Like death and taxes, another certainty in life is that nothing stays the same. This is no different for businesses - regardless of their background or industry. When change inevitably comes, businesses have two choices - adapt or die (or at the very least be left behind).


These changes can be minor or transformational (perhaps an overused term). They may happen once in a while or frequently. In each case, businesses need to adapt to their markets, customers and expectations in order to survive and grow.


It is well documented that organisations that embrace the digitalisation of their services, systems, data and processes experience a range of benefits. Not only are they better able to serve their customers, meet expectations and respond to changing behaviours, but digitalisation also drives operational efficiencies, innovation and collaboration, which in turn opens doors to different markets and ventures.


The digital transformation path raises numerous challenges for organisations; here are five things every business should consider:

Digital Workforce

COVID-19 may have accelerated the adoption of digital tools, but providing them to your employees enables them to work more efficiently regardless of location. Under recent restrictions, businesses that have enabled workers by giving them video conferencing tools, collaboration platforms and online business applications have been better able to continue to function and to manage customer demand and expectations.

A digitally enabled workforce brings challenges such as managing the security of remote working staff to ensure that the systems and data they are handling are securely accessed and managed. Areas of consideration include:

  • Secure devices
  • Encrypted remote access
  • Password management – password managers and multi-factor authentication
  • Staff cyber awareness and resilience. With staff working more in the digital world, and in many cases remotely, they are a business's first line of defence and often the target of external threats. Building their cyber awareness so that they are better able to identify cyber threats will keep them and the organisation more secure.
  • Security monitoring for business services such as Office 365 and Teams, looking for unusual or malicious behaviour that results in access to business applications.

Digitalisation of Services

It is generally accepted that organisations which digitalise their services are not only able to better engage with their customers via user-friendly services but can simultaneously reduce operational costs through a mixture of automation, information handling, streamlining processes and staff engagement / support.

As with the digitalised workforce, your digitalised services also need to be protected in order to ensure their integrity and availability. Areas of consideration include:

  • Hosting environment - Your business services need to be hosted on something and somewhere. Typically, businesses are embracing the cloud to host their services within a managed infrastructure environment, where they are easily accessed by staff and/or customers. Even here your services will need additional protection, such as:
    • Network protection – firewalls, DDoS mitigation, load balancers (for availability)
    • Software hardening – keeping operating systems and any third-party applications on the latest software versions
    • Access control – ensuring access for staff and customers is managed, controlled and recorded.

  • Integration points – Integration between services is typically conducted through Application Programming Interfaces (APIs). APIs offer the ability to customise features of services to fit business needs, but they also authenticate, grant access and handle encryption. APIs can be a threat to cloud security because of their very nature: the vulnerability of an API lies in the communication that takes place between applications via the API. As a result, it is important to consider regular security testing for these external gateways into services to ensure they are not a back door for hackers to enter.
  • Proactive security monitoring. With services being available 24x7 and likely hosted in the cloud, beyond your corporate environment, having the activity of those services continuously monitored for suspicious or threatening behaviour enables businesses to respond to an incident immediately.

    It is very common for businesses to assume the cloud provider / environment is secure by default and that they therefore don't need to monitor the security and integrity of their services. For this reason, cyber criminals often focus on cloud-based services, and it also explains why detecting an attack can take so long – no one is looking for it!

Housekeeping and Testing

If you don’t do your housekeeping, things get messy quickly, and it's no different here. Organisations need to consider a continuous housekeeping programme for their services to ensure they operate smoothly and securely. Areas of consideration include:

