no digital transformation without cybersecurity...no digital transformation without cybersecurity...

4
No digital transformation without cybersecurity The digital transformation Every day new digital applications find their way into our lives, Information and Communication Technology (ICT) has brought our society many benefits and will do so for the coming years as key enabler of economy. Research by MIT and Capgemini Consulting shows that many firms and governments are starting to transform their businesses successfully through digital technology. 1 ‘Digitization’ can extend the reach of organizations, improve management decisions, and speed the development of new products and services. It can lead to new business models as well, clearing the path for new ways of competing. And finally, digitization speeds the hyperconnected world, in which everyone and everything can and probably will be connected to the internet and to each other . 2 Drawback of digitalization There are drawbacks to everything, and that includes digitization. As our dependence on ICT grows, so does our vulnerability and this requires leadership and action to mitigate risks. To put it in the words of the European Commission: “The more we depend on the internet, the more we depend on its security.” 3 Since threat levels have sharply increased the last two decades, there is a sense of urgency. cybercrime, digital espionage and hacktivism (digital activism) have become serious risks for business, governments and civilians, according to multiple government reports. 4 Money and other valuables, intellectual property, personal information and continuity and integrity of websites and other digital processes are sought after by malicious actors. But let’s not forget that human error, technical failure and natural causes are still the main cause for ICT incidents. Security keystone for digital transformation As cyberincidents have become common news items, it is apparent that the cyberthreat translates itself into impact. Unfortunately, figures about national and international damage cover a wide range and do not look very reliable as a whole yet. For instance, research for the UK Government calculated a 27 billion Pounds, but this figure seems exaggerated. 5 By comparison, in 2011 Dutch banks report an annual damage of 92,1 million Euros (and rising) in electronic banking (including skimming). 6 Though much lower (even like for like), this is still a considerable amount.

Upload: others

Post on 01-Jun-2020

31 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: No digital transformation without cybersecurity...No digital transformation without cybersecurity The digital transformation Every day new digital applications find their way into

No digital transformation without cybersecurity

The digital transformation

Every day new digital applications find their way into our lives, Information and Communication Technology (ICT) has brought our society many benefits and will do so for the coming years as key enabler of economy. Research by MIT and Capgemini Consulting shows that many firms and governments are starting to transform their businesses successfully through digital technology.1 ‘Digitization’ can extend the reach of organizations, improve management decisions, and speed the development of new products and services. It can lead to new business models as well, clearing the path for new ways of competing. And finally, digitization speeds the hyperconnected world, in which everyone and everything can and probably will be connected to the internet and to each other.2

Drawback of digitalization

There are drawbacks to everything, and that includes digitization. As our dependence on ICT grows, so does our vulnerability and this requires leadership and action to mitigate risks. To put it in the words of the European Commission: “The more we depend on the internet, the more we depend on its security.”3

Since threat levels have sharply increased the last two decades, there is a sense of urgency. cybercrime, digital espionage and hacktivism (digital activism) have become serious risks for business, governments and civilians, according to multiple government reports.4 Money and other valuables, intellectual property, personal information and continuity and integrity of websites and other digital processes are sought after by malicious

actors. But let’s not forget that human error, technical failure and natural causes are still the main cause for ICT incidents.

Security keystone for digital transformation

As cyberincidents have become common news items, it is apparent that the cyberthreat translates itself into impact. Unfortunately, figures about national and international damage cover a wide range and do not look very reliable as a whole yet. For instance, research for the UK Government calculated a 27 billion Pounds, but this figure seems exaggerated.5 By comparison, in 2011 Dutch banks report an annual damage of 92,1 million Euros (and rising) in electronic banking (including skimming).6 Though much lower (even like for like), this is still a considerable amount.

Page 2: No digital transformation without cybersecurity...No digital transformation without cybersecurity The digital transformation Every day new digital applications find their way into

external networks (e.g. USB sticks, laptops) can transport malicious software (malware) too.8 And let’s not forget one of the weakest links: humans. Any high tech security system can be circumvented through unaware or misled users. Social engineering is a highly effective attack mechanism.

Successful defense against cyberattacks is therefore never guaranteed, resulting in two conclusions:

1. Defensive measures should not be neglected. The higher your walls, the less attractive you are (though never impregnable…). Investments should be maintained, but with risk and the value of protected assets in mind.

2. Focus and investment in detection, response and recovery should be augmented. This in order to maximize resilience and minimize damage once an attack occurs. For most organizations, these aspects are less developed and require action.

In order to protect your own organization, but your clients and other connected parties too, cybersecurity should entail both defense and resilience.

Integral approach

Though the causes for the sense of urgency on cybersecurity might be mainly technological, the solutions require an integral approach, covering people, process and technology.

Theft of intellectual property or eavesdropping on inside information during negotiations erodes the basis for the continuity of businesses too. Likewise the impact on reputations, as cyberincidents have gained public and political interest. A good example is Diginotar, a digital certificate provider which had to close shop after it was hacked.7 And who is liable for any damage to third parties, especially in the light of interconnectedness?

