Reducing risk in a digital future
The vision of a fully connected, digitized world – an interlinked ubernet of everything spanning business, governance and leisure – comes laden with promises of innumerable societal benefits. It doesn’t matter who you are, we are told: A faster, more productive and more satisfying way of living is on the way.
And hopefully that is indeed the case. If you run a business, just as we do here at Abdul Latif Jameel, you can personalize products and services to target customers with unprecedented precision. If you manage a public service, you can respond to live user data and assign resources accordingly for seamless operation. If you are a patient, you can have your health monitored remotely and treatments prescribed instantly, like some of the healthtech innovations discussed in this Abdul Latif Jameel Health article. And if you are, well, almost anyone, you can manage your shopping online and have goods appear on your doorstep with uncanny timeliness – almost as if the store had read your mind.
Except, maybe the store had read your mind. In a way. Maybe it had trawled the web for your consumption habits, followed the telltale footprints of your data trail, and drawn conclusions about you even before you had arrived at them yourself.
In which case, let’s take the scenario further.
What if one day the store’s suffered a data breach and the knowledge they hold about you fell into the hands of less scrupulous parties?
Let’s take the scenario further still.
You might expect ‘the system’ to come to your aid – banks, lawmakers, justice departments – but what if those systems have themselves been routinely weakened by cyber-attacks and rendered toothless?
For some, the dream of a digital transition might suddenly be starting to sound a little eerie. That eerie feeling is, perhaps, the sound of millions of people simultaneously awakening to the idea that our transformation into a digital society is not without danger. Research shows the digital transition of our work, home and governance comes laden with risks and the potential for exploitation.
Such anxiety seems unlikely to halt the transition. The 2023 Digital Business Study, which quizzed almost 1,000 IT leaders in North America, APAC and EMEA, showed 93% of decisionmakers were now pursuing a digital-first business strategy.[1] Moreover, they were actively investing in enabling technologies such as cloud-native platforms, cybersecurity mesh, decision intelligence and generative AI (artificial intelligence) to do so.
If we wish to reap the extraordinary rewards of the digital journey on which we are embarking, we must identify the pitfalls ahead of time and, where possible, lay the groundwork for neutralizing risk. Because the threat is real. Some 85% of organizations reported falling victim to at least one successful cyberattack in 2021, with the average cost of a data breach reaching US$ 4.24 million.[2]
Foresight can help ensure the coming digital transformation is democratic, safe, and for the benefit of the many rather than the few. Only then can we enjoy the efficiencies of our new plugged-in, switched-on, joined-up reality.
Quantifying the risk matrix
No journey towards digitalization should be embarked upon without a thorough understanding of associated risks, along with strategies to minimize their impacts.
Global business advisory firm Deloitte has identified a series of key risk areas that organizations are destined to encounter on the digital transformation.[3]
- Technology: How to future proof tech which is inherently vulnerable to failures and rapid obsolescence. Risks include problems with compatibility, scalability, and accuracy.
- Cyber protection: Fortifying digital properties against unauthorized access and maintaining confidentiality throughout an integrated system.
- Data leakage: The complexity of ensuring data integrity across an entire ecosystem, whether data is being used, transferred, or stored.
- Third parties: Any organization which works with third-party partners is exposed to external risks around data sharing and technology integration.
- Privacy: Sensitive personal data concerning employees and customers must be handled with utmost care and include key controls around choice and consent.
- Forensics: Systems and data must be open to scrutiny in the event of frauds or security breaches – and evidence gathered must be robust enough to be used in court.
- Regulatory adherence: In-house expertise must be sufficient to ensure operations remain within national laws and any industry-specific regulations.
- Resilience: Closely intertwined technologies are the bedrock of many modern enterprises, yet failures within one part of the system can quickly spread and render entire services unavailable.
Despite these evident dangers, one survey showed just 29% of respondents considered their organizations to possess a ‘completed’ data security strategy, with 41% describing theirs as ‘in development’, and 23% merely at the ‘planning’ stage.[4]
Some of these risk areas, particularly those clustered around digital dependencies and cyber vulnerabilities, indicate potential pathways to more sustainable resilience, and so are worth exploring in finer detail.
