As IT and security practitioners, we tend to work in logical, finite terms. We measure our corporate landscape in endpoints and applications, terabytes of data, number of employees and more. We adopt new technologies like artificial intelligence to try to bring order to unpredictability.
Business risk is much more subjective, however.
Where risk intersects our IT world, it creates a fuzzy, unsatisfactory landscape that is difficult to define and harder to manage. And this landscape is expanding.
Many of the digital transformation technologies we introduce to reduce traditional types of business risk are themselves the cause of a new type of risk: Digital Risk. Take call centres. Over the years, organisations have continuously adapted their systems, communication channels and processes to remain competitive. More recently, established operators have had to replicate the self-service models that disruptive digital start-ups use. But the consumer apps, chatbots and online forms introduced to replace the contact centre agent bring their own vulnerabilities, substituting one form of risk for another and opening up new attack vectors.
Of course, it’s never quite that straightforward. But as fast as we create new technologies, there is an unorganised army of hacking groups and individuals ready and willing to find ways to exploit them.
The British Airways and Ticketmaster data breaches of 2018, in which payment-card skimming JavaScript was injected into checkout pages (in Ticketmaster's case, via a third-party chatbot script), highlighted the dangers of code injection for any business providing self-service booking or ordering services. Chatbots, predicted to become a popular channel for launching phishing attacks, are another example. What concerns data-protection professionals about these specific threats is that they can run undetected, silently stealing data without any visible effect on customer experience or back-office operations. According to the UK's Information Commissioner, Elizabeth Denham, in a recent Wall Street Journal interview, this lag in detection is one of the key factors the ICO considers when calculating GDPR breach fines.
Over the coming months we’ll be taking a deep dive into Digital Risk to understand the steps you can take to identify, reduce, mitigate or (hopefully) eliminate it. To start, here’s how we define Digital Risk.
RSA have identified eight distinct types of Digital Risk:
This is both helpful and thought-provoking. But it doesn't account for situations where newly introduced digital vulnerabilities amplify more traditional forms of risk. When Wetherspoons' chairman, Tim Martin, closed all of the company's social-media accounts in 2018, he cited the potentially harmful, addictive nature of their use. In reality, with close to 900 locally run accounts, Wetherspoons had created an almost unpoliceable network: a ticking time bomb waiting for any motivated individual to do real brand damage, and so a significant reputational risk that had to be addressed. Wetherspoons also hit the headlines in 2017 when it took the bold decision to delete its entire customer email marketing database, which is certainly one way to minimise risk.
The simple truth is this: your Digital Risk profile is unique to your business. It will depend on your people, your technology, your processes and your industry. So the first step to managing Digital Risk is to identify it. And here's the hard part: traditional InfoSec and cybersecurity have been focused almost entirely on protecting the network and defending the perimeter. Cloud adoption, increased mobility and evolving digital supply chains are just some of the reasons why this is no longer enough.
In our next update, we look at how you can identify critical aspects of your organisation’s digital footprint that can increase Digital Risk – and why this needs to be a topic for boardroom discussion.
Jeremy Hendy is CEO of Skurio