Digital Transformation appears to be ubiquitous, with different connotations across enterprises. Regardless of what “Digital Transformation” means for an enterprise, it brings an increased focus on security and increased security threats. This article will go into the benefits and the risks to security posed by an organization’s desire to be more agile and responsive to market needs.
CIOs have had to deal with security challenges for decades, and in spite of the best efforts and increased investments, 50% of US companies had a cyber-attack in 2017. The problem is amplified by the increase in endpoints and the complexity of the attack vectors due to technologies such as IoT and mobile devices accessing the enterprise network. The statistics from CSO Online show that 61% of organizations have experienced an IoT security incident, 90% of remote code execution attacks are associated with cryptomining and 54% of companies have experienced an industrial control system security incident. While the additional devices and new ingress points are straining security, there has been an increase in targeted phishing attacks, ransomware and malware as well. Our good old e-mail is still the major source (92%) of malware causing havoc on enterprises. The price tag on an average ransomware attack is not trivial – it can cost an enterprise $5M. The recent WannaCry and NotPetya attacks show that the scale of an attack can be humongous, impacting the entire healthcare network of the NHS and other organizations such as Telefonica.
Digital transformation, which at the end of the day is leveraging technological innovations to drive better business outcomes, capitalizes on 4 key technologies – Cloud, Internet of Things, Machine Learning/Artificial Intelligence and Mobility. Technologies such as Blockchain are also becoming relevant for certain enterprises. Enterprises are looking to drive automation of business processes and digital connectedness of the entire value chain to drive agility. A number of them are creating new business models and leveraging data to drive growth. As outlined in the MIT Technology Review, in the digital era, the focus needs to shift from securing network perimeters to safeguarding data spread across systems, devices, and the cloud.
Digital Transformation poses several new security challenges for enterprises:
- Polymorphic Attacks: Sophisticated attacks that can change and adapt to avoid detection by traditional security solutions. The malware frequently changes attack states, uses different file names, hashes or signatures, and encrypts or otherwise hides its code so as to avoid detection and eradication.
- DevOps: Agile development and DevOps are fundamental to Digital delivery. Rapid releases and continuous integration and development could let security vulnerabilities pass through undetected into production.
- Lack of visibility across diverse environments: Hybrid Cloud based IT infrastructure, highly distributed environments spanning remote branches, and non-integrated, siloed multi-vendor point defense products lead to a lack of visibility of vulnerabilities across user, system and network.
- Digital Value Chain: Increased direct connectivity across suppliers, partners and customers is exposing several new weak links to attackers, as the network is no longer contained and perimeter protection is no longer enough.
- Endpoint devices in highly vulnerable locations: Next-generation devices such as IoT in industrial equipment and consumer devices are now deployed in potentially vulnerable environments such as vehicles, hospitals, and energy plants, vastly increasing the risks to human welfare. Concerns about such devices being hacked, turned into botnets, and used to attack targeted computers and organizations are growing as well.
- Application vulnerabilities: Application Development teams should share the responsibility for CyberSecurity with the Infrastructure and Security teams, as a number of new vulnerabilities are being exposed through applications and the development team is responsible for hardening and securing applications. Self-defending apps are being created with advanced access-control capabilities, allowing them to react to malicious source-code modifications and debugging at runtime. Encryption is being built in both for data at rest and in transit.
It is not all doom and gloom for the Security Professional. Digital Transformation has brought several boons as well. There is increased awareness at the C-level and Board of Security issues, and additional funds are being allocated to build security into Digital Transformation. CIOs are using this opportunity to strengthen the posture and shore up the infrastructure, plugging the holes and strengthening the weak links. In addition, there is an increased need to be compliant, and organizations are willing to spend money to comply with certifications/regulations such as PCI-DSS, HIPAA and GDPR, and also to respect data sovereignty requirements set by countries such as China, Russia, UK, Germany, Australia etc. According to the 2018 IDG Security Priorities Study, where respondents could choose more than one factor, compliance mandates are driving 69% of security spending, mandates from the Board 33%, and responding to a security incident at another organization 29%.
Another key advantage, in addition to awareness and funding, is that Security has moved beyond IT to business operations, and enterprises are even making security a competitive differentiator. Security is integral to the adoption of innovative, newer technologies and is embedded into Software Defined Networks (SDN) to provide seamless and secure access to data.
Enterprises are leveraging Digital Transformation to rearchitect their platforms and integrate systems to create a unified security architecture. Threat intelligence is being shared across the organization and across multiple companies; additional safeguards are being put in place in the network, systems and applications; and a significant portion of security operations is being automated and monitored 24×7, leveraging modern Security Operations Centers (SOC) and Network Operations Centers (NOC).
Since digital transformations are spreading data across diverse environments and are creating connected value chains, vulnerabilities can rapidly spread and cause millions of dollars of damage and significant reputational impact. C-level executives and the Board have to adopt a proactive stance and make reviewing security a regular agenda item at Board meetings.
The following measures can be taken by enterprises to reduce risk across 10 areas in the digital landscape – Strategic, Technology, Operations, Third Party, Regulatory, Forensics, Cyber, Resilience, Data Leakage, and Privacy:
- Secure Maintenance/Patching – Review Common Vulnerabilities and Exposures on a monthly basis to assess risk. Practice proactive and timely patch management.
- Application and Custom Code Security: Harden Applications and strengthen DevOps. Leverage source-code security scanning tools to identify vulnerabilities in programs.
- Encryption: Develop and deploy consistent encryption both at-rest and in-transit
- Network Security: Segment the network with separation of high-security areas and privileged access.
- Operating Systems and Database Security: Restrict database-access and provide dedicated security requirements for all Operating Systems.
- Front-end security: Secure configuration for clients and mobile endpoints with appropriate access control lists and Identity Access Management
- Communication Security – Use encrypted communication such as SSL, TLS and secure RFC
- Security Operations Center – Monitor security audit logs and all systems especially for critical applications and users. Automate cyber-security practices and use the SOC/NOC to monitor.
- Training and Awareness – Build training programs and create phishing simulated attacks to improve security awareness and drive change across all employees in the organization
- Integrated Security Systems – Integrate security systems and/or use a single pane of glass to improve visibility across the larger attack surface.
- Sharing Threat Intelligence – Share threats across the enterprise as soon as they are detected
- Business Continuity: Define emergency, backup, and disaster recovery concepts to ensure business continuity. Prepare end-to-end fallback systems for critical processes and applications.
Digital Transformation is leading to Security Transformation and, as with all transformations, change management across all levels is imperative to make sure enterprises are prepared in today’s environment, where attacks are becoming more sophisticated and attack vectors and surfaces are increasing. Enterprises need to be agile to adapt to the changes in the threat landscape and respond quickly and effectively.