laws with which you’ll have to comply. That means assembling the right team, including the following (some of whom may overlap, depending on organizational structure):
- A senior level information security officer
- Legal counsel or other experts capable of outlining compliance requirements
- A team (or teams) reporting to the top information security officer to:
  - monitor compliance, including staying abreast of changes to laws, rules, and regulations
  - respond to security breach incidents
  - respond to the consequences of breach incidents (including interacting with end users)
All of these team members should be embedded in your enterprise’s overarching business strategy and looped in at every level of decision-making and execution.
Taking inventory and assessing the risks
With the proper team assembled, it’s crucial to take an inventory of:
- All key processes
- All systems that deliver key processes
- All data delivered to, delivered by, stored in, and processed via those systems
- All such data that is sensitive, proprietary, or otherwise subject to regulation
- The laws, rules, and regulations applicable to that data
- Existing vulnerabilities
- Potential vulnerabilities
- Industry-specific vulnerabilities
Creating policies and plans to address the vulnerabilities
This may include coming up with new ways of authenticating system-user credentials, policies covering enterprise-owned as well as personal devices, policies on security clearance for employees and others on the premises, and policies on the use of networks and social media. Although one of the aims of digital transformation is to break down information silos, it’s also critical to put protocols in place that ensure any information made “accessible” as a result is accessible only to those with a need, or permission, to know it.
Training and educating…everyone from employees to the chief executive
Some experts estimate that as many as 95% of all data breaches[2] are the result of human error. But that percentage includes errors at the coding level at every stage of the supply chain. Others put the figure somewhere between 40%[3] and 50%[4] when the error is limited to user interaction with the system in question. Whatever the percentage, the reality is that if you were to ask 10 employees what they might be doing that puts enterprise data at risk, at least half might not have any idea—that is, unless you provide them with training and education on system and data security. This includes general training about security, why it’s required, and what’s at stake when it’s compromised, as well as specific topics that address of-the-moment security risks. At this moment, that might include:
- How to identify phishing schemes
- How to identify unsafe websites and links
- How to recognize malicious email attachments
- Proper password management (including requiring strong passwords and periodic password updates)
- Proper device and workstation security
- Social media awareness
Laying down and enforcing security-focused protocols
Where training and education fail, protocols—especially those that are consistently enforced and periodically reiterated—can pick up the slack. For example, protocols covering:
- Using public networks
- What to do if a device is lost or stolen
- What can and can’t be shared on social media
- What to do when sensitive information is requested by email or otherwise
- Multi-step authentication before sensitive data is disclosed or access is granted to databases containing it
- Whether non-enterprise devices may be used on enterprise premises
- The taking of photographs and screenshots on enterprise premises
- The tracking and return of enterprise-issued devices, badges, and other credentials upon termination of employment
Create a strong response plan
System and data security requires a response plan for the event of a breach. An effective response plan can significantly mitigate the damage a breach causes. Such a plan would include:
- A means for identifying new risks and vulnerabilities and a protocol for conveying them throughout the enterprise and to third parties who need to know
- A means for detecting breaches well before the average detection time of 100 days
- A protocol for responding to detected breaches, including:
  - isolating affected system segments
  - shutting down access to those segments and the data accessible within them
  - notifying whoever needs to be notified under applicable law (from end users to law enforcement to forensics experts to attorneys)
- A protocol for post-incident procedures, including documenting the incident and collecting data to improve future responses and update security protocols to meet current risks
- A post-incident public relations/marketing response
- Embedding the response plan into the related business processes
- “Fire-drills” that reinforce the plan essentials in the minds of the key players
Keeping the “bad guys” out involves a combination of prevention, detection, action, and agility. Make sure your enterprise has all of these covered.
In the weeks ahead, we’ll explore how system and data security dovetail with data privacy and all the laws and regulations with which your digital transformation provider should be compliant. We’ll also explore the security matters you’ll want to consider when choosing your digital transformation partner. If you missed the earlier posts in this series on cyber security, you can catch up here on:
- Why security is the transformation you should be talking about
- What we’re really talking about when we’re talking about security
- 21 Staggering Security Statistics Every Business Should Consider
- How the Bad Guys Get In: Cyber Attack Vectors
Gotta read it all now? You can download the entire series as a flipping-book here.
In the future, be sure to subscribe to Exela’s quarterly thought leadership publication, PluggedIN for up-to-the-minute news and views on topics that matter to you.
1. https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf
2. https://fraudwatchinternational.com/security-awareness/what-is-cyber-security-awareness-training/
3. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
4. https://atlasps.com/2019/02/data-breaches-caused-by-human-error-major-cybersecurity-threat-2019/