Rushed digital transformation is creating security risks
It was supposed to be a silver lining: The pandemic provided the kick in the pants that many enterprises needed to finally get long-gestating digital transformation efforts underway. But for many organizations, those transformations turned into rush jobs, with projects launched far sooner than planned.
While some of these transformations came out in one piece, many weren't so fortunate, carrying with them a virulent case of cybersecurity vulnerabilities. These vulnerabilities have in turn led directly to a surprising number of breaches. In fact, 82 percent of respondents in a recent Ponemon survey said they believe their organizations experienced at least one data breach due to digital transformation.
Several factors contributed to the haste. "Naivete combined with being overwhelmed is not a good mix," says Stevan Bernard, former senior security adviser for International SOS and now CEO of cybersecurity firm Bernard Global. "The pandemic put us in a survival mode. For those who previously had little to no dependence on digital, whether in their business or their personal lives, being connected suddenly became essential, even urgent."
Digital transformation vulnerabilities are booming
Demand for digital transformation services and technologies increased almost immediately after the first statewide stay-at-home order was enacted in March 2020, speeding the adoption of many digital technologies by several years. Such efforts quickly enabled and enhanced video chat and other services for working from home, telemedicine, socialization while social distancing, and contactless food and grocery delivery.
But many of the digital innovations that support these services arrived with attendant cybersecurity vulnerabilities. "We have seen a large uptick in vulnerabilities within cloud infrastructure, web applications, APIs, and microservices. These newer technologies that are empowering the digital transformation movement are creating new attack surfaces," says Richard Peters, principal of UHY Consulting, a management consulting firm.
Criminals are equally aware of the third-party exposure that digital transformation brings. Most organizations lack the expertise to build everything themselves, so they hastily outsourced to a range of SaaS providers, inheriting those providers' weaknesses in the process.
"Companies can use hundreds if not thousands of SaaS providers. SaaS vendors range in their own levels of security maturity. There has also been a rise in shadow IT, specifically SaaS tools that individuals or business units purchase on their own without the knowledge of IT or security teams," says Eric Christopher, co-founder and CEO of Zylo, a SaaS management firm. "IT teams can't secure data and processes that they can't see."
Not all vulnerabilities that result from digital transformation are technological. Some have been about putting people in a different position relative to policies and procedures. "When you work in an office, your office can force certain ideas on you. You see posters on cybersecurity awareness campaigns, you get to talk to your IT guy, and you speak with your colleagues. But when you're working from home, you're effectively a lone soldier protecting yourself. You have to make the correct decisions to protect your digital environments," says Simon Leech, senior adviser for security and risk management at HPE Pointnext Services.
Over the past 18 months, breaches of intellectual property and the theft of millions of records have resulted from vulnerabilities in hurried digital transformation efforts. In frequent, prominent examples, large enterprises have left data exposed through AWS S3 storage buckets misconfigured to allow public access, effectively opening their cloud data to anyone in the world who found it. In some cases no cybercriminal happened to walk in and take the data. Many other organizations were not so lucky.
In addition to these reports, evidence of breaches due to digital transformation is appearing in updates to the tabletop exercises that most organizations perform. Tabletop exercises run leadership through a mock risk event to see how they respond and determine whether they have prepared for such eventualities. "I've had conversations with my peers about trends in their tabletop exercises. They've watched breaches of digital transformation unfold. Now they see the same scenarios show up in these mock risk exercises," says Daniel Frye, vice president of Hewlett Packard Enterprise's Global Security Fusion Center.
The breach outlook
The carnage is hardly over. Many organizations have yet to see breaches through vulnerabilities in their digital transformation efforts, but more are surely on the way. "The global attack surface exploded in two weeks through COVID-19 and the mass move to work from home. With that attack surface now being so broad, I'm sure more breaches due to digital transformation are coming," says Frye. On sheer numbers alone, that seems likely: According to PwC, some telcos reported carrying 60 percent more data on their networks in 2020 than they did before the pandemic.
"Though 5G is creating an unimaginable platform for unleashing data (analysis, access, storage, and movement), we remain ill-prepared," says Bernard. "Add to this artificial intelligence and machine learning, and know that those with ill intentions are creating entirely new ways of optimizing these technologies for nefarious purposes."
As severe as they may seem, breaches don't represent the end of digital transformation but mere setbacks in the never-ending evolution of digital business processes. The future looks brighter from a 30,000-foot vantage point. "I don't see breaches stemming the digital transformation revolution at all," says Tyrone Jeffress, vice president of engineering and information security officer at Mobiquity, a digital consultancy. "The digital transformation opportunities are far too significant for organizations to ignore. But digital transformation will see continued hurdles—breaches, unauthorized data exposure—if product teams don't give proper attention to defining and implementing security requirements."
A cure already exists
Organizations can mitigate these emerging security challenges. When considering security for digital transformation, keep patch management, third parties, application security, and security automation at top of mind. Leech offers these recommendations:
- Put patch management in place for public cloud workloads. When Microsoft's Patch Tuesday rolls around, assess whether those patches are relevant to you and how much time you have before you need to start patching.
- Extend your enterprise security strategies out to third-party cloud service providers. Make sure they have the answers to your security team's questions.
- Move what you already secure well over to the cloud first. Improve security for the rest so that when you use it in a public cloud environment, you don't amplify existing security issues.
- Consider concepts such as compliance as code and policy as code. They let you express the controls you need in the public cloud as machine-checked rules that are applied automatically, rather than as checklists reviewed by hand.
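The following is an added example, not code from the article or from any of the vendors quoted in it. It ties together the two technical points above: the publicly exposed S3 buckets described earlier, and the policy-as-code recommendation in the last bullet. It takes a bucket's exported configuration (bucket policy, ACL grants and the account's S3 Public Access Block settings, all as constructed sample data) and evaluates it against a few rules, the way a compliance-as-code gate in a deployment pipeline would. The bucket name, role ARN and account ID in the samples are placeholders chosen for the example; the grantee URIs and Public Access Block keys are the real AWS values.

```python
"""Policy-as-code check for S3 bucket exposure (added example, constructed data)."""

# Real S3 ACL grantee URIs that mean "everyone" / "any AWS account".
ANONYMOUS_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four real Public Access Block settings; all should be True.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principals(principal):
    """Normalize a policy Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a set of strings."""
    if principal == "*":
        return {"*"}
    out = set()
    if isinstance(principal, dict):
        for value in principal.values():
            out.update(value if isinstance(value, list) else [value])
    return out


def public_statements(policy):
    """Return Allow statements that grant access to the anonymous principal '*'.

    A statement that also carries a Condition block is reported with
    conditional=True: it may still be public and needs a human look.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow" or "*" not in _principals(s.get("Principal", {})):
            continue
        actions = s.get("Action", [])
        findings.append({
            "sid": s.get("Sid", "<no Sid>"),
            "actions": actions if isinstance(actions, list) else [actions],
            "conditional": "Condition" in s,
        })
    return findings


def public_acl_grants(acl):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in ANONYMOUS_ACL_GRANTEES]


def evaluate_bucket(cfg):
    """Apply the rules to one bucket configuration; an empty list means it passes."""
    findings = []
    pab = cfg.get("PublicAccessBlock", {})
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not pab.get(key, False):
            findings.append(f"PublicAccessBlock.{key} is not enabled")
    for f in public_statements(cfg.get("Policy", {})):
        severity = "conditionally public" if f["conditional"] else "PUBLIC"
        findings.append(f"policy statement {f['sid']} grants {', '.join(f['actions'])} "
                        f"to anonymous principals ({severity})")
    for g in public_acl_grants(cfg.get("Acl", {})):
        findings.append(f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}")
    return findings


# Constructed sample: the rushed deployment. Public-read policy, AllUsers ACL, no Public Access Block.
EXPOSED_BUCKET = {
    "Name": "example-exports",  # placeholder bucket name
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"]}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "PublicAccessBlock": {},
}

# Constructed sample: the same bucket hardened. Access only for one role, owner-only ACL, block enabled.
HARDENED_BUCKET = {
    "Name": "example-exports",
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},  # placeholder account/role
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner-id"},
                        "Permission": "FULL_CONTROL"}]},
    "PublicAccessBlock": {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS},
}

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        findings = evaluate_bucket(bucket)
        print(f"{bucket['Name']}: {'PASS' if not findings else 'FAIL'}")
        for line in findings:
            print("  -", line)
```

In a real pipeline the two dictionaries would come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` (or from a Terraform plan), and a non-empty finding list would fail the deployment. Statements with a `Condition` are deliberately not auto-approved: a `Principal: "*"` restricted to a VPC endpoint is fine, one restricted only by a `StringLike` on a referer header is still public.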
Eighty percent of respondents in a recent McKinsey survey reported launching digital transformation initiatives in the past five years, but less than 33 percent claimed lasting success from them. If breaches can kill a company, they can undoubtedly stifle digital transformation.
The answer is to start with security, rather than leaving it for later consideration. "By following a security-by-design methodology, which means getting the security team involved very early on in a project, organizations can reduce the effects of forgetting about security in their digital transformation efforts," says Leech.