Transform or die – this has been the mantra for successful businesses throughout the ages, and now more than ever we are seeing technology enable the digital transformation of business. There are many drivers of digital transformation – the need to reach out to a wider client base (millennials prefer a digital channel as opposed to bricks and mortar), to take products and services to market quicker and more cost effectively, to appeal to new audiences, etc. – but regardless of the reason, digital transformation and the opportunities it offers are here to stay.
While disruptive technologies such as cloud, artificial intelligence and blockchain promise to increase efficiency and help businesses gain competitive advantage, they also present risks we’ve not experienced previously, and protecting the assets critical to an organisation’s continued operations and the trust of its customers is a balancing act. For digital transformation to work, it must be well planned with security top of mind.
Digital transformation without due consideration of security can have debilitating effects on an organisation. Imagine a new online banking platform developed with much emphasis on the user experience, with positive rates of customer acquisition. But within 4 weeks of launch, it’s compromised and sensitive customer details are sold on the dark web. Such a breach not only disrupts the business and is expensive to remediate, it also shatters the trust of its customers.
So how do we build security into everything we do to ensure your business’ transformation to digital is a success? Let’s focus on three key areas – embedding security as part of the development lifecycle, the technology architecture and appropriate monitoring through threat intelligence.
First, let’s consider the development lifecycle of the software and technologies that are part of the digital transformation journey. ‘Bolting on’ security after the fact is too costly and, quite frankly, largely ineffective. Rather, security needs to be built into the software development lifecycle.
It should form part of the ‘Feasibility Analysis’ phase where we ask the question whether the software or technology can be adequately secured. If the answer is yes, then we ensure the security requirements are gathered as part of the ‘Requirements Definition’ phase, and then implemented and tested in the ‘Build’ and ‘Test’ phases. We take this embedded approach rather than trying to retrofit security.
It’s also critical to ensure your developers are adequately educated in the security aspects of software development. Adopting a framework such as the ISO or NIST standards, or the ISC2 guidelines, is a good way to ensure that your software is developed securely, and the Testing phase should pay special attention to security. It’s a good idea to test again before pushing the software live, and at regular intervals thereafter, to ensure new vulnerabilities have not been inadvertently introduced into the code as a result of updates or patches. Developers are human after all. Simple things like hardcoded credentials, weak encryption and the use of production data in testing can easily creep into the development lifecycle – these must be identified and addressed before the software or technology is released for general use.
The second area that we need to address is the architecture – the security within the software or technology needs to be commensurate with the risk. For example, a simple website that only publishes publicly available information may need only a simple username / password authentication mechanism, or even no authentication at all. On the other hand, an internet banking platform may employ mandatory two-factor authentication (a username and password plus a token or biometric factor) due to the higher value of the data it holds.
Every software application or technology will no doubt run on a network of some form, so it’s important not to forget this or any other layer (such as the database layer, the operating system layer, etc.) within the architecture that needs to be secured. Every layer needs to have the right level of security to ensure an intruder cannot compromise the software application or technology easily.
Pay particular attention to authentication and authorisation controls as these form the security backbone of any software application or technology. Biometric authentication is now widely used as a result of devices such as the Apple iPhone that now inherently supports fingerprint scanning and facial recognition. Tying authentication to such strong measures and then ensuring appropriate levels of access within the software application or technology (authorisation controls) will make it that much more difficult for an intruder to gain unauthorised access.
The final area to consider is threat intelligence. Monitor the dark markets (the dark markets are where hackers sell stolen data, discuss mounting attacks, and sell hacking tools and fake applications) for fake versions of your applications and technology that are designed to dupe users into giving up their credentials, damaging your organisation’s reputation and possibly leading to abandonment of the technology. New applications are often the targets of attacks, as they may contain more security holes than usual and represent a soft target. This intelligence will allow you to proactively bolster your defences and thwart these attacks. Finally, monitoring the dark markets can reveal whether any of your data has already been stolen. Even though the horse has bolted in that case, it allows you to manage the breach proactively and, hopefully, plug the gap that led to the data leak.
Digital transformation is a key part of any organisation’s ability to innovate and thrive. But with every opportunity comes risk. A focus on embedding security as part of the development lifecycle, the technology architecture and appropriate monitoring through threat intelligence will ensure you continue to see the benefits of your digital transformation journey while mitigating the risks associated with it.
Ashwin Pal is the Unisys Director of Security Services responsible for the delivery of Unisys’s security business in the Asia Pacific region.