It’s difficult to avoid discussions about digital trends, business models and the resulting benefits. The world’s most valued organisations provide digital services. Private investment in new digital start-ups is sky high, while the benefits to organisations of digitalising processes and services can be significant. Digitalisation is generally a force for good, but as Steven Webb and Anthony Leather point out in the first of a regular and exclusive series of monthly articles for the readers of Risk Xtra, there’s also a significant cyber risk. To mitigate the threat and ensure they’re as well prepared as they can be for any data loss or disruption, there are several questions that organisations should always ask themselves.
Before we consider those questions, what exactly is digitalisation? The Oxford English Dictionary defines it as an operation to “convert (pictures or sound) into a digital form that can be processed by a computer”. In short, this is the Big Data revolution which requires computers to create insights and deliver actions based on processing huge quantities of data. As data volumes grow and analytics become increasingly sophisticated, we’re moving from insight to foresight and the increasingly accurate prediction of future outcomes.
The pace of the digital revolution has been significant as organisations prioritise investment in new processes and customer solutions. The benefits derived from increasingly networked, data-driven and intelligent infrastructures are significant, though they’re counterbalanced by our increasing reliance on these systems and their vulnerability to pernicious threats. This will result in an escalating digital battle between Government and business and those intent on causing financial, reputational or physical damage.
There are strong arguments supporting the assertion that the digital battle against criminality is being lost for reasons that include insufficient Governmental regulation and policy, organisational inertia towards addressing cyber risk, the escalating economic cost of cyber criminality and the challenges of holding cyber criminals to account for their actions.
It’s understandable that managers can feel overwhelmed by the scale of the cyber threat, and especially so as applications and endpoints continue to grow and security remains an afterthought. On that note, a recent PwC survey on the subject of ‘Digital Trust’ highlighted that only 53% of respondents agreed that “cyber and privacy risk management is baked-in fully from the start of transformational projects.”
To help organisations address evolving cyber challenges, there are several simple questions that organisations should ask themselves on a regular basis. These questions might be familiar to CISOs or corporate risk managers in multinational organisations, but SMEs will not always have a structured risk assessment process and may not ask these questions often enough. If that’s the situation then somebody needs to take ownership of the role quickly.
There are four key questions to be asked.
(1) What are the external and internal digital risks posed to the company?
News channels frequently report on the size of the cyber problem with headlines focusing on Doomsday-style scenarios. However, beyond the news on British Airways’ data loss and the resulting fine, or the latest state-on-state cyber attack, what matters is how big the cyber threat really is to your organisation. A multinational digital giant managing thousands of endpoints and constant application development may be more challenging to protect than a local family business. Although the threats will be different, the impact on a smaller business may be no less severe.
Each business should define what cyber risk means to them and consider the operational, financial and reputational damage that could be caused by data loss, a cyber security incident by way of third parties through the supply chain or even malicious internal activity.
A thorough evaluation of the risk also helps to build a strong business case to persuade executives to invest time and resources into improving protection, mitigation and resilience.
Running at least an annual risk assessment sounds straightforward, but another survey suggests otherwise. The Department for Digital, Culture, Media and Sport published a report entitled the ‘Cyber Security Breaches Survey 2019’ which surveyed over 1,500 businesses. Out of those, only 31% had completed a cyber risk assessment within the last 12 months, which suggests that many organisations have yet to develop a systematic approach towards their cyber risk management. For those organisations lacking resources, there are a number of different frameworks that are freely available through the Institute of Risk Management and the National Cyber Security Centre.
(2) Who comprises the digital risk team?
The risk profile of the company is typically set by the Board and, increasingly, cyber security is a key feature of organisational risk registers. However, in large organisations the risk team needs to be wider than the Board or risk officer who then sets the policy.
We believe that increased risk from Internet of Things-related trends will result in the convergence of internal organisational risk policy, security process and contingency planning between operational, physical security and information security teams. This is due to the overlapping threats and enterprise-wide consequences of an attack. A more co-ordinated approach to physical and information security will become more widespread over time, while contingency planning and disaster response need to incorporate operational teams.
