Monthly Archives: July 2020

Digital transformation & cyber risk: what you need to know to stay safe

Larry Ponemon

CyberGRX and Ponemon Institute surveyed 581 IT security and 302 C-suite executives to determine what impact digital transformation is having on cybersecurity and how prepared organizations are to deal with that impact. All 883 respondents are involved in managing digital transformation and cybersecurity activities within their organizations. The results show that while digital transformation is widely accepted as critical, the rapid adoption of it is creating significant vulnerabilities for most organizations—and these are only exacerbated by misalignment between IT security professionals and the C-suite.

The full report can be downloaded from the CyberGRX website.

Our research think tank is dedicated to advancing privacy and data protection practices—and these report findings underscore a growing need for such mitigation tools, at a time when we see rapid digital transformation across industries. We chose to study both IT security professionals and C-suite executives to tap into the intersection of two groups making the biggest impact on organizations as they adopt new digital practices.

Here are the key themes that will be reviewed in this report.

Digital transformation is increasing cyber risk.

  • IT security has little involvement in directing a secure digital transformation process. Only 37 percent of respondents say the CIO is most involved and only 24 percent say the CISO is most involved; both roles trail general managers, line-of-business managers and data science.
  • Eighty-two percent of respondents believe their organizations experienced at least one data breach as a result of digital transformation. Forty-two percent of respondents believe they experienced between two and five cyber events, and 55 percent of respondents say with certainty that at least one of these breaches was caused by a third party.

Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT.

  • Fifty-eight percent of respondents say the primary change to their organizations is increased migration to the cloud, which relies upon third parties. This is followed by the increased use of IoT and increased outsourcing to third parties. Despite the increasing risk, 58 percent of respondents say their organizations do not have a third-party cyber risk management program.

Conflicting priorities between IT security teams and the C-suite create vulnerabilities and risk.

  • Seventy-one percent of IT security respondents say the rush to achieve digital transformation increases the risk of a data breach and/or a cybersecurity exploit, compared to 53 percent of C-level respondents. Sixty-three percent of C-level respondents, versus only 41 percent of IT security respondents, say they do not want the security measures used by IT security to impede the free flow of information and an open business model.

Unless things change, the future doesn’t look any more secure.

  • Currently only 29 percent of respondents say their organizations are very prepared to address the top threats related to digital transformation, and only 43 percent are very optimistic that their organizations will be prepared to reduce the risk of these threats in two years.
  • Organizational size and industry differences have an impact on the consequences of digital transformation. Most industries do not have a security budget for protecting data assets during the digital transformation process.

“If there’s one major takeaway from our research, it’s that digital transformation is not going anywhere. In fact, organizations should expect—and plan for—digital transformation to become more of an imperative over time,” says Dave Stapleton, Chief Information Security Officer, CyberGRX. “For this reason, organizations must consider the security implications of digital transformation and shift their strategy to build in resources that mitigate risk of cyberattacks. Based on these findings, we recommend involving organizations’ IT security teams in the digital transformation process, identifying the essential components for a successful process, educating colleagues on cyber risk and prevention, and creating a strategy that protects what matters most.”

Key findings overview:

The rush towards digital transformation has increased cyber risks.

IT security respondents who are in the trenches are far more cognizant than C-level respondents of the risk if not enough time and resources are allocated to the digital transformation process. Most respondents say their corporate leaders are not aware of how the inability to secure digital assets could significantly hurt their organization’s brand and reputation. Less than half of C-level respondents (49 percent) say senior management recognizes the potential harm to brand and reputation.

Conflicting priorities between IT security teams and the C-suite create vulnerabilities and risk. Only 16 percent of respondents say IT security and lines of business are fully aligned with respect to achieving security during the digital transformation process. As a result, there are gaps in perceptions about risk to the digital transformation process. Specifically, far more IT security respondents (64 percent) than C-level respondents (41 percent) say that the digital economy significantly increases risk to high value assets such as IP and trade secrets. Sixty-three percent of C-level respondents, versus only 41 percent of IT security respondents, say they do not want the security measures used by IT to impede the free flow of information and an open business model.

Organizations are not protecting what matters most. Analytics and private communications are the digital assets most difficult to secure, according to 51 percent and 44 percent of respondents, respectively. However, only 35 percent of respondents say analytics is appropriately secured and only 38 percent say private communications are secured. Surprisingly, only 25 percent of respondents say consumer data, which is considered highly sensitive and confidential, is appropriately secured, even though respondents do not consider this data hard to protect: only 10 percent say it is difficult to secure.

A secure digital transformation process is hindered by a lack of expertise and a lack of visibility. Fifty-three percent of respondents say a lack of expertise is the most significant barrier to achieving a secure digital transformation process, followed by insufficient visibility of people and business processes (51 percent of respondents).

