Securing the future

Embracing the security benefits of digital transformation

Bas de Graaf, Head of Ethical Hacking Services, BT

Doing business today means doing so digitally. Although this brings us lots of advantages, it also introduces a wide range of threats.

Malware, viruses, data leakage, denial-of-service attacks and more are all dangerous threats that businesses must defend against. Because of the critical importance of security, you might imagine that it would be sensible to take a conservative approach to new and emerging technology. But this thinking might also put your business at risk.

By continuing to use outdated technology, you expose your business to risk as vulnerabilities are well-known and quite often support is no longer available.

I spend time thinking carefully about how organisations big and small can protect themselves from cyber threats and test the security of both their business software systems and their supporting infrastructure. The human factors associated with these are just as important as the technology. I believe there is one thing that you can do to protect your business that is more important than any other: to wholeheartedly embrace new technology and digital transformation.

 


Modern IT systems with their high-grade encryption and firewalls are, on paper, fully secure if we trust what the vendors are telling us. But what this doesn’t account for is potentially the weakest link of all: people.

The problem - if you can call it that - is that people are smart, determined and innovative.

For example, insisting that employees use long, complicated passwords, and change them at regular intervals seems like a smart move. But any security benefits this might have will be undermined if the first thing the employee does after changing their password is write it down on a post-it note and stick it under their keyboard or on their monitor for the world to see.

Another example, if I may: what if a corporate network imposes size limitations on email attachments? Again, in principle this might make sense for protecting the mail servers. But end-users may not always consider the impact of their actions and do not always know how the underlying system works. We shouldn’t then be surprised when an employee who needs to email a large PowerPoint presentation, rather than doing so through a controlled, IT-department-approved process, just opens a web browser and sends it using their own unrestricted personal email account instead.

Even worse, perhaps they might upload it to one of the many free web-based file sharing services, so they can email a link instead of the file itself. While convenient for the end-user, this creates a huge security problem.

It could be:

  1. Your business process has introduced a new security problem
  2. The process has been circumvented unintentionally
  3. You’ve lost control of your data in the process
     

And then what?

Once the file has been uploaded, it may not be clear how long the file sharing service keeps it, who has access to it in the meantime, or ultimately what might be done with it. The upload service could be doing, well, anything, with your company’s most sensitive information. You just don’t know.

While you can block these websites when people are connected to your company network, users can easily reach them when working from home or by dropping the VPN. Due to the current situation we are facing, where governments advise everyone to work from home, the problem might be even bigger than we think.

Humans gonna human

The lesson here should be simple. Although you can do a lot to create awareness, fighting against human nature is tough. Your people may be experts in their profession but not necessarily in the field of security. People are always going to look for the shortest route to achieve their goal and, in some cases, they might be really creative.

I have witnessed first-hand, even with our clients, IT departments which filter encrypted files (like a report containing PenTest findings) upon network ingress. The employees from these same organisations who consume our security services then request that we send our reports to their private email addresses, again circumventing a well-intentioned security measure. So if your corporate security makes work harder, people will find a way around it, whether you like it or not. Humans will be human.

On one level, the examples above of two common security threats might sound scary. But I think this is the wrong reaction. I think the “Shadow IT” challenge - that of employees finding their own solutions - is actually rather inspiring. They have identified problems - passwords being hard to remember and restrictive email attachments - and have used their own initiative to find solutions so that they can work more effectively. That’s exactly what you should want a brilliant employee to do.

The challenge for us, as security-conscious managers and leaders, is instead to figure out how we can best support employees in using new ways of working while keeping security protection in place for the corporate workforce. We should ask ourselves what new and emerging technologies we can leverage to work both more effectively and more securely. Instead of insisting employees remember long passwords, perhaps we can roll out password managers and two-factor authentication? Instead of restricting file sharing, could we offer company-wide cloud storage that meets our security requirements? Is it possible to build in security so that it is completely frictionless and ubiquitous?

Just as we do not need to think about locking our car or bike, can processes be rebuilt so the same is true for our business-critical systems and the supporting infrastructure? This is the opportunity that digital transformation presents.

 

At no point in this evolution did anyone stop and ask fundamental questions about the business and how it operates in a world that is digital by default
Bas de Graaf, Head of Ethical Hacking Services, BT

The security barrier

There is an irony to the security benefits of digital transformation. According to that same survey, the top reason why some managers said they were reluctant to embrace new technology was concerns about - that’s right - security.

But in my view, there is a way to overcome this fear, and it goes back to the human element. If you can bring employees and stakeholders on the digital transformation journey along with you, you are not just creating a stronger business, but there is the opportunity to create and instil a culture of security in your people too. 

When this collaboration happens, though humans may still be human, you can remain confident that your business is serious about security.

 
