Digitalisation has permeated all spheres of society, including politics and economics as well as science and culture. It has changed the way people live and interact in their day-to-day lives. Technologies such as the cloud, big data analytics, mobile computing, the blockchain, the Internet of Things (IoT) and Artificial Intelligence (AI) are transforming how organisations manage their day-to-day business, from decision making to customer service. They have extended beyond the confines of traditional ICT systems and functions, for example through their access to sensitive data and their conduct of decentralised activities which may be critical in their own right. Thus, digitalisation knows no personal, functional, organisational or even national bounds, creating in effect new challenges, including those of privacy and security. The resulting paradox is that whilst society becomes more efficient as digitalisation progresses, it also becomes more fragile and more vulnerable to cyber-related attacks.
Data breaches are increasingly one of the main consequences of cyber-attacks, especially in business domains that handle sensitive data, such as medical and financial institutions. They may result from social engineering methods which maliciously trick users into providing unauthorised access or data; from the loss or theft of mobile devices or media carrying sensitive data; from insider accidents by employees who mistakenly grant access to sensitive information; or from a lack of cybersecurity preparedness on the part of business partners.
Worst of all, because they are the least expected, are insider frauds committed by an organisation's own employees, and insider snooping, whereby sensitive data is accessed by employees who are not authorised to see it. Despite being least expected, these are viewed as among the most common cyber-related data breaches.
Additionally, traditional ICT systems increasingly coexist with user-managed devices such as BYOD (Bring Your Own Device) and with a vast number of other data management systems. Their deployment in potentially vulnerable environments such as hospitals and power generation plants compounds the risk that cyber-attacks pose to human welfare. Similarly, the disruption of a single market entity through a cyber-attack may carry risks across multiple countries and financial infrastructures, damaging trust in banking and payment services and thus disrupting the smooth functioning of society.
Within the EU, the latest legal initiatives are one means of countering the new digital security threats in the long run. Whilst the General Data Protection Regulation (GDPR) aims to protect EU citizens' personal data, the Network and Information Systems (NIS) Directive aims to help protect critical European infrastructure. They are good and necessary initiatives that will have a favourable impact on EU Member States' data protection capabilities and cyber resilience over the coming years.
However, digitalisation has arrived at a tempo that few had envisaged, bringing new threats and leaving significant gaps in cyber security awareness and behaviour. Whilst predictions of where technology is heading are relatively good, the same cannot be said of its social implications. Thus, cyber security cannot be obtained through legislation alone; it requires the intense, coordinated and continuous understanding and involvement of the entire digital value chain, from citizens to digital suppliers, organisations, law enforcement entities and governments. Apart from the technical perspective, the need to understand and tackle such a challenge from a behavioural science point of view is thus crucial.
Attackers in cyberspace, after all, wield a huge advantage over defenders. They need to find and exploit only one vulnerability to obtain results. Organisations, on the other hand, need to ensure that a myriad of cyber security challenges are addressed and that ever-increasing connectivity is achieved in the most secure and holistic manner. This involves technology as well as strategy, processes and, ultimately, people themselves.
Indeed, cyber security requires strategy and prioritisation. Digital transformation projects may look attractive at the business case level when viewed in terms of change, ability, speed, connectivity and customer experience. Security, however, is often seen as a stumbling block. It is true that security is not always an easy feat, and unfortunately the relationship between security and emerging technologies is often an uneasy one. Rather than looking solely at the return on investment in such technologies, it is therefore best to factor in at the outset the potential losses should there be a failure to properly assess and protect those areas which need securing. Cyber security cannot be an afterthought. Cyber security professionals thus need to be involved from the outset of any digitalisation project.
Within the context of digitalisation, cyber security that begins at the level of the individual mobile user and works all the way up to system-wide vulnerabilities is increasingly a must. The role of information and data in all of this is critical and must not be undervalued. It is therefore necessary for all systems and technologies involved to be categorised in terms of their criticality, especially if they handle or manage sensitive data or operations. Using the analogy of a walled city, security defences built around the traditional ICT systems would once have provided adequate protection to the 'crown jewels'. Such an approach no longer holds. Cyber security needs to extend beyond the perimeter of the traditional ICT systems or IT functions, given that other interconnected peripheral devices and systems are also likely to manage critical or sensitive data or operations. Thus, rather than the notion of a walled citadel, the more appropriate model is that of an open city with a number of critical sites, each adequately protected. Ultimately, cyber-attacks focus on the weakest parts of the attack surface!
Moreover, building cyber security defences and having alarm and monitoring mechanisms is not enough. They need to be tested regularly, and any vulnerabilities found must be remediated. Technology can be an enabler of an integrated and holistic approach. In the assessment and procurement of tools and services, cyber security must be treated as one of the key requirements and built into the design of the technologies under evaluation to the maximum extent possible. Given the proliferation of ICT in various new technologies, their evaluation may require not solely ICT expertise but also collaboration with other specialist technical experts, depending upon the tool or service being assessed. Additionally, the selection of tools or services purely for cyber security purposes (such as for a Security Operations Centre) calls for an architectural vision rather than the mere evaluation of a single product in the traditional best-of-breed approach.
In all this, the way new technologies are evaluated, implemented and run may call for updated or new security-related processes and methodologies as guidelines.
Cyber resilience calls not only for the right infrastructure but also for clear and strong direction from top management on preparedness, awareness and mitigation, as well as investment in enhanced awareness, smart policies and effective governance. Cybersecurity is an overall management challenge requiring a holistic, risk-management perspective. An organisation's top management must not simply pay lip service to cyber security. It needs to support good security practices and, more so, to follow them and be seen to follow them. Top security personnel need a direct reporting line to the organisation's top management. From a skills viewpoint, whilst ICT professionals need to be aware of the specifics of the various devices in use, other personnel need to be trained in the essentials of ICT security.
In essence, for digitalisation to succeed, changing the thinking, strategy and maturity regarding cybersecurity is a must. It calls for a holistic approach to cyber security, governance and organisation so as to ensure better preparedness on all fronts in an ever-widening cyber security picture.
Ultimately, cybersecurity should become a collective responsibility, and cyber awareness and computer hygiene should become an integral part of digital education and literacy programmes for individuals and organisations alike. Basic computer hygiene, such as keeping software updated, having endpoint protection, and backing up and encrypting sensitive data, is a good initial base for the cyber security culture needed to complement the progress of digitalisation.
Let no one be deluded or lulled into a false sense of cyber security. Cyber-related threats in this era of digitalisation are real and increasing. Cyber security must therefore be seriously reckoned with and dealt with in a responsible and comprehensive manner!
Article written by Dr. Keith Cilia Debono for The Accountant.