Organizations have experienced multiple data breaches as a result of digital transformation. Eighty-two percent of respondents believe their organizations experienced at least one data breach during the digital transformation process. Forty-two percent of respondents say their organizations could have experienced between two and five data breaches, and 22 percent say their organizations could have experienced between six and ten data breaches. Fifty-five percent of respondents say with certainty that at least one of these breaches was caused by a third party.

Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT.

Current tools or solutions to manage third-party risk are still not considered effective. Slightly more than half (51 percent) of organizations represented in this research have a strategy for achieving digital transformation and of these 73 percent of respondents say their strategy involves assessing third-party relationships and vulnerabilities. Forty-two percent of respondents say their organizations have a third-party risk management program and assessments are the most commonly used solution. However, when asked if they are effective, 53 percent say the tools and solutions used are only somewhat effective (28 percent) or not effective (25 percent).

A secure cloud environment is a significant challenge to achieving a secure digital transformation process. Sixty-three percent of respondents say their organizations have difficulty ensuring a secure cloud environment, and 54 percent of IT security respondents say the ability to avoid security exploits is a challenge. Fifty-six percent of C-level executives say their organizations find it a challenge to ensure third parties have policies and practices that protect the security of their information.

Challenges for securing the future of digital transformation

Budgets are, and will continue to be, inadequate to secure the digital transformation process. Only 35 percent of respondents say their organizations have a budget specifically for securing digital transformation, and even where one exists it is considered insufficient. Because of the risks created by digital transformation, respondents believe the share of the IT security budget allocated to digital transformation should almost double, from an average of 21 percent today to 37 percent. In two years, the average share is expected to reach only 37 percent, while respondents say ideally it should be 45 percent.

More progress needs to be made in the ability to mitigate cyber threats. The top three threats respondents are most concerned about are system downtime, cybersecurity attacks and data breaches caused by third parties. Currently, only 29 percent say they are very prepared to address these threats. In two years, only 43 percent are very optimistic their organizations will be very prepared to reduce the risk of these threats.

A secure digital transformation process depends on the expertise of the IT security team, yet that team is not very influential. Today, only 35 percent of respondents say IT security is very influential. In the next two years, its influence increases only slightly: 43 percent of respondents say IT security will be very influential two years from now.

Digital transformation impacts industries differently.

Across industries digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT. Respondents in healthcare, industrial and retail say the most significant change caused by digital transformation is the increased migration to the cloud. The public sector and healthcare industries are less likely to say the increased use of IoT has changed their organizations. Retail and financial services respondents are most likely to say increased outsourcing to third parties as a result of digital transformation has had an impact.

Industrial manufacturing is most likely to have a strategy for achieving digital transformation. Healthcare is least likely to have a strategy. As part of their strategy, retailers are most likely to include assessing third-party relationships and vulnerabilities, including supply chain partners.

Perceptions of digital transformation risk vary among industries. Leaders in services and financial services are most likely to recognize that digital transformation creates IT security risk. Respondents in the industrial manufacturing sector are least likely to say their leaders recognize the risk.

Retail, public sector and services are the industries most concerned about the rush to achieve digital transformation. Sixty-eight percent of respondents in retail, and 65 percent of respondents in both services and the public sector, say the rush to achieve digital transformation increases the risk of a data breach and/or a cybersecurity exploit.

A successful digital transformation process requires IT security to secure digital assets without stifling innovation. Because digital transformation is considered essential, most industries say that IT security should support innovation with minimal impact on the goals of digital transformation. Eighty-three percent of respondents in financial services say such a balance is essential.

Most industries do not have a security budget for protecting data assets during the digital transformation process. Despite the need to have the necessary expertise and technologies to ensure a secure digital transformation process, industries are not allocating funds specifically to digital transformation. Healthcare organizations are most likely to have funds for protecting data assets during the digital transformation process.

Organizational size affects the digital transformation process

Following are the most salient differences according to organizational size. Our analysis looked at organizations with a headcount of less than 5,000 and greater than 10,000.

The increased migration to the cloud and the use of IoT are having the greatest impact during digital transformation on smaller organizations. Larger organizations are seeing the greatest impact from increased outsourcing to third parties.

Larger organizations are more likely to have a strategy for digital transformation. Fifty-four percent of respondents in larger organizations, versus 43 percent in smaller organizations, say their organization has a strategy for achieving digital transformation. As part of that strategy, 80 percent of respondents in larger organizations vs. 69 percent of respondents in smaller organizations are assessing third-party relationships and vulnerabilities, including supply chain partners.

Larger organizations are far more likely to recognize the risk of digital transformation. Seventy-nine percent of respondents in larger organizations vs. 61 percent of respondents in smaller organizations believe the rush to achieve digital transformation increases the risk of a breach and/or cybersecurity exploit. Larger organizations are less likely to say that it is important to balance security with the need to enable the free flow of information. Seventy-two percent of respondents in larger organization say digital transformation increases risk to high value assets such as intellectual property, trade secrets and so forth.