The potential reputational damage from operational failure or data loss also requires an external communications plan to limit the effect of any adverse publicity.
Reducing the cyber risk will also require greater external collaboration and information sharing across business and Government to ensure that there are real-time alerts of complex threats affecting multiple organisations and that best practice and mitigation strategies are shared. The basis of policy such as the General Data Protection Regulation and the NIS, plus that for the national cyber centres and CERTs, is to reduce risk through openness and information sharing.
(3) How should the business protect itself against the increased digital risk?
When people think about protection they automatically think about firewalls, access control or other solutions to safeguard access and filter content. These remain very important tools, but in truth are only part of the overall solution. Organisations need to implement the latest policies and ensure that these are updated in real-time through automated processes.
Beyond policy and network protection tools, there also needs to be staff training as one of the most common risks is staff negligence through, for example, sending data to an external party by mistake. Policy, protection and staff awareness will all help to reduce risk if carried out properly. This isn’t an easy task and organisations should consider whether they’re best placed to manage these processes themselves or rely on managed security service vendors who have the staff, tools and monitoring capabilities to protect organisations.
Understanding the risk profile and developing the right protection strategies also needs to be accompanied with an incident response plan. The Department for Digital, Culture, Media and Sport survey, however, again suggests there’s room for improvement with only 16% of businesses surveyed having a formal incident response plan in place.
Contingency planning has long been based on returning to ‘business as usual’ which is effectively building a plan to recover to the organisation’s previous operational status. However, there’s a paradigm shift whereby remediation of an incident returns an organisation to a ‘new normal’ wherein the business is more secure and more resilient. This, at least in part, is driven by the learning experience and costs associated with a significant breach.
Further information on the tools and practices to protect against cyber threats can be sourced through the aforementioned National Cyber Security Centre.
(4) How should the organisation plan for future risks?
Beyond constantly evaluating the business requirement and strategy and how this will impact the organisational risk profile, security and risk teams should also keep updated on new technological solutions. One of the key challenges in lowering an organisation’s exposure to data loss and similar incidents is the speed with which technology evolves and how quickly new challenges emerge. However, it should reassure everybody that, for every emerging challenge, there’s almost always an emerging solution, as the following two examples highlight.
Concern over facial recognition technology and privacy has grown lately and resulted in cities like San Francisco banning the technology. However, it’s unlikely that the growing adoption of facial recognition technology will slow due to the willingness of people to share their data and the benefits that organisations can derive through using the technology. A good example is the latest trend of FaceApp that recently spread across social media. The app is used to create images of what people will look like in 20 years’ time. Most people who’ve used it have given over all their rights to the pictures and image of their face. The app’s Terms and Conditions clearly state that it can use the photo in any way it sees fit with no chance for complaint or appeal.
In addition, facial recognition technology is increasingly being used in the corporate world to ensure that the right people have access to the appropriate areas. However, this also provides a risk to the organisation should the digital images be stolen through a cyber incident.
D-ID is an organisation that’s tackling privacy-related issues through a solution that prevents any software from identifying the protected photo. It protects the individual’s identity and lowers the organisation’s exposure to any data loss.
Another example related to computer vision and image processing is Deepfake, an emerging technology that’s already alarming Governments. Derived from ‘Deep Learning’ and ‘Fake’, the technology – which is available as open source – manipulates images, videos and audio files to create lifelike likenesses of individuals. This is likely to lead to a new cyber challenge that enables criminal organisations to use fake images for their gain. They could fake the voice of a CEO to authorise payments, cause reputational damage or bypass authentication.
While there’s no problem today, it’s likely to emerge as a real threat over the next five years and organisations are already tackling the threat. Start-up Cyabra (from Israel) is one such organisation, while Faculty (UK) is another working on solutions.
There’s a wide range of conferences and trade shows in the UK where many of these organisations exhibit, and it’s good practice for security and risk management-focused professionals to routinely visit them and update themselves on new technologies. Remember, it’s not always the large stands that have the most interesting solutions.
Steven Webb and Anthony Leather are Directors of Westlands Advisory (www.westlandsadvisory.com)
Next month: Security Convergence – what is it, why does it matter and what should organisations be doing to address this issue