Thursday, 13th August 2020

Building digital transformation with security in mind

Enterprises face both external and internal threats to their data, network and IT assets. Cyber-attacks are now sophisticated enough to catch enterprises off-guard and it is important for enterprises to have proactive systems which can keep track of activities in their networks, servers and other IT assets. By Senthilvel Kumar, Program Director of Cybersecurity at Mindtree.

As organisations digitally transform, it is essential they do so while keeping security in mind. Across industries, threat landscapes are changing rapidly in the digital era and no industry is immune. Threats, and their associated risks, remain simple in the modern world; however, with the increasing digitisation of industries, they are becoming very complex to understand.

Going by the number of incident investigations we go through, we have come to understand that the approach attackers use to exploit organisations' weaknesses is very simple. Their goal is to get a foot in the door and move laterally to other areas of the organisation they attack. All the steps they take seem like legitimate actions, and they cover their traces very well, avoiding detection. Even businesses with strong mitigation planning may fail to detect the threats. Here we will explore how organisations can keep security in mind when they are going through digital transformation.

Meeting current and upcoming regulatory and compliance requirements

To help lead the charge in organisations going through digital transformation, there must be a business lead or IT lead to help align the various units with the new initiatives, which should give due consideration to all regulatory and compliance requirements.

Information security needs to be included within multiple teams to ensure best practice throughout an organisation at all times. Stringent information security lays the platform within businesses to help them meet their regulatory and compliance requirements.

When it comes to multinational organisations, as they span the globe, the regulatory rule of the land prevails. Businesses operating in one location, on the other hand, are able to stay focussed on their regulatory requirements more clearly. If organisations miss or overlook these external obligations, they become susceptible to hefty fines which cost more later; building the requirements into the foundation at the beginning is vital. If they do not, regulatory bodies have the authority to impose severe sanctions or shut the business for non-compliance.

Using a zero trust approach

Businesses can identify genuine threats and malicious activities targeting their operations on a daily basis before they have a chance to cause damage. To do this, businesses should begin with a "zero trust" approach.

A "zero trust" approach to organisational security means an organisation should not automatically trust anything within or outside its perimeters and should instead verify all third parties trying to connect to its systems before granting access. When organisations use such a focused effort, there is a greater possibility they can detect system-level threats. Implementing this approach at the start of the digital transformation process can yield better security results.

Implementing best practice

Legal and compliance teams will require budgets to be able to carry out coordinated efforts to ensure all obligations are met to protect systems. A risk committee or council should also be established to define and review the processes to keep all units on track.

Teams that are able to break their silos are also able to collaborate more effectively. To translate compliance regulations into technical specifications, an organisation's security function should provide support for all teams. To implement digital transformation in parallel with a long-term plan, both legal and security functions must foster an inclusive governance model to ensure best practice.

It may be overwhelming initially, so to adopt best practice organisations should start with a small-scale approach focused on the essentials. Build monitoring capabilities to get a view of what is going on. Design correlated rules. Evaluate use cases and the objectives to achieve. Expand the monitoring scope to include areas of vulnerability such as servers, proxy servers, perimeter security devices (such as IPS/IDS), firewalls, DNS, log-on failures, mobile device login patterns, password reset patterns, information exchange patterns, email, and applications. This way organisations will be able to scale their security programme while implementing digital transformation in a manageable way.

In addition to this, there are threat intelligence platforms available in the market today. These platforms can be implemented to detect possible threats. To maximise the visibility of emerging threats, organisations can also implement user behaviour analytics along with Security Orchestration and Analytical Response (SOAR) in the overall mix. With the support of all these tools, organisations should also define the process of threat monitoring; well-defined security operations processes will bring accurate threat-related information to the right audience.

Another way to implement best practice is to carry out security testing on a frequent basis. There is a strong correlation between how many times a year an organisation scans and how quickly it addresses its vulnerabilities. The most active DevSecOps programmes fix flaws more than 11.5 times faster than the average organisation, allowing them to simultaneously secure their code and quicken the software development process. The frequency can vary depending on the system and the industry the organisation operates in, but organisations that scan for vulnerabilities most often have a higher chance of catching potential threats faster. All of these steps are best practices, which can set up an organisation for success from the beginning.

Ensuring protection

There are steps businesses can take to protect themselves from the modern, recurring threats they face. By identifying all key business assets, organisations can verify the impact, in terms of financial loss or reputational damage, if those assets were to come under a cyberattack. In the cybersecurity world, we recommend businesses undergo such a security posture review every two years at a minimum. This process should include public-facing digital assets such as the company website, supplier connectivity arrangements, and data exchange arrangements.

Security should be a board-level discussion. Establishing a security function and ensuring board-level representatives hear it can make sure the initiatives are aligned and budgets are managed correctly. By combining technical security needs with the business objectives, overall outcomes can be linked to the objectives and priorities of the business. For example, many organisations are moving towards a “cloud first” strategy, so to be successful it is prudent they have priorities around cloud initiatives so that no new or undetectable threats emerge from business-led decisions.

Adding in security that is more stringent may attract resistance from users, which in turn may lead to weaker security over a period of time. To prevent this, establish business policies which allow employees to deliver their day-to-day responsibilities. Employees tend to be the loose end for the success of security programmes. They should be trained on relevant topics, and awareness needs to be created. Run intuitive quiz programmes and reward employees with due consideration. Another effective scheme is setting up an internal security champion programme: in such a programme, each team has one dedicated member who is specifically trained in security. Implement online courses as appropriate for your organisation.

Moving forward with security at the forefront

Organisations will benefit from operating with a best practice model from the beginning of their digital transformation and from ensuring strong defences. Good defences mean businesses build their threat detection capabilities, such as security incident and event monitoring, and their data exfiltration detection capabilities to run simultaneously.

Where possible, consider automation to eliminate manual errors and build a review, testing and audit regime across the organisation. Repeat initiatives that cannot be automated, with a rationale suitable to your business. Having senior management involved and giving direction is very important to set the right tone from the top and across all departments.

Organisations will not be able to predict some of the future attacks that may take place, but they can make sure they have done all that they can to prevent malicious actors from taking them down.