  • User access. Managing user access, including removing old or redundant users so that no dormant accounts are left for hackers to abuse.
  • Vulnerability management. Think of your online services as a ship: part of maintaining it means ensuring that there are no leaks. Vulnerabilities - in the software code, operating systems, etc. - are potential leaks and are found on an ongoing basis. So part of any housekeeping regime means implementing a continuous vulnerability management system that informs you of any vulnerabilities affecting your service or system.
  • Patching, patching, patching! The flip side of vulnerability management is that once an organisation is made aware of the leak (vulnerability), it needs to be fixed. The severity of each vulnerability also needs to be taken into account, as this may justify different patching cadences depending on how critical it is to the operational state of a service or system.
  • Penetration testing. Services and systems are ever changing, and so are the threats to their integrity and availability. Regular penetration testing is vital to assessing the effectiveness of an organisation’s cyber security defences. It is a well-recognised means of discovering how vulnerable a company is to becoming the victim of a data or cyber security breach, and customers and suppliers are increasingly specifying it as a condition of doing business. As a result, having your services and systems (and people) regularly tested by cyber security experts is key.

Data Management, Digital Privacy & Data Governance

With services now digitised, they will contain data relating to those services, the business and its customers. This comes with its own set of challenges, in particular relating to how confidential and personal data is managed and handled. Areas of consideration include:

  • Data governance. Data governance means managing the availability, usability, integrity and security of the data an organisation holds. Effective data governance ensures that data is consistent, trustworthy and doesn't get misused. This should include regular assessments of data protection processes and policies.
  • Data quality. This is a measure of the condition of data based on factors such as accuracy, completeness and consistency. Ensuring the integrity of data is as important as its availability and confidentiality.
  • Data management. This involves giving appropriate consideration to what data is held, its sensitivity, who has access to it, its hosted location(s), whether the data is shared with third parties, user consent, and data retention and removal.
  • Privacy & compliance. Linked to data management, many countries and industries have introduced laws and regulations that focus on privacy and the security of data, such as the GDPR. Many of these mandate that controls are put in place to restrict the misuse of data and to provide privacy rights for data subjects, including the right to see their data through Data Subject Access Requests (DSARs). They encourage good data accountability, and require that processes and mechanisms are in place to ensure data is collected, handled and disposed of responsibly, both by the company processing the data and by any associated organisations.

    Implemented well, this can lead to improvements in customer service, competitive advantage and increased customer loyalty. Failure to comply with these laws and regulations can lead not only to industry fines but also to brand damage, which leads to customer distrust and harm to the financial viability of your organisation.


Integrity & Compliance

The integrity of online services builds customer confidence and encourages customers to return to those services time and time again. Demonstrating the integrity of these services comes in many forms, such as compliance with accreditations that serve as an independent stamp of approval. Compliance badges show your customers and partners that an organisation has the correct policies, procedures and measures in place to protect the integrity and availability of confidential information assets. Things to consider include:

  • Cyber Essentials & Cyber Essentials Plus. These accreditations are considered to be a demonstration of the government-backed NCSC’s 10 basic steps to cyber security. They focus on the technical controls you have in place to secure a business and its customers from cyber threats.
  • IASME Governance or ISO 27001. These accreditations focus more on processes and people and, like Cyber Essentials, are aligned to the NCSC’s 10 Steps to Cyber Security. They specifically address the requirements of the General Data Protection Regulation (GDPR).
  • Data privacy policy and Data Protection Officers (DPO). In this data-driven age, where personal data is a key and valuable asset of any organisation, defining the data an organisation holds, how it is managed and who is accountable is essential. Implemented well, this can lead to improved customer service, competitive advantage and increased customer trust and revenue.

    In many cases organisations should consider appointing a person (such as a Data Protection Officer) to ensure that data is used responsibly and protected well. Organisations can either manage this in-house or engage an external specialist to assist them.

Embracing digital transformation brings significant efficiencies, financial stability and customer engagement. Organisations that want to thrive rather than simply survive should be utilising and embracing digital solutions to transform their organisation for the better.

To help your organisation manage the security and data protection challenges arising from digitalisation, speak to the specialists at norm. We can help you implement a security and data protection digital strategy that cuts costs and improves the service experience.

You'd be surprised how easy digital transformation can be. Just keep an eye on the security measures you put in place to ensure nothing goes wrong!

Peter Prouse NormCyber Ltd.
