Digital transformation increases vulnerability to cyberattack

To securely digitize, companies must rethink their siloed response to cybersecurity risk

The COVID-19 pandemic has accelerated digital transformation—the use of digital technology to change, optimize, or invent new business models—for organizations worldwide. To meet the evolving needs and demands of customers and employees, businesses are investing heavily in digital tools that enhance customer experience (CX) and employee experience (EX).

New data from ServiceNow and ESI ThoughtLab, which surveyed 900 C-level executives across 13 countries, finds that all major industries are on the fast track to digitize CX and EX. Furthermore, many firms are starting to think beyond improving CX and EX in isolation; rather, they’re bridging the two disciplines with workflows, teams, and technologies to multiply their improvements. In fact, businesses see the most benefits when they integrate CX and EX into a unified “total experience” (TX), creating a virtuous cycle of benefits from customer and staff experience.

Many business leaders believe Internet of Things (IoT) devices and sensors are critical for digitizing TX. IoT devices enable businesses to predict technical problems before they surface, collect data from customers and suppliers, and connect devices in the company’s network. Of the C-level executives surveyed, 73% say they’re prioritizing adoption of IoT and sensors over the next one to two years.

At the same time, businesses are taking steps to protect their customers and assets from cyberattacks, which have increased 300% since the start of the pandemic. In healthcare, manufacturing, telecommunications, and the public sector, about half of all C-level executives say they plan to make further investment in data privacy and security over the next two years.


The problem, however, is that businesses are making these investments—IoT on the one hand and cybersecurity on the other—separately. Chris Taylor, chief transformation officer at ServiceNow, says organizations are “quite slow” to realize they need to link their digital transformation initiatives with their cybersecurity strategy.

“People don’t really understand how those risks change when you embark on digital transformation,” says Taylor. “You need to change strategically in response. This should start in the boardroom but extend throughout the organization as a whole.”

If organizations don’t embark on digitization initiatives with cybersecurity in mind, they could end up losing ground on both.

Businesses rely on IoT to digitize

Businesses are working diligently to digitize EX and CX. For customers, that means everything from telehealth to online courses to augmented-reality shopping experiences. According to the ServiceNow and ESI ThoughtLab survey, 30% of firms have made “high or very high” progress in customer experience over the past year. Over the next one to two years, that percentage is projected to increase by more than two-thirds. Organizations are prioritizing tools that help them unify customer service operations, create intuitive customer experiences, and leverage a single digital platform through which customers can resolve issues.

For employees, digitizing EX means deploying tools for remote and hybrid work, collaboration, hiring and onboarding, and online video conferencing. About 25% of business leaders report that their companies made “significant progress” on digitizing EX. Roughly half expect to make significant progress in the next two years. Looking ahead, companies are prioritizing digital tools that support data privacy, remote-flexible work, and easy access to corporate data.

Many of these tools leverage IoT technologies, which connect distributed sensors with a range of assets and devices so employees have greater visibility into core business functions.

The growth of IoT has been rapid. According to market research firm IoT Analytics, the number of connected devices was close to 1 billion in 2010. That number will reach more than 30 billion by 2025—almost four such devices for every human on the planet.

IoT devices aren’t just consumer-focused smart refrigerators or wearables. Business-to-business companies use IoT devices to monitor their products in the field. Healthcare companies leverage IoT devices to detect problems with medical devices before and after they occur. IoT is revolutionizing the manufacturing sector, which uses sensors and other devices to maintain visibility into shipping and processing, monitor storage conditions of raw goods and materials, track inventory, and streamline supply chains.

IoT technology has played a critical role in digital transformation. Organizations rely on IoT to get the data they need to improve EX and CX, diagnose problems, and figure out what they can do better. For the financial services industry, healthcare, the public sector, and telecoms, investing in IoT will be a top priority over the next two years.

