It is difficult to avoid discussions about digital trends, business models and the resulting benefits. The world’s most valued organisations provide digital services. Private investment in new digital start-ups is sky high whilst the benefits to organisations of digitalising processes and services can be significant. Digitalisation is generally a force for good but there is also significant cyber risk. To mitigate the threat and ensure they are as well prepared as they can be for any data loss or disruption, there are several questions that organisations should ask themselves regularly.
Before we consider the questions, what is digitalisation? The Oxford English Dictionary defines the underlying verb as to “convert (pictures or sound) into a digital form that can be processed by a computer”. Strictly speaking that is digitisation; digitalisation is the broader use of digital technologies and data to change how processes and services are delivered. In short, this is the big data revolution, in which computers create insights and drive actions by processing huge quantities of data. As data volumes grow and analytics become more sophisticated, we are moving from insight to foresight: the increasingly accurate prediction of future outcomes.
The pace of the digital revolution has been significant as organisations prioritise investment in new processes and customer solutions. The benefits derived from increasingly networked, data-driven and intelligent infrastructure are substantial, but they are counterbalanced by our growing reliance on these systems and their exposure to pernicious threats. The result is an escalating digital battle between government and business on one side and those intent on causing financial, reputational or physical damage on the other. There are strong arguments that the digital battle against criminality is currently being lost, for reasons that include insufficient governmental regulation and policy, organisational inertia towards addressing cyber risk, the escalating economic cost of cyber criminality and the difficulty of holding cyber criminals to account for their actions.
It is understandable that managers can feel overwhelmed by the scale of the cyber threat, especially as the number of applications and endpoints continues to grow while security remains an afterthought. On this point, a PwC survey on Digital Trust found that only 53% of respondents agreed that “cyber and privacy risk management is baked in fully from the start of transformational projects.”
To help organisations address evolving cyber challenges, WA suggests several simple questions that organisations should ask themselves on a regular basis. These questions will be familiar to CISOs and corporate risk managers in multi-national organisations, but small and medium-sized enterprises do not always have a structured risk assessment process and may not ask these questions often enough. If that is the situation, somebody needs to take ownership of the role quickly.
Here are 4 key questions to ask yourself.
What is your external and internal digital risk?
Reports and news channels frequently cover the size of the cyber problem, with headlines focussing on doomsday scenarios. However, beyond the news of British Airways’ data loss and the resulting fine, or the latest state-on-state cyber-attack, what matters is how big the cyber threat is to your organisation. A multi-national digital giant managing thousands of endpoints and constant application development may be more challenging to protect than a local family business. Although the threats will be different, the impact on a small business may be no less severe. Each business should define what cyber risk means to it and consider the operational, financial and reputational damage that could be caused by data loss, a security incident introduced by a third party through the supply chain, or malicious internal activity. A thorough evaluation of the risk also helps to build a strong business case to persuade executives to invest time and resources in improving protection, mitigation and resilience.
Running at least an annual risk assessment sounds straightforward, but another survey suggests otherwise. The UK Government Department for Digital, Culture, Media and Sport (DCMS) published a report, “Cyber Security Breaches Survey 2019”, which surveyed over 1,500 businesses. Only 31% of those had completed a cyber risk assessment within the last 12 months, which suggests that many organisations have yet to develop a systematic approach to cyber risk management. For organisations lacking resource, a number of frameworks are freely available through the Institute of Risk Management and the National Cyber Security Centre (NCSC).
Who is the digital risk team?
The risk appetite of the company is typically set by the Board, and cyber security is increasingly a key feature of organisational risk registers. However, in large organisations the risk team needs to be wider than the Board or the risk officer who sets the policy; the people who operate and secure the systems day to day must be part of it.
WA believes that the increased risk from Internet of Things related trends will drive the convergence of internal risk policy, security process and contingency planning across operational, physical security and information security teams. This is due to the overlapping threats and the enterprise-wide consequences of an attack: a compromised building management or industrial control system is both a physical and an information security incident. A more co-ordinated approach to physical and information security will become more widespread over time, while contingency planning and disaster response need to incorporate operational teams. The potential reputational damage from operational failure or data loss also requires an external communications plan to limit the effect of any adverse publicity.
