Securing the future
Embracing the security benefits of digital transformation
Securing the future
Embracing the security benefits of digital transformation
Bas de GraafHead of Ethical Hacking Services , BT

Doing business today means doing so digitally. Although this brings us lots of advantages, it also introduces a wide range of threats.

Malware, viruses, data leakage, denial-of-service attacks, and more are all dangerous threats that businesses must defend against. Because of the critical importance of security, you might imagine that it would be sensible to take a conservative approach to new and emerging technology. But this thinking might also put your business at risk.

By continuing to use outdated technology, you expose your business to risk as vulnerabilities are well-known, and quite often support is no longer available.

I spend time thinking carefully about how organisations big and small can protect themselves from cyber threats and test the security of both their business software systems and their supporting infrastructure. 

The human factors associated with these are equally as important as the technology. I believe there is one thing that you can do to protect your business that is more important than any other: to wholeheartedly embrace new technology and digital transformation.

The problem - if you can call it that - is that people are smart, determined and innovative
Bas de GraafHead of Ethical Hacking Services, BT

Modern IT systems with their high-grade encryption and firewalls are, on paper, fully secure when we trust what the vendors are telling us. But what this doesn’t account for is the potentially weakest link of all: people.

The problem – if you can call it that – is that people are smart, determined, and innovative.

Example 1: long and complicated passwords

Insisting that employees use long, complicated passwords and change them regularly seems like a smart move. But any security benefits this might have will be undermined if the first thing the employee does after changing their password is write it down on a post-it note and stick it under their keyboard or on their monitor for the world to see.

Example 2: size limitations on email attachments

Corporate networks can impose size limitations on email attachments. In principle, this might appear to be a good way to protect the mail servers. However end-users may not always consider the impact of their actions and do not always have knowledge of how the underlying system works. 

We shouldn’t then be surprised when an employee needs to email a large PowerPoint presentation, rather than doing so in a controlled, IT-department-approved process, they just open a web browser and send it using their own unrestricted personal email account instead.

Even worse, perhaps they might upload it to one of the many free web-based file-sharing services, so they can email a link instead of the file itself. While convenient for the end-user, this creates a huge security problem.

Once the file has been uploaded it may not be clear how long the file is kept by the file sharing service, who has access to it in the meanwhile, or ultimately what might be done with it. The upload service could be doing, well, anything, with your company’s most sensitive information. You just don’t know.

While you can block these websites when people are connected to your company network, users may have access easily when working from their home location or by dropping the VPN. Due to the current situation we are facing where governments advise everyone to work from home, the problem might be even bigger than we think.

It could be:

  • your business process has introduced a new security problem
  • the process has been circumvented unintentionally
  • you’ve lost control of your data in the process.

 

People seek shortcuts

The lesson here should be simple. Although you can do a lot to create awareness, fighting against it is tough. Your people may be experts in their profession but not necessarily in the field of security. People are always going to look for the shortest route to achieve their goals and, in some cases, they might be really creative.

Real-world scenarios

I have witnessed first-hand, even with our clients, IT departments that filter encrypted files (like a report containing penetration test findings) upon network ingress. The employees from these same organisations who consume our security services then request that we send our reports to their private email addresses, again circumventing a well-intentioned security measure. 

So if your corporate security makes work harder, people will find a way around it, whether you like it or not. Humans will be human. On one level, the examples above of two common security threats might sound scary. But I think this is the wrong reaction. 

Shadow IT challenge

I think the “Shadow IT” challenge - that of employees finding their own solutions - is actually rather inspiring. They have identified problems – passwords being hard to remember and restrictive email attachments – and have used their own initiative to find solutions so that they can work more effectively. That’s exactly what you should want a brilliant employee to do. 

Paving the way for secure evolution

The challenge for us, as security-conscious managers and leaders then, is to instead figure out how we can best support employees to use new ways of working while keeping the business’s data secure and private. 

We should ask ourselves what new and emerging technologies we can leverage to work both more effectively and more securely. Instead of insisting employees remember long passwords, perhaps we can roll out password managers and two-factor authentication? Instead of restricting file sharing, could we offer a company-wide cloud storage that meets our security requirements? 

Tomorrow’s security landscape

Is it possible to build security so that it is completely frictionless and ubiquitous? Just as we do not need to think about locking our car or bike, can processes be rebuilt so the same is true for our business-critical systems and the supporting infrastructure? This is the opportunity that digital transformation presents.

At no point in this evolution did anyone stop and ask fundamental questions about the business and how it operates in a world that is digital by default
Bas de GraafHead of Ethical Hacking Services, BT

The security barrier

There is an irony to the security benefits of digital transformation. According to that same survey, the top reason why some managers said they were reluctant to embrace new technology was concerns about – that’s right – security.

But in my view, there is a way to overcome this fear, and it goes back to the human element. If you can bring employees and stakeholders on the digital transformation journey along with you, you are not just creating a stronger business, but there is the opportunity to create and instil a culture of security in your people too. 

When this collaboration happens, though humans may still be human, you can remain confident that your business is serious about security.