Recently, as part of a professional development exercise, I examined the effect of digital transformation on businesses, specifically the exponential growth in Cloud Computing, Artificial Intelligence (AI) and the Internet of Things (IoT). As part of the examination, I looked not just at the benefits, but also at the concerns regarding the mushrooming risks to data and network security, and at how organizations can mitigate their risk and allay customer concerns. The following is an excerpt summary from an article I wrote.
Connectivity puts data and networks within the reach of enterprising bad actors with the expertise and persistence to attack and crack network security systems. Recent and continuing hacks reveal the vulnerability of corporations, government agencies and individuals to process disruptions, ransom demands and damaging exposure. Governments and corporations are scrambling to keep up with the attacks: the former are rolling out sweeping regulations such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in California to tighten personal data management, while corporations are spending hundreds of billions, an amount expected to “exceed $1 trillion cumulatively over the five-year period from 2017 to 2021,” to protect their networks.
An intrusion on the network of a service provider could cripple operations for days or weeks, resulting in lost revenue, a potential ransom demand, and a PR nightmare. Exposure of employee and client data would likely entail significant financial consequences in addition to major reputational risk. Therefore, as digital transformation and evolution progress, it is incumbent on firms to establish the most effective preventative measures, as well as nimble response mechanisms, in their approach to risk management and data security.
For many firms, a two-part strategy will be the optimal solution. First, it allows them to establish a broad-based cybersecurity infrastructure and culture; then, over time, it evolves into a more targeted program that prioritizes high-risk aspects. McKinsey & Company promoted this approach in a model that classifies cyber risk programs on a scale from a worst case of “no security awareness” to a best case of “holistic resilience” enabled by artificial intelligence. This proposed approach builds on the widely used “maturity-based approach,” in which a cybersecurity team manages companywide prevention and response, and the “risk-based” approach, which seeks to improve upon the maturity-based approach by focusing time and resources on the areas of greatest risk to the company. While these efforts would be led by a cybersecurity team, it is worth underscoring that risk management and enhanced security precautions require the training and effort of every employee.
The maturity-based approach is common among companies, and many experts laud it as a good starting point because it addresses the broad range of potential risks by integrating risk management protocols companywide, and it establishes a corporate ethos of prevention, monitoring, response, and organizational awareness.
The cost of this protection is hard to quantify with precision but can be massive. Estimates range from 6% to 20% of a company’s IT budget, depending on company size, range of activities, sensitive data, and network structure. In its latest Cyber Resilient Organization Report, IBM noted that just 26% of the 3,400 respondents to its 2020 survey used a firmwide cybersecurity incident response plan coupled with AI, machine learning and other technology to strengthen their overall security. Many also reported resource and budget constraints as a major factor.
Establishing the maturity-based approach, with controls both on site and at the cloud service provider (CSP), will put in place a security structure for the obvious risk areas, satisfy client concerns and meet the requirements of privacy regulators. However, this approach can be improved by transitioning to the risk-based approach.
The Risk-Based Model
In echoing the McKinsey risk-based model, Alexander Moiseev, Chief Business Officer of Kaspersky, noted, “More mature organizations do not try to fix as many gaps as possible. First, they look at critical business risks, whether it’s downtime, service availability, a destroyed reputation, lost business opportunities or any kind of direct monetary losses.
For the businesses with this mindset, cybersecurity isn’t a habit, or a ‘necessary evil’ investment instigated by scary headlines, it’s reasonable and based on risk calculation.”
This approach also addresses a concern raised by some experts: it is neither practical nor necessary to monitor everything. Instead, resources should be repositioned to the areas of greatest risk, and employee training should be prioritized, as it is more beneficial than additional application spending. Employee training is also often one of the most overlooked, yet most critical, centerpieces of any response plan, as borne out in a study by Kaspersky Labs, which found that over 50% of the businesses surveyed listed employees as their greatest weakness.
Data Security: A Shared Responsibility
Any good cybersecurity plan must address vulnerabilities at the company level as well as at the cloud service provider (CSP) level. This includes managing users, the type of data held in the cloud, and access to that data. The IT team must be trained and resourced for this role so that it can properly assess the CSP and ensure its security posture is sufficient. The plan must also address IoT, which, while seen as a godsend by many users of technology because of the ease of connection among people and devices, is ripe for exploits.
The U.S. Department of Homeland Security (DHS), recognizing the exponential growth and potential vulnerabilities of IoT, published a guiding document titled “Strategic Principles for Securing the Internet of Things.” In it, DHS provided several recommendations, including incorporating security at the design phase of any comprehensive system and advancing security updates and vulnerability management tools.
The Business Case for a Strong Risk Management Approach
There is no doubt that costs continue to balloon, and simultaneously, customers are expecting an even greater degree of security and privacy. How can a firm manage both without sacrificing its reputation or customer confidence, or suffering a data breach? While the answer is multi-faceted and requires flexibility, what is clear from the research is that companies that are performing well also invested heavily in training, detection, and containment. They had implemented at least a maturity-based approach and embarked on a philosophical change that required companywide buy-in, mainly to set risk appetite thresholds.
EY risk manager Michael Herrinton, writing in Harvard Business Review, reported that, “Top-performing companies - from a risk maturity perspective - implemented on average twice as many of the key risk capabilities as those in the lowest-performing group.” Additionally, these companies believed that it made business sense; they were more likely to outperform their peers and generated as much as three times the Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA) of their peers.