Cybersecurity and digital transformation: Risks and rewards of making the step forward
Upgrading to a cutting-edge technological model can bring a world of benefits to any organization. By fully integrating today’s software in both administrative and customer-facing processes, businesses can make enormous gains in terms of efficiency, accuracy, overall capability, and the customer experience. It is no exaggeration to say that digital transformation represents the true difference between yesterday’s economy and the path to success from this point forward.
Yet digital transformation is much more than a simple software upgrade. It requires a real shift in business culture, along with continuous training and preparation. Nowhere are these additional needs more evident than in the quest for security.
Old Wine, New Bottles
The issue of security is as old as the concept of property itself. The usual actors on all sides – thieves, saboteurs, opportunists, security guards, police – may have different personal characteristics in the age of cybercrime, but they take familiar roles. Whereas the stereotypical criminal in the past used to rely on physical power and dexterity to achieve their objectives, today’s adversaries are more likely to be skilled at typing code into a computer.
The form of any security threat necessarily reflects the type of treasure being sought, and where it is located. Some value remains stored in physical vaults and safes, but far more lucrative prizes can now be found on networks and hard drives. When companies replace cash registers with online purchasing apps, their security concerns don’t go away; they instead shift into new domains where the likely forms of attack (and best strategies for defense) automatically undergo a similar transformation.
As with other forms of property-based crime, a strong defense provides two distinct kinds of advantage. Clear and effective security precautions can repel attempted break-ins, but they can also discourage some would-be criminals from even trying. Conversely, the failure to take cybersecurity seriously can positively attract criminals, in the same way that a house is more likely to become a target for burglars when it has the lights off, the driveway empty and the windows open.
The Scope of the Problem
Consider that digital transformation allows for open 24/7 connectivity between your business and its employees, customers, vendors, and other third parties. A security breach at any of these points of contact – at any time – can cause real harm. Moreover, digital transformation concepts and technologies such as cloud software, IoT, DevOps, big data, agile, and blockchain also open the door to real privacy and security concerns.
Recent findings from the business world confirm this analysis. Surveys and statistics suggest that cybersecurity is a large and growing concern within the business community. Ponemon Institute, which studies data protection in the context of the latest information technology, found that 70% of all organizations experienced a significant increase in security risk in 2017. Moreover, 69% of surveyed organizations had determined that antivirus software was unlikely to protect them against current cybersecurity threats, with a similar number feeling that they lack adequate security resources overall.
The Ponemon study also found that most businesses needed an average of 197 days to detect a breach of their network – and that a successful cyberattack on a business was likely to cost a total of 165 million THB, from both direct and indirect effects.
Another study found that damage from malicious cybersecurity incidents is likely to consume 2.2% of Thailand’s entire GDP in the coming years. Some of the most damaging tactics used by criminals include online brand impersonation, as well as the corruption or theft of data. Of the threats themselves, most of them fall into the categories of botnets, hackers, and ransomware.
Companies should take note that the clear majority of cybercrime incidents in Thailand target businesses (65%) rather than individuals (35%), according to research conducted by ThaiCERT. Other studies have found an unsettling disparity between knowledge and behavior. A 2015 ESET Cyber-Savviness Report found that 72.5% of respondents were aware of the recommended precautions to avoid online risk – but that only 45.3% actually bothered to follow those same recommendations. In many cases, investment in cybersecurity comes as a response to attacks that have already occurred, although a more proactive approach could have prevented them in the first place.
The indirect costs of a cyber breach – loss of public trust or reputation, business slowdowns, clean-up efforts – tend to outweigh the direct cost of the attack itself. Additional losses often affect the wider economy when an attack takes place; domino effects from production slowdowns as well as declines in overall consumer confidence can hurt even the organizations that avoid direct attacks entirely.
Indeed, in a very real sense, all of the benefits of digital transformation depend on a solid underlying security structure. A weakly constructed or maintained system will result in a service that fails to inspire trust, and therefore cannot be used to anything approaching its full potential. Every organization embracing digital transformation should therefore take the issue of cybersecurity very seriously, with its CIO regularly monitoring new developments in the field in order to protect the integrity of its data networks.