Hack to the future: From malware to ransomware
Multiple technology platforms converging within a decentralized ‘Web 3.0’ (a new iteration of the internet incorporating concepts such as blockchain technology and token-based economics) threaten “a more complex cyber threat landscape and a growing number of critical failure points”.[5]
The dangers are not just financial. They also pose challenges for fundamental pillars such as vital infrastructure and societal cohesion. And there is no simple solution. The World Economic Forum (WEF) warns how “growing cyberthreats are outpacing societies’ ability to effectively prevent and manage them”.
It highlights the example of software library Log4j, which in late 2021 was experiencing more than 100 hack attempts per minute within days of a critical security flaw being exposed. The attacks demonstrated the contagious vulnerability of free access coding. The previous year, the SolarWinds Orion attack targeted IT monitoring and management software, shattering the defenses of global cybersecurity supply chains – and hundreds of thousands of businesses – in its wake[6].
Malicious activity online is spiraling, with perpetrators facing few barriers to entry and little chance of prosecution. In 2020, reports of malware increased by 358%, while cases of ransomware increased by 435%.[7] The same period recorded a four-fold rise in the total amount of cryptocurrency snared by ransomware.
Hackers are also able to blackmail targets via data leaks and distributed denial-of-service (DDoS) attacks, using resources from multiple remote locations to attack an organization’s online operations.
Victims of digital exploitation to date have included public utilities, healthcare systems and data-rich companies – which these days includes most corporations of any scale.
The problem will not resolve itself. Looming AI-driven malware could potentially see extorted sums grow exponentially, heralding greater reputational as well as financial threats. Little wonder that, as explored in our previous Abdul Latif Jameel Perspectives article, the Global Risks Perception Survey (GRPS) ranks ‘cybersecurity failure’ among the top 10 growing risks, or that 85% of the WEF’s Cybersecurity Leadership Community believe it presents a major concern for public safety.[8] Regionally, ‘cybersecurity failure’ ranks as a top five risk across East Asia, the Pacific and Europe, with four countries (the UK, Ireland, Australia and New Zealand) declaring it risk number one.
Future technological trajectories are causing concern. Quantum computing could soon become powerful enough to break encryption keys, shattering this longstanding firewall protecting financial and personal data. The metaverse, meanwhile, will provide more access points for hacks and data breaches. With metaverse-based digital commerce tipped to exceed US$ 800 billion by 2024, these attacks will inevitably become more aggressive.[9]
Priced out of protection
Whether one operates within the public or private sector, digital transformation risk mitigation comes at a price, and will be felt disproportionately by those who can least afford it. Small or medium-sized businesses face having to spend 4%+ of their budgets on cybersecurity, while larger competitors exploiting economies of scale plan for investments of around 1-2%. With ransomware so frequently in the headlines, cyber-insurance threatens to become cripplingly expensive or downright unaffordable to some. In Q3 2021, cyber-insurance costs rose 96% in the US and 73% in the UK.[10]
So, what strategies can businesses and governments put in place to soften the risks of the digital transformation while still extracting maximum value from its myriad opportunities?
Hardening defenses against digital dilemma
It is important to safeguard the integrity of your systems. In other words, keep those out who have no business being there, and prevent unwanted interference from parties with bad intentions.
Here, several strategies are emerging as reliable defenses. Chief among them is a process known as ‘platform hardening’, which encompasses several techniques for reducing vulnerability across servers and computers:
- Network hardening: Protecting digital infrastructure with hardware and software-based firewalls, featuring intruder prevention and alert controls.
- Operating system hardening: Deleting obsolete services and erasing nonessential accounts, while ensuring security settings meet industry standards.
- Remote systems hardening: Ensuring remote systems and devices have access protocols as robust as their in-house equivalents, and that these are frequently examined for emerging threats.
- Database hardening: Employing access controls, encryption and advanced security settings to make critical databases less prone to malicious infiltration.
- Application hardening: Adjusting the settings of third-party apps to guard against scripting attacks such as macros.
All these protocols need frequent vulnerability testing to ensure ongoing protection against digital risks. The benefits are many: stronger security, better performing systems, even streamlined compliance and auditing.
