Digital transformation is changing the business operations and activities of every organization through new technologies that enhance competitive advantage, efficiency, flexibility, and customer experience. At the same time, information security threats are growing, and digital transformation is unlikely to succeed without an appropriate security strategy.
Technology trends in digital transformation and information security risks
The Covid-19 pandemic has accelerated the business digital transformation trend, moving many activities into the online environment and activating remote work by employees on personal devices (“Bring your own device” – BYOD), including laptops, smartphones, and tablets connected through home WiFi networks, public WiFi networks, and 4G networks.
However, this also increases enterprise information security risks. For example, in Vietnam in 2020, 23 malware samples related to COVID-19 were detected. If a remote employee opens a file containing malicious code, an attacker can gain control of the computer. This leads to many risks, such as unauthorized access to online meetings, data leakage, disclosure of remote login credentials, and an increase in phishing attempts via email or fake websites.
On the IT side, the rapid deployment of digital initiatives on cloud platforms and the emergence of a variety of devices and sensors connecting production systems with IT applications have increased the volume of data, applications, and users in the enterprise and created many security holes.
For example, connected devices in an enterprise using IoT technology can include HVAC systems, automated robots, lighting systems, thermostats, etc. They help increase production and business efficiency, but they can also add hundreds of insecure devices to the network if the device vendors cannot ensure timely security updates.
The IT systems of Vietnamese businesses have also been hit by multiple DDoS attacks, ransomware, and incidents related to data security and user management. For example, according to a ransomware report by VirusTotal and Google, ransomware in Vietnam in the first 7 months of 2021 increased by nearly 200% compared to the same period in 2020.
Therefore, enterprises need to build a target IT architecture that covers all the initiatives in the roadmap, and to set information security and operational requirements at appropriate levels for all systems, so that they gain the full benefit of digital transformation while reducing the risks of data leakage and non-compliance.
Information security strategy and digital transformation implementation at once
Information security is a key factor that needs to be continuously assessed throughout the process of brainstorming, designing, and implementing digital initiatives, to ensure a successful and secure transformation.
Here are some suggestions for businesses to implement information security strategy effectively:
Adjust information security strategies in line with business objectives
An information security strategy becomes rigid and may hinder flexibility and growth in business activities if it focuses excessively on imposing strict requirements and regulations on every department. The strategy therefore needs to weigh information security requirements against business objectives and strike the right balance between mitigating risk and enabling business innovation. First, the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) needs to understand the business strategy, goals, and other concerns of the directors of other business functions. Through these discussions, the CISO can identify the areas that provide the most value to the business, and their risks, in order to prioritize the most appropriate security measures. At a lower level, the information security team should also maintain close relationships with the sales and production teams so that it can participate in project development from the very beginning. For example, if a business decides to develop a mobile app or a new social platform for customers, its security group must know about these plans and design security features in at the development stage.
Balancing security risks with productivity and convenience
When it comes to information security, many organizations face an awkward situation: they want to be safer and remain productive at the same time. Information security procedures tend to make access to the tools and data needed for work take longer. For example, user authentication and multi-factor authentication (MFA) are effective security measures that prevent attackers from directly accessing applications and data. To minimize the impact on employee productivity, the security team can apply single sign-on (SSO) technology and configure one-time MFA for the systems that do not require a higher security level, so that users can reach different applications with just one validation. To implement these measures, the enterprise needs to assess the risks and security posture of its systems, understand those risks, and apply appropriate solutions to both infrastructure and applications.
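The SSO-plus-one-time-MFA approach described above can be expressed as a small step-up authentication policy: each application is assigned a sensitivity tier, and the SSO session records when MFA was last completed, so low-tier systems never prompt, standard-tier systems accept one MFA per working day, and high-tier systems require a recent MFA. The following Python is an added illustration written for this article, not code from the original text or from any particular SSO product; the tier names, validity windows, user name, and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Sensitivity tiers assigned to applications behind the SSO (assumed labels).
LOW, STANDARD, HIGH = "low", "standard", "high"

# How recent a completed MFA must be for each tier (assumed policy values):
#   None      -> a password-only SSO session is sufficient
#   timedelta -> MFA completed within this window is accepted, otherwise step up
MFA_VALIDITY = {
    LOW: None,
    STANDARD: timedelta(hours=8),   # one MFA per working day
    HIGH: timedelta(minutes=15),    # e.g. payroll or admin consoles
}


@dataclass
class SsoSession:
    """State the SSO provider keeps for a logged-in user."""
    user: str
    created_at: datetime
    last_mfa_at: Optional[datetime] = None  # when MFA was last completed in this session


def auth_decision(session: SsoSession, app_sensitivity: str, now: datetime) -> str:
    """Return 'allow' or 'step_up_mfa' for an access attempt at time `now`."""
    window = MFA_VALIDITY[app_sensitivity]
    if window is None:
        return "allow"                       # low tier: SSO session alone is enough
    if session.last_mfa_at is None:
        return "step_up_mfa"                 # never completed MFA in this session
    if now - session.last_mfa_at <= window:
        return "allow"                       # recent MFA is reused, no extra prompt
    return "step_up_mfa"                     # MFA too old for this tier


def complete_mfa(session: SsoSession, now: datetime) -> SsoSession:
    """Record a successful MFA challenge so later checks can reuse it."""
    session.last_mfa_at = now
    return session


def walkthrough() -> List[Tuple[str, str]]:
    """One constructed working day for user 'alice'; returns (event, decision) pairs."""
    t0 = datetime(2021, 6, 1, 9, 0)           # constructed start-of-day timestamp
    session = SsoSession(user="alice", created_at=t0)
    events = []
    events.append(("09:00 wiki (low)", auth_decision(session, LOW, t0)))
    t = t0 + timedelta(minutes=5)
    events.append(("09:05 crm (standard)", auth_decision(session, STANDARD, t)))
    complete_mfa(session, t)                  # user answers the MFA challenge once
    events.append(("09:06 crm (standard)", auth_decision(session, STANDARD, t0 + timedelta(minutes=6))))
    events.append(("12:00 payroll (high)", auth_decision(session, HIGH, t0 + timedelta(hours=3))))
    events.append(("17:30 crm (standard)", auth_decision(session, STANDARD, t0 + timedelta(hours=8, minutes=30))))
    return events


if __name__ == "__main__":
    for event, decision in walkthrough():
        print(f"{event:28s} -> {decision}")
```

The walkthrough shows the trade-off in practice: the user is prompted once in the morning and then works in standard-tier applications unprompted, while the high-tier payroll system still demands a fresh MFA at noon and the standard tier asks again once the 8-hour window has lapsed. The validity windows are the knobs that a risk assessment of each system should set.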
Building an information security culture
People are always important assets of an organization, but they are also the weakest link. A Verizon report on data breaches shows that employees with legitimate access are a common cause of information security breaches. These employees may be targeted by malware or social engineering techniques, or may make unintentional mistakes, resulting in information leakage. Therefore, enterprises need to build an information security culture throughout the company, so that employees not only understand the importance of information security but also actively participate in protecting the enterprise against cyberattacks. Before proceeding with implementation, the enterprise needs to develop user awareness and knowledge of information security at all staff levels, and establish clear security policies with a clear reward and penalty mechanism for information security incidents.
Information Security Consulting and Information Security Operation services
During digital transformation, the number of services, applications, and data stores grows rapidly, while the existing IT team often lacks the capability and experience to design, operate, govern, and resolve security problems. Therefore, businesses need to consider information security assessment services, consulting services on information security management and operation, and information security operation services from professional information security vendors, to build security in from the start of system design and to detect, prevent, and respond to information security threats that may occur during daily operation.
Digital transformation is a process that combines many aspects, from strategy, process, and culture to technology. It can bring innovative change to the business, but it also poses challenges and risks in network security that may affect the credibility and value of the enterprise. Therefore, appropriate information security advice from professional consulting providers, together with close coordination between the security department and other departments throughout the digital transformation process, will help enterprises build a long-term information security system with stable operations for the future.