Special Feature
Part of a ZDNet Special Feature: Digital Transformation: A CXO's Guide

Digital transformation is creating new security risks, and businesses can't keep up

Digital transformation without cybersecurity is a recipe for disaster.

Remote work has increased the attack surface for hackers

Business strategies around technology are constantly evolving. Usually it's a process that takes time, carefully plotted out in order to avoid disruption.

But that wasn't the case when many office workers were rapidly shifted over to remote working for the past 18 months. Employees who might not have experienced remote working suddenly found themselves working from a laptop on their living-room table, kitchen worktop or bedroom as a result of the pandemic.  

Special Report

Digital Transformation: A CXO's Guide

Reimagining business for the digital age is the number one priority of many of today's top executives. ZDNet offers practical advice and examples of how to get your digital transformation right.

Read More

The sudden shift may have helped organisations keep operating, but for many it also came at the expense of cybersecurity. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

Organisations had to transform their business processes, but security didn't necessarily keep pace, says Ian Wood, head of technology for UK and Ireland at enterprise data management software company Veritas.

"That was more of an afterthought -- it was all about 'how do I get up and running, how do I transform the business?' Not thinking about how to secure things," he adds. 

And it's not just offices that were forced to change. For example, bars and restaurants suddenly found that, due to social distancing rules, they had to alter how they worked. Customers couldn't queue up to order their food and drinks, so pubs and bars had to provide digital ordering services.

"Pubs which didn't have much IT infrastructure suddenly had to adopt a huge amount of it," says Wood. 

But without guidance some struggled, with privacy activists expressing concerns over the amount of information these applications were collecting -- particularly when a lack of experience with collecting and storing all this data could lead to issues with information not being correctly secured.

The rush to build new systems caused by the pandemic is an extreme example of digital transformation -- one done with a deadline of days, rather than months or even years. However, the same problem -- cybersecurity as an afterthought -- is also a significant risk in long-term projects.

Some boardrooms are focused primarily on efficiency and the bottom line -- and when spending on applications and tools to help keep the company secure cuts into those areas, there's reluctance to spend the money

"There's this split between the business decision and the view of the business risk, and then the view of the cyber risk, and at the moment, the two can't combine, don't collaborate and don't come together in the way that they need to," says Lorna Rea, consultant for central government at BAE Systems.

That split in decision making means that in some cases of digital transformation, rolling out new ways of doing things takes priority over making sure the methods of doing business are secure. For example, digital transformation projects tend (obviously and inevitably) to involve doing more with technology. From a security point of view, that means they can expand the potential attack surface of the organisation -- unless that risk is understood and tackled. 

"Security just isn't keeping pace with the digital transformation. Organisations have finite resources, and it's very difficult to mobilise the limited resources," says Alastair Williams director of solutions engineering for EMEA at Skybox Security.

But even if organisations have limited resources, that doesn't mean that cybersecurity should simply be ignored: the cost of falling victim to a data breach or ransomware attack could cost a business much more than implementing cybersecurity practices ever would. And that's without the ongoing damage that could be caused if consumers and partners lose faith in a business because it fell victim to an avoidable cyberattack.

SEE: Ransomware: This new free tool lets you test if your cybersecurity is strong enough to stop an attack

Digital transformation in many cases means investing in cloud computing services. And the basics of securing cloud services is a well understood, if sometimes, ignored practice.

For example, securing the cloud means ensuring that multi-factor authentication (MFA) is applied to every user. Then, if usernames and passwords are breached, there's an additional step that can prevent attackers gaining direct access to the network. Some executives might grumble that MFA cuts down productivity, because people need to take a little time out to verify their identity -- but it's one of the most effective actions that can be taken to help prevent unauthorised access to company services.

Ultimately, when looking at digital transformation, one of the best ways to help ensure data protection is prioritised is to invest in an information security team and involve them in every step of the journey. There might sometimes be tension between the business and information security units, but such integration will ultimately ensure that security is baked into the whole process.

"Have your security consultants embedded, so the decisions are being made together as a collaborative team," says Rea. 

One of the key benefits of digital transformation is that employees can collaborate from anywhere. But to make sure they can do that securely, cybersecurity needs to be a key part of the process from the very start.