Figures demonstrate the value of security prioritization. One study shows more than half of organizations have suffered a data leak via external sources with remote access, while 61% of security breaches exploited a known vulnerability for which a patch was available but not deployed.[11]
What would a secure digital policy look like? According to experts like Dick Schrader, an IT security specialist at US software firm, Netwrix, a secure digital regime would be one where:
- old, under-used technology is regularly removed from servers
- platforms, networks and apps are individually shielded against unauthorized access
- cloud computing is protected with multi-factor authentication (MFA) for every user regardless of time/productivity costs
- data is protected throughout an entire ecosystem, focusing on classification, retention, processing and encryption
- third-party technology integration, operations dependency and vendor resiliency are considered as part of a holistic digital transformation package
- privacy is paramount and personal data adheres to principles of consent, notice, choice and accuracy
- regulatory frameworks are respected, and breaches are evidenced forensically
- resilience is ensured by adequate planning for business continuity, crisis management and IT disaster recovery.
A closeted, isolationist approach is unlikely to inspire the widespread changes needed. Cooperation between companies and nations can reveal solutions applicable to almost every organization, with emerging tech such as blockchain and quantum computing providing particular promise.
Within the business community, leaders must be trained in issues surrounding cybersecurity, while debates on cyber-resilience must become routine at board level.
Above all, no digital transformation should be embarked upon without buy-in from the most important segment of any organization: its clients and customers. If they are not ready for the transition, or if they are corralled into systems and services damaging to their experience, they are likely to find another option that meets their needs.
Perhaps one of the unheralded threats of the digital changeover is simply getting it wrong, and alienating previously satisfied partners in the process.
Safeguarding a dynamic era of human progress
The accelerated shift to home working has advanced a trend which has been under way for the past two decades. It is distinguished by a growing reliance on digital systems and an explosion in the number of enabling intermediary technologies including cloud servers, application programming interfaces (APIs) and others, each of which carries unique risks and susceptibilities. Simultaneously, the demand for interconnected technologies continues to expand.
External and seemingly uncontrollable factors serve to exacerbate the potential perils. At government level, widening geopolitical rifts neuter the kind of coordinated international efforts that could safeguard future digital security. Cross-border cyberattacks and ongoing misinformation campaigns are growing, with inadequate checks and balances to counter their spread. Inconsistent laws and enforcement mechanisms across competing nations are notably failing to deter cybercrime.
In a world which is increasingly ‘VUCA’ (volatile, uncertain, complex and ambiguous), private enterprises are too often having to ‘read the tea leaves’ to anticipate shifting international allegiances. Businesses should remain open to the possibility of moving data processing to jurisdictions with a better grip on data privacy.
Inaction against digital transformation risks could carry consequences far beyond the fate of individual organizations. What if a devastating Trojan horse crypto virus, self-replicating and ever-mutating to avoid remedies, began commandeering major government or commercial servers, effectively reversing the digital progress of recent years? What if the trend towards private IT infrastructure and cryptocurrency stymies regulatory efforts to protect financial systems and private data? And what if cyber-espionage ultimately discourages R&D investment, leaving society stuck in middle gear through lack of commercial confidence?
The digital transition will eventually encompass every public body and every business, regardless of sector or size, yet certain industries must be mindful of the extra responsibilities they incur. If one works in a business where an intimate knowledge of customers is salient to success – retailing or marketing, for instance – our pathway to a digitally-driven world carries both risk and reward. Never before has there been such an abundance of opportunity for gathering monetizable data – nor so much pressure to keep those personal insights out of the wrong hands.
“In our ever more deeply connected society, digital trust is vital for long-term innovation and prosperity,” says Mo Chaara, Chief Information Digital Officer at Abdul Latif Jameel. “And trustworthy technologies are the foundation on which we can build a fairer, more transparent, and more cohesive society. Unless we keep working to strengthen digital trust and reduce the inherent risks of digital transformation, the promise and potential of one of the most exciting and dynamic eras of human progress could be lost.”
[1] https://resources.foundryco.com/download/digital-business-executive-summary
[2] https://blog.netwrix.com/2023/02/22/system-hardening/
[3] https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-managing-risk-digital-transformation-1-noexp.pdf
[4] https://resources.foundryco.com/download/digital-business-executive-summary
[5] https://www.weforum.org/reports/global-risks-report-2022/in-full/chapter-3-digital-dependencies-and-cyber-vulnerabilities/
[6] https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
[7] https://www.weforum.org/reports/global-risks-report-2022/in-full/chapter-3-digital-dependencies-and-cyber-vulnerabilities/
[8] https://www.weforum.org/reports/global-risks-report-2023/
[9] https://www.bloomberg.com/professional/blog/metaverse-may-be-800-billion-market-next-tech-platform/
[10] https://www.marsh.com/bg/en/services/insurance-market-and-placement/insights/global_insurance_market_index.html