Assume you have been breached

In the old days, ICT would be protected by information security measures barring external intruders from the network. Basically a good firewall would keep the bad guys outside the organizations perimeters. Two things have changed however, leading to a new way of thinking: ‘assume you have been breached.’

First, as organizations become connected with others, the borders between internal and external networks get less clear. The ‘Cloud’ and employees bringing in their own devices only add to this phenomenon, dubbed as de-perimeterization. There is no ‘inside’ or ‘outside’ anymore for most organizations.

Second, a determined (and resourceful) attacker will ultimately breach security measures. This is true for all ICT connected directly to the internet, but StuxNet shows that such is not a necessity: devices that can hook up to both secure separate networks and

People

Process

Technology

Preparation

Prevention

Detection

Response

Recovery

Figure: cybersecurity is more than just technology

Page 3: No digital transformation without cybersecurity...No digital transformation without cybersecurity The digital transformation Every day new digital applications find their way into

�� Strategic risk management (cyber integrated in risk management)

�� Communications (awareness, reputation management, crisis communication)

�� Human Resources (training and exercises, screening, other human factor issues)

�� Strategy (security impact of digital transformation)

�� Legal (liability, intellectual property)

An interdisciplinary approach would reflect the truly strategic importance of cybersecurity in organizations with a high or growing dependence on ICT.

Technology is the obvious subject and still dominates the discussion on cybersecurity. There are numerous urgent fields of attention, like network integrity, bring your own device, process control systems and webapplications. Also improving situational awareness inside and outside the organizations networks through detection and cyberintelligence, will contribute to the organizations ability to respond to cyberattacks.

Conclusion

We believe that digital transformation is first and foremost a business transformation, which is not just about technology. However, cyberdefense and resilience are necessary ingredients for digital transformation, given the high business impact of ICT failure and cyberattacks. Just like digital transformation, people are essential for cybersecurity. Be it as user, decision maker or cybersecurity expert. Together they can make or break the digital security of an organizations assets.

People are not only a weak link, but also an important key to improved defense and resilience. We distinguish three main groups of people involved: users, decision makers and cybersecurity experts. Users should be equipped with enough awareness on risks, but also information on possible actions. Awareness campaigns and training and exercises help users. Decision makers face the challenge of translating cyberrisks into business risks and take appropriate action. What does this threat mean? What assets are at stake? What controls should we implement? Getting facts and interpreting the relevance of those facts are important challenges, as the source often is highly technological and cybersecurity dashboards (if any) mainly address operational metrics. Finally, the lack of enough (highly qualified) cybersecurity experts is a serious concern for both business and governments. Who can outsmart the hackers? And on the other hand: should cybersecurity employers co-operate more to leverage their combined strength and develop more interesting career paths for their experts? We think they should.

Processes and organization are important ingredients in improving cybersecurity. This encompasses (visible) leadership, clear and communicated policies, regulations and processes, budgets, business continuity management and Plan-Do-Check-Act mechanisms (audits, risk assessments). As cyberincidents can impact valuables, reputation, intellectual property, liability and business continuity, other disciplines than IT (security) should be involved too, like:

Sources:

1. MIT Center for Digital Business and Capgemini Consulting: Digital Transformation: A Roadmap for Billion-Dollar Organizations, 2011

2. World Economic Forum. Risk and Responsibility in a Hyperconnected World. Pathways to Global Cyber Resilience, 2012

3. Eurocommissioner Neelie Kroes, The Digital Agenda two years on: is Europe well-placed?, 12 June 2012 (press release)

4. See for instance the Cybersecurity View for The Netherlands, issued in 2011 and 2012 by the Dutch National Cyber Security Center. Its observations and conclusions match those in most other countries

5. Detica, The Cost of Cybercrime, 2011

6. Each half year the Dutch Banking Association publishes figures on www.nvb.nl

7. See www.vasco.com for a press release on 20 September 2011, stating the bankruptcy of Vasco subsidiary Diginotar

8. How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems. Tofino Security et al., 2011

Page 4: No digital transformation without cybersecurity...No digital transformation without cybersecurity The digital transformation Every day new digital applications find their way into

Rightshore® is a trademark belonging to Capgemini

Capgemini Consulting is the strategy and transformation consulting brand of Capgemini Group

The information contained in this document is proprietary. © 2012 Capgemini. All rights reserved.

Contacts

Erik Hoorweg Vice President +31 615 030869 [email protected]

Patrick de Graaf Principal Consultant +31 646 092792 [email protected]

With around 120,000 people in 40 countries, Capgemini is one of the world’s foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business ExperienceTM, and draws on Rightshore®, its worldwide delivery model.

Learn more about us at www.capgemini.com.

Capgemini Consulting is the global strategy and transformation consulting organization of the Capgemini Group, specializing in advising and supporting enterprises in significant transformation, from innovative strategy to execution and with an unstinting focus on results. With the new digital economy creating significant disruptions and opportunities, our global team of over 3,600 talented individuals work with leading companies and governments to master Digital Transformation, drawing on our understanding of the digital economy and our leadership in business transformation and organizational change.

Find out more at: http://www.capgemini-consulting.com/

About Capgemini