Companies rightly see much promise for future revenues and productivity by building and participating in emerging digital ecosystems — but most have not given enough consideration to the risks and threats inherent in such ecosystems. According to the TCS Risk & Cybersecurity Study, cyber threats within digital ecosystems may be an enterprise blind spot.
Digital ecosystems are dynamic, agile, interactive, borderless, multimodal, and decentralized. They often have multiple gatekeepers and participants. In short, they represent a target-rich environment for hackers and digital criminals seeking to steal or exploit sensitive data or disrupt operations. Are organizations aware? Do they know the potential costs? Most aren’t and don’t: In many industries, efforts to revamp security procedures, institute new policies and technologies, and close gaps are uneven, poorly supported, and poorly designed.
Here’s how to correct some of those flawed approaches.
Digital ecosystems come with systemic risks
Digital transformation represents a broad, multimodal, and systemic shift for organizations and entire industries. When marketing, supply chains, and other operations move to digital-only platforms, they dramatically change a company’s opportunities in its marketplace. The result is the creation of digital ecosystems: large, often shifting, and multiplayer spaces where information is shared, business is conducted, and suppliers are linked together.
But these digital ecosystems create opportunities of another kind — for cyberthreats and external attacks on company systems, loss of control over intellectual property (IP), and sometimes existential threats to a business. Multiple examples of hacks and cyberthreats exist and the issue is finally getting the attention it deserves.
Nevertheless, our experience is that many organizations are ill-prepared for the risks inherent in digital ecosystems. Organizations are often taking major risks simply by doing nothing, or by doing the wrong things. In manufacturing and technology, we observe that companies often share IP with their global ecosystem partners or suppliers but are unable to address the risks associated with such sharing, or fail to enforce required controls aimed at reducing those risks. The reason isn’t a lack of ability or understanding but mostly a byproduct of volume. There are simply too many suppliers to work with and track and organizations often lack a sustainable, repeatable, and effective process and framework for de-risking their digital ecosystem.
Cybersecurity should be embedded by design
The manufacturing industry is also investing heavily in smart factories; however, those efforts will not deliver on their promise unless cybersecurity is embedded by design. Connecting everything that needs to be connected is the foundation of a smart factory, enabled by IoT. As the number of connected devices grows, the attack surface expands, making digital ecosystem security more important, and more deserving of C-suite attention, in the smart factory context. For instance, an automobile manufacturer would have to suspend factory operations if just one small supplier in its digital ecosystem, one unlikely to be on the radar of the C-suite, is attacked.
Similarly, for the aviation industry, which is no stranger to cyberattacks, the threat exposure is multiplied through a vast range of ecosystem participants — customers, aggregator portals, airport connectivity networks, banks issuing credit cards, and so on — all enabling their business. Given the amount of personally identifiable information airlines have access to, any security breach can affect millions of people and businesses worldwide.
Even in industries with more advanced track records of building and maintaining such de-risking processes, there remain holes. For example, in the banking, financial services, and insurance sectors there is a meaningful awareness of the risks and a corresponding interest by regulators in such processes. Yet even with them, solutions are not implemented effectively. We take note of the rise of FinTech providers whose innovative solutions address some of the de-risking priorities, but still require an accompanying focus on due diligence and security checks — something FinTech providers may not be able to appreciate.
Elsewhere, industries without significant regulatory exposure don’t have the same sense of urgency to take appropriate action. Where there is an appreciation for cyberthreats in general, that sense of risk does not affect the way organizations interact with the greatest sources of such risk — internal sources such as their own teams, partners, vendors, and suppliers.
Major problem areas for risk strategies
In short, in any de-risking framework, one must assume that the largest source of cyberthreats comes not from someone breaking in, but rather from a door left open for an uninvited guest. Organizations must adapt their mindset, their processes, and their resources accordingly. They need to identify major problem areas such as those below:
Lack of governance and accountability: In many organizations, the responsibility for closing risk gaps falls to several leaders, but not to a single point of authority. The failure is understandable as digital ecosystems touch multiple dimensions of an enterprise. But then responsibility for the total risk environment and de-risking is shared — though not necessarily met. A lack of accountability results in a lack of power to act and set de-risking as a priority within the organization.
Failure to correctly prioritize risk: Without understanding the context of the business, understanding and remediating risk is difficult to do effectively. For example, an outside vendor can be a potential source of risk but also play a critical and central role in the business; resolving and mitigating the issue may require special handling and attention. Other vendors for the same organization may not play as central a role, so handling their risk may be a more cut-and-dried issue. Organizations should isolate special situations for special handling and try to create systemized and automated approaches for the less important entities. Too many organizations fail to consider that internal context and therefore don’t know where to prioritize their efforts.
Failure to adopt basic policies: Surprisingly, many organizations do not have simple protocols and policies when it comes to cyber threats. Such a failure means every risk receives a curated and therefore expensive response. But simple de-risking rules can deliver an enormous amount of protection without a lot of discussion or debate. Think of checklists used to reduce medical error in surgery: Through a review of a six-item checklist, the risk of error in surgery is reduced by half.
In the same way, sources of cyber-risk can be addressed, with mechanized or automated approaches to eliminating some of the most common errors. This allows risk professionals to focus attention on special sources of risk and threats or “black swan” events.
Lack of asset inventory: Organizations often gain the first appreciation of their digital assets — such as intellectual property (IP) — when they’re at risk or in crisis. This is untenable and impractical. The first step towards an effective defense is understanding the value of what you’re defending and investing accordingly. Yet too many organizations fail to execute a proper asset discovery framework when it comes to digital assets, intellectual property, customer information, and other critical elements.
Failure to score risk: Even when organizations assess their ecosystem for sources of risk, they don’t necessarily follow a clear path of action. An assessment of potential risk in the supply chain can lead to specific actions different from those required when addressing sources of risk among vendors or employees. Each subpart of the ecosystem requires its own priority status for remediating those sources of risk and this should be set, objectively, by a standard risk calculation mechanism.
Geographic sensitivity: Organizations in North America and Europe have developed some sensitivity to digital ecosystem risks and threats; the same cannot be said for organizations native to Asia and the Far East. This may be of special concern to multinationals, whose operations span multiple major regions. It also may speak to the relative focus of regulators. Either way, organizations must meet the same high standard for ecosystem risk assessment and remediation frameworks, regardless of where they operate.
Essential steps for de-risking an enterprise
At a minimum, organizations seeking to address the risks associated with digital ecosystems must adopt an approach that moves beyond chasing the latest crisis. It must accept that certain risks pose a greater threat than others, that some can be greatly reduced through automated assessment and mitigation, and that some will be of particular concern because of their closeness to the core of the business.
Organizations that adopt a systematic approach to de-risking their digital ecosystems will have a far greater sense of the nature of those risks, relevant to their industry and geography, and will be able to build a far more comprehensive approach to proactively heading off threats. Here are some essential steps you can take to de-risk an enterprise:
Perform a doomsday scenario: Nothing clarifies the nature of risk quite like visualizing the total failure of systems and strategy. Perform a “doomsday” prioritization of your risk set by layering in the additional context of each potential source of threat, its geography, its unique vulnerabilities, and anything else informed by your best threat intelligence. Assess the potential loss of your most valuable and vulnerable assets and build a defense and mitigation strategy from there.
Create a “burn-down” plan: To address a large set of your vulnerabilities, create a realistic but still ambitious plan to greatly reduce them. This gives you a metric for accountability. When TCS supported a major US manufacturing client, we used this approach as part of an overall strategy, and it reduced the vulnerabilities 70% faster over a year.
Automate: While not widely available, an automated approach to assessment and risk management can produce meaningful reductions in the threat environment. Most solutions available to organizations rely on bespoke approaches; automation, however, is the only realistic strategy that meets both the volume and dynamic nature of fresh threats.
Deploy a prioritized approach: Since the work of addressing vulnerabilities can’t all be done at the same level of intensity, break it into specific scoreable parameters: shared IP, shared personal data (personally identifiable information, personal health information, and payment card industry data), volume of data, and the regulations covering the disclosure or accidental release of such data. These parameters suggest a prioritization for the work to be done, since they go a long way toward resolving questions about the relative severity of each risk.
Set a schedule for work: One should assume a protocol for continuous monitoring through external risk-scoring solutions. At the same time, anyone focused on these issues can’t maintain their focus on the same sources of risk all the time. Therefore, set a schedule to determine when to assess supply chain and other ecosystem players for their vulnerabilities.
Employ dynamic assessment: It’s not wise, considering the dynamic and shifting nature of risk, to calendarize risk assessment. Rather, organizations need to build in systems that test digital ecosystems dynamically and unpredictably, with continuous monitoring and interdiction.
Create frameworks bound to policies and protocols: These may draw from industry frameworks developed by ISO/IEC 27001 and NIST. These frameworks will include all legal, physical, and technical controls in an organization’s risk management systems — at the very least, these provide a strong foundation for an individualized framework.
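The scoring approach described under “Failure to score risk” and “Deploy a prioritized approach” above can be made mechanical. The following is an added illustration, not TCS’s method or tooling: it scores ecosystem partners on the parameters the article names (shared IP, personal data categories, data volume, applicable regulation) and carves out core-business partners for special handling, as the “Failure to correctly prioritize risk” section recommends. All weights, thresholds, the regulation mapping, and the sample partners are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed weights and cut-offs for illustration only; a real program would
# calibrate these against its own risk appetite and regulatory exposure.
IP_POINTS = 5                                   # partner holds shared intellectual property
DATA_WEIGHTS = {"PII": 3, "PHI": 4, "PCI": 4}   # personal data categories named in the article
REGULATION_FOR = {"PII": "GDPR/CCPA", "PHI": "HIPAA", "PCI": "PCI DSS"}  # assumed mapping
VOLUME_POINTS = [(1_000_000, 3), (100_000, 2), (1, 1)]  # records shared -> points
TIER_CUTOFFS = [(10, "high"), (5, "medium"), (0, "low")]

@dataclass(frozen=True)
class Partner:
    name: str
    shares_ip: bool
    data_types: frozenset = frozenset()   # subset of DATA_WEIGHTS keys
    records: int = 0                      # volume of data shared with this partner
    core_to_business: bool = False        # central role -> special handling, not the score

def score(p: Partner) -> int:
    """Objective risk score from the scoreable parameters; higher means riskier."""
    s = IP_POINTS if p.shares_ip else 0
    s += sum(DATA_WEIGHTS[d] for d in p.data_types if d in DATA_WEIGHTS)
    s += next((pts for threshold, pts in VOLUME_POINTS if p.records >= threshold), 0)
    s += len(regulations(p))              # each distinct regime adds breach-handling burden
    return s

def regulations(p: Partner) -> frozenset:
    """Regulatory regimes triggered by the data categories shared with the partner."""
    return frozenset(REGULATION_FOR[d] for d in p.data_types if d in REGULATION_FOR)

def tier(p: Partner) -> str:
    """Core-business partners bypass the automated tiers and get curated handling."""
    if p.core_to_business:
        return "special-handling"
    return next(t for cutoff, t in TIER_CUTOFFS if score(p) >= cutoff)

def prioritize(partners):
    """Work queue: special-handling partners first, then by descending score."""
    return sorted(partners, key=lambda p: (p.core_to_business, score(p)), reverse=True)

# Constructed sample ecosystem (not real organizations).
DESIGN_HOUSE = Partner("Design house", True, frozenset({"PII"}), 500, core_to_business=True)
PAYMENTS = Partner("Payments processor", False, frozenset({"PII", "PCI"}), 2_000_000)
BRACKET_SUPPLIER = Partner("Tier-2 bracket supplier", True)
CATERING = Partner("Catering vendor", False)
SAMPLE_PARTNERS = [CATERING, BRACKET_SUPPLIER, PAYMENTS, DESIGN_HOUSE]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_PARTNERS):
        print(f"{p.name:25} score={score(p):2} tier={tier(p):16} regs={sorted(regulations(p))}")
```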