With the UK ICO proposing GDPR fines of £183m for British Airways and £99m for Marriott, taking cyber-security seriously is now a must for business and public sector organisations alike. Defending the organisation against hacks, leaks and the simple human errors at the heart of many breaches has never been more critical, especially in an age where news of a vulnerability or a breach goes viral within hours.
If you don’t want to find out about your breach from a ‘helpful’ third-party tweet, the trick is to implement security processes which can stay one step ahead of the latest threats while keeping pace with the digital transformation needs of the business. Albert Einstein wrote that "Life is like riding a bicycle. To keep your balance, you must keep moving." In the same way, security leaders must balance the business’s need to be ever more agile, competitive and productive against solutions and techniques which keep its data, and the business itself, safe. There is no room for rest or complacency.
With more than 50 percent of CISOs reporting directly to the CEO, and over 60 percent of board meetings routinely discussing cyber-security, business leaders are, in general, lending a sympathetic ear. These conversations have historically focused on reporting the exposure of the ‘owned’ IT estate, securing budget to protect it and defending the corporate perimeter. But here is the truth: the measurable perimeter has dissolved. Data is routinely processed and stored in the cloud, and shared with third and fourth parties in complex data supply chains.
That’s why cyber-security, as traditionally conceived, needs to be broadened into a more holistic approach. Digital risk protection should be an agenda item at every board meeting, and here’s why:
Securing the supply chain
To earn the glory of a Michelin star, a chef must master their craft. But they must also become an expert in every other aspect of their business. From the greeting of the maître d’, through the handling of allergens, to the best suppliers of the finest ingredients, every detail matters. Only then can they confidently guarantee the quality of their service and the health of their customers. To become a ‘Michelin-starred CISO’, leaders must understand a range of business and supply chain risks so they can respond accordingly. This isn’t always easy in the opaque world of technology ecosystems.
The rewards of digitally transforming the business are undeniably attractive. Your customers increasingly expect instant, real-time responses 24/7, from anywhere and on any device. Businesses that aggressively digitise their supply chain can expect to lift annual earnings (EBIT) growth by 3.2 percent, according to McKinsey, more than digitising any other business area.
CISOs who can implement processes and systems to defend and protect corporate data outside the perimeter will have a huge impact on the growth and viability of the business. Accordingly, reporting to the board needs to consider digital risks across the entire information supply chain, not just the bits you can see and control.
Lighting up shadow IT
Keeping shadow IT in check can be a full-time job for a CIO. But with low-code and no-code application development on the rise, and a growing problem of under-the-radar BYOA (‘bring your own app’), control can be an illusion. Blocking unauthorised cloud apps is one option, but it always introduces frustration and can often make the problem worse: if you build the walls higher, staff will simply find another way round, such as emailing the data to a home account or using their own phone or tablet to do the job instead.
That’s why understanding where your data is stored and processed is vital. It affects almost every aspect of the business, from customer experience and digital transformation through to compliance and beyond. Having a regular and open discussion on this topic at the highest level makes sense. When the heads of departments which use a lot of shadow IT, typically HR, marketing and software development, understand the impact it can have on security, they are far more likely to cooperate and to educate their staff. Digital risk management solutions can also play a big role in bringing shadow IT out of the shadows, by continually monitoring for issues associated with third-party apps and watching for corporate data flowing through them.
Security is everyone’s business
Protecting the data centre from intrusion is critical beyond doubt. But the human factor cannot be ignored. The latest figures from the UK ICO show that around 85 percent of reported data breaches in Q4 2018-2019 involved (potentially avoidable) human error. It’s usually a case of a staff member doing the wrong thing, but for the right reason.
Falling for a phishing email or copying the wrong person on a message can be addressed through awareness and training; a salesperson taking a copy of the sales lead database before joining a competitor needs access controls and monitoring as well as training. While these are a direct responsibility of most CISOs, improvements can only be made with buy-in from department heads.
As a philosophy, digital risk protection encompasses almost all of these failure mechanisms and can also give you advance warning of attacks being planned against you. Going well beyond traditional threat intelligence, it can protect you against leaks and misuse of your data and provide the earliest notification of breaches, even those that originate at a partner. It can also help ensure that your staff are doing everything they can to protect the brand across its digital footprint.
Assessing your risk
These three areas highlight the need to look beyond traditional cyber-security models. The techniques you will be required to deploy in the future will depend on the digital risks your business faces. So, being able to assess your digital risk is key. One useful method for looking at this is to think about your "digital footprint".
When we discuss digital risk protection with security professionals, we always start with the information most critical to their organisation: "What information would you not want to see posted online?" Unsurprisingly, the priorities vary. Some businesses are focused on maintaining their commercial advantage, so protecting intellectual property is top of their list. For others, margin assurance is key, so defending revenue streams against loopholes, fraud and counterfeit goods is the most important. Almost everyone is concerned about compromised staff credentials circulating in dumps and forums. But across the many and varied types of Digital Risk, one aspect is consistent: It’s the business that decides the priorities and that’s what drives investment. For any security leader looking to secure funding for digital risk protection – ask the board what their priorities are.
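The credential-dump concern above is one of the few digital risks that can be triaged mechanically. The following added example (not from this column and not Skurio’s product) shows the two steps a practitioner would script: filter a dump for mailboxes on the organisation’s own domains, then check how widely each password is already exposed using a hash-prefix (k-anonymity) lookup, so that neither the password nor its full hash ever leaves the organisation. The dump lines, the watched domains, the `OFFLINE_RANGES` store and its counts are all constructed for the illustration; the store stands in for a real range-lookup service and contains the well-known SHA-1 of the string `password`.

```python
"""Triage a credential dump for watched (corporate) domains and check password
exposure via a hash-prefix lookup that discloses only 5 hex characters.

Added example, not Skurio's code. The dump, watch list and OFFLINE_RANGES
store are constructed; the store stands in for a real range-lookup service."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample dump in the common email:password form. Real dumps are far
# messier; the parser below simply skips anything without a separator.
SAMPLE_DUMP = """\
alice@example.com:Summer2019!
bob@example.co.uk:password
carol@gmail.com:hunter2
DAVE@Example.com:correct horse battery staple
not a credential line
"""

# Domains the organisation owns (constructed); matched case-insensitively.
WATCHED_DOMAINS = {"example.com", "example.co.uk"}

# Constructed stand-in for a range-lookup service: keyed by the first five hex
# characters of a SHA-1, each value is 'SUFFIX:COUNT' lines. The second entry
# under 5BAA6 is the SHA-1 of 'password'; the counts themselves are made up.
OFFLINE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (email, password) pairs. Split on the first ':' only, so
    passwords containing ':' survive, and skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        pairs.append((email.strip().lower(), password))
    return pairs


def corporate_hits(pairs: List[Tuple[str, str]], watched_domains) -> List[Tuple[str, str]]:
    """Keep only credentials whose mailbox domain is on the watch list."""
    watched = {d.lower() for d in watched_domains}
    return [(e, p) for e, p in pairs if e.rsplit("@", 1)[1] in watched]


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that may be sent
    to a lookup service and the 35-char suffix that must stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: Optional[str]) -> int:
    """Scan a 'SUFFIX:COUNT' response for our suffix; 0 if absent or no data."""
    if not range_text:
        return 0
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def assess(dump_text: str, watched_domains,
           range_lookup: Callable[[str], Optional[str]]) -> Dict[str, Dict[str, object]]:
    """Map each corporate mailbox in the dump to how widely its password is
    known to be exposed. Only hash prefixes are passed to range_lookup."""
    report: Dict[str, Dict[str, object]] = {}
    for email, password in corporate_hits(parse_dump(dump_text), watched_domains):
        prefix, suffix = hash_prefix_suffix(password)
        report[email] = {"prefix": prefix,
                         "count": count_in_range(suffix, range_lookup(prefix))}
    return report


if __name__ == "__main__":
    for email, info in assess(SAMPLE_DUMP, WATCHED_DOMAINS, OFFLINE_RANGES.get).items():
        print(f"{email}: prefix {info['prefix']} seen {info['count']} times")
```

A prefix that the store does not know (as for alice and dave here) is reported as 0 rather than raising, which is the behaviour you want when a lookup is unavailable; in production, swap `OFFLINE_RANGES.get` for a function that queries a real range service and keep the suffix comparison local, exactly as `count_in_range` does.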
In next month’s column we’ll be taking a closer look at protecting your information across the supply chain, and some techniques you can use to increase transparency and illuminate digital risk.
Jeremy Hendy is CEO of Skurio