You don’t want to see a headline about your cybersecurity lapses. Nor do you want vocal critics to sully your carefully cultivated stellar reputation. You want to avoid the cost and disruption of cleaning up after a cybersecurity incident.
Treating cybersecurity as an afterthought, or as something others will address during digital transformation projects, is always a mistake. It leaves avoidable cybersecurity holes that bad actors love to exploit.
Thankfully, there are steps you can take to guard against the vulnerabilities that digital transformation initiatives often uncover. Here are the first five of the top 10 actions organizations can take to minimize cybersecurity risks during digital transformation.
Conduct an IT cybersecurity risk assessment
Conduct an information technology (IT) cybersecurity risk assessment for every digital transformation project. The characteristics of the project determine which risks rank highest, but the following risks occur frequently:
- Gaps in the internal cybersecurity defences.
- Insufficient cybersecurity maturity exhibited by the application software or the software as a service (SaaS) vendor.
- Varying supply chain vendor cybersecurity maturity.
- Uneven employee and contractor level of cybersecurity awareness.
The typical responses to reduce cybersecurity risk include implementing the following:
- Multi-factor authentication (MFA).
- Advanced threat detection solutions.
- More extensive use of encryption.
- An employee and contractor cyber awareness education program.
Use the conclusions of your cybersecurity risk assessment to influence the requirements and design of your digital transformation project.
The author further explains what a comprehensive IT cybersecurity risk assessment includes in this video.
Understand compliance obligations
Some digital transformation projects touch on processes and data subject to various regulations with which organizations must demonstrate compliance. Data about people are particularly sensitive. Major examples of regulations and standards that each include a cybersecurity component are:
- The Personal Information Protection and Electronic Documents Act (PIPEDA).
- Federal Information Security Management Act (FISMA).
- General Data Protection Regulation (GDPR).
- Health Insurance Portability and Accountability Act (HIPAA).
- North American Electric Reliability Corporation Reliability Standards (NERC-CIP).
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
- ISO 27001 Information security management.
- ISO 27002 Information security, cybersecurity and privacy protection.
- Payment Card Industry Security Council’s Data Security Standard (PCI DSS).
- Service Organization Control (SOC) Type 2.
Each of these regulations lays out requirements with which organizations must comply. Relevant software vendors typically describe implementation and operation strategies that are helpful for digital transformation project planning.
Include tasks to implement the cybersecurity requirements of applicable regulations in the scope of your digital transformation projects.
Avoid over-permissioned accounts
Most digital transformation projects require establishing and managing end-user accounts and roles. When end-users are issued over-permissioned accounts and roles that allow them access to more data and databases than they need to perform their assigned duties, bad actors can more easily penetrate your organization to cause havoc.
To minimize this cybersecurity risk at the design stage, digital transformation projects should:
- Design software with many roles to limit the access of any one role.
- Pay for enhancements to SaaS software to increase the number of roles.
Most database management software (DBMS) packages include functionality for restricting access to tables and columns. Relying on this functionality alone to manage roles is tedious and error-prone for your database administrator (DBA) staff, and ultimately it is unsuccessful.
For operating the system that your digital transformation project will deliver, this principle of limiting access is implemented by:
- Centrally managing all permissions.
- Continuously reviewing permissions to identify misconfigured permissions, over-permissioned accounts and roles.
- Considering the implementation of specialized software that makes recommendations to remediate problem permissions rapidly and efficiently.
Together these measures lower the risk of cyberattacks.
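The continuous permission review described above can be automated once grants are exported from the DBMS catalog or identity provider. The following is an added example, not code from the original article or any product it mentions: it compares each account's actual grants against the privileges its job role is supposed to need and reports excess, wildcard and unassigned-role grants. The role policy, account export and the "table:action" grant format are constructed for illustration.

```python
"""Review database grants against a least-privilege role policy.

Added example (not from the original article). The role policy and
account export below are constructed for illustration; in practice you
would export them from your DBMS catalog or identity provider.
"""
from dataclasses import dataclass, field

# Role policy: the privileges each job role needs, as "table:action".
# Constructed for this example.
ROLE_POLICY = {
    "claims_clerk": {"claims:select", "claims:insert", "claims:update"},
    "claims_auditor": {"claims:select", "payments:select", "audit_log:select"},
    "report_viewer": {"claims_summary:select"},
}

# Account export: assigned role plus the grants actually present in the DBMS.
# Constructed for this example; "*:*" stands for an unrestricted grant.
ACCOUNTS = {
    "alice": {"role": "claims_clerk",
              "grants": {"claims:select", "claims:insert", "claims:update"}},
    "bob": {"role": "claims_clerk",
            "grants": {"claims:select", "claims:insert", "claims:update",
                       "payments:delete", "customers:select"}},
    "carol": {"role": "claims_auditor",
              "grants": {"claims:select", "payments:select"}},
    "dave": {"role": "legacy_admin",
             "grants": {"claims:select", "*:*"}},
}


@dataclass
class Finding:
    account: str
    kind: str                      # "excess_grant", "unknown_role" or "wildcard_grant"
    detail: list = field(default_factory=list)


def review_grants(accounts, role_policy):
    """Return findings for accounts whose grants exceed their role's policy."""
    findings = []
    for name, info in sorted(accounts.items()):
        role = info["role"]
        grants = set(info["grants"])
        # Wildcard grants bypass any role model; flag them regardless of role.
        wildcards = sorted(g for g in grants if "*" in g)
        if wildcards:
            findings.append(Finding(name, "wildcard_grant", wildcards))
        # A role the policy does not know about cannot be checked at all.
        if role not in role_policy:
            findings.append(Finding(name, "unknown_role", [role]))
            continue
        excess = sorted(grants - role_policy[role] - set(wildcards))
        if excess:
            findings.append(Finding(name, "excess_grant", excess))
    return findings


def revoke_statements(findings):
    """Turn excess-grant findings into REVOKE statements (generic SQL syntax)."""
    stmts = []
    for f in findings:
        if f.kind != "excess_grant":
            continue
        for grant in f.detail:
            table, action = grant.split(":")
            stmts.append(f"REVOKE {action.upper()} ON {table} FROM {f.account};")
    return stmts


if __name__ == "__main__":
    for finding in review_grants(ACCOUNTS, ROLE_POLICY):
        print(finding)
    for stmt in revoke_statements(review_grants(ACCOUNTS, ROLE_POLICY)):
        print(stmt)
```

Run on a schedule, the findings list is the input to the remediation step; accounts that hold fewer grants than their role allows (carol above) are deliberately not reported, because under-privilege is a usability problem rather than a security one.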
Incorporate cybersecurity in application software design
Digital transformation projects typically design, build and test some application software. Completing digital transformation projects using only data integration and application software packages is rare.
Incorporate cybersecurity functionality in custom application software design by following best practices that include:
- Maintain security around the software development environment.
- Perform extensive data input validation.
- Encrypt the data your application is creating and implement HTTPS.
- Include authentication, role management and access control.
- Include auditing and logging.
- Adhere to best practices for configuring virtual servers.
- Don’t shortcut quality assurance and testing.
- Upgrade application software as security threats evolve.
- Delete inactive virtual servers and databases.
Following these best practices will significantly reduce the risk of successful cyberattacks when your digital transformation application is in routine production.
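Three of the practices in the list above (extensive input validation, role-based access control, and auditing and logging) belong together in the request path of a custom application. The following added example, which is not code from the article, shows one way to combine them: every field is checked against an allowlist of expected fields and a full-match pattern, the caller's role is checked before any work is done, and every decision, including rejections, is written to an audit log. The action names, field rules, roles and sample requests are constructed for illustration.

```python
"""Validate input, enforce role-based access and audit every decision.

Added example, not code from the original article. Field rules, roles
and sample requests are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Allowlist of fields per action: field -> (pattern the value must fully
# match, maximum length). Anything not listed here is rejected.
FIELD_RULES = {
    "update_claim": {
        "claim_id": (r"[A-Z]{2}-\d{6}", 9),
        "status": (r"open|review|closed", 6),
        "note": (r"[\w .,'-]*", 500),
    },
}

# Which roles may perform which actions (constructed).
ROLE_ACTIONS = {
    "claims_clerk": {"update_claim"},
    "report_viewer": set(),
}


class ValidationError(ValueError):
    pass


def validate(action, payload):
    """Return a cleaned copy of payload or raise ValidationError."""
    rules = FIELD_RULES.get(action)
    if rules is None:
        raise ValidationError(f"unknown action {action!r}")
    unexpected = set(payload) - set(rules)
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for name, (pattern, max_len) in rules.items():
        value = payload.get(name)
        if not isinstance(value, str):
            raise ValidationError(f"{name} missing or not a string")
        # Length check first, so a pathological value never reaches the regex.
        if len(value) > max_len or not re.fullmatch(pattern, value):
            raise ValidationError(f"{name} has invalid value")
        clean[name] = value
    return clean


def audit_record(user, action, outcome, reason=""):
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "outcome": outcome,
        "reason": reason,
    }


def handle(user, role, action, payload, audit_log):
    """Authorize, validate and record. Returns (ok, message)."""
    if action not in ROLE_ACTIONS.get(role, set()):
        audit_log.append(audit_record(user, action, "denied", f"role {role!r} not permitted"))
        return False, "forbidden"
    try:
        clean = validate(action, payload)
    except ValidationError as exc:
        # Log the reason for operators, but return only a generic message.
        audit_log.append(audit_record(user, action, "rejected", str(exc)))
        return False, "invalid input"
    audit_log.append(audit_record(user, action, "allowed"))
    return True, f"{action} applied to {clean['claim_id']}"


if __name__ == "__main__":
    log = []
    print(handle("alice", "claims_clerk", "update_claim",
                 {"claim_id": "AB-123456", "status": "closed", "note": "paid"}, log))
    print(handle("bob", "report_viewer", "update_claim",
                 {"claim_id": "AB-123456", "status": "closed", "note": ""}, log))
    for entry in log:
        print(entry)
```

The detailed rejection reason goes only to the audit log; the caller receives a generic message so that error text does not leak which checks exist. Authorization runs before validation so that unauthorized callers cannot use the validator as an oracle.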
Restrict access to cloud management consoles
Digital transformation projects with a cloud component will operate an associated management console. That console is a highly sought-after target for cyberattacks because it controls all aspects of an organization’s cloud resources. Unauthorized use of these powerful cloud consoles can create immediate havoc or data breaches.
The best response to management console risks is to treat access to the cloud management console as privileged access. This best practice is implemented by:
- Requiring end-users to justify every login, and tracking all logins to quickly identify unusual, inappropriate or fraudulent access.
- Authorizing every userid for only specific, limited access for a specified period, to contain the damage any compromised userid can cause.
- Employing single sign-on (SSO) so that end-users experience a secure and frictionless sign-in.
- Implementing MFA to add an extra layer of protection before granting access to cloud consoles.
Together these privileged access measures prevent cyberattacks against your cloud management consoles.
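The first two measures above (justified, tracked logins and time-limited authorizations) produce two data sets that can be checked against each other: the time-boxed grants issued to console users and the login events in the cloud provider's audit log. The following is an added example, not code from the article or the linked guide, that flags console logins with no active grant, logins without MFA, and grants issued without a justification, and lists grants that have expired and should be revoked. The grant records, login events and IP addresses are constructed for illustration; a real deployment would read them from the identity or privileged-access tool and the provider's audit log.

```python
"""Review cloud console logins against time-boxed privileged access grants.

Added example, not code from the original article. Grants and login
records below are constructed; a real deployment would pull them from the
identity / privileged-access tool and the cloud provider's audit log.
"""
from datetime import datetime, timezone


def ts(text):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Time-boxed grants: who may use the console, why, and for how long (constructed).
GRANTS = [
    {"user": "alice", "start": ts("2024-03-04T09:00"), "end": ts("2024-03-04T13:00"),
     "justification": "CHG-1042 storage migration"},
    {"user": "bob", "start": ts("2024-03-04T08:00"), "end": ts("2024-03-04T10:00"),
     "justification": "CHG-1043 IAM cleanup"},
    {"user": "erin", "start": ts("2024-03-04T11:00"), "end": ts("2024-03-04T15:00"),
     "justification": ""},
]

# Console login events as exported from the provider's audit log (constructed;
# IP addresses are from the documentation ranges).
LOGINS = [
    {"user": "alice", "at": ts("2024-03-04T09:15"), "mfa": True, "source_ip": "203.0.113.10"},
    {"user": "bob", "at": ts("2024-03-04T11:30"), "mfa": True, "source_ip": "203.0.113.11"},
    {"user": "carol", "at": ts("2024-03-04T12:00"), "mfa": True, "source_ip": "203.0.113.12"},
    {"user": "alice", "at": ts("2024-03-04T10:05"), "mfa": False, "source_ip": "198.51.100.7"},
    {"user": "erin", "at": ts("2024-03-04T11:45"), "mfa": True, "source_ip": "203.0.113.13"},
]


def review_logins(logins, grants):
    """Return one alert per login that violates the privileged-access rules."""
    alerts = []
    for event in logins:
        reasons = []
        if not event["mfa"]:
            reasons.append("no MFA")
        # A login is covered only by a grant for the same user whose window
        # contains the login time.
        covering = [g for g in grants
                    if g["user"] == event["user"] and g["start"] <= event["at"] <= g["end"]]
        if not covering:
            reasons.append("no active grant")
        elif not covering[0]["justification"].strip():
            reasons.append("grant lacks justification")
        if reasons:
            alerts.append({"user": event["user"], "at": event["at"].isoformat(),
                           "source_ip": event["source_ip"], "reasons": reasons})
    return alerts


def expired_grants(grants, now):
    """Users whose grant window has closed and whose access should be revoked."""
    return [g["user"] for g in grants if g["end"] < now]


if __name__ == "__main__":
    for alert in review_logins(LOGINS, GRANTS):
        print(alert)
    print("revoke:", expired_grants(GRANTS, ts("2024-03-04T12:30")))
```

Alerts carry the source IP so that an analyst can decide whether an uncovered login is a forgotten grant renewal or a compromised credential; the expired-grant list is what a scheduled job would feed to the console's user management to remove standing access.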
For a more in-depth discussion of securing cloud consoles, please read 5 Best Practices for Securing Privileged Access and Identities for the Cloud Management Console.
Organizations materially reduce cybersecurity risks by including these actions in the scope of their digital transformation projects.
What ideas can you contribute to help organizations minimize cybersecurity risks? We’d love to read your opinion.