The downside of digital transformation

Aug. 2, 2023
Organizations need to proactively work to make their new, extended digital ecosystem as safe as possible

Digital transformation offers an incredible opportunity for most organizations. From enhancing productivity to improving the customer experience to cost savings, scalability, agility, enhanced efficiency, and much more, digital transformations are driving IT and business plans worldwide. Research leader IDC even projects spending on digital transformation investments to reach $3.4 trillion in 2026.

Yet, as with any opportunity, there are risks. In the rush to remake IT and business infrastructure and enable all the benefits listed above, it’s essential to realize that digital transformation also brings some downsides—some of which can be significant.

Data Expansion Creates Greater Risks

Specifically, digital transformation achieves many of its benefits by moving data, applications, and systems to the cloud instead of keeping them on-premises, integrating more tightly with partners, customers, and suppliers, and leveraging third-party services and software. Yet, you can’t have greater connectivity, more integration, and external components without expanding your attack surface.

Once an organization starts relying on cloud services and providers, integrating with partners and suppliers, and enabling work-from-anywhere for employees and users, any breach within that complex and ever-expanding digital supply chain is a risk to the organization and can potentially lead to an attack on it. In effect, with digital transformation an organization’s supplier’s or partner’s security problems are now its own problems.

Unfortunately, from a risk perspective, this significant expansion of the threat attack surface is a potentially massive downside to digital transformation that most organizations and CISOs still need to account for. In fact, according to Gartner, “Digital transformation initiatives have been instrumental in the expansion of enterprises’ attack surface, which is increasingly exposing them to threat actors’ activities.”

Whether you know it or not, the digital landscape that cybercriminals can attack just became a lot larger with digital transformation. Your organization’s attack surface now includes all your business partners, their users, their partners, and on and on. An organization’s digital supply chain is typically around 3X larger than the number of assets it owns and controls, resulting in a new and tremendous challenge for even the most proactive organizations.

Case Study of a Security Breach

Consider a current textbook example of what can go wrong in this type of situation and how a security breach at one company can dramatically impact many other organizations.

Capita plc, a 50,000-employee consulting, transformation, and digital services company based in London that works extensively with local governments, the military, Britain’s National Health Service, and more, experienced two separate breaches of its IT systems in the spring of 2023. Hackers were able to access approximately 4% of servers, stealing files and customer, supplier, and employee data from them.

While that would be bad enough for any company, Capita’s security breach also significantly impacted its customers since its solutions are used by large organizations, such as the Royal Mail, to administer pension funds and their customers, the policyholders. As a result, the UK's Pensions Regulator contacted 300 pension funds asking them to look for related security breaches. Some of those pension funds have also reached out to hundreds of thousands of their members, alerting them that their data may be at risk. In addition, as of May 29, 90 organizations had contacted the UK’s Information Commissioner’s Office (ICO), a privacy and data watchdog group, reporting breaches of personal data held by Capita. So far, the financial damages to Capita are estimated at up to $25 million.

In another example, Progress Software announced three newly discovered SQL injection exploits on its MOVEit Transfer cloud file transfer service that thousands of companies and 3.5 million developers use. The May and June 2023 attacks left MOVEit users open to extortion attempts by the Clop ransomware group, which claimed it had exfiltrated data from hundreds of organizations.

For any CISO, corporate board, or organization focused on digital transformation, the thought of 90 or hundreds of organizations negatively (and perhaps financially) impacted by a single cyberattack should be both sobering and thought-provoking.

When outsourcing operations to a third party, an organization alleviates some operational burden but must also realize it is assuming new risks. That third party, whether a service provider, a cloud provider, or a partner, is now part of the organization’s digital supply chain and attack surface. A cyberattack on any of those third-party providers automatically becomes a potential problem for the organization.

Managing Risk

But it’s also a problem that can be managed, and the risks can be reduced, provided an organization’s CISO, board of directors, and business leaders take a proactive approach.

  • The first step in mitigating the cybersecurity risks of digital transformation is simply understanding the extent of the problem and how attacks against partners, remote employees, third parties, and more may be threats against corporate systems and data.
  • The second step is for business leaders and boards of directors to recognize that this isn’t a one-and-done situation. There is no single silver bullet that will eliminate all third-party risks. At the same time, there’s no end date—the cyber threats from this greatly expanded attack surface are ongoing and never-ending, so organizations need to take a more strategic approach to address them, consistently adapting as new threats and new third-party connections arise.
  • The third step organizations should take to reduce the downside of digital transformation is to put a program in place that focuses on exposure management and risk reduction over time. The idea is to implement a digital transformation security platform that can deliver continuous programmatic improvement of an organization’s overall security posture.

Instead of focusing on a single tactical solution or addressing just one component of the risks, organizations should invest in putting a more mature security program in place that will be able to assess possible risk areas, identify specific threats, provide mitigation suggestions or capabilities, and enable ongoing monitoring and metrics so that continued progress can be charted. Ideally, the platform would be able to calculate feasibility scores for various attack scenarios and/or attack paths based on weighted scoring and detection by security controls.

No company will stop its digital transformation strategy due to potential security issues that might arise from third parties, partners, or other outside threats. The benefits are just too significant. But what every company can do as they implement their digital transformation is to proactively work to make their new, extended digital ecosystem as safe as possible.

About the author: Marc Gaffan is the CEO of Ionix (formerly Cyberpion). Most recently, Gaffan was CEO of Hysolate, an endpoint security startup that was acquired by PerceptionPoint. Gaffan also served as co-founder and CEO of Incapsula, a global cloud application delivery service that was acquired by Imperva. Cyberpion helps clients with their security by discovering, inventorying, monitoring, and assessing threat vectors present throughout online ecosystems outside traditional security parameters.