Reducing cyber risk will also require greater external collaboration and information sharing across business and government, so that there are real-time alerts of complex threats affecting multiple organisations and so that best practice and mitigation strategies are shared. The basis of policy such as GDPR and the NIS Directive, and of national cyber security centres and CERTs, is to reduce risk through openness and information sharing, including mandatory breach and incident reporting.
How do I protect against the increased digital risk?
When people think about protection they automatically think about firewalls, access control or other solutions that restrict access and filter content. These remain very important tools but are only part of the solution. Organisations also need current, enforced policies, and the technical controls that implement them (patch levels, configuration baselines, blocklists and detection rules) should be kept up to date through automated processes rather than manual effort.
Beyond policy and network protection tools, there also needs to be staff training, as one of the most common causes of incidents is staff error, for example sending data to an external party by mistake. Policy, protection and staff awareness will all help to reduce risk if carried out properly. This is not an easy task, and organisations should consider whether they are best placed to manage these processes themselves or should rely on managed security service vendors who have the staff, tools and monitoring capabilities to protect them.
Understanding the risk profile and developing the right protection strategies also needs to be accompanied by an incident response plan. The DCMS survey, however, again suggests that there is room for improvement, with only 16% of businesses surveyed having a formal incident response plan in place. Contingency planning has long been based on returning to “business as usual”, which is effectively building a plan to recover to the organisation’s previous operational status. However, there is a paradigm shift whereby remediation of an incident returns an organisation to a “new normal” in which the business is more secure and more resilient than before, because the weaknesses the incident exposed are fixed rather than simply restored. This is driven in part by the lessons learned and the costs associated with a significant breach.
Further information on the tools and practices to protect against cyber threats can be sourced through the NCSC.
How do I plan for future risks?
Beyond constantly evaluating the business requirements and strategy and how they will affect the organisational risk profile, security and risk teams should also keep up to date on new technological solutions. One of the key challenges to lowering your organisation’s exposure to data loss or disruption is the speed with which technology evolves and how quickly new challenges emerge. However, it should reassure everybody that for every emerging challenge there is almost always an emerging solution, as the following two examples highlight.
Concern over facial recognition technology and privacy has grown lately and has resulted in cities such as San Francisco banning its use by city agencies. However, it is unlikely that the growing adoption of facial recognition technology will slow, given the willingness of people to share their data and the benefits that organisations can derive from the technology. A good example is FaceApp, which recently spread across social media. The app is used to create images of what the user might look like in old age. Most people who have used it have granted the company a broad licence over the pictures and image of their face: the app’s terms and conditions state that it may use the uploaded photos in almost any way it sees fit, with no practical route to withdraw that permission. In addition, facial recognition technology is increasingly being used in the corporate world to ensure that the right people have access to the appropriate areas. This also presents a risk to the organisation should the stored facial images or biometric templates be stolen in a cyber incident, because unlike a password a face cannot be reissued once compromised. D-ID is an organisation tackling this issue with a solution that alters photos so that facial recognition software cannot identify the protected face while it still looks natural to a human viewer. It protects the individual’s identity and lowers the organisation’s exposure should the images be lost.
Another example related to computer vision and image processing is the deepfake, an emerging technology that is alarming governments. The name derives from “deep learning” and “fake”; the technology, which is available as open source software, manipulates images, videos and audio files to create lifelike synthetic likenesses of real individuals. This is likely to create a new cyber challenge in which criminal organisations use fake media for their gain. They could fake the voice of a CEO to authorise payments, cause reputational damage or bypass voice or face based authentication. Whilst real-world incidents are still rare today, this is likely to emerge as a serious threat over the next five years, and organisations are already working on the problem. The start-up Cyabra (Israel) is one such organisation, and Faculty (UK) is another working on detection solutions. There is a wide range of conferences and trade shows in the UK where many of these organisations exhibit, and it is good practice to visit them routinely to keep up to date on new technologies. Remember that it is not always the large stands that have the most interesting solutions!