Understanding the risks of digital ecosystems
Companies rightly see much promise for future revenues and productivity by building and participating in emerging digital ecosystems, but most have not given enough consideration to the risks and threats inherent in such ecosystems.
Digital ecosystems are dynamic, agile, interactive, borderless, multimodal, and decentralized. And they often have multiple gatekeepers and participants. In short, they represent a target-rich environment for hackers and digital criminals seeking to steal or exploit sensitive data or to disrupt operations.
Are organizations aware? Most aren’t. In most industries, efforts to revamp security procedures, institute new policies and technologies, and close gaps are uneven, poorly supported, and poorly designed. This paper explores some of those flawed approaches—and, importantly, how to correct them.
Balancing the opportunities and threats that come with digital transformation
Digital transformation represents a broad, multimodal, and systemic shift for organizations and entire industries. The opportunities a company has in the market change drastically when marketing, supply chains, and other operations move to digital-only platforms and, in the process, create digital ecosystems: large, often shifting, multiplayer spaces where information is shared, business is conducted, and suppliers are linked together.
However, these digital ecosystems also create opportunities of another kind, including cyberthreats and external attacks on company systems, loss of control over intellectual property (IP), and at times existential threats to business. Multiple examples of hacks and cyberthreats exist, and the issue is finally getting the attention it deserves.
Nevertheless, our experience is that many organizations are ill-prepared for the risks inherent in digital ecosystems. Organizations are often taking major risks simply by doing nothing, or by doing the wrong things.
In manufacturing and technology industries, we observe that companies often share IP with their global ecosystem partners or suppliers but are unable to address the risks associated with such sharing or fail to enforce the required controls to reduce those risks. The reason isn’t a lack of ability or understanding. It’s mostly a byproduct of volume—there are just too many suppliers to work with and track, and organizations often lack a sustainable, repeatable, and effective process and framework for de-risking their digital ecosystem.
Even in industries with more advanced track records of building and maintaining de-risking processes, risks do remain. For example, in the banking, financial services, and insurance sector, there is a strong awareness of the risks and a corresponding interest by regulators in such processes. Yet even then, solutions are not implemented effectively. We take note of the rise of fintech providers whose innovative solutions address some of the de-risking priorities, but still require an accompanying focus on due diligence and security checks—something fintech providers may not be able to appreciate.
In contrast, we observed that organizations in industries without significant regulatory exposure don’t have the same sense of urgency to take appropriate de-risking action. While they are increasingly aware of cyberthreats in general, that sense of risk does not affect the way those organizations interact with stakeholders such as their own teams, partners, vendors, and suppliers, who may potentially pose the greatest risk.
In short, in any de-risking framework, one must assume that the largest source of cyberthreats comes not from someone breaking in, but rather from a door left open for an uninvited guest. Organizations must adapt their mindset, their processes, and their resources accordingly.
Managing challenges in governance that arise from distributed accountability
In many organizations, the responsibility for closing risk gaps lies with several people from the leadership, rather than a single point of authority. This could lead to:
Failure due to shared responsibility: The absence of clear accountability diminishes the organization’s capacity to proactively prioritize and implement risk reduction strategies.
Failure to prioritize risk correctly: Effective risk assessment and remediation is challenging without understanding the business context. For example, an external vendor can be a potential source of risk while also being critical and central to the business. Resolving and mitigating such risks may require unique handling and focused attention. On the other hand, other vendors for the same organization may not play as central a role to the business and therefore, handling their risk may be a more straightforward task. It’s important for organizations to identify special situations for special handling while also developing systematic and automated approaches for the less-important entities. Unfortunately, many organizations fail to consider the significance of internal context, and therefore fail to prioritize their efforts.
Failure to adopt basic policies: Surprisingly, many organizations lack simple protocols and policies to handle cyberthreats. This results in an expensive response to each risk, each time. Simple de-risking rules can provide a substantial amount of protection without a lot of discussion or debate. Think of the use of checklists to reduce medical error in surgery: Through a review of a six-item checklist, the risk of error in surgery can be reduced by half. Similarly, common sources of cyber-risk can be addressed through mechanized or automated approaches, thus eliminating the most common errors. This allows risk professionals to focus their attention on special sources of risk and threats, or black swan events.
Lack of asset inventory: Often, organizations gain the first appreciation of their digital assets, such as intellectual property, when they’re at risk or in crisis. This is untenable and impractical. The first step toward an effective defense is understanding the value of what you’re defending and investing accordingly. Still, too many organizations fail to execute a proper asset discovery framework when it comes to digital assets, intellectual property, customer information, and other critical elements.
Failure to analyze risks: It is highly important for organizations to follow a clear path of action while assessing their ecosystem for sources of risk. Analyzing the risk factors in the supply chain may call for different actions from those required to mitigate risks among vendors or employees. Each segment of the ecosystem requires its own priority level for remediating those sources of risk, and there should be a standard risk calculation mechanism for determining these priorities.
Geographic sensitivity: Organizations in North America and Europe have developed some sensitivity to digital ecosystem risks and threats; the same cannot be said for organizations native to Asia and the Far East. This may be of special concern to multinationals whose operations span multiple major regions. Either way, organizations must meet the same, high standard for ecosystem risk assessment and remediation, regardless of where they operate.
Understanding risks from system and strategy failure by exploring worst-case scenarios
Digital ecosystems have the potential to streamline business processes, but they can develop serious risks if not managed effectively. A simple set of practices and methodologies that can safeguard against those risks is as follows:
Perform a ‘doomsday’ prioritization of your risk setup: This can be done by layering in the additional context of each potential source of threat, its geography, its unique vulnerabilities, and anything else informed by your best threat intelligence. Assess the potential loss of your most valuable and vulnerable assets and build a defense and mitigation strategy from there.
Create a clear plan for addressing a large set of your vulnerabilities: By creating a realistic but still ambitious plan to greatly reduce your vulnerabilities, you will have a metric for accountability. From our work with our clients, we know that such an approach reduces vulnerabilities 70% faster over a year.
Look for automation opportunities: While not widely available, an automated approach to assessment and risk management can produce meaningful reductions in the threat environment. Most solutions available to organizations rely on bespoke approaches. Automation, however, is the only realistic strategy that meets both the volume and dynamic nature of fresh threats.
Deploy a prioritized approach: Since the work of addressing vulnerabilities cannot be completed at the same level of intensity, organizations must break the work into specific scoreable parameters—shared intellectual property, shared personal data (personally identifiable information, personal health information, and payment card industry data), volume of data, and regulations covering the disbursement or accidental release of such data. These parameters may suggest a prioritization for the work to be done since they may well resolve questions about the severity of the relative risk.
Set a schedule for work: Organizations should assume a protocol for continuous monitoring through external risk-scoring solutions. At the same time, it is difficult to keep a constant eye on risks while focusing on the operational tasks at hand. Therefore, set a schedule to determine when to assess supply chain and other ecosystem players for their vulnerabilities.
Conduct dynamic assessments: It’s not wise, considering the dynamic and shifting nature of the risk, to calendarize risk assessment. Rather, organizations need to build in systems that test digital ecosystems in a dynamic and unpredictable way, with continuous monitoring and interdiction.
Create frameworks bound to policies and protocols: These may be drawn from industry frameworks such as ISO/IEC 27001 and those published by NIST. Such frameworks cover the legal, physical, and technical controls in an organization’s risk management system. At the very least, they provide a strong foundation for an individualized framework.
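As an added illustration of the prioritized approach described above (not part of the original article), the following Python sketch turns the scoreable parameters (shared IP, shared personal data categories, data volume, applicable regulations) into an exposure score, then combines that score with the business-context flag from the governance section to route each ecosystem participant to special handling, automated assessment, or baseline policy. The weights, thresholds, and sample inventory are constructed assumptions to be tuned to your own context.

```python
from dataclasses import dataclass

# Weights and bands are constructed for this example, not taken from any standard.
DATA_WEIGHTS = {"PII": 2, "PHI": 3, "PCI": 3}
VOLUME_BANDS = [(1_000, 0), (100_000, 1), (10_000_000, 2)]  # (upper bound, points)

@dataclass(frozen=True)
class Participant:
    name: str
    shares_ip: bool             # receives shared intellectual property
    data_categories: frozenset  # subset of DATA_WEIGHTS keys
    records: int                # volume of shared data (record count)
    regulations: frozenset      # regimes covering release of that data
    business_critical: bool     # internal context: central to the business?

def volume_points(records: int) -> int:
    for upper, points in VOLUME_BANDS:
        if records < upper:
            return points
    return 3  # at or above the largest band

def score(p: Participant) -> int:
    """Exposure score (0..17) from the scoreable parameters."""
    s = 3 if p.shares_ip else 0
    s += sum(DATA_WEIGHTS.get(c, 0) for c in p.data_categories)
    s += volume_points(p.records)
    s += min(len(p.regulations), 3)
    return s

def tier(p: Participant) -> str:
    """Special handling for central or high-exposure participants,
    automated assessment for the middle band, baseline policy otherwise."""
    if p.business_critical or score(p) >= 10:
        return "special handling"
    if score(p) >= 4:
        return "automated assessment"
    return "baseline policy"

TIER_ORDER = {"special handling": 0, "automated assessment": 1, "baseline policy": 2}

def prioritize(participants):
    """Return (name, score, tier) rows ordered by tier, then descending score."""
    rows = [(p.name, score(p), tier(p)) for p in participants]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[2]], -r[1], r[0]))

# Constructed sample inventory (hypothetical participants, not real vendors).
SAMPLE = [
    Participant("payroll-saas", False, frozenset({"PII", "PHI"}), 250_000, frozenset({"GDPR", "HIPAA"}), False),
    Participant("contract-manufacturer", True, frozenset(), 0, frozenset(), True),
    Participant("payment-gateway", False, frozenset({"PII", "PCI"}), 20_000_000, frozenset({"PCI DSS", "GDPR"}), False),
    Participant("office-supplies", False, frozenset(), 50, frozenset(), False),
]

if __name__ == "__main__":
    for name, s, t in prioritize(SAMPLE):
        print(f"{name:24} score={s:2d}  {t}")
```

Note that the contract manufacturer scores low on data exposure yet lands in the top tier because it is business-critical and receives IP, which is exactly the context-driven exception the governance section warns is often missed.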
Adopting a comprehensive approach for the future
At a minimum, organizations seeking to address the risks associated with digital ecosystems must adopt an approach that moves beyond chasing the latest crisis.
They must accept that certain risks pose a greater threat than others, that some can be greatly reduced through automated assessment and mitigation, and that some will be of particular concern because of their closeness to the core of the business. Organizations that adopt a systematic approach to de-risking their digital ecosystems will have a far greater sense of the nature of those risks, relevant to their industry and geography. They will also be able to build a far more comprehensive approach to facing threats.
Note: A version of this article was originally published on CSOonline.com.