The Challenge of Security in Digital Transformation

When it comes to the digital transformation of your company, IT security is increasingly important: to be sustainably efficient and productive, digitization needs a comprehensive security strategy. Recent studies and surveys show that many companies still don’t take security seriously enough, or are reluctant to introduce digital processes because they fear disastrous security flaws.

The “Hillary” case illustrates the problem

During the US presidential elections in November 2016, the Democratic candidate Hillary Clinton had to contend with one serious error: during her time as US Secretary of State, she had used a private email server for both her private and professional email correspondence “out of convenience” – a striking security risk which opened the door to unauthorized use of data. What happened here is also one of the biggest security weaknesses for companies: emails carrying masses of malware, uncontrolled internet access, and human error are still the biggest security risks in the digital world. In addition, more and more people are using tablets and smartphones for work – but 17 percent of smartphones used in SMEs are still unsecured (DsIN SicherheitsMonitor 2016 Mittelstand. IT-Sicherheitslage in Deutschland. 2016, p.13).

With digitization, the interlinking and interaction of systems, machines, business areas, back office, service providers, suppliers, crowd services and, not least, customers is taking on a new dimension. It’s clear that this complexity also brings new security risks. Many companies see the opportunities that digitization offers for increased productivity, efficiency and customer retention. But they often still overlook the increased threat posed by digital attackers and security flaws.

IT specialists can act as important advisers for management and employees, and as adept strategists who maintain an overview in order to develop comprehensive, company-wide security strategies.

A danger foreseen, danger averted

According to the study “Digitalisierung und IT-Sicherheit” by the Bundesdruckerei in collaboration with KANTAR EMNID, the need to improve technical IT security measures was recognized by 43 percent of companies, while 39 percent identified a need for improved organizational measures and 32 percent wanted to improve personnel IT security measures (Bundesdruckerei GmbH in collaboration with KANTAR EMNID, Studie Digitalisierung und IT-Sicherheit in Deutschen Unternehmen, 2017, p.5).

Nevertheless, the industry is caught in a dilemma: digital transformation is progressing at a breathtaking pace worldwide and you don’t want to be left behind. That’s why companies sometimes go along with the latest technology without being adequately prepared for serious emergencies, such as a cyber-attack.

A loss of customer confidence is the price to pay for disastrous security breaches

The issue of security is thus pushed into the background in favor of faster digitization – potentially with disastrous consequences. If, for example, customer data ends up in the wrong hands – as has already happened on a large scale at T-Online, the gaming portal Valve or Facebook – this causes irreparable damage to customer relationships, which can threaten the existence of small and medium-sized companies.

Over 50 percent of companies affected

But the dangers arising from unsecured processes and IT weaknesses are even more diverse:

  • Manipulation of data of all kinds
  • Sabotage and manipulation of business processes or IT systems
  • Theft of development know-how
  • Theft of financial data
  • Spying on electronic communications
  • Blackmail

According to the digital association BITKOM, 51 percent of companies were affected by industrial espionage, sabotage or data theft in 2014/2015 – mostly medium-sized companies with 100 to 499 employees (BITKOM study report Spionage, Sabotage und Datendiebstahl – Wirtschaftsschutz im digitalen Zeitalter, Berlin 2015).

It can happen to any company or public authority, and to municipal institutions such as energy providers or public transport companies. The security company Sophos demonstrated the danger at CeBIT 2015 with a test set-up: just 15 minutes after the start, more than 700 attacks had been registered on the control system. At DEF CON 2016, hackers identified 47 critical security flaws in 23 IoT devices. In 2015, the Cyber-Security Council Germany estimated the annual damage caused by cyber-attacks to be around 50 billion euros – there are no precise figures as many companies do not report incidents.

The more complex the infrastructure, the more varied the dangers

External attacks are above all facilitated by internal weaknesses. These include:

  • prioritizing the pursuit of profit over security, and a lack of investment in modern software and services
  • understaffed IT departments with increasingly complex tasks
  • shortage of staff competent in the area of IT security
  • management and staff lacking an awareness of the risks
  • traditional, poorly secured communication processes with authorities, suppliers, and customers that are maintained for convenience
  • a huge number of events to be supervised, in which an attacker can slip through the net unnoticed

What can IT managers do?

  • It is generally recommended to try and adopt the perspective of an attacker, in order to gain an insight into their intentions and methods. This makes it easier to identify critical weaknesses and plug security holes.
  • It is important to develop an efficient, company-wide overall strategy for IT security. This needs to protect effectively against risks, but without significantly impacting the performance of the IT infrastructure. In a nutshell: IT security must not become a bottleneck.
  • As an IT specialist, you are in the ideal position to raise awareness around the subject of IT security among management and staff.
  • Make IT structures leaner and masses of data more manageable. This is often simple and effective with professional, certified cloud solutions.
  • Continuously monitor and, above all, secure the interfaces between machines and equipment, and to external parties (cloud, branches, subsidiaries, warehouse, suppliers, customers...). Alternatively, choose a provider that offers this as part of its service package.
  • Assign access rights carefully. Make sure that solutions purchased externally, such as cloud services for data storage and exchange, allow for this.
  • Develop compliance regulations for the area of security and ensure these are adhered to.
  • Ensure basic protection through regular software updates, virus scans, firewalls, continuous monitoring of the overall IT system (weaknesses, cyber-attacks), and effective encryption methods.