Digital technologies have fundamentally changed the way organizations do business. Mobile access, advanced analytics and cloud have increased both operational agility and revenue growth through data availability, workforce enablement, and improved customer experiences. As a result, organizations are projected to spend $1.97 trillion on digital technologies and services by 2022, according to IDC. The benefits of digital transformation are unlimited in scope and scale, but with them come new risks for organizations and their security teams.
Expanding Infrastructure and Increased Complexity
Cloud, mobility, and the internet of things have dramatically shortened change cycles. What might previously have been implemented over many years now often occurs in just months, weeks, or even days. However, every new technology adds a huge amount of complexity, which can cause disruption and even increase organizations’ attack surfaces.
Organizations’ expanding infrastructure can have weaknesses, such as open ports, vulnerabilities, or weak or expiring certificates. These exist across your known infrastructure, but also extend to shadow IT – those projects and software managed outside of the IT department, the existence of which may not be known to the security team. Attack surfaces are becoming increasingly hard to reliably identify, never mind reduce.
The Challenges of Third Parties
According to the Ponemon Institute, 56 percent of organizations have experienced a data breach as a result of a third-party vendor. The U.S. National Institute of Standards and Technology (NIST) calls out third parties as a top source of risk, in part because of poor security practices. Add fourth and fifth parties into the mix, and the risk increases exponentially. So how can organizations be confident that their vendors and subcontractors – who play a crucial role in their business operations – are adequately protecting organizations’ sensitive data?
Companies can bolster their third-party risk awareness in a number of ways: educating internal stakeholders about properly managing third-party risk; contractually enforcing third-party security performance expectations, backed by independent reviews of external-facing systems; tracking third-party risk in a central database; and adjusting their approach based on known strengths and weaknesses, to name just a few. However, even all of these measures will not adequately safeguard your sensitive data: organizations should assume this information will become exposed, and take steps to detect and remediate this loss.
Criminals “going digital”
As third-party ecosystems grow, more data is stored in the cloud, and employees find new ways to engage online, organizations’ sensitive data frequently becomes exposed. Knowing this, adversaries take advantage of this unwanted exposure, using leaked credentials for account takeovers or exposed intellectual property to conduct corporate espionage.
However, it extends even beyond this – cybercriminals have taken notice and are finding ways to take advantage of organizations’ digital transformation efforts. No sooner does a company or bank offer a new mobile app to improve access and efficiency than a bad actor will try to devise a way to manipulate it to their own ends.
To protect against these threats, organizations need to find new ways to detect data loss, to secure their online brand, and to reduce their attack surface.
Asking the right questions
Digital technologies are critical to a business’s ability to become more agile, increase profitability and better respond to customers. But digital transformation, like most processes, is an ongoing one that takes time and attention. Ultimately, to fully benefit from these innovative digital practices and tools while simultaneously ensuring cybersecurity, companies must be prepared to plan consistently and collaborate continually to increase transparency of their own and their third parties’ practices. I suggest business leaders ask themselves the following three questions to reduce this digital risk:
1. Who is “in charge” of managing digital risk? Are we relying solely on the CISO or does risk extend beyond silos?
2. Are we extending digital risk management beyond the company, into our partner and vendor ecosystem? What tools does the organization have in place to detect and remediate risks outside the traditional perimeter?
3. Does our CISO address security in terms of business risk? Do we measure the success of the security team in terms of business risk?
Organizations’ perimeters will continue to erode as their digital footprints expand, but with the right risk protection strategy any organization can succeed in the age of digital transformation.