Smaller organizations are more likely to be vulnerable to a cyberattack or data breach following digital transformation. Seventy-one percent of respondents in smaller organizations and 64 percent of respondents in larger organizations believe the risk of digital transformation makes it more likely to have a data breach or cyberattack. Larger organizations are more likely to say the rush to produce and release apps, the increased use of shadow IT and increased migration to the cloud have made their organizations more vulnerable following digital transformation.

Characteristics of organizations with mature digital transformation programs

In this study, we analyzed the responses from those organizations that self-reported they have achieved a mature digital transformation process. Twenty-three percent of respondents (131) self-reported that their organizations’ core digital transformation activities are deployed, maintained and refined across the enterprise. We compare the findings from this group to the other 77 percent (450 respondents).

Mature organizations are more likely to have strategies to protect data assets and assess third-party relationships. Fifty-six percent of the most mature organizations have a strategy for achieving digital transformation. In contrast, 47 percent of the other respondents say they have such a strategy. Those in mature organizations say their strategies are more likely to protect data assets and assess third-party relationships and vulnerabilities, including supply chain partners.

Mature organizations are more likely to understand and anticipate the risks associated with digital transformation. Respondents in mature organizations are far more likely than those in other organizations to make reducing third-party risk a priority (78 percent vs. 51 percent). Mature organizations are also more likely to recognize that the digital economy increases the risk to high value assets such as intellectual property, trade secrets and so forth (78 percent vs. 60 percent). Mature organizations are also more likely to believe in the importance of balancing the security of their high value assets with enabling the free flow of information and an open business model.

Digital transformation is considered essential to the company’s business. More mature organizations are likely to believe in the importance of IT security to supporting innovation with minimal impact on the goals of digital transformation (90 percent vs. 81 percent) and that digital transformation is essential to the company’s business (84 percent vs. 79 percent).

All organizations struggle with having an adequate budget for protecting data assets during the digital transformation process. Forty-three percent of respondents of mature organizations vs. 34 percent of other organizations say their budgets are adequate for protecting data assets during the digital transformation process.

For more detailed findings, please download the full report from the CyberGRX website at https://get.cybergrx.com/ponemon-report-digital-transformation-2020/

How to detect fake anything in a zero trust world

Bob Sullivan

Fake news is stoking violence and helping destroy our democracy. Fake pills make people sick and can even kill them. Fake foods, like fake olive oil, or mislabeled fish, rip consumers off and steal profits from honest companies. The world is becoming overrun by fake everything, says Avivah Litan, renowned fraud analyst at consultancy firm Gartner. Counterfeit products are a $3 trillion problem, she says. But today’s topic is even bigger than fraud. It’s about a threat to reality itself.

In a new paper, called How to Detect Fake Anything in a Zero Trust World, Litan argues that a mix of technology and human intelligence can beat back this problem of fake everything. But only if someone — consumers? government regulators? corporations? — is willing to pay the price. I spoke with her recently: You can listen to our conversation at the link below.

A few highlights from our talk:

Imagine being able to scan a barcode on a piece of salmon at the supermarket and see the fish’s journey from the river where it was caught, to the port where it was dropped off, to the plane that took it to your city, to the truck that took it to your store. That’s the promise of blockchain, which could help consumers decide they prefer fish caught from a specific place. They could also demand it be caught in a certain way, and report fraud or mislabeled products. Litan gets most fired up talking about fake olive oil. She thinks blockchain public audit trails could help stop that, too.

Using these tools to cast a wider net — pun intended — Litan thinks tech could help consumers/citizens regain the grasp of reality they are losing. Fake news and fake cures have been a problem for years, but the Covid-19 pandemic has brought the issue into sharp relief.

“The hope is there is no shortage of innovation in this space,” she tells me. “The problem is (companies) won’t do it unless (consumers) pay a premium.”

Litan is perhaps the media’s most-quoted expert on credit card fraud and identity theft, dating back to the early years of credit card database hacking and the rise of fraud-fighting software. She sees some parallels between the race by banks and retailers to stop credit card hacking — which costs the companies billions — and their relative indifference to identity theft — in which consumers bear a lot of the cost.

But the rise of fake everything, and the collapse of trust worldwide, is a far bigger problem. I’ve started calling it the trust market crash. It’s an enormous challenge in a world of commerce that’s built on trust.

Innovation will be critical, she said, because government regulators — well-intentioned as they may be — won’t be able to keep up.

“The world is moving way too fast for our political systems,” she said. Current solutions fall far short. What is an Italian olive oil consumer to do, outside of grow their own olives, Litan joked. “Hopefully the technology will evolve where you have the solutions at your fingertips.”

Her paper offers the “Gartner Model for Truth Assessment,” with different blended technology and human solutions for the problem of fake. But much more needs to be done.

“The best hope is a consumer revolution,” she said. “We’ve had enough of this fake news, (people) shoving all this fake stuff down our throats.”

Avivah has posted a short blog entry about her paper. The paper itself is behind Gartner’s paywall.