Guard against cybersecurity risks during digital transformation by checking for weak spots with an IT risk assessment
You don’t want to see a headline about your cybersecurity lapses. Nor do you want vocal critics to sully your carefully cultivated stellar reputation. You want to avoid the cost and disruption of cleaning up after a cybersecurity incident.
Treating cybersecurity as an afterthought, or as something others will address during digital transformation projects, is always a mistake. It leaves avoidable cybersecurity holes that bad actors love to exploit.
Thankfully, there are steps you can take to guard against the vulnerabilities that digital transformation initiatives often uncover. Here are the first five of the top 10 actions organizations can take to minimize cybersecurity risks during digital transformation. I will cover another five tips to reduce cybersecurity risks during digital transformation in my next column.
Conduct an IT cybersecurity risk assessment
Conduct an information technology cybersecurity risk assessment for every digital transformation project. The characteristics of the project will influence the highest risks. However, the following risks occur frequently:
- Gaps in the internal cybersecurity defences.
- Insufficient cybersecurity maturity exhibited by the application software or the software as a service vendor.
- Varying supply chain vendor cybersecurity maturity.
- Uneven employee and contractor level of cybersecurity awareness.
The typical responses to reduce cybersecurity risk include implementing the following:
- Multi-factor authentication (MFA).
- Advanced threat detection solutions.
- More extensive use of encryption.
- An employee and contractor cyber awareness education program.
Use the conclusions of your cybersecurity risk assessment to influence the requirements and design of your digital transformation project.
Understand compliance obligations
Some digital transformation projects touch on processes and data subject to various regulations for which organizations must demonstrate compliance. Data about people are particularly sensitive. Major examples of regulations and standards that all include a cybersecurity component are:
- The Personal Information Protection and Electronic Documents Act (PIPEDA).
- Federal Information Security Management Act (FISMA).
- General Data Protection Regulation (GDPR).
- Health Insurance Portability and Accountability Act (HIPAA).
- North American Electric Reliability Corporation Reliability Standards (NERC-CIP).
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
- ISO 27001 Information security management.
- ISO 27002 Information security, cybersecurity and privacy protection.
- Payment Card Industry Security Council’s Data Security Standard (PCI DSS).
- Service Organization Control (SOC) Type 2.
Each of these regulations lays out requirements with which organizations must comply. Relevant software vendors typically describe implementation and operation strategies that are helpful for digital transformation project planning.
Include tasks to implement the cybersecurity requirements of applicable regulations in the scope of your digital transformation projects.
Avoid over-permissioned accounts
Most digital transformation projects require establishing and managing end-user accounts and roles. When end-users are issued over-permissioned accounts and roles that allow them access to more data and databases than they need to perform their assigned duties, bad actors can more easily penetrate your organization to cause havoc.
To minimize this cybersecurity risk at the design stage, digital transformation projects should:
- Design software with many roles to limit the access of any one role.
- Pay for enhancements to SaaS software to increase the number of roles.
Most database management software (DBMS) packages include functionality for restricting access to tables and columns. Using this functionality to manage roles is tedious and error-prone for your database administrator (DBA) staff. Ultimately, it’s unsuccessful.
For operating the system that your digital transformation project will deliver, this limited access concept is implemented by:
- Centrally managing all permissions.
- Continuously reviewing permissions to identify misconfigured permissions, over-permissioned accounts and roles.
- Considering the implementation of specialized software that makes recommendations to remediate problem permissions rapidly and efficiently.
Together, these measures lower the risk of cyberattacks.
Incorporate cybersecurity in application software design
Digital transformation projects typically design, build and test some application software. Completing digital transformation projects using only data integration and application software packages is rare.
Incorporate cybersecurity functionality in custom application software design by following best practices that include:
- Maintain security around the software development environment.
- Perform extensive data input validation.
- Encrypt the data your application is creating and implement HTTPS.
- Include authentication, role management and access control.
- Include auditing and logging.
- Adhere to best practices for configuring virtual servers.
- Don’t shortcut quality assurance and testing.
- Upgrade application software as security threats evolve.
- Delete inactive virtual servers and databases.
Following these best practices will significantly reduce the risk of successful cyberattacks when your digital transformation application is in routine production.
Restrict access to cloud management consoles
Digital transformation projects with a cloud component will operate an associated management console. The console is a highly sought-after target for cyberattacks because these consoles control all aspects of an organization’s cloud resources. Unauthorized use of these powerful cloud consoles can create immediate havoc or data breaches.
The best response to management console risks is to treat access to the cloud management console as privileged access. This best practice is implemented by:
- Requiring end-users to justify every login and tracking all logins to quickly identify unusual, inappropriate or fraudulent access.
- Authorizing every userid for only specific, limited access for a specified period to contain the damage any compromised userid can cause.
- Employing single sign-on (SSO) so that end-users experience a secure and frictionless sign-in.
- Implementing MFA to add an extra layer of protection before granting access to cloud consoles.
Together, these privileged access measures prevent cyberattacks against your cloud management consoles.
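As an added example (not from the column), the following Python script applies the continuous permission review recommended under "Avoid over-permissioned accounts" and the privileged-access checks for cloud consoles described above: it compares each userid's granted permissions against the baseline its role needs, flags grants whose authorized period has lapsed, and flags console logins made without MFA or without an active grant. The role baseline, grants and login records are constructed sample data, and the permission names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed baseline: the permissions each role needs for its assigned duties
ROLE_BASELINE = {
    "billing-analyst": {"billing:read", "reports:read"},
    "cloud-operator": {"vm:read", "vm:restart", "logs:read"},
}

# Constructed console access grants; every grant is time-boxed with an expiry
GRANTS = [
    {"userid": "alice", "role": "billing-analyst",
     "perms": {"billing:read", "reports:read"}, "expires": "2024-06-30T00:00:00Z"},
    {"userid": "bob", "role": "cloud-operator",
     "perms": {"vm:read", "vm:restart", "logs:read", "iam:admin"}, "expires": "2024-06-30T00:00:00Z"},
    {"userid": "carol", "role": "cloud-operator",
     "perms": {"vm:read"}, "expires": "2024-01-15T00:00:00Z"},
]

# Constructed console login records (whether MFA was used, and when)
LOGINS = [
    {"userid": "alice", "mfa": True, "at": "2024-06-10T09:00:00Z"},
    {"userid": "bob", "mfa": False, "at": "2024-06-10T22:30:00Z"},
    {"userid": "carol", "mfa": True, "at": "2024-06-11T10:00:00Z"},
    {"userid": "dave", "mfa": True, "at": "2024-06-11T11:00:00Z"},
]

def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review(grants, logins, now):
    """Return (userid, finding) pairs: over-permissioned grants, lapsed grants,
    and console logins that lack MFA or have no active grant behind them."""
    findings = []
    active = {}
    for g in grants:
        extra = g["perms"] - ROLE_BASELINE.get(g["role"], set())
        if extra:  # permissions beyond what the role's duties require
            findings.append((g["userid"], "over-permissioned: " + ",".join(sorted(extra))))
        if parse_ts(g["expires"]) <= now:  # authorized period has ended
            findings.append((g["userid"], "expired grant still present"))
        else:
            active[g["userid"]] = g
    for login in logins:
        if login["userid"] not in active:  # login with no current authorization
            findings.append((login["userid"], "login without active grant"))
        if not login["mfa"]:
            findings.append((login["userid"], "login without MFA"))
    return findings

if __name__ == "__main__":
    for userid, finding in review(GRANTS, LOGINS, parse_ts("2024-06-12T00:00:00Z")):
        print(f"{userid}: {finding}")
```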
For a more in-depth discussion of securing cloud consoles, please read 5 Best Practices for Securing Privileged Access and Identities for the Cloud Management Console.
Organizations materially reduce cybersecurity risks by including these actions in the scope of their digital transformation projects.
Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.
© Troy Media