Digital Business and Cybersecurity Risks
Many organisations are now finding that they have to compete as digital businesses. Banks and financial institutions are an obvious example; a bank which does not offer its services online, through internet portals and mobile apps, is one that has little future in a world that is increasingly digital and technology-enabled. Furthermore, financial institutions are already being challenged by the next wave of digital disruption, namely cryptocurrencies and fintech.
Incumbent companies, the so-called ‘established players’ in industries that were previously non-digital, need to go through a digital transformation journey to convert their products, services and channels into ones that fit the shift towards digital. Change can be challenging for these organisations because of legacy business models, mindsets and systems. Smaller start-ups, on the other hand, have a greater opportunity to disrupt: they are ‘born’ digital and do not carry the same legacy issues.
However, while digital business is exciting, it also carries substantial risks, one of the biggest being cybersecurity. The risks around cybersecurity are very real. Almost every day incidents of cybercrime are reported in the media. One of the largest data breaches on record was discovered in July 2017 at Equifax, one of the major credit reporting agencies in the US, where confidential data on about 143 million US consumers was exposed (the figure was later revised upwards). To put that number into perspective, it is close to half the population of the United States.
Singapore suffered its largest data breach to date in July 2018 when the personal details of 1.5 million patients of SingHealth, Singapore’s largest group of healthcare institutions, were stolen, including those of the prime minister. The incident put a major dent in the nation’s ‘Smart Nation’ push, in a country which had passed its Cybersecurity Act only months earlier, in 2018.
There are many sophisticated tools and techniques available to cybercriminals. Malware is malicious software that is secretly installed on a computer, tablet or even smartphone. One type of malware is keylogging software, which records what a user types, including potentially sensitive information such as usernames and passwords. Another type of malware is ransomware. In May 2017, the infamous WannaCry ransomware spread on its own between Windows machines by exploiting a flaw in the SMB file-sharing service, encrypted the files on each infected computer and threatened to delete them unless the victim paid a US$300 ransom in Bitcoin.
Phishing is a common technique used to fool unsuspecting users. In phishing, one might receive an email seemingly from a bank, government agency or other credible institution. At first glance the email looks very realistic, with the right logos and text. Typically, the email will either provide a hyperlink that directs you to a fake website (the visible link text often shows the genuine address while the actual destination is an attacker-controlled domain) or ask you to open an attachment that installs malware.
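The two tells described above (a link whose visible text shows one address while its real target is another, and a lookalike host that embeds a trusted brand name in a domain the attacker controls) can be checked mechanically. The following is an added example written for this page, not code from the article or from any product; it uses only the Python standard library, and the email body, the domains example-bank.com and evil-domain.net, and the list of trusted domains are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
# Hypothetical domains: example-bank.com is the 'genuine' bank, evil-domain.net the attacker.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Please visit <a href="http://secure-login.example-bank.com.evil-domain.net/verify">https://www.example-bank.com/login</a> to restore access.</p>
<p>Questions? See our <a href="https://www.example-bank.com/help">help centre</a>.</p>
"""

# Assumed list of the institution's genuine registrable domains.
TRUSTED_DOMAINS = {"example-bank.com"}

# Matches visible link text that itself looks like a URL or a bare domain name.
_URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)

# Attachment types that execute code; includes the 'double extension' trick (invoice.pdf.exe).
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "lnk"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of the host.
    Assumption: no public-suffix list is consulted, so multi-part suffixes
    such as co.uk are not handled; this is enough to illustrate the check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for links showing a phishing tell."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registrable_domain(href_host)
        # Tell 1: the visible text is a URL whose domain differs from the real target.
        if _URL_LIKE.match(text):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(text_host) != href_dom:
                findings.append((href, "link text shows %s but points to %s" % (text_host, href_host)))
                continue
        # Tell 2: a trusted brand domain appears inside the host name, but the
        # link does not actually resolve to that brand's registrable domain.
        for trusted in trusted_domains:
            if trusted in href_host and href_dom != trusted:
                findings.append((href, "lookalike host %s impersonates %s" % (href_host, trusted)))
                break
    return findings


def is_risky_attachment(filename):
    """True for executable attachment types, including double extensions."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and parts[-1] in RISKY_EXTENSIONS


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS:", href, "->", reason)
    for name in ("statement.pdf", "statement.pdf.exe"):
        print(name, "risky" if is_risky_attachment(name) else "ok")
```

On the constructed message the first link is flagged because its text claims www.example-bank.com while its destination is under evil-domain.net; the genuine help-centre link passes. A mail gateway would apply the same idea to every link and attachment, and a production version would replace the two-label domain approximation with a proper public-suffix list.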
We tend to think of cybersecurity as a technology issue, whereas in reality much of it comes down to awareness and human behaviour. If users are aware of phishing and take simple precautions with suspicious emails, much of the problem can be avoided. It is also worth knowing that a significant share of the risk to organisations comes not from external cybercriminals but from within, through an organisation’s own employees, whether acting maliciously or simply carelessly.
Organisations need to treat cybersecurity holistically rather than in a piecemeal fashion. Fortunately, frameworks and standards do exist that can guide organisations if they are willing to adopt them.
One of the most established is the US National Institute of Standards and Technology (NIST) Cybersecurity Framework. NIST defines five overarching functions in cybersecurity, namely identify, protect, detect, respond and recover (a sixth function, govern, was added in version 2.0 of the framework in 2024). Within each function, the framework expects organisations to establish good, if not best, practice. For example, under the ‘identify’ function an organisation carries out a comprehensive risk assessment and devises a risk management strategy, including plans for business continuity. Under the ‘protect’ function, it instils good practice for data security. What the NIST framework effectively provides is a checklist of areas an organisation needs to work on in order to address cybersecurity holistically; it is voluntary guidance rather than a regulatory requirement. The ISO/IEC 27001 standard, which specifies an Information Security Management System and against which an organisation can be certified, is an alternative or complement to the NIST framework.
For larger organisations that are highly dependent on digital business, it is strongly recommended to engage an independent external party to carry out cybersecurity audits. Such audits typically take a few months but can prove valuable in identifying risks that an internal team might otherwise have missed.
The article is authored by Professor Wing Lam. Wing is Provost at the University of Reading Malaysia and a member of the Centre for Global Business Enterprise and Cloud Analytics (CGBECA).