Certain procurement pain points can prove debilitating for a business, freezing it in its tracks when it’s trying to grow and improve. This is where companies like Candex are able to step in and turn a headache into something so simple, it requires no further thought.
Danielle McQuiston is the Chief Customer Officer at Candex. She’s been with the fintech startup for five years, spending two decades prior to that working in procurement at Sanofi. Candex is a technology-based master vendor that allows customers to engage with and pay one-off or small suppliers without setting them up in their system. This means that the system doesn’t get clogged up with suppliers that are rarely or never going to be used again.
“We’re primarily used for what companies consider tail spend, and we typically deliver it as a punchout catalogue for a really simple user experience,” McQuiston explains. That ability to support lots of customers was what drew her to the role. “Coming to Candex, I was very excited about what they were doing and wanted to help as many companies as possible.”
Addressing tail spend
That ability to address tail spend in a unique way is the main thing that differentiates Candex. It’s an enormous problem for procurement professionals. The way Candex delivers it is through a digital plug-and-play solution, removing the need to be dependent on human intervention. “It’s a horizontal solution for any good or service, and it’s available in over 45 countries now,” says McQuiston. “It becomes part of the customer’s ecosystems and leverages the P2P process. It’s super compliant, and allows a lot of control.”
With this tool in place, Candex’s customers are able to gain much better control over their smaller purchases, defining what is allowed to be purchased. For many, this tool allows them to put tighter restrictions on purchases than their e-procurement systems are able to do. Additionally, Candex runs suppliers through screenings every day, which generally doesn’t happen for small, rarely-used suppliers.
“We run really detailed compliance and sanction screening against all those vendors, taking away a really daunting task from customers,” McQuiston states. “Customers probably check those suppliers once when they’re being set up, but then they never look at them again. Every day, we’re checking them, and keeping an eye on them when our customers can’t.”
Candex’s reporting is extremely detailed, and provides customers with the kind of real-time visibility they wouldn’t normally get – even in their own systems. Reports are generated weekly or monthly, including the diversity status of suppliers. This is data that a lot of clients then feed directly into their Power BI tools and data lakes, meaning they’re able to integrate it seamlessly into their other data.
Cleaning up the data
The whole purpose and aim of Candex’s tool is to make life easier for its customers, streamline their processes, and improve efficiencies. To that end, standardisation is key when it comes to business improvements, and that includes preparing data prior to implementing new technologies and processes. When it comes to ensuring a business’s data is healthy before launching into major tech changes, accepting the necessity of making foundational change is key.
“Data cleansing processes are ugly, cumbersome, and long – and everyone has to do them,” McQuiston comments. “But you have to accept that you’re going to have to do something, if you want to get a handle on your spend. First and foremost, you need to standardise the way you name things, the way you put data in the system, and you need a really strict discipline around that. All of those things will make backend processes a lot easier.”
It’s just one of many considerations CPOs need to bear in mind when seeking out technology solutions and implementation. Modern procurement departments have a seat at the wider business table now, and what they do impacts the entire business. So when it comes to utilising solutions for the sake of the business at large, there are many factors to think about.
“As with any data or technology, it’s all about garbage in and garbage out,” says McQuiston. “Any advanced technology should be used with caution and viewed with a critical eye. You have to start with knowing what you want out of it.
“A lot of times, people put technology in place because it looks interesting, but you need to start with the problem and work backwards. If the issue is user experience, you need to make sure that whatever you’re implementing focuses on a positive UX. If the problem is unclean data, you need to make sure you’re putting in place all the foundational elements you need to make that better. Always start from the perspective of implementing a technology based on a problem, rather than the other way around.”
Improving UX in 2025
It’s a seriously dynamic time to be involved in procurement right now, as evidenced by the intense buzz around us at DPW Amsterdam as we sit with McQuiston. As we look ahead, she envisions that procurement will have an increasingly powerful impact on user experience. This is particularly important at a time when tasks are becoming increasingly automated, with less and less direct human interaction.
“We’re also seeing a pretty big leap forward in terms of best practice sharing amongst our clients,” says McQuiston, something that events like DPW also encourage. “For Candex, a big theme of 2024 has been getting our clients together to share best practices and information, helping them to develop further expertise in the field. 2025 will have more of the same, but there’s now a higher level of maturity out there in the way customers are considering tail spend. As people continue to onboard solutions, it will be interesting to see how that impacts the UX in relation to Candex. We’re always looking for ways to make our tool more user-friendly and add better functionality.”
All of this is why Candex’s customers love the company. On a base level, Candex takes a complex pain point and makes it simple. In a broader sense, the reason Candex is becoming so popular is the way it works with people. “The most common feedback we get from customers and suppliers is that we’re great to work with because we’re so flexible,” says McQuiston. “We hired a team of procurement experts, so our team is made up of people who really understand the pain of our clients, and can anticipate their fears, their needs, and cater to those.”
Our cover story this month focuses on the work of Arianne Gallagher-Welcher. As the Executive Director for the USDA Digital Service, in the Office of the OCIO, her team’s mission is to drive a tech transformation at the USDA. The goal is to better serve the American people across all of its 50 states.
Welcome to the latest issue of Interface magazine!
Welcome to a new year of possibility where technology meets business at the interface of change…
“We knew that in order for us to deliver what we needed for our stakeholders, we needed to be flexible – and that has trickled down from our senior leaders.” Arianne Gallagher-Welcher, Executive Director for the USDA Digital Service reveals the strategic plan’s first goal. Above all, the aim is to deliver customer-centric IT so farmers, producers, and families can find dealing with USDA as easy as using an ATM.
BCX: Delivering insights & intelligence across the Data & AI value chain
We also sat down with Stefan Steffen, Executive Leader for Data Insights & Intelligence at BCX. He revealed how BCX is leveraging AI to strategically transform businesses and drive their growth. “Our commitment to leveraging data and AI to drive innovation harnesses the power of technology to unlock new opportunities, drive efficiency, and enhance competitiveness for our clients.”
Momentum Multiply: A culture-driven digital transformation for wellness
Multiply Inspire & Engage is a new offering from leading South African insurance provider Momentum Health Solutions. Furthermore, it is the first digital wellness rewards program in South Africa to balance mental health and physical health in pursuing holistic wellness. CIO, Ndibulele Mqoboli, discusses re-platforming, cloud migrations, and building a culture of ownership, responsibility, and continuous improvement.
Clark County: Creating collaboration for the benefit of residents
Navigating the world of local government can be a minefield of red tape, both for citizens and those working within it. Al Pitts, Deputy CIO of Clark County, talks to us about the organisation’s IT transformation. He explains why collaboration is key to support residents. “We have found our new Clark County – ‘Together for Better’ – is a great way to collaborate on new solutions.”
Also in this issue, we hear from Alibaba’s European GM Jijay Shen on why digitalisation can be a driving force for SMEs. We learn how businesses can get cybersecurity right with KnowBe4 and analyse the rise of ‘The Mobility Society’.
For our first cover story of 2024 we meet with Lloyds Banking Group’s CIO for Consumer Relationships & Mass Affluent, Martyn Atkinson, to learn how an ambitious growth agenda, combined with a people-centred culture, is driving change for customers and colleagues across the Group.
Lloyds Banking Group: A technology & business strategy
“We’ve made significant strides in transforming our business for the future,” explains Martyn Atkinson, CIO for Consumer Relationships & Mass Affluent at Lloyds Banking Group. “I’m really proud of what the team have achieved. There’s loads more to go after. It’s a really exciting time as we become a modern, progressive, tech-enabled business. We’ve aimed to maintain pace and an agile mindset. We want to get products and services out to our customers and colleagues. We’ll test and learn to see if what we’re doing is actually making a meaningful difference.”
AFRICOM: Organisational resilience through cybersecurity
We also speak with U.S. Africa Command’s (AFRICOM) CISO Ryan Larsen on developing the right culture to build cyber awareness. He is committed to driving secure and continued success for the Department of Defence. “I often think of every day working in cyberspace a lot like counterinsurgency warfare and my time in Afghanistan. You had to be on top of your game every minute of every day. The adversary only needs to get lucky one time to find you with that IED.”
ALIC: Creating synergy to scale at speed with Lolli
Since 2009 the Australian Lending & Investment Centre (ALIC) has been matching Australians with loans that help build their wealth. It has delivered over $8.3bn in loans to more than 22,000 leading Australian investors and businesses. Managing Director Damian Brander talks ethical lending and the challenges of a shifting financial landscape. ALIC has also built Lolli – a broker enhancement platform built by brokers, for brokers.
Sime Darby Motors: Driving digital, cultural, and business transformation together
Sime Darby Berhad is one of the oldest and most successful multinational companies in Malaysia. It has a twin focus on the Industrial and Motors sectors. The company employs more than 24,000 people, operating across 17 countries and territories. Sime Darby Motors’ Chief Digital & Information Officer Tuan Jean Tee shares how he makes sure digital, cultural, and process transformation go hand in hand throughout one of APAC’s largest automotive multinationals.
Also in this issue, we hear from Microsoft on the art of sustainable supply chain transformation, Tecnotree map the key trends set to impact the telecoms industry in 2024 and our panel of experts chart the big Fintech predictions for the year ahead.
Cybersecurity leader Shinesa Cambric on Microsoft’s innovation journey to identify, detect, protect, and respond to emerging threats against identity and access
This month’s cover story highlights a cybersecurity program protecting billions of users.
Welcome to the latest issue of Interface magazine!
Interface showcases leaders at the forefront of innovation with digital technologies transforming myriad industries.
Shinesa Cambric is on a mission to drive innovation for cybersecurity at Microsoft. Moreover, by embracing diversity and opening all channels towards collaboration her team tackles anti-abuse and delivers fraud-defence. Continuous Improvement doesn’t just play into her role, it defines it…
“In the fraud and abuse space, attackers are constantly trying to identify ways to look like a legitimate user,” warns Shinesa. “And this means my team, and our partners, have to continuously adapt. We identify new patterns and behaviours to detect fraudsters. At the same time, we must do it in such a way we don’t impact our truly ‘good’ and legitimate users. Microsoft is a global consumer business and any time you add friction or an unpleasant experience for a consumer, you risk losing them, their business and potentially their trust. My team’s work sits on the very edge of the account sign up and sign in process. We are essentially the first touch within the customer funnel for Microsoft – a multi-billion dollar company.”
ABB: Digital Technologies contributing towards Net Zero
Nigel Greatorex, Global Industry Manager for Carbon Capture and Storage (CCS) at ABB Energy Industries, explains how digital technologies can play a critical role in the transition to a low carbon world. He highlights the role of CCS in enabling global emissions reductions and how challenges can be overcome through digitalisation…
“It is widely recognised decarbonisation is essential to achieving net zero emissions by 2050. Therefore, it’s not surprising that emerging decarbonisation technology is becoming an increasingly important, and rapidly growing market.”
CSI: How can your IT estate improve its sustainability?
Andy Dunn, Chief Revenue Officer at IT solutions specialist CSI, reveals how digital technologies can contribute to ESG obligations: “Sustainability is now seen as a strategic business imperative, so much so that 74% of companies consider Environmental, Social and Governance (ESG) factors to be very important to the value of their company. Additionally, we know almost three in four organisations have set a net zero goal. With an average target date of 2044, 50% of organisations are seeking more energy efficient products and services.”
https://www.youtube.com/watch?v=tsDaZiSO1ho
“Optimising energy use and consolidating servers and storage infrastructure form a strong basis for shaping a more environmentally friendly and efficient IT estate. It no longer needs to be the Achilles Heel of an ESG policy.”
Mia Platform: Sustainable Cloud Computing
Davide Bianchi, Senior Technical Lead at Mia Platform, explores the silver lining of sustainable cloud computing. He reveals how it can help us reduce our digital carbon footprint with collaboration, efficient use of applications, containerisation of apps, microservices and green partnerships.
“We’re already on an important technological path toward ubiquitous cloud computing. Correspondingly, this brings incredible long-term benefits too. These include greater scalability, improved data storage, and quicker application deployment, to name a few.”
Also in this issue, we hear from Doug Laney, Innovation Fellow at West Monroe and author of Infonomics and Data Juice. Also, we learn how companies can measure, manage and monetise to realise the potential of their data. And, Deputy CIO Melvin Brown discusses the people-centric approach to IT supporting America’s civil service at The Office of Personnel Management (OPM).
Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and how companies can measure, manage and monetise to realise the potential of their data
Our cover story explores the rise of data and information as an asset.
Welcome to the latest issue of Interface magazine!
Interface showcases leaders aiming to take advantage of data, particularly in a new world of AI technologies where it is the fuel…
How to monetise, manage and measure data as an asset
Our cover star is pretty big in the world of analytics… We meet the guy who defined Big Data. Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and learn how companies can measure, manage and monetise to realise the potential of their information. In his first book Laney advised companies to stop being fixated on hindsight-oriented analytics. “It doesn’t actually move the needle on the business. In the stories I’ve compiled over the last decade, 98% have more to do with organisations using data to diagnose, predict, prescribe or automate something. It’s not about asking questions about what happened in the past.”
Canvas Worldwide: A data-driven media business
Continuing this month’s data theme, we also spoke with Alisa Ben, SVP, Head of Analytics at full-service media agency Canvas Worldwide. Data has transformed the organisation, and what its clients do. “We look holistically at the client’s business and sometimes the tools we have might be right for them, sometimes not. It’s more about helping our clients achieve their business outcomes.”
TUI Musement: from digital transformation to digital pioneer
At travel giant TUI, handling data effectively is paramount when communicating consistently and meaningfully with up to 25 million customers annually. David Garcia, CIO for TUI Musement, talks about the tech evolution driving the travel giant’s provision of experiences, transfers and tours. It’s a big part of its operational shift from local to global. “As a CIO, I’ve always been interested in how the tech innovations we drive can support the business and add value.”
Hiscox: making cybersecurity more accessible
Liz Banbury, CISO at Hiscox and president of (ISC)² London Chapter, talks to us about how cybersecurity can become a more accessible, realistic career path for almost anybody. “When I was at school, topics like computer science didn’t even exist,” Banbury explains. “In one of my first jobs, over in Hong Kong, we were still using a typewriter! A lot has changed. My key point here is that there’s a lot of cybersecurity professionals who are really good at their job. They are inspiring, and have come from all walks of life. Crucially, they don’t have a maths, computer science, or technological background at all. But they still make great cybersecurity professionals.”
Portland Community College: Risk vs Speed in Cybersecurity
Reet Kaur, former Chief Information Security Officer at Portland Community College, discusses the organisation’s transition to the cloud amid a digital transformation journey. “I don’t want to work with people who just say yes all the time. I want my ideas challenged to help forge the excellence in the security programmes I help build.”
DBHDS: Cybersecurity in healthcare
The Virginia Department of Behavioral Health and Developmental Services (DBHDS) exists to create ‘a life of possibilities for all Virginians’ and transform behavioural health. Its focus is on supporting people across the entire commonwealth. It helps them get the support they need in order to take wellness and recovery into their own hands. In an area like healthcare, sensitive information is all over the place, meaning cybersecurity is a priority – and this is where Glendon Schmitz, CISO at DBHDS, comes in. “The security team exists to help the wider organisation achieve its objectives with data. We’re there to protect the business, not the other way around.”
Also in this issue, we schedule the can’t miss tech events and get the lowdown on IoT security from the Mobile Ecosystem Forum.
Expert analysis of the tech trends set to make waves this year
Digital transformation is a continuing journey of change with no set final destination. This makes predicting tomorrow a challenge when no one has a crystal ball to hand.
After a difficult few years for most businesses following a disruptive pandemic and now battling a cost-of-living crisis, many enterprises are increasingly leveraging new types of technology to gain an edge in a disruptive world.
With this in mind, here are what experts predict for the next 12 months…
1. Process Mining
Sam Attias, Director of Product Marketing at Celonis, expects to see a rise in the adoption of process mining as it evolves to incorporate automation capabilities. He says process mining has traditionally been “a data science done in isolation” which helps companies identify hidden inefficiencies by extracting data and visually representing it.
“It is now evolving to become more prescriptive than descriptive and will empower businesses to simulate new methods and processes in order to estimate success and error rates, as well as recommend actions before issues actually occur,” says Attias. “It will fix inefficiencies in real-time through automation and execution management.”
2. The evolution of social robots
Gabriel Aguiar Noury, Robotics Product Manager at Canonical, anticipates social robots to return this year. After companies such as Sony introduced robots like Poiq, Aguiar Noury believes it “sets the stage” for a new wave of social robots.
“Powered by natural language generation models like GPT-3, robots can create new dialogue systems,” he says. “This will improve the robot’s interactivity with humans, allowing robots to answer any question.
“Social robots will also build narratives and rich personalities, making interaction with users more meaningful. GPT-3 also powers Dall-E, an image generator. Combined, these types of technologies will enable robots not only to tell but show dynamic stories.”
3. The rebirth of new data-powered business applications
Christian Kleinerman, Senior Vice President of Product at Snowflake, says there is the beginning of a “renaissance” in software development. He believes developers will bring their applications to central combined sources of data instead of the “traditional approach” of copying data into applications.
“Every single application category, whether it’s horizontal or specific to an industry vertical, will be reinvented by the emergence of new data-powered applications,” affirms Kleinerman. “This rise of data-powered applications will represent massive opportunities for all different types of developers, whether they’re working on a brand-new idea for an application and a business based on that app, or they’re looking for how to expand their existing software operations.”
4. Application development will become a two-way conversation
Adrien Treuille, Head of Streamlit at Snowflake, believes application development will become a two-way conversation between producers and consumers. It is his belief that the advent of easy-to-use low-code or no-code platforms is already “simplifying the building” and sharing of interactive applications for tech-savvy and business users.
“Based on that foundation, the next emerging shift will be a blurring of the lines between two previously distinct roles — the application producer and the consumer of that software.”
He adds that application development will become a collaborative workflow where consumers can weigh in on the work producers are doing in real-time. “Taking this one step further, we’re heading towards a future where app development platforms have mechanisms to gather app requirements from consumers before the producer has even started creating that software.”
5. The Metaverse
Paul Hardy, EMEA Innovation Officer at ServiceNow, says he expects business leaders to adopt technologies such as the metaverse in 2023. The aim of this is to help cultivate and maintain employee engagement as businesses continue working in hybrid environments, in an increasingly challenging macro environment.
“Given the current economic climate, adoption of the metaverse may be slow, but in the future, a network of 3D virtual worlds will be used to foster meaningful social connections, creating new experiences for employees and reinforcing positive culture within organisations,” he says. “Hybrid work has made employee engagement more challenging, as it can be difficult to communicate when employees are not together in the same room.
“Leaders have begun to see the benefit of hosting traditional training and development sessions using VR and AI-enhanced coaching. In the next few years, we will see more workplaces go a step beyond this, for example, offering employees the chance to earn recognition in the form of tokens they can spend in the real or virtual world, gamifying the experience.”
6. The year of ESG?
Cathy Mauzaize, Vice President, EMEA South, at ServiceNow, believes 2023 could be the year that environmental, social and corporate governance (ESG) is vital to every company’s strategy.
“Failure to engage appropriate investment in ESG strategies could plunge any organisation into a crisis,” she says. “Legislation must be respected and so must the expectations of employees, investors and your ecosystem of partners and customers.
“ESG is not just a tick box, one and done, it’s a new way of business that will see us through 2023 and beyond.”
7. Macro Trends and Redeploying Budgets for Efficiency
Ulrik Nehammer, President, EMEA at ServiceNow, says organisations are facing an incredibly complex and volatile macro environment. Nehammer explains as the world is gripped by soaring inflation, intelligent digital investments can be a huge deflationary force.
“Business leaders are already shifting investment focus to technologies that will deliver outcomes faster,” he says. “Going into 2023, technology will become increasingly central to business success – in fact, 95% of CEOs are already pursuing a digital-first strategy according to IDC’s CEO survey, as digital companies deliver revenue growth far faster than non-digital ones.”
8. Organisations will have adopted a NaaS strategy
David Hughes, Aruba’s Chief Product and Technology Officer, believes that by the end of 2023, 20% of organisations will have adopted a network-as-a-service (NaaS) strategy.
“With tightening economic conditions, IT requires flexibility in how network infrastructure is acquired, deployed, and operated to enable network teams to deliver business outcomes rather than just managing devices,” he says. “Migration to a NaaS framework enables IT to accelerate network modernisation yet stay within budget, IT resource, and schedule constraints.
“In addition, adopting a NaaS strategy will help organisations meet sustainability objectives since leading NaaS suppliers have adopted carbon-neutral and recycling manufacturing strategies.”
9. Think like a seasonal business
Patrick Bossman, Product Manager at MariaDB Corporation, anticipates 2023 to be the year that the ability to “scale out on command” is going to be at the fore of companies’ thoughts.
“Organisations will need the infrastructure in place to grow on command and scale back once demand lowers,” he says. “The winners in 2023 will be those who understand that all business is seasonal, and all companies need to be ready for fluctuating demand.”
10. Digital platforms need to adapt to avoid falling victim to subscription fatigue
Demed L’Her, Chief Technology Officer at DigitalRoute, suggests what the subscription market is going to look like in 2023 and how businesses can avoid falling victim to ‘subscription fatigue’. L’Her says there has been a significant drop in demand since the pandemic.
“Insider’s latest research shows that as of August, nearly a third (30%) of people reported cancelling an online subscription service in the past six months,” he reveals. “This is largely due to the rising cost of living experienced globally that is leaving households with reduced budgets for luxuries like digital subscriptions. Despite this, the subscription market is far from dead, with most people retaining some despite tightened budgets.
“However, considering the ongoing economic challenges, businesses need to consider adapting if they are to be retained by customers in the long term. The key to this is ensuring that the product adds value to the life of the customer.”
11. Waking up to browser security
Jonathan Lee, Senior Product Manager at Menlo Security, points to the web browser being the biggest attack surface and suggests the industry is “waking up” to the fact of where people spend the most time.
“Vendors are now looking at ways to add security controls directly inside the browser,” explains Lee. “Traditionally, this was done either as a separate endpoint agent or at the network edge, using a firewall or secure web gateway. The big players, Google and Microsoft, are also in on the act, providing built-in controls inside Chrome and Edge to secure at a browser level rather than the network edge.
“But browser attacks are increasing, with attackers exploiting new and old vulnerabilities, and developing new attack methods like HTML Smuggling. Remote browser isolation is becoming one of the key principles of Zero Trust security where no device or user – not even the browser – can be trusted.”
12. The year of quantum-readiness
Tim Callan, Chief Experience Officer at Sectigo, predicts that 2023 will be the year of quantum-readiness. He believes that as a result of the standardisation of new quantum-safe algorithms expected to be in place by 2024, this year will be a year of action for government bodies, technology vendors, and enterprise IT leaders to prepare for the deployment.
“In 2022, the US National Institute of Standards and Technologies (NIST) selected a set of post-quantum algorithms for the industry to standardise on as we move toward our quantum-safe future,” says Callan.
“In 2023, standards bodies like the IETF and many others must work to incorporate these algorithms into their own guidelines to enable secure functional interoperability across broad sets of software, hardware, and digital services. Providers of these hardware, software, and service products must follow the relevant guidelines as they are developed and begin preparing their technology, manufacturing, delivery, and service models to accommodate updated standards and the new algorithms.”
13. AI: fewer keywords, greater understanding
AI expert Dr Pieter Buteneers, Director of AI and Machine Learning at Sinch, expects artificial intelligence to continue to transition away from keywords and move towards an increased level of understanding.
“Language-agnostic AI, already existent within certain AI and chatbot platforms, will understand hundreds of languages — and even interchange them within a single search or conversation — because it’s not learning language like you or I would,” he says. “This advanced AI instead focuses on meaning, and attaches code to words accordingly, so language is more of a finishing touch than the crux of a conversation or search query.
“Language-agnostic AI will power stronger search results — both from external (the internet) and internal (a company database) sources — and less robotic chatbot conversations, enabling companies to lean on automation to reduce resources and strain on staff and truly trust their AI.”
14. Rise in digital twin technology in the enterprise
John Hill, CEO and Founder of Silico, recognises the growing influence digital twin technology is having in the market. Hill predicts that in the next 20 years, there will be a digital twin of every complex enterprise in the world and anticipates the next generation of decision-makers will routinely use forward-looking simulations and scenario analytics to plan and optimise their business outcomes.
“Digital twin technology is one of the fastest-growing facets of industry 4.0 and while we’re still at the dawn of digital twin technology,” he explains. “Digital twins will have huge implications for unlocking our ability to plan and manage the complex organisations so crucial for our continued economic progress and underpin the next generation of Intelligent Enterprise Automation.”
15. Broader tech security
With an exponential amount of data at companies’ fingertips, Tricentis CEO, Kevin Thompson says the need for investment in secure solutions is paramount.
“The general public has become more aware of the access companies have to their personal data, leading to the impending end of third-party cookies, and other similar restrictions on data sharing,” he explains. “However, security issues still persist. The persisting influx of new data across channels and servers introduces greater risk of infiltration by bad actors, especially for enterprise software organisations that have applications in need of consistent testing and updates. The potential for damage increases as iterations are being made with the expanding attack surface.
“Now, the reality is a matter of when, not if, your organisation will be the target of an attack. To combat this rising security concern, organisations will need to integrate security within the development process from the very beginning. Integrating security and compliance testing at the upfront will greatly reduce risk and prevent disruptions.”
16. Increased cyber resilience
Michael Adams, CISO at Zoom, expects an increased focus on cyber resilience over the next 12 months. “While protecting organisations against cyber threats will always be a core focus area for security programs, we can expect an increased focus on cyber resilience, which expands beyond protection to include recovery and continuity in the event of a cyber incident,” explains Adams.
“It’s not only investing resources in protecting against cyber threats; it’s investing in the people, processes, and technology to mitigate impact and continue operations in the event of a cyber incident.”
17. Ransomware threats
As data leaks become increasingly commonplace in the industry, companies face a very real threat of ransomware. Michal Salat, Threat Intelligence Director at Avast, believes the time is now for businesses to protect themselves or face recovery fees costing millions of dollars.
“Ransomware attacks themselves are already an individual’s and businesses’ nightmare. This year, we saw cybergangs threatening to publicly publish their targets’ data if a ransom isn’t paid, and we expect this trend to only grow in 2023,” says Salat. “This puts people’s personal memories at risk and poses a double risk for businesses. Both the loss of sensitive files, plus a data breach, can have severe consequences for their business and reputation.”
18. Intensified supply chain attacks
Dirk Schrader, VP of security research at Netwrix, believes supply chain attacks are set to increase in the coming year. “Modern organisations rely on complex supply chains, including small and medium businesses (SMBs) and managed service providers (MSPs),” he says.
“Adversaries will increasingly target these suppliers rather than the larger enterprises knowing that they provide a path into multiple partners and customers. To address this threat, organisations of all sizes, while conducting a risk assessment, need to take into account the vulnerabilities of all third-party software or firmware.”
19. A greater need to manage volatility
Paul Milloy, Business Consultant at Intradiem, stresses the importance of managing volatility in an ever-moving market. Milloy believes bosses can utilise data through automation to foresee potential problems before they become issues.
“No one likes surprises. Whilst Ben Franklin suggested nothing can be said to be certain, except death and taxes, businesses will want to automate as many of their processes as possible to help manage volatility in 2023,” he explains. “Data breeds intelligence, and intelligence breeds insight. Managers can use the data available from workforce automation tools to help them manage peaks and troughs better to avoid unexpected resource bottlenecks.”
20. A human AI co-pilot will still be needed
Artem Kroupenev, VP of Strategy at Augury, predicts that within the next few years, every profession will be enhanced with hybrid intelligence, and have an AI co-pilot which will operate alongside human workers to deliver more accurate and nuanced work at a much faster pace.
“These co-pilots are already being deployed with clear use cases in mind to support specific roles and operational needs, like AI-driven solutions that enable reliability engineers to ensure production uptime, safety and sustainability through predictive maintenance,” he says. “However, in 2023, we will see these co-pilots become more accurate, more trusted and more ingrained across the enterprise.
“Executives will better understand the value of AI co-pilots to make critical business decisions, and as a key competitive differentiator, and will drive faster implementation across their operations. The AI co-pilot technology will be more widespread next year, and trust and acceptance will increase as people see the benefits unfold.”
21. Building the right workplace culture
Harnessing a positive workplace culture is no easy task, and in 2023, with remote and hybrid working now the norm, it brings new challenges. Tony McCandless, Chief Technology Officer at SS&C Blue Prism, is well aware of the role organisational culture can play in any digital transformation journey.
“Workers are the heart of an organisation, so without their buy in, no digital transformation initiative stands a chance of success,” explains McCandless. “Workers drive home business objectives, and when it comes to digital transformation, they are the ones using, implementing, and sometimes building automations. Curiosity, innovation, and the willingness to take risks are essential ingredients to transformative digitalisation.
“Businesses are increasingly recognising that their workers play an instrumental role in determining whether digitalisation initiatives are successful. Fostering the right work environment will be a key focus point for the year ahead – not only to cultivate buy-in but also to improve talent retention and acquisition, as labor supply issues are predicted to continue into 2023 and beyond.”
22. Cloud cover to soften recession concerns
Amid a cost-of-living crisis and concerns over any potential recession as a result, Daniel Thomasson, VP of Engineering and R&D at Keysight Technologies, says more companies will shift data intensive tasks to the cloud to reduce infrastructure and operational costs.
“Moving applications to the cloud will also help organisations deliver greater data-driven customer experiences,” he affirms. “For example, advanced simulation and test data management capabilities such as real-time feature extraction and encryption will enable use of a secure cloud-based data mesh that will accelerate and deepen customer insights through new algorithms operating on a richer data set. In the year ahead, expect the cloud to be a surprising boom for companies as they navigate economic uncertainty.”
23. IoT devices to scale globally
Dr Raullen Chai, CEO and Co-Founder of IoTeX, recognises a growing trend in the usage of IoT devices worldwide and believes connectivity will increase significantly.
“For decades, Big Tech has monopolised user data, but with the advent of Web3, we will see more and more businesses and smart device makers beginning to integrate blockchain for device connectivity as it enables people to also monetise their data in many different ways, including in marketing data pools, medical research pools and more,” he explains. “We will see a growth in decentralised applications that allow users to earn a modest additional revenue from everyday activities, such as walking, sleeping, riding a bike or taking the bus instead of driving, or driving safely in exchange for rewards.
“Living healthy lifestyles will also become more popular via decentralised applications for smart devices, especially smart watches and other health wearables.”
Todd Salmon, Executive Advisor for Strategic Services at GuidePoint Security, on the cybersecurity challenge of keeping up with the pace of the ever-changing digital world
This month’s cover story explores how GuidePoint Security, an elite team of highly trained and certified experts, cut through cybersecurity chaos and confusion to put control back in customers’ hands.
Welcome to the latest issue of Interface magazine!
Interface welcomes in 2023 with a need-to-know list of what we can expect from technology this year and how it can allow enterprises to gain a competitive edge in a disruptive and increasingly digital world. Faced with everything from process mining and AI to quantum-readiness and the metaverse we cut through the hype to bring you the facts.
GuidePoint Security: digital transformation in cybersecurity
“Cybersecurity is in such a reactive mode because of the sheer volume of risks and vulnerabilities an organisation faces,” says Todd Salmon, Executive Advisor for Strategic Services at GuidePoint Security. “We see a lot of copycats and repeat attacks happen, but at the end of the day it’s all about creating solutions to help combat those problems.”
GuidePoint’s elite team of highly trained and certified experts cuts through cybersecurity chaos and confusion to put control back in customers’ hands, helping them make the smartest, most informed cyber risk decisions and choose and integrate the best-fit solutions to build the most effective cybersecurity program. Salmon discusses the challenge of keeping up with the pace of the ever-changing digital world.
bp: a strategic reinvention
“We are investing in digital to drive process efficiency and improve insights; but also to develop our people with the skills we need for now, and the future at bp. This means we are playing to win while caring for our people through investing in their personal development,” says Head of Strategic Transformation Nick Hales.
“After setting the right foundations through various remediation and compliance initiatives, we embarked on our digital transformation journey,” adds Strategy & Transformation Manager Emmanouela Vlachantoni. “There was a clear opportunity to standardise and streamline our controls environment to reduce complexity and increase insight.”
Fairfax County: winning the IT war with cybersecurity
Meanwhile, across the pond, we learn how Fairfax County in the State of Virginia is reaping the rewards of a cybersecurity program enabling government services and keeping citizens safe. “My role is to educate our leadership to ensure they understand the business value of cybersecurity as it relates to government services. Being accountable for the security of their systems and data is a key factor in developing a successful cyber program,” explains CISO Michael Dent.
Also in this issue, we round up the key tech events and conferences across the globe and, with the help of the experts at Fasthosts, take a deep dive into the metaverse… Can virtual reality become our reality? Read on to find out.
Nick Hales, Head of Strategic Transformation and Emmanouela Vlachantoni, Strategy & Transformation Senior Manager, on the journey to reinvent business processes that are reimagining bp
This month’s cover story reveals how bp’s Strategic Transformation leaders are on a journey to reinvent business processes that are reimagining the energy giant.
Welcome to the latest issue of Interface magazine!
Our final issue of Interface for 2022 covers some of this year’s hot tech topics: digital transformation, cybersecurity, data & analytics, customer-centricity and more…
“We are investing in digital to drive process efficiency and improve insights; but also to develop our people with the skills we need for now, and the future. This means we are playing to win while caring for our people through investing in their personal development,” says Nick Hales.
“After setting the right foundations through various remediation and compliance initiatives, we embarked on our digital transformation journey,” adds Emmanouela Vlachantoni. “There was a clear opportunity to standardise and streamline our controls environment to reduce complexity and increase insight.”
Fairfax County: winning the IT war with cybersecurity
Meanwhile, across the pond, we learn how Fairfax County in the State of Virginia is reaping the rewards of a cybersecurity program enabling government services and keeping citizens safe. “My role is to educate our leadership to ensure they understand the business value of cybersecurity as it relates to government services. Being accountable for the security of their systems and data is a key factor in developing a successful cyber program,” explains CISO Michael Dent.
Piedmont Healthcare: data & analytics at the heart of growth
The power of data cannot be under-estimated… At Piedmont Healthcare Mark Jackson, Executive Director of Business Intelligence is building a data strategy driving speed to insight at scale. “Tool selection has played an important role in our ability to scale the BI program and deliver rapid insights in a dynamic environment.”
Also in this issue, CalArts CTO Allan Chen explains how an IT strategy based on coordination and collaboration is supporting six schools; Information Tech VP Fausto Sosa de la Fuente reveals the people-centric transformative IT process at construction industry giant CEMEX; and we take a look at the latest insights from McKinsey highlighting the lessons CEOs can learn from successful digital transformations.
John McClure, CISO at Sinclair Group – a diversified media company and America’s leading provider of local sports and news – talks about the evolution of cybersecurity and the cultural shift placing it at the forefront of business change
This month’s cover story explores how Sinclair Broadcast Group is embracing the evolution of cybersecurity and placing the role of the CISO at the forefront of business transformation.
Welcome to the latest issue of Interface magazine!
Communication, secure and at speed, is a vital component of the transformation journey for both the modern enterprise and its relationship with stakeholders, be they customers or partners. Putting the right building blocks in place to deliver successful change management is at the heart of the inspiring stories in the latest issue of Interface.
Our cover star John McClure progressed from a career in the military and work as a consultant in the intelligence industry to fight a new kind of foe… As CISO for Sinclair Broadcast Group, a diversified media company and America’s leading provider of local sports and news, he talks about the evolution of cybersecurity, the battle to meet the rising velocity and sophistication of cyber-attacks and the cultural shift of the role of CISO placing it at the forefront of business change.
“Sinclair is unique in terms of its different business units and how it operates. It’s my job as CISO leading our cyber team not to be an obstacle for the business; we’re here to help it move faster to keep up with market forces, and to move safely. We’re here to engineer solutions that work for the enterprise but also help us maintain a positive security posture.”
State of Florida: digital government services
We also hear from CIO Jamie Grant who is leading the State of Florida’s Digital Service (FL[DS]) on its charge to transform and modernise the way government is accessed and consumed. He is building a team of talented, goal-oriented and customer-obsessed individuals to drive a digital transformation with innovation at its heart. “Leadership is really about developing the team and investing in the people. And it turns out that when you get their backs, they appreciate it and then you can achieve anything.”
ResultsCX: putting people first
Jamie Vernon, SVP for IT & Infrastructure at AI-powered customer experience solution specialist ResultsCX, discusses what drives customer care in the 21st century, and the part technology has to play.
“We are the custodians of our customers’ customers,” says Vernon. “In this increasingly tenuous relationship with their customers, they trust us. My leadership takes that responsibility very seriously, and charges each of us with doing everything we can to provide a perfect call, or email, or chat, every time, thousands of times a minute, around the clock and around the calendar.”
Also this month, Sarita Singh, Regional Head & Managing Director for Stripe in Southeast Asia, talks about how the fast-growing payments platform is driving financial inclusion across Asia and supporting SMEs with end-to-end services putting users first, and we get expert advice for the modern CEO from the University of Oxford’s Saïd Business School.
Our cover story investigates how the latest cybersecurity technologies ensure the Commonwealth Bank and its customers are protected from cybercrime
Our cover story this month charts how the Commonwealth Bank is strengthening its cybersecurity posture to protect 16 million customers
Welcome to the latest issue of Interface magazine!
Cybersecurity, and the need to share data safely and securely, goes beyond the day-to-day requirements of one organisation; it’s about enterprises at all levels collaborating to develop an ecosystem for the greater global good.
Our cover star Memo Hayek, General Manager Group Cyber Transformation & Delivery at CommBank, is leading a team on such a journey while executing the technology transformation required to fortify cybersecurity for CommBank. Leveraging the latest cutting-edge technologies from partners including AWS and Palo Alto Networks – in demand as the global attack surface grows – Hayek is flying the flag for women in STEM careers and delivering the strategies to ensure the bank, its Australian community and the wider global economy are protected from cybercrime.
https://www.youtube.com/watch?v=jQNXY2duLZs
Philip Morris International
Also in this issue, we learn how Philip Morris International (PMI) is instigating a digital revolution in the travel retail sector, merging the physical and online worlds by implementing a number of CX-driven initiatives framed around PMI’s IQOS brand, which is helping smokers move to smoke-free products.
Valtech
We hear again from global business transformation agency Valtech on its efforts to embrace diversity across the length and breadth of its organisation to make it better able to provide solutions that touch all of society. Una Verhoeven, VP Global Technology, gives her perspective on the diversity debate and how that’s further supported in the technological evolution with the rise of composable architecture.
Digital Transformation
Elsewhere, we discover how biotech firm Debiopharm’s digital transformation journey is ushering in a new era for drug development and clinical trials. We also reveal the innovative global IT transformation plans of market-leading tile manufacturer Terreal.
Our exclusive cover story this month takes a drive down the information superhighway with Auto Club Group and the Automobile Association of America.
Welcome to the latest issue of Interface magazine!
A customer centric approach to the creation and deployment of digital services is something that unites the business transformation journeys we explore in this issue of Interface.
Our cover story examines how one of the oldest organisations in the US – the Automobile Association of America (AAA) – and Auto Club Group, among its largest affiliates, are building trust in technology through cybersecurity to support more than 14 million members with a range of digital services. Chief Information Security Officer, Gopal Padinjaruveetil, explains: “Cybersecurity can be the brake in the information vehicle so a business doesn’t have to slow down, enabling it to accelerate change with confidence without putting the organisation, and its members, at risk.”
Elsewhere, we discover how insurance giant Generali is leveraging analytics and AI on a global scale for a structured approach to insurance services delivering long term security and peace of mind for its customers as a lifetime partner.
Delivering innovation on a global scale, SAP’s customer-centric business technology platform currently serves 91% of the organisations making up the Forbes Global 2000, while a staggering 70% of all global transactions touch an SAP system. We find out more…
Also in this issue, we hear from Insider on why Apple’s iOS15 update will impact ecommerce and data gathering; we get the lowdown from EY on the four key steps organisations should take to accelerate their digital transformation and learn from Pulsant how to identify and achieve your business transformation goals.
Martin Riley, Bridewell Consulting’s Director of Managed Services, explains why a cyber security strategy can future proof your business and provide the platform for a successful digital transformation
Regardless of sector, digital transformation has become a business necessity for organisations in 2021. Described as the most important trend in business today, 65% of the globe’s GDP is expected to be digitalised by the end of 2022. And with promised benefits including improved operational efficiency, agility and employee productivity, it’s no surprise that businesses are going digital.
However, while there’s no denying the importance of digital transformation, different levels of organisational maturity can lead to different approaches and this is particularly apparent when it comes to security. Many organisations often take a reactive approach, whereby business and technology transformation are the priority and security is only considered afterwards. However, the risks from putting security on the backburner can be numerous, including higher costs and extended timelines to retrofit crucial security fixes.
More mature companies have a different approach – one that puts security transformation first, ahead of digital transformation, to ensure the best possible future-proofed outcome. Their success is now providing a valuable proven blueprint for other firms to follow. So, to reap the benefits of this approach where should you start?
Shift your mindset
Before embarking on any transformation, it’s imperative to get your strategy right. Move away from thinking purely about digital transformation and cyber security as separate strategies and instead develop a cyber security transformation strategy. This will ensure that you can reduce risk and improve your cyber resilience, even as your attack surface grows.
It may be that security transformation becomes the driver of your digital transformation. For example, you may have identified vulnerabilities within your legacy IT infrastructure that necessitate moving critical data to the cloud.
Take critical national infrastructure as an example… The convergence of IT and Operational Technology (OT) as well as increased legislative requirements, such as the Network and Information Systems (NIS) Regulation, is driving a clear need for cyber security transformation. Organisations need to adapt to gain a holistic view of cyber security across physical OT and cloud systems before transformation can take place.
Understand your risks
Digitalising your business ultimately introduces new risks. For example, new digital channels can broaden your attack surface, while poorly configured cloud-based infrastructure can pose easy targets for cyber attackers. There are also risks from the Internet of Things (IoT), which increases sensitive data proliferation (and, by association, vulnerabilities), as well as authentication and access risks posed by remote working and connected supply chains. Before embarking on a transformation plan, you need to understand the security implications of any changes.
Assume zero-trust
In order to ensure that security is front of mind in your transformation, you need to adopt a zero trust philosophy, where no individual or device is trusted by default. This involves verification by authenticating and authorising based on all available data points, utilising just-in-time and just-enough-access to limit user access, and using analytics to drive threat detection. Not only does this help businesses to be prepared for cyber threats, but it also articulates the value of security transformation to other departments.
Embed security from the outset
It can be tempting to simply keep investing in a growing number of security technology tools as and when your transformation takes place. However, all too often there is little integration, there is overlap, and there are gaps in the coverage these tools offer. And while a well-configured set of security tools can provide coverage, many drive threat alerts that are false positives or benign positives, leading to fatigue and alert blindness. Instead, ensure security is a critical part of the initial design of your transformation strategy.
Use security intelligence to your advantage
Move away from a focus on prevention to response and make security intrinsic throughout the business by implementing proactive measures such as Managed Detection and Response (MDR). By combining human analysis, artificial intelligence and automation to rapidly detect, analyse, investigate and actively respond to threats, MDR can encourage alignment of security transformation with digital transformation.
An adaptive and customisable security model, MDR can be deployed rapidly and cost-effectively as a fully outsourced service or via a hybrid SOC. It helps develop a reference security architecture that enables you to safeguard on-premises and legacy systems, cloud-based infrastructure, applications and SaaS solutions, whilst also protecting against and responding to new security and user identity threats, reducing cyber risk and the dwell time of breaches.
Engage third party support
Finally, don’t neglect to seek help from outside your organisation. By engaging a security architect early on in your project lifecycle, you can benefit from robust and detailed analysis and expertise to ensure the correct decisions are made, tracked and traced from beginning to end. They can also help you understand the interdependencies across your IT estate, identify risks and suggest best practice, as well as legal and regulatory obligations to ensure you continue to be able to withstand a range of cyber attacks throughout your transformation.
Reaping the rewards of cyber security transformation
Every business is on a digital transformation journey, regardless of size or objectives. However, as organisations transform, so do technology and cyber threats. Those that fail to adopt a more proactive and efficient system for mitigating risks and handling, responding, detecting and learning from cyber security attacks will find themselves falling behind and the security function unable to keep up.
Ultimately, cyber and digital security should be thought of as inseparable – and those that can plan and integrate both into their transformation projects from the very beginning will be in the strongest position to succeed and future-proof their business.
By implementing a robust cyber security transformation process and proactive security measures, such as MDR that can support secure digital transformation, you can reap the benefits of a stronger, structured system for managing, isolating and reducing threats and continue to pivot, transition and serve in the new digital economy without leaving security on the side-lines.
Bridewell Consulting
Bridewell Consulting is a specialist cyber security and data privacy consultancy. NCSC Certified and CREST accredited, it provides reliable, high-quality security and risk consulting services; helping its customers protect not just their data, but their reputation, customer trust and bottom line. Providing four core service areas: cyber security, data privacy, penetration testing/red team assessments and managed security services, Bridewell’s expert team of professionals possess specialist industry experience and proven capabilities. They can deliver effective cyber security and data privacy services across financial services, pharmaceutical, manufacturing, technology, retail, media, government, aviation and 24×7 critical services. As a vendor agnostic business, Bridewell is able to effectively and honestly engage with business executives and provide advice, guidance and services in a way that is most appropriate for each organisation, ensuring that proposed solutions are aligned with its clients’ strategy, business objectives and the wider IT architecture.
Learn more about emerging trends across the tech panorama in the latest issue of Interface
Three in four senior corporate executives believe increasing financial investment is necessary to protect intangible trade secrets, according to new analysis commissioned by global law firm CMS and conducted by The Economist Intelligence Unit…
A new report released today commissioned by global law firm CMS and conducted by The Economist Intelligence Unit reveals that trade secret protection is rapidly rising up the corporate agenda as firms widely recognise the commercial imperative to protect vulnerable assets in light of more business conducted online and across borders.
With more companies relying on an ever-greater proportion of intangible or ‘secretive’ assets, the findings show a marked shift in how executives are planning to tackle employee leaks, supply chain vulnerability, corporate espionage and cyber-attacks. According to a global survey of 314 senior executives across a range of industries, the three most valuable types of proprietary information held by organisations are customer databases (42%), product technology (40%), and R&D information (23%).
The report, ‘Open secrets? Guarding value in the intangible economy’, reveals that trade secret protection is no longer just a concern for the legal department, but a top priority at the board and C-suite level. The majority (75%) of respondents agree that increasing financial investment was necessary to protect their trade secrets. Measures must be taken to raise awareness of these assets more widely among employees, with 28% of respondents viewing a lack of in-house experience with trade secrets as a safeguarding challenge.
The most significant threats to the security of trade secrets are weaknesses in cybersecurity (49%) and employee leaks (48%). As firms increasingly store and share sensitive information across virtual and distributed workforces, companies face a range of unpredictable insider threats, including intentional leaks from disgruntled employees. This is the biggest concern for the UK, whilst the fear of cybercrime is front-of-mind for business leaders in France, China and the US, worsened by poor internal cybersecurity expertise.
Tom Scourfield, Co-Head of IP Group at CMS said: “Fifty years ago, a company’s value was derived solely from its physical capital. Today, the world’s most successful firms are built on intangible assets that are often secretive by nature – algorithms, customer data, product formulae. This report shows that firms must start taking a more holistic approach to protecting these intangible assets, from computer software to company values – balancing restrictions with incentives – and importantly engage every level of their workforce. Without this strategy, protecting trade secrets will remain an uphill battle for many.”
Significantly, four out of five of the top measures that companies are planning to implement over the next two years focus on minimising employee leaks. These range from harsher measures, such as closer surveillance of employees’ electronic activity, through to more collaborative approaches that centre on improving the company culture and introducing innovative staff incentives.
“Willingness to snoop” is highest in China, Singapore and the United States. It is also a top preferred measure for executives in Technology, Media and Telecommunications, with 36% of respondents planning to implement surveillance over the next two years, reflecting the growing tensions between employers and employees in the technology sector. Efforts to improve work culture are clearly felt more widely in other industries, with almost a third (31%) calling for corporate values to shift towards encouraging trade secret protection.
As companies become increasingly wary of cybercrime and ransomware attacks, the majority (82%) agree that leveraging cybersecurity software is key to protecting their organisation in the long term. However, only around half believe it is the most effective deterrent (53%) or have already restricted digital and physical access to confidential information (55%).
Hannah Netherton, Employment Partner at CMS adds: “It’s overwhelmingly clear that the threat of employee leaks is driving a need for new strategies to guard valuable assets. Companies must find the right balance between perfecting their cybersecurity protections and creating a healthy company culture that incentivises trade secret protection and encourages speaking up through appropriate channels – even the most rigorous of protocols won’t prevent every employee leak or a disgruntled whistleblower.
“The pandemic has opened doors to a digital workspace, where it’s easier for employees to accidentally or purposefully access and expose confidential information. It is impossible to protect trade secrets if employees are not aware of the sensitivities around these assets, so putting the right values and measures in place has never been more important to an organisation’s success.”
Aukje Haan, Co-Head of Commercial at CMS added: “With the introduction of the Directive on Trade Secrets, businesses will get a range of options to safeguard their most prized proprietary information. However, there are prerequisites to be able to invoke those options. Identifying and taking reasonable steps will be crucial, from NDAs, cybersecurity efforts through to employee regulation, as well as specific requirements depending on the nature of the business, e.g., online businesses will need to take more cybersecurity measures whereas manufacturing companies will need to take more physical measures on the factory floor.”
Business ecosystems have expanded over the years owing to the many benefits of diverse, interconnected supply chains, prompting organizations to pursue close, collaborative relationships with their suppliers. However, this has led to increased cyber threats when organizations expose their networks to their supply chain and it only takes one supplier to have cybersecurity vulnerabilities to bring a business to its knees. To this point governments around the world have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years.
Looking beyond your own perimeter
Over the last few years, many organizations have worked hard to improve their cyber defenses and are increasingly “harder targets”. However, for these well-defended organizations, now the greatest weaknesses in their defenses are their suppliers, who are typically less well-defended but with whom they are highly interconnected.
At the same time, the cyber threat landscape has intensified, and the events of the past year have meant that security professionals are not only having to manage security in a remote-working set-up and ensure employees have good access, they are also having to handle a multitude of issues from a distance whilst defending a much broader attack surface. As a result, points of vulnerability have become even more numerous, providing an attractive space for bad actors to disrupt and extort enterprises. Threats have escalated, including phishing and new variants of known threats, such as ransomware and Distributed Denial of Service (DDoS) attacks, as well as increases in supply chain attacks.
But where supply chains are concerned, it is nearly impossible to manage this risk effectively unless you know the state of your suppliers’ defenses and continually ensure that they are comparable to your own. Organizations must deeply understand the cyber risks associated with the relationship and mitigate those risks to the degree possible.
However, that’s easier said than done. With the sending and receiving of information essential for the supply chain to function, the only option is to better identify and manage the risks presented. This requires organizations to overhaul existing risk monitoring programs, technology investments and also to prioritize cyber and data security governance.
Ensuring the basics are in place
At the very least, organizations should ensure that both they and their suppliers have baseline controls in place, such as those set out by Cyber Essentials, the NIST Cybersecurity Framework and ISO 27001, coupled with good data management controls. They should thoroughly vet and continuously monitor supply chain partners. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and protect against incoming and outgoing cyber threats. This activity needs to be monitored, logged and regularly reviewed, and a baseline of normal activity between the organization and the supplier should be established so that deviations from it stand out.
As well as effective processes, people play a key role in helping to minimize risk. Cybersecurity training should be given so that employees are aware of the dangers and know how to spot suspicious activity. They should be aware of data regulation requirements and understand what data can be shared with whom. And they should also know exactly what to do in the event of a breach, so a detailed incident response plan should be shared and regularly reviewed.
IT best practices should be applied to minimize these risks. IT used effectively can automatically protect sensitive data so that when employees inevitably make mistakes, technology is there to safeguard the organization.
Securely transferring information between suppliers
So how do organizations transfer information to suppliers securely, and how do they ensure that only authorized suppliers receive sensitive data? Here data classification tools are critical to ensure that sensitive data is appropriately treated, stored and disposed of during its lifetime, in accordance with its importance to the organization. Appropriate classification, applied as visual labelling and as metadata on emails and documents, travels with the data and protects the organization from the risk of sensitive information being exposed to unauthorized organizations further down the supply chain.
Likewise, data that isn’t properly encrypted in transit can be at risk of compromise, so using a secure and compliant mechanism for transferring data within the supply chain will significantly reduce risks. Managed File Transfer (MFT) software facilitates the automated sharing of data with suppliers. This secure channel provides a central platform for information exchanges and offers audit trails, user access controls, and other file transfer protections.
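The labelling and gating described in the two paragraphs above, as an added example in Python (not the code of any classification or MFT product): the classification label is carried as document metadata, a transfer gate compares that label with what the receiving supplier is cleared for, fails closed on unlabelled documents and unknown suppliers, and writes one audit record per attempt, allowed or denied. The label names, the supplier register and the sample documents are assumptions constructed for the demo.

```python
"""Classification labels travel with the document as metadata; a transfer gate
checks the label against the receiving supplier's clearance and writes an
audit record. Added illustration, not a product's code: the label names, the
supplier register and the sample documents are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
import hashlib
import json


class Label(IntEnum):
    """Ordered so that a clearance covers every level at or below it."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Document:
    name: str
    body: bytes
    metadata: dict = field(default_factory=dict)

    def apply_label(self, label: Label, owner: str) -> None:
        """Attach a visible banner (the 'visual labelling' the article mentions)
        and machine-readable metadata, including a content hash for the audit log."""
        banner = f"[{label.name}] ".encode()
        if not self.body.startswith(banner):
            self.body = banner + self.body
        self.metadata["classification"] = label.name
        self.metadata["owner"] = owner
        self.metadata["sha256"] = hashlib.sha256(self.body).hexdigest()


# Constructed supplier register: the highest label each supplier may receive.
SUPPLIER_CLEARANCE = {
    "acme-logistics": Label.INTERNAL,
    "northwind-engineering": Label.CONFIDENTIAL,
}


class TransferDenied(Exception):
    pass


def authorize_transfer(doc: Document, supplier: str) -> Label:
    """Return the document's label if the supplier is cleared for it, else raise.
    An unlabelled document is treated as RESTRICTED (fail closed)."""
    label = Label[doc.metadata.get("classification", "RESTRICTED")]
    clearance = SUPPLIER_CLEARANCE.get(supplier)
    if clearance is None:
        raise TransferDenied(f"{supplier} is not a registered supplier")
    if label > clearance:
        raise TransferDenied(
            f"{doc.name} is {label.name}; {supplier} is cleared up to {clearance.name}")
    return label


def transfer(doc: Document, sender: str, supplier: str, audit: list) -> bool:
    """Gate a transfer and append one JSON audit record whether it passes or not."""
    record = {"doc": doc.name, "from": sender, "to": supplier,
              "sha256": doc.metadata.get("sha256")}
    try:
        record["label"] = authorize_transfer(doc, supplier).name
        record["result"] = "allowed"
        return True
    except TransferDenied as exc:
        record["result"] = "denied"
        record["reason"] = str(exc)
        return False
    finally:
        audit.append(json.dumps(record, sort_keys=True))


def demo() -> dict:
    """Run the gate over constructed documents and suppliers."""
    audit: list = []
    price_list = Document("price-list.txt", b"Q3 unit prices ...")
    price_list.apply_label(Label.INTERNAL, "procurement")
    drawings = Document("drawings.txt", b"tolerances for part 17 ...")
    drawings.apply_label(Label.CONFIDENTIAL, "engineering")
    unlabelled = Document("notes.txt", b"scratch notes")
    results = {
        "internal_to_acme": transfer(price_list, "procurement", "acme-logistics", audit),
        "confidential_to_acme": transfer(drawings, "engineering", "acme-logistics", audit),
        "confidential_to_northwind": transfer(drawings, "engineering", "northwind-engineering", audit),
        # The label lives in the metadata, so a supplier forwarding the file
        # onward hits the same check further down the chain.
        "northwind_forwards_to_acme": transfer(drawings, "northwind-engineering", "acme-logistics", audit),
        "unlabelled_to_northwind": transfer(unlabelled, "procurement", "northwind-engineering", audit),
        "unknown_supplier": transfer(price_list, "procurement", "globex", audit),
    }
    results["audit_records"] = len(audit)
    return results


if __name__ == "__main__":
    for outcome, allowed in demo().items():
        print(outcome, allowed)
```

The audit list is what an MFT platform's audit trail would hold; in a real deployment the register of clearances would come from the supplier onboarding process described earlier in the article rather than a hard-coded dictionary.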
Layering security defenses
Organizations should also layer security defenses to neutralize any threats coming from a supplier. Due to its ubiquity, email is a particularly vulnerable channel and one that is often exploited by cybercriminals posing as a trusted partner. Therefore, it is essential that organizations are adequately protected from incoming malware, malicious content embedded in documents and attachments, or any other threat that could pose a risk to the business.
And finally, organizations need to ensure that documents uploaded and downloaded from the web are thoroughly analyzed, even if they are coming from a trusted source. To do this effectively, they need a solution that can remove risks from email, web and endpoints, yet still allows the transfer of information to occur.
Adaptive DLP allows the flow of information to continue while removing threats, protecting critical data, and ensuring compliance. It doesn’t become a barrier to business or impose a heavy management burden. This is important because traditional DLP ‘stop and block’ approaches have often resulted in too many delays to legitimate business communications and high management overheads associated with false positives.
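One concrete form of “remove the threat, let the information through” is content disarm: rebuild the document container without its active content and pass the rest on. The following Python is an added example, not any vendor’s adaptive DLP engine. It strips the VBA project (and similar executable parts) from an Office Open XML package, repairs the relationship and content-type entries that pointed at them, and reports what was removed for the audit trail. The part-name pattern, the content-type edits and the macro-enabled sample document are assumptions constructed for the demo; a real engine would handle many more formats and part types.

```python
"""Strip active content from an Office Open XML package and let the rest of the
document through. Added illustration of the disarm-and-forward idea, not any
vendor's engine. The part-name pattern, the content-type strings it edits and
the sample .docm are assumptions constructed for the demo."""
import io
import posixpath
import re
import zipfile

# Parts that carry executable content in an OOXML package (illustrative list).
ACTIVE_PART = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX\d*\.(xml|bin)|oleObject\d*\.bin)$")
# Content types that exist only to describe those parts (assumption: a package
# whose other .bin parts share the Default would need a finer rule).
ACTIVE_CONTENT_TYPE = re.compile(r"ms-office\.vbaProject|activeX|oleObject")
# The main part of a .docm is typed as macro-enabled; retype it so Word treats
# the sanitised file as an ordinary .docx.
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def _resolve(rels_name: str, target: str) -> str:
    """Turn a relationship Target into a package part name, e.g.
    word/_rels/document.xml.rels + 'vbaProject.bin' -> word/vbaProject.bin"""
    base = posixpath.dirname(posixpath.dirname(rels_name))  # drop '_rels/<file>'
    return posixpath.normpath(posixpath.join(base, target)).lstrip("./")


def _drop_elements(xml: bytes, tag: str, attr: str, doomed) -> bytes:
    """Remove each self-closing <tag .../> whose `attr` value satisfies `doomed`."""
    element = re.compile(rb"<" + tag.encode() + rb"\b[^>]*?/>")
    value = re.compile(rb"\b" + attr.encode() + rb'="([^"]*)"')

    def keep_or_drop(match):
        found = value.search(match.group(0))
        return b"" if found and doomed(found.group(1).decode()) else match.group(0)

    return element.sub(keep_or_drop, xml)


def disarm(package: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitised package, names of the parts that were removed)."""
    with zipfile.ZipFile(io.BytesIO(package)) as src:
        names = src.namelist()
        removed = [n for n in names if ACTIVE_PART.search(n)]
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in names:
                if name in removed:
                    continue
                data = src.read(name)
                if name == "[Content_Types].xml":
                    data = _drop_elements(data, "Override", "PartName",
                                          lambda p: p.lstrip("/") in removed)
                    data = _drop_elements(data, "Default", "ContentType",
                                          lambda t: bool(ACTIVE_CONTENT_TYPE.search(t)))
                    data = data.replace(MACRO_MAIN.encode(), PLAIN_MAIN.encode())
                elif name.endswith(".rels"):
                    data = _drop_elements(data, "Relationship", "Target",
                                          lambda t: _resolve(name, t) in removed)
                dst.writestr(name, data)
    return out.getvalue(), removed


def summarize(package: bytes) -> dict:
    """Map part name -> bytes, for inspecting a package after disarming."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document (not a captured file)."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice 4711: please remit within 30 days.</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>',
        # Stand-in for a compound-file VBA project: OLE magic plus filler bytes.
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Sub AutoOpen() stand-in",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = disarm(build_sample_docm())
    print("removed:", removed)
    print("remaining parts:", sorted(summarize(clean)))
```

The `removed` list is what the audit trail records; the invoice text itself is untouched, which is the point of the approach: the business communication continues, the macro does not.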
Cyber criminal attacks set to rise
Many of the recent well-publicized attacks have been orchestrated by nation states. Going forward, this is likely to turn into criminal syndicate attacks: cybercriminals already have the ransomware capabilities, and now all they need to do is combine them with targeting of the supply chain. Therefore, making sure you have the right technologies, policies and training programs in place should be a top priority for organizations in 2021. If you are interested in finding out more about protecting your supply chain, download our eGuide: “Managing Cybersecurity Risk in the Supply Chain.”
A new report from Nozomi Networks Labs finds cyber threats to industrial and critical infrastructure have reached new heights as threat actors double down on high value targets. With industrial organisations ramping connectivity to accelerate digital transformation and remote work, threat actors are weaponising the software supply chain and ransomware attacks are growing in number, sophistication and persistence.
“This report leaves no doubt that the time for action is now,” said Nozomi Networks Co-founder and CTO Moreno Carullo. “The recent Oldsmar, Florida, water system attack and the ongoing SolarWinds investigation are dramatic reminders that the critical infrastructure and other systems that we rely on are vulnerable and at constant risk of attack. Understanding the effectiveness of defenses against the emerging threat and vulnerability landscape is vital to success.”
Nozomi Networks’ latest “OT/IoT Security Report” gives cybersecurity professionals an overview of the OT and IoT threats analysed by the Nozomi Networks Labs security research team. The report found:
Ransomware activity continues to dominate the threat landscape, growing in sophistication and persistence. In addition to demanding financial payments, Ryuk, Netwalker, Egregor and other ransomware gangs are exfiltrating data and deeply compromising networks for future nefarious activities.
Supply chain threats and vulnerabilities show no signs of slowing. The unprecedented SolarWinds attack not only infected thousands of organisations including U.S. Government agencies and critical infrastructure, but it also demonstrates the massive potential for attack via supply chain weaknesses.
Threat actors are targeting healthcare. Nation states are using off-the-shelf red team tools to execute attacks and perform cyber espionage against facilities involved with COVID-19 research. Ransomware crews are targeting healthcare providers and hospitals, in some cases disrupting patient treatment.
Analysis of 151 ICS-CERT advisories published in the last six months found memory corruption errors to be the dominant vulnerability type for industrial devices.
“Urgency has never been higher. As industrial organisations race toward digital transformation, threat actors are taking advantage of greater OT connectivity to create attacks that aim to disrupt operations and threaten the safety, profitability and reputation of enterprises around the globe,” said Nozomi Networks CEO Edgard Capdevielle. “While threats may be on the rise, the technologies and practices to defeat them are available today. We encourage organisations to act quickly to implement the recommendations in this report. It’s never been more important or more possible to take the necessary steps to detect and defend critical infrastructure and industrial operations.”
Nozomi Networks’ “OT/IoT Security Report” summarises the biggest threats and risks to OT and IoT environments. The report provides information on 18 specific threats that IT and OT security teams should study as they model threat vectors and evaluate risks across operational technology systems. It includes 10 key recommendations and actionable insights to improve defenses against the current threat landscape.
A global shift to remote working has accelerated digital transformation and prompted a higher degree of focus on cybersecurity, according to Kaspersky’s latest report.
Transitioning from a corporate office environment to working from home, coupled with financial restraints due to economic recession, has presented cybersecurity teams with challenges that few had seen before.
From February to March 2020, a 569% growth in malicious website registrations was detected and reported to INTERPOL, including malware and phishing. In April, there was a huge spike in ransomware attacks by multiple threat groups that had been previously dormant for months.
Cybercrime threats are expected to rise as more opportunities present themselves in the coming months. Fake vaccine registration websites will aim to steal data, whilst business email compromise schemes aim to take advantage of the economic downturn and shift in the business landscape.
Protecting the perimeter of a company is no longer enough: there is now a pressing need for home office assessment, with tools to scan the level of security. Discouraging poor internet practices such as connecting to an unprotected Wi-Fi hotspot should be top of the list, with VPNs and multi-factor authentication systems offered as a solution.
With an increased reliance on cloud technology and services, dedicated management and protection measures are now a necessity for businesses. Around 90% of employees use non-corporate software and cloud services, such as messaging apps, and this is unlikely to change any time soon.
To ensure that any corporate data is kept under control, better visibility over cloud access will be necessary. IT security managers will need to align themselves with this cloud paradigm and develop skills for cloud management and protection.
This is why, according to Kaspersky, the quality of protection is “no longer up for discussion.”
“Quality protection is now a must have,” says Alexander Moiseev, Chief Business Officer at Kaspersky.
“Another major trend is that deep integration between various components of corporate security, ideally from a single vendor, now plays a bigger role. For instance, there was a long-held belief in the industry that various specialised solutions from various vendors can help create the best combination for protection.
“Now, organisations are looking for a more unified approach with maximum integration between different security technologies.”
You can read Kaspersky’s “Plugging the gaps: 2021 corporate IT security predictions” report in full here.
James Hall, Commercial Director, Striata UK, explores the threats customers face and how to combat them.
With cybercrime escalating in volume and sophistication every year, consumer trust is a bigger challenge for organisations than it has ever been. And while legislation such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has made things simpler by setting minimum standards for organisations to adhere to, they need to do more to truly guarantee trust.
They should not, for instance, assume that their responsibility is over once a document has been delivered safely to the customer. If a customer’s personal devices are unsecured, there is still a risk that one gets hacked or stolen. This means that confidential information sent by the organisation could find its way into the public eye, or worse, get exploited for criminal purposes. Even if the organisation’s own security protocols are watertight, it could still end up shouldering the blame or have its reputation tarnished.
When considering why it’s so important for organisations to protect customer communication even once it’s on the end device, it’s worth remembering just how many threats customers face.
The millions of mobile phones stolen every year alone represent a massive danger of identity theft. That’s before even getting to the number of people every year who fall victim to phishing scams or who have their information compromised after inadvertently installing malware.
According to Kaspersky Lab, the number of unique malicious objects detected by its web antivirus solution reached 24,610,126 in 2019. Some 85% of the web threats detected were malicious URLs, making the risk of a customer unwittingly clicking on one an ever-present threat to data protection.
In short, while organisations have never been more aware of the need to keep their customer data safe internally, the threat to that data once it’s on the customer’s device continues to increase.
Data protection by design
One solution to mitigate these threats is for organisations to bake data protection into the design of their customer communications. Data protection by design is about considering data protection and privacy issues upfront in everything the organisation does, especially when it comes to customer communication. This not only ensures compliance with relevant legislation, it can save the organisation reputational damage and, ultimately, revenue.
But what does data protection by design look like practically?
Well, encryption and password protection should be non-negotiable for starters. Encrypting and protecting important documents ensures that even when a document resides on the customer’s smartphone or laptop, the information cannot be easily accessed if the device is stolen or hacked.
Encryption is a process that encodes a message or file so that it can only be read by the intended recipient. Encryption scrambles, or encrypts, data which the receiving party can only unscramble, or decrypt, using a key: a secret string of bytes that the recipient either holds directly or, for a password-protected document, that is derived from the password they enter.
Password protection, meanwhile, means a document cannot be opened without entering a shared secret known only to the sender and recipient. Requiring a password to access a secured document not only adds another layer of protection, but has other benefits. In the unlikely event that a document is sent to the wrong person, the incorrect recipient cannot open the document (personal information remains private), thereby avoiding a data breach. This only holds if the password does not travel with the document: it should be agreed in advance or delivered over a separate channel, such as a message to a verified phone number, and never in the same email as the file.
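The password protection described above, as an added example in Python (not Striata’s or any product’s code): the password is stretched with PBKDF2 into separate encryption and MAC keys, the document is encrypted and then authenticated, and the opener checks the tag before releasing any plaintext, so a wrong password, a tampered file or a misdelivered copy all fail the same way. The standard library has no AES, so the keystream here is HMAC-SHA256 run in counter mode; in production use AES-GCM from the `cryptography` package with the same key-derivation step. The container layout (`MAGIC`, field lengths) is an assumption for this example.

```python
"""Password-protect a document with authenticated encryption so that a stolen
device or a misdelivered file yields nothing without the shared secret.
Added illustration, not any product's code. The keystream is HMAC-SHA256 in
counter mode with a separate HMAC tag (encrypt-then-MAC) only because the
standard library has no AES; use AES-GCM in production. The container layout
below is an assumption for this example."""
import hashlib
import hmac
import secrets

MAGIC = b"SDOC1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(password: str, plaintext: bytes) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext || tag. Fresh salt and nonce
    per call, so sealing the same document twice gives different bytes."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(password: str, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong password or any
    modification fails here, and no partial plaintext is ever released."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed document")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong password or document tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def can_open(password: str, blob: bytes) -> bool:
    """What a recipient (or a thief) experiences: open or refuse, nothing else."""
    try:
        unseal(password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample statement, not real customer data.
    statement = b"Statement for account 1234: closing balance 512.00"
    sealed = seal("correct horse battery staple", statement)
    print("intended recipient opens:", can_open("correct horse battery staple", sealed))
    print("wrong recipient opens:", can_open("guess", sealed))
```

The cost of the key derivation (hundreds of milliseconds per attempt) is deliberate: it is what makes guessing the password offline, from a file lifted off a stolen phone, expensive.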
Customer education is key
While it’s obviously important that the organisation does everything in its power to protect and encrypt information, customer education remains the most powerful weapon in its arsenal. Cybercriminals can find their way around new technologies, but tech-savvy customers are much harder to crack.
If an organisation can help its customers avoid risky behaviour and protect their personal information, no matter where it sits, they’re much less likely to fall victim to cybercrime. That, in turn, means reduced reputational and financial risk.
As existing technologies reach maturity and innovations make the leap from consumer applications to business (and vice versa), it’s imperative that we constantly seek to find those that have the potential to add value to our own business and those of our customers. As we look ahead to 2020, Johan Paulsson, CTO, Axis Communications has identified five trends that will have an impact on the physical security industry.
The world on the edge
We are seeing a growing momentum towards computing at the ‘edge’ of the network[1]. More of the devices that are connected to the network require or would benefit from the ability to analyse received data, make a decision and take appropriate action. Autonomous vehicles are an obvious example. Whether in relation to communications with the external environment or through sensors detecting risks, decisions must be processed in a split second. It is the same with video surveillance. If we are to move towards the proactive rather than reactive, more processing of data and analysis needs to take place within the camera itself.
Processing power in dedicated devices
Dedicated and optimised hardware and software, designed for the specific application, is essential with the move towards greater levels of edge computing. Connected devices will need increased computing power, and be designed for purpose from the ground up with a security-first mindset. The concept of embedded AI in the form of machine and deep learning computation will also be more prevalent moving forwards.
Towards the trusted edge
Issues around personal privacy will continue to be debated around the world. While technologies such as dynamic anonymization and masking[2] can be used on the edge to protect privacy, attitudes and regulation are inconsistent across regions and countries. The need to navigate the international legal framework will be ongoing for companies in the surveillance sector. Many organizations are still failing to undertake even the most basic firmware upgrades, yet with more processing and analysis of data taking place in the device itself, cybersecurity will become ever more critical.
Regulation: use cases vs technology
Attitudes towards appropriate technology use cases and the regulations around them differ around the world. Facial recognition might be seen as harmless and even desirable. However, when used for monitoring citizens and social credit systems it is regarded as much more sinister and unwanted. The technology is exactly the same but the use case is vastly different. Regulations are struggling to keep pace with advances in technology. It’s a dynamic landscape that the industry will need to navigate, and where business ethics[3] will continue to come under intense scrutiny.
Network diversity
As a direct result of some of the regulatory complexities, privacy and cybersecurity concerns, we’re seeing a move away from the open internet of the past two decades. While public cloud services will remain part of how we transfer, analyse and store data, hybrid and private clouds are growing in use. Openness and data sharing were regarded as being essential for AI and machine learning, yet pre-trained network models can now be tailored for specific applications with a relatively small amount of data. For instance, we’ve been involved in a recent project where a traffic monitoring model trained with only 1,000 photo examples reduced false alarms in accident detection by 95%.
Critical guide published today calls for effective cyber security lifecycle management of IoT devices to improve the security of retail systems and the protection of customer data in a stringent GDPR era.
Axis Communications, the market leader in network video technology, has published its latest whitepaper, Cyber security: the biggest threat to retail, which highlights the increasing threat posed by cyber-attacks to today’s retail industry. The paper documents the measures that should be understood by data controllers, loss prevention and security personnel through to heads of operations to ensure the highest levels of security, and provides the appropriate education and training for all key stakeholders to effectively mitigate the mounting cyber security threat.
The growth in and use of IoT devices and cloud technologies have opened up boundless possibilities for modern retail organisation across physical and digital platforms. However, customer data is at the heart of a frictionless shopping experience and presents an attractive commodity to cybercriminals, with attacks growing in number on those retailers whose systems are inadequately secured. It has been reported that in the last 12 months there have been 19 significant data breaches[1], which present a major risk for both retailers and customers.
In addition to the immediate disruption and downtime a breach can cause, the damage to the reputation of a business or brand can be lifelong. Furthermore, GDPR-related fines from the ICO can now be as much as €20m or 4% of global annual turnover, whichever is higher, and the regulation demands that necessary steps be taken to guard against attack and protect existing infrastructure. Axis’ whitepaper creates awareness of the challenges being faced and looks at how effective cybersecurity lifecycle management of IoT devices will help to better manage security and ultimately maintain customer trust.
“Any organisation that generates or manages personally identifiable information (PII), effectively any data that could potentially identify a specific individual, must comply with GDPR. Establishing a truly secure retail solution can only be accomplished if security has been analysed at every stage. The key is to ensure that everyone involved understands the security implications of a breach and how to prevent one. Collaboration with system vendors, integrators and installers is also hugely important, and conversations across the supply chain will ensure requirements are met and security risks are adequately addressed,” says Steven Kenny, Industry Liaison Architecture and Engineering, Axis Communications.
Alongside greater awareness of the need to comply with the GDPR, the Axis whitepaper stresses the importance of guarding against system vulnerabilities by working with trusted vendors who install only those security technologies that are deemed to be Secure by Default. These technologies have been built from the ground up with cybersecurity considerations at the forefront. Technologies that are cyber secure offer peace of mind when connected to a network, and come with assurances that stringent guidelines are followed during the design and manufacturing process. Surveillance camera technology designed and manufactured in this way assures retailers that these security solutions will not be used as a backdoor into the network; such is the risk of introducing non-secured hardware.
Key points covered in the retail whitepaper include:
Review of cybersecurity challenges – Supply chain attacks, IoT vulnerabilities, the impact of operational downtime
GDPR, data protection and privacy – Examining the necessary actions to ensure full compliance with the GDPR and DPA 2018
Video surveillance insights – Understanding how data analysis can inform security and business decisions, and supply chain evaluation
Managing security effectively – Processes and tools to help the design, development and testing of systems in accordance with cybersecurity principles
Converged security – A collaborative approach to addressing cybersecurity risks
“The retail industry is deemed the most at risk to cyber threats. It is crucial to find the balance between enhancing the customer experience and maintaining GDPR compliance; providing adequate security whilst not violating customer privacy,” says Graham Swallow, Retail segment lead, Northern Europe, Axis Communications. “While video surveillance systems are a necessity within the retail environment, many organisations have re-evaluated their entire strategy in order to ensure full GDPR compliance. Retailers must be able to rely on technologies that support their operational requirements and address associated risks, while at the same time, supporting IT security policies.”
This whitepaper provides retailers with expert guidance, highlighting the appropriate policies and procedures around the cybersecurity of IoT devices, and reinforces the importance of selecting trusted vendors and partners. Axis is passionate about using technology to help create a smarter and safer world. This is demonstrated by a commitment to helping retailers understand the benefits of connected physical security systems that deliver on the promise of better protection of the business and customer.
Data breaches are costly. According to a recent Ponemon Institute study, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there is still a discernible impact on the organisation’s stock valuation three years post-event.
By Josh Lefkowitz, CEO of Flashpoint
Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cybersecurity must no longer be considered an IT issue; it’s a matter for the board in its role as custodian of shareholder value. By managing cyber risk as part of the overall organisational risk strategy, boards can put it into a commercial context and drive the cultural awareness of risk that is essential to promote cyber resilience across the business.
Making the shift from technology-centric to business-centric risk management
Elevating cyber risk management to the board level is not without challenges, however. We are still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect: many boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the board really needs to carry out effective oversight. This challenge was underlined by EY interviews that found difficulties “obtaining relevant, objective and reliable information, presented in business-centric terms…[and this] affects board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”
This area is where the evolving role of the CISO, sitting between the business and the board, requires a mix of skills. CISOs need both technical expertise in analysing and interpreting threat metrics and technology performance, and the ability to apply these skills in a broader business context for board directors so they can deliver strategic cyber risk oversight and governance for the business.
Reporting to the board – from numbers to narrative
While boards are increasingly factoring cyber skillsets into their succession planning when recruiting new board members, most current board directors don’t have deep experience in cybersecurity. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.
Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DDoS attack might cause reputational risk, operational risk and strategic risk. And, of course, the flipside of risk is compliance, so the board also needs to know how cybersecurity incidents could impact data privacy and governance.
It’s the role of the board
to challenge senior management robustly in order to deliver effective
oversight, so CISOs should be ready to answer questions around the
organisation’s cybersecurity maturity and the frameworks established to manage
emerging threats.
However, while numbers and
frameworks are valuable in helping boards evaluate and audit cyber risk
posture, when it comes to setting a risk-aware culture, directors really need
deeper context around the types of threats specific to their organisation. If
board directors are given a window into the environment, tactics, and
motivational psychology of actors that target their sector and business, they
can better understand the risks themselves. Once that has been achieved, board
directors can become an asset to the CISO in promoting a cyber risk-aware
culture not just as a tick-box exercise, but because they have genuine
appreciation of the factors, and indeed actors, in play.
To achieve this board-level
buy-in, CISOs need to move from numbers to narrative to drive the message home.
This is where business risk intelligence provides the context that helps bring
risk to life.
It’s undoubtedly useful for
senior leaders to understand the frequency and type of the cyber-attacks the
business experiences, but it’s also valuable for them to know the extent to
which the organisation is the topic of conversation in the illicit online
communities that initiate those attacks.
Deep and dark web forums,
chat services, and other platforms are often where cybercriminals discuss
tactics to defraud or infiltrate the organisation. These types of venues are
also where company secrets, intellectual property, and stolen data may be
offered for sale. An overview of the company’s profile across the deep and dark
web, as well as other illicit online communities, and the kinds of tactics that
are being discussed, is a powerful way CISOs can help directors gain context to
understand what the business faces.
Illustrating third-party risk
Third-party risk, including
supply chain weaknesses, is a hot topic among board rooms as businesses realise
that keeping their own house in order is not enough. Intelligence gleaned from
illicit online communities can also be used to illustrate potential weaknesses
in, or threats to, partner organisations. This intelligence can help boards
meet objectives to manage supply chain risk.
Successful cyber risk
oversight by company boards relies on them receiving a combination of auditable
metrics, risk impact assessments and contextual information enabling them to
provide informed oversight of cyber risk. Greater understanding of the threat
actor environment also assists boards in leading a risk-aware culture across
the business, moving from a tick-box approach to a genuine cultural shift.
How digitalisation is bringing the fight to industrial security threats
It’s no longer a question of
whether your business will be attacked, but rather when it will be attacked.
Cyber attacks, particularly those on public sector and utility businesses, are
now a regular, often daily occurrence. Here, Robin Whitehead, managing director
of systems integrator
Boulting Technology, explains how this is impacting the role of the chief
information security officer (CISO) and resulting in the need for end-to-end
digitalisation.
It’s a simple fact that data makes the modern economy turn.
Being the first business to take action, based on the insights gained from some
pivotal piece of information, gives businesses a distinct competitive
advantage. However, it’s also quickly becoming a fact of life that the same
data is being targeted by skilled cybercriminals intent on stealing this new
currency and even causing maximum damage to infrastructure.
We can see the potential scale of cyber crime if we look at
the number of data breaches made each month. For example, in December 2017,
security firm IT Governance reported that 33.8m records — including a mixture
of personal and business information — had been leaked around the world. In
November 2017, the number was 59m.
Sophisticated cyber attacks
With the world facing the likes of WannaCry, Petya and NotPetya
in 2017, sophisticated cyber threats are the biggest technological fear in
2018. Although sectors such as financial services and the public sector are
most at risk, there have also been numerous high-profile attacks on utilities,
oil and gas and food manufacturing environments in recent years.
At 9:30am on 27 June, 2017, confectionery manufacturer Cadbury was hit by a cyber attack, which halted production at its Hobart factory in Australia. Computers at the facility were infected with the Petya ransomware virus and displayed a message on the screen demanding payment in cryptocurrency.
Later that same day, NotPetya — a variant of the Petya
virus — went on to do further damage to facilities across Europe. NotPetya exploits
a backdoor in the update system of a Ukrainian tax-preparation programme
running on Windows and used by around 80 per cent of all Ukrainian businesses.
It uses a vulnerability in the Windows operating system called
EternalBlue — originally believed to have been developed by the US National
Security Agency (NSA) — to encrypt the filesystem’s master file table (MFT),
preventing the system from locating its own files.
Launched on June 27, 2017 — on the eve of Ukraine’s
Constitution Day holiday — NotPetya quickly spread to networks in Russia,
France, Germany, Italy, Poland, the UK and the US and affected many sectors.
“It’s massive,” Christiaan Beek, a lead scientist and principal
engineer at McAfee, told WIRED about the situation in Ukraine. “Complete
energy companies, the power grid, bus stations, gas stations, the airport, and
banks are being targeted.”
The new CISO
It should come as no surprise then that the advice of IT
and security experts is now being sought at the highest levels of business. The
role of the chief information security officer (CISO) is also changing in
response. Acting as the head of IT security, the CISO has traditionally been
responsible for things like operational compliance and adherence to ISO
standards as well as performing IT security risk assessments and ensuring that
the business is using the latest technologies.
However, increasingly, the CISO must now also drive IT
security and strategy, guiding everyone from the shop-floor staff to the most
senior officials in the business on how best to protect them from cyberattacks.
The modern CISO now takes a seat at the boardroom table, ensuring business
continuity, come what may.
Modern CISOs need to be visionaries and good communicators in their own right, exerting their influence at all levels of the business to bring about long-lasting technological and security change.
End-to-end digitalisation
For industrial businesses, this change cannot come soon
enough. The desire to integrate manufacturing networks with the outside world
and the increased use of smart data is driving efficiencies and cost savings in
sectors from food and beverage, pharmaceutical and automotive to utilities such
as gas, water and energy. At the same time, it’s also leaving them vulnerable
to attacks that can lead to business disruption and extended periods of downtime.
Part of the reason for this is that many businesses have
traditionally operated in silos, with information technology (IT) and
operational technology (OT) experts not historically well aligned to the same
objectives and outcomes. However, as we increasingly use more
internet-connected devices such as PLCs, HMIs, intelligent motor control
centres (MCCs), telemetry devices and smart meters — all relaying millions of
data points to centralised and often remote SCADA and ERP systems — it will
become crucial to take a joined-up approach to industrial operations. Cue
end-to-end digitalisation.
For many businesses, replacing hardware and software to
allow functionality such as standardised Fieldbus communications, real-time
cloud data, analytics and centralised control across every aspect of their operations
is neither a cheap undertaking nor one that is quick to enact.
After all, most engineering plant managers have built up a
complex system over many years, retrofitting new components and modules to
existing equipment. This is driving the need for end-to-end digitalisation,
moving away from fragmented system control, maintenance and upgrade towards a
holistic approach that encompasses system-wide transparency, alarms and notifications,
including analytics that can deliver actionable insights to improve process
efficiency.
At Boulting Technology we’re helping our customers
introduce cybersecurity measures to retrofitted equipment in existing
industrial setups. Our range of control systems, networking products,
intelligent motor control centres and more, form an integrated system that
gives engineers easy and secure access to their operation around the clock.
Ultimately, end-to-end digitalisation will help companies respond to attacks
and breaches in minutes rather than hours or days.
So, while we come
to the realisation that cyber attacks are simply a normal part of doing
business, take heed of your CISO’s advice and rethink your end-to-end
digitalisation strategy.
By Bernard Parsons, CEO of Becrypt
The world of encryption is growing exponentially. Many smaller businesses, including those in the public sector supply chain, are looking at implementing encryption for the first time. This adoption has been driven by recent regulations such as GDPR, and the requirement to add encryption as a privacy-enforcing mechanism.
However, despite the numerous security benefits that encryption offers, there are a number of aspects for these businesses to consider. Based on the experience and feedback that Becrypt has gained working closely with our customers, I have summarised the top five areas that small businesses should assess if they are looking at adopting disk encryption in 2019, or if they’re looking at undertaking wider rollouts of disk encryption.
Ease of use
Organisations
must look for products that are easy to use, easy and quick to install. These
are obvious requirements that are partly about reducing the time and expertise
required to install products in the first place. An important subsequent point
is also total cost of ownership. If a product is not easy to install, it is
usually a good indicator of a level of complexity that will remain as a
long-term business overhead.
The more
complex a product is, the more complexity there is to manage. This leads to
higher levels of required expertise. It also increases the potential for
support issues to occur over time. This drives up the product’s total cost of
ownership for the organisation.
Accessible support
Encryption can be a business-critical asset, as well as a business-enabling technology. It’s therefore important that you’re working with an organisation – whether that’s a vendor or the vendor’s partner – that can offer good, accessible technical support.
Even if
you’re choosing a product that’s easy to use, i.e. that’s going to reduce the
amount of required technical support, you should still think about the
potential for requiring support over the total life of the product. In a couple
of years, you may be looking at doing something slightly differently, such as looking
at encrypting new devices that may be non-standard (such as RAID Servers).
Therefore, you will want to ensure that you can pick up a phone and talk to
someone with sufficient expertise.
The option of phone-based support is important: being able to jump onto a call in a reasonable amount of time and actually talk to an expert. Therefore, we’d certainly recommend testing this process with a vendor or the partner before you go ahead and procure.
Proof of encryption
It’s a good first step to encrypt laptops, as organisations will always lose laptops. Encryption turns what would potentially be an information loss into just the loss of a physical asset. It protects the organisation’s information and addresses the organisation’s liabilities.
However, under regulations such as the General Data Protection Regulation (GDPR), there is often a requirement to prove that devices actually were encrypted in the event of a loss. This addresses some of the reporting requirements within these regulations. Proving that a device loss is not an information loss, and so avoiding the need to undertake breach notification, is something you want to think about in advance. If you’re deploying a product that includes centralised management, that functionality should already be there. But many small businesses will choose to deploy in a more stand-alone configuration. Deploying with a central management platform increases cost but also increases risk.
With standalone
installs, you should still ensure that that product has a reporting capability
of some kind, such as online. This allows the encryption status of your estate of
devices to be reported.
Extendibility
In the first instance, you may be looking at deploying encryption within an estate of Windows devices. As technology changes and refreshes, it could be the case within a year or two that you have other requirements. You might need to manage encryption on Mac devices, or on smartphones and mobile devices, within that same suite of products. Therefore, it’s a good idea to look for vendors that have multi-platform offerings, helping to future-proof your technology choice. This will not by itself ensure that you’re never tied to a vendor, but it at least ensures that your existing vendor remains an option as your requirements grow.
Using product certification and assurance schemes
It’s a good
step to encrypt devices and be able to prove that you’ve encrypted them.
However, there is an increasing regulatory requirement to demonstrate that
you’ve gone through some process of ensuring that the technology you’re
adopting represents best practice. For example, GDPR explicitly references ‘state-of-the-art’
technology.
To fully ensure
that you’re managing liabilities, you need to evidence that you’re not just
adopting technology, but that it’s appropriately ‘state-of-the-art’. Achieving
this level of confidence can only be done by looking at technology that has third-party
validation, normally through product assurance or certification. This provides
independent validation that the product is of an appropriate quality.
There are a variety of common certification schemes relevant for encryption products. One of these is the US standard, Federal Information Processing Standard (FIPS), which ensures that algorithms have been correctly implemented. However, organisations must be wary of adopting technology just because it has a FIPS certification. The majority of products use the same algorithms, such as Advanced Encryption Standard (AES). FIPS ensures that a third party has validated that the vendor has correctly implemented the algorithm. However, vendors can, and still do, implement products inappropriately, leaving vulnerabilities.
A good
example of such vulnerabilities in encryption products is within Solid State
Drives (SSDs). Recent research from Radboud University in The Netherlands has
highlighted vulnerabilities in not just one vendor, but a whole range of
vendors’ SSDs. Vendors can take shortcuts, which means that resulting vulnerabilities
can be discovered. In this case, researchers were able to bypass the encryption
within SSDs.
Organisations
are better off looking for certification schemes that are more comprehensive.
One example is the Commercial Product Assurance (CPA) scheme, run by the UK National
Cyber Security Centre (NCSC). CPA works alongside FIPS for validating algorithms,
but it says more about the overall product quality and implementation, looking
at the security architecture to make sure that it has been designed and
implemented in a sensible way.
It also looks
at the vendor coding and build standards, thereby reducing the risk of there
being a vulnerability in the product. The risk is never fully mitigated, but it
certainly goes down to a point that allows you to say that, as an organisation,
you are adopting best practice.
The importance of due diligence when adopting encryption
Organisations,
particularly SMEs, should consider these five key steps as they adopt encryption.
Alongside security and liabilities, they also need to be concerned about the
cost of being caught out by products with publicised vulnerabilities. Subsequently,
they also need to think about the cost of then changing to a different
solution.
Ultimately, adopting encryption is not rocket science. During their studies, the aforementioned researchers from Radboud University highlighted that implementing encryption well is not easy, and it is easy to make mistakes. However, most good vendors, or their partners, should be able to advise you on the above best practice steps to take.