The Foundation of Security is Preparation
Reliable software and encrypted networks provide some measure of defense for organizations that have made the leap to a fully digital business model, but their efficacy depends on good maintenance, regular oversight, and a company-wide understanding of best operating practices.
A true commitment to secure operation therefore requires having the right personnel in place to handle IT-related issues, train the remaining staff on how to handle sensitive data, and supervise their activity to ensure that they are effectively following these procedures. Such training should use down-to-earth language to allow everyone to understand the basic principles behind each process – and why they are important.
IT personnel will have additional tasks to worry about, such as the smooth running of the business in all its technical aspects, but the entire organization must be willing to defer to them on matters related to data handling. The security guards of today’s economy, in other words, are more likely to focus their attention on unlocked networks than unlocked doors.
It is worth stressing that for any reasonably well-designed computer system, the weakest link in its security profile is likely to be the ordinary people who use that system on a daily basis. Passwords can be revealed carelessly to outsiders, hidden malware can record keystrokes, and fake websites can appear authentic at first glance but then capture login details as they are entered.
Comprehensive training is therefore essential, and a culture of best IT practices must be endorsed and encouraged by those in leadership positions. Companies should invest in hiring the right people, setting up all new computer systems properly and professionally, and increasing the confidence and ability of all staff members in relation to the new systems they will need to operate.
A wider understanding of cybersecurity issues on a macroeconomic level can also help companies prepare in advance for any unanticipated delays or disruptions that occur elsewhere in the economy. Businesses can minimize inconveniences that would otherwise indirectly affect them by planning for alternate sourcing of key resources in case of need.
Modern approaches to risk management must therefore play a role in the organizational structure of any security-conscious business. Each person also needs to be aware of their own responsibilities as they relate to cybersecurity. A digitally based organization can be considered secure only when the entire team has a clear understanding of what to do, why they must do it, and what kinds of dangers to look out for. Only through such a system can potential threats be evaluated, predicted, identified, and dealt with before they are able to cause damage.
Best practices for data protection must be adopted by all personnel within the organization. In a very real sense, everyone with a password to log onto the company network essentially has a key to the front door of the company itself. The IT manager should take special care to isolate departments from each other within internal networks, so that a potential data leak in one area is unlikely to affect data elsewhere, but any breach at all can represent a real threat to the smooth operation of the business. For a company to succeed, therefore, cybersecurity must be everybody’s responsibility – and not merely a concern for the IT department.
The Risk of Doing Nothing
It is natural for some companies to feel intimidated by the complexity of today’s digital world. Many leaders, relatively unskilled in IT-related matters, no doubt throw their hands up in despair at the thought of having to manage a company-wide transition to a model they have little experience overseeing. The potential for cybersecurity breaches, and the headaches they can cause, may give them all the more reason to delay digital transformation even longer.
But many companies have successfully embraced digital transformation, even though they began from a similar starting point. The key is to take advantage of help where it is available, following the path that has already been created by those who have come before. While there may not be any way to eliminate security risks entirely, it is also true that this goal has never been achievable in the past either. The central aim must always be to minimize avoidable security incidents, through preparation that is informed by a deep understanding of the issues involved.
In a fast-moving economy, the surest way to expose a business to harm is through inaction. By staying behind and letting one’s competitors reap the full rewards of digital transformation, businesses that hesitate too long will find themselves edged out of their own market.
The digital world does indeed take time to master, but that is all the more reason to begin as early as possible. The right approach involves careful planning, the right personnel moves, security-conscious procedures, effective company-wide training, a renewed emphasis on positive and proactive culture as it relates to cybersecurity, and an enlightened approach to risk management in a data-driven world.
The combination of these elements can make an organization’s ongoing security concerns far smaller than they would otherwise be. The business can then gain the freedom to concentrate on pushing the envelope forward, establishing new standards of excellence within its industry.
1) “2017 State of Endpoint Security Risk Report”, Ponemon Institute, sponsored by Barkly.
2) “Understanding the Cyber Security Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World”, Frost & Sullivan and Microsoft.