When it comes to security, digital transformation brings about new demands and new risks. To enable users to adopt these new services in total confidence whilst fully understanding the data risks for the company, a global approach should be put into place. Here I set out the 5 golden rules that I would recommend to new IT Security Managers (ITSM).
At each stage of the data transformation project, there are important security-related consequences that must be kept in mind. These range from wider system access to unstructured and increasingly less partitioned data, as well as a vaster and more diverse population of users to the co-existence of old applications with new technologies. The list goes on. Therefore traditional partitioning strategies are no longer relevant. Implementing a global (not siloed), entirely rejigged security strategy is necessary to ensure the success of your digital transformation plan. New ITSM have got their work cut out for them!
An ‘end-to-end’ approach
This involves real vision, taking into account all aspects of digitalisation and offering a coherent approach to security. This approach should be managed using strategic choices until their implementation into the company processes, applications, and infrastructure.
An ‘end-to-end’ approach should be employed and focused on 2 main objectives: the protection of clients’ and employees’ private lives with particular emphasis on personal data, and the protection of the company, with emphasis on its IT capabilities and production data.
To assist those new ITSM responsible for cyber security during digital transformation, here are my 5 golden rules for success:
1 – Think security from the development stage
The particularity of digital transformation is the arrival of new technology and new uses of existing technology. Generally developed through iterative design, the security of these applications is often dealt with post-pilot stage once the concept has been approved. But making an application secure post-development can prove very complicated if the structure was not developed with this in mind initially. A development method known as “secure by design” should therefore be adopted to ensure that the different risks are identified from the development stage.
2 – Be vigilant
Vigilance should be enforced when managing user identities and system access. This is one of the real issues of digital transformation; the multiplication and diversity of users is increasing, and yet authorisation systems remain a weak point. Even biometric solutions have shown their limits. For example, user profiles with the authorisation to generate sensitive data (such as money transfers) should be partitioned from the profiles that subsequently authorise these data. Additionally, the number of privileged-access users and accounts should be kept to a minimum. Last but not least, a strict password policy should be enforced combined with multifactor authentication systems in relation to sensitive processes.
3 – Isolate vulnerable systems
Application suites are often very varied because they use technologies developed at different periods in time. As new applications must communicate with and integrate into the existing suite, managing obsolescence and technological heterogeneity between applications should be dealt with as a matter of priority. It is, then, sometimes necessary to isolate these vulnerable systems by protecting them specifically, as they were not developed to face these new security issues from the outset. Finally, any failures to respect security rules should be noted and dealt with appropriately.
4 – Install a SOC (Security Operations Centre)
Every day, new flaws are discovered in business software, and every day hackers are developing new plans of attack. These flaws, for which there is currently no corrective solution (Zero Day vulnerability) are worth gold dust on the darknet and offer an open door into even the best protected IT systems. Simply setting security standards – even though absolutely necessary for risk limitation – is proving to be insufficient. To detect and deal with daily attacks which are becoming more and more sophisticated, the best solution would be to bring in a team of experts who will analyse in real time all activity (traffic logs, emails, different flux, etc.), seeking out “weak signals” which will alert them to suspicious actions such as admin connection from an unusual location or the exfiltration of sensitive data. Once the threats are detected, you can react accordingly.
5 – Inform users
Bear in mind that the users themselves are often the vulnerable point in the system, as hackers will take advantage of their naivety. It is, then, vital to inform and regularly train systems users on the way hackers operate and the correct code of conduct to adopt. It is also important to develop applications in such a way so as to limit the potential harm of a user fallen prey to hackers.
Installing digital confidence
Now aware of increasingly frequent and mediatised security incidents, clients, staff, and shareholders may become mistrustful or disengage entirely. Who can forget the attacks on TV5 Monde, data leaks and theft at Sony or at toy manufacturer VTech? Digital transformation will only be successful if it met with digital confidence, the certainty that a keen eye will be kept on security issues and with the highest level of professionalism. Remember, giving confidence to users will ensure the company’s longevity. Restoring confidence after a major security incident is often a very complex matter.