By James Owen, Partner, Head of Cyber Security Practice, EMEA, Control Risks
If anyone doubted the importance of digital transformation to business, COVID-19 has underlined that reality with a vengeance.
Our new virtually enabled, data-driven and distributed homeworking has transformed the daily reality for millions of employees. It has also increased our vulnerability to cyber-attacks. Meanwhile state actors have focused on disruption, espionage and surveillance. The tactics are not new, but the scale and volume of the attacks have been. This has shone a stark light on those organisations that have not made significant progress in digitally transforming their operations.
Attacks show the prospect of global disruption
Targeting of cloud service providers and software supply chains continues to raise the spectre of cascading attacks that flow through the systems of global companies and their suppliers at unprecedented speed. We have already seen this in the contagion unleashed by several high-profile attacks in 2017. One of these, NotPetya, which Western governments attributed to Russia, caused billions of dollars in damage to public and private sector companies around the world.
Artificial intelligence techniques, while still in their infancy, are being utilised in more state and criminal operations for faster and harder-to-detect attacks. Targeting of operational technology - the systems used to control industrial operations at manufacturing facilities, power plants and other critical infrastructure - is increasing as outdated analogue systems digitise and converge with IT networks at corporate headquarters.
Diverging regulations complicate multinationals' strategies
Regulatory risk is also a growing challenge. As seamless global connectivity has grown in recent years, so conversely has the emergence of a fragmented regulatory backdrop.
As an example, China's Cyber Security Law, with its emphasis on data localisation and controls on cross-border data transfers, is forcing companies doing business in China to map their data flows and supply chain exposure, often with big implications for their operating models. Meanwhile, the underlying principle of GDPR and more recent legislation in California has been to shift the power balance from bulk data collection and surveillance to data privacy and consumer rights.
Trade tensions and 'sovereign internets' add to headaches
Politics only complicates this backdrop. Tensions between the US and China, and the rise of protectionism in the creation and trade of software and hardware, are catching global companies in the crossfire - just ask Huawei or Cisco. Companies are being required to weigh political and national security considerations when engaging with a supply chain partner about which their host government has a negative view.
The growth of internet controls in Russia, China and many African nations is raising the prospect of further fragmentation. The erecting of digital boundaries, a clear expression of a more assertive national self-interest, poses a threat to globally standardised electronic communications. Such boundaries could have a profound impact on the way we live and work.
The emergence of 'sovereign internets' cut off from the rest of the web is a clear test of the open vision with which the internet was founded. However, some perspective is needed. Despite the challenges, the age of ubiquitous global connectivity is here to stay. The proliferation of internet of things (IoT) devices is such that they are predicted to overtake non-IoT connections in 2022.
How should organisations respond?
Fine-tuning risk management strategies to navigate the shifting political and regulatory tides and their impact on operating models is essential. Internal company functions will also need to adapt.
Organisations can prepare themselves for these emerging challenges in the coming years through further investment in highly automated security operations and intelligence centres.
The critical success factor in any digital transformation programme is to ensure it is focused on people. Technology is a crucial catalyst in the process, but investment in skills and culture is a much more sustainable way of building a secure, compliant and resilient business in the information age.
Investment in people is also the only way to utilise the data insights that will increasingly shape strategic decision-making. These insights are the game changer and the key to making the most of a digital transformation programme.
The full Airmic survey report, Top risks and megatrends 2020, can be downloaded here.