In a game of chess, skilled players need to think in two ways at once. Tactically, they need to be able to respond to the immediate situation on the board, countering threats and finding ways of putting pressure on their opponent. Strategically, they need to see into the future and understand how their moves might open up vulnerabilities that their opponent can exploit later down the line, and make sure they have a plan in place to respond. In short, it’s as much about avoiding unintended outcomes as it is about achieving intended ones – and learning to see the board in this way doesn’t happen overnight.
Over the last year, we’ve all been through a wave of rapid digital transformation which, for good reasons, has been more tactical than strategic. The pandemic created an existential threat to businesses that demanded immediate solutions. The need for flexible remote working led to a massive rollout of new devices and new permissions to access data. New applications were spun up to ensure continuity of business process and service for customers. More tools and more cloud capacity were added to organisations’ IT infrastructures to keep up with the demand.
As the world starts to reopen this year, we’ll all have to take a fresh strategic look at our technology and find ways to solidify the benefits of this digitalization while mitigating the risks. Through it all, risk assessment has taken a back seat to keeping the lights on – but perhaps more importantly, all of these additional devices, applications, users, and data mean that businesses have a bigger attack surface than ever.
There is now, in effect, a bigger board to play on, with more pieces moving on it in more complex ways. This all raises the risk of unforced errors as well as offering an opportunity to malicious actors: while every other sector has been knocked back by the pandemic, cybercriminals have always worked remotely, and they haven’t missed a day.
Play your best moves with a helping hand
These are still difficult times for businesses, and no organisation has the luxury of pausing operations in order to identify and fix potential problems in their IT infrastructure. The good news is that, with the right partner, they don’t have to stop and take stock. The strategic approach to digital transformation is to run and transform the business at the same time, bridging existing and emerging technologies while mitigating the risks that digitalization can create. Remote working, for example, isn’t just about handing out devices: it’s about giving staff secure access to systems they need, over the open internet. By now everyone is well-practiced with usernames, passwords, and multi-factor authentication – but what happens after access is granted to a system?
Once data can be accessed from anywhere, a situation is created where a single breach might be enough to compromise large swathes of a business’s valuable data. A salesperson, for instance, might legitimately log in with a mobile device, not realizing that their device is compromised and can then be used by a malicious actor to find financial and personally identifiable information.
Rather than building walls within the system, investing in a difficult process of siloing information and locking down identity privileges, the strategic move might be to implement a User and Entity Behaviour Analytics (UEBA) tool powered by unsupervised machine learning. These AI tools have the capacity to monitor all system activity in real-time, identifying anomalies and responding to risk. When our salesperson logs in with a compromised device, UEBA knows that they are unlikely to head to the human resources data to download employee addresses – and so it prevents it.
This is context-aware computing: security that works with how employees work, rather than putting up barriers to productivity. We can also see the importance of the human angle in development teams. It’s tempting to think that the opposite of security is insecurity – leaving bugs unfixed, data unencrypted – but in truth it is complacency, assuming that nothing will go wrong. This is why software development demands vigilance, especially now, when many workers have been away from the office for nearly a year and team cultures of peer support are fading.
At the same time, developers have been under more pressure than ever, working to build ways of keeping customers going without face-to-face interaction. We can build up DevSecOps processes that center on security and introduce tools like Runtime Application Self-Protection (RASP) which automate the detection and prevention of threats at the application layer, where the most severe data breaches often occur. The strategic move, however, might be to also see this as the culture challenge that it is, including HR in the response process and calling on business leaders to stimulate a sense of teamwork.
Those understandable issues of staff complacency can also contribute to data security problems: mistakes like mis-delivery of emails and misconfiguration of cloud accounts caused 22% of breaches in 2019, and the last year has seen a huge growth in cloud usage.
This form of risk is also heightened by the realities of remote, digital working. Staff need to share data, and if the officially-sanctioned tool for doing that presents a problem, they may turn to solutions like Dropbox, WeTransfer, or personal iCloud accounts, removing that data from security oversight in the process. Likewise, staff need to access data day after day and may save down copies in multiple places to avoid passing through security checks every time.
All of this creates a growing mass of shadow data: potentially sensitive or valuable information which lives on the fringes of IT systems, inside the organisation but outside of its data policies – and you cannot, ultimately, protect data if you’re unaware it exists. While continued digital transformation might reduce the attractiveness of non-sanctioned data practices, the strategic move might be to also put data discovery tools in place, automatically shining a light on shadow data and bringing it back under the influence of your security strategy.
Checkmate in three
Your business is the King you must protect. In chess, finding your King in check means that the only move possible is to eliminate the danger, and in business, any threat to continuity needs to be answered immediately. The best strategy, however, is often to avoid check in the first place – and here, security is the Queen that keeps your business safe.