Silos increase risk

As more companies make progress toward digital transformation, cybercriminals are capitalizing on this evolution in technology and strategy. Many organizations take a siloed approach to digitization and security, investing in teams, processes, and tools in isolation rather than connecting them. For example, while one set of teams might decide where and how to deploy future IoT devices, another set of teams might process day-to-day security tickets. If security isn’t embedded into the decision-making process, then the organization will be stuck in a perpetual cycle of reacting to vulnerabilities rather than designing and deploying products with risk in mind.

Taylor says the “traditional cybersecurity model” is causing problems for organizations that are investing in digital experiences. In the traditional model, Taylor explains, IT and security teams mostly exist to tell employees what they can’t do. “They’re the security police, not a business enabler,” he says.

As other teams work to digitize EX and CX and to expand the company’s digital footprint, IT and security are reactive, struggling to keep pace with change. Stretched and under-resourced, IT and security become increasingly marginalized as the company expands further. Employees and teams begin to invest in tools and technologies without consulting IT or security teams, enlarging the company’s “shadow IT”—applications, software, or hardware that are installed and used without the IT team’s knowledge. This approach creates unnecessary tradeoffs between privacy and progress, security and digitization.

Taylor, who previously served as vice president of commercial cybersecurity at Airbus, says decentralization increases a business’s risk. “When you’re digitizing and connecting your value chain,” he says, “your [defensible] perimeter increases in size, and everything becomes more complicated and susceptible to attack. When people consume data and services in a decentralized way, the way you work and the scale of work increases your risk.”

IoT exacerbates the problem

Unlike laptops and phones, IoT devices are generally difficult to secure. They don’t have the processing and storage capabilities to deploy anti-virus, firewall, and other security applications. As a result, large-scale deployment of IoT devices can increase supply-chain vulnerabilities.

Supply-chain attacks, in which bad actors deploy malicious code into trusted hardware or software, are becoming increasingly common. One of the most recent and largest was the widely reported 2020 attack on software company SolarWinds. Russian-sanctioned hackers allegedly breached the company’s Orion software, used by 320,000 customers worldwide to manage large-scale IT infrastructure, and inserted code into it. Once the software was breached, the hackers gained unrestricted access to customer systems.

Such attacks are becoming increasingly common. According to a report by the European Union Agency for Cybersecurity, which was released after the SolarWinds attack, 2020 saw eight major supply-chain attacks. That number is expected to quadruple by the end of this year.

As businesses build out their digital infrastructure to satisfy the expectations of customers and employees, the complexity of IoT increases their security vulnerabilities while decreasing visibility into their attack surface. This year, 61% of organizations say they have already experienced an IoT-related security incident. However, that figure might be much higher; since these organizations lack visibility into their supply chains, many breaches may have gone undetected.

Desiloing digital transformation

In the gap between digitization and cybersecurity, hackers are innovating. Since the start of the pandemic, about 20% of cyberattacks used previously unseen malware, tools, or methods. That figure has since risen to 35%, according to Deloitte.

To meet this evolving challenge, Taylor says organizations must rethink their approach to risk.

“Risk isn’t just an IT problem,” he says. “It’s a business problem.” For successful businesses, Taylor says “digital transformation goes hand-in-hand with cybersecurity.”

As more businesses digitize to improve total experience, Taylor says they should leave behind the legacy approach to cybersecurity. He is seeing successful companies embrace an approach he calls “digital cybersecurity,” in which a security-first culture permeates the entire business. Workflows, teams, and processes connect cybersecurity to other teams and functions.

“It’s about making risk-based, data-driven decisions,” says Taylor, “and collaborating across the enterprise. It’s a business enabler.”

As they embark on digital transformation, businesses that take a “digital cybersecurity” approach unlock several key advantages. Taylor says they’re better at “know[ing] their assets” by gaining clear visibility into their supply chain and securing their critical systems.

Once they have visibility, organizations can then attempt to protect their employees’, suppliers’, and affiliates’ data. That means supplier risk management, supplier access management, and identity management—in other words, working to mitigate supply chain disruptions, limiting suppliers’ access to mission-critical assets, and controlling users’ access to information.

If security and digitization are de-siloed in this way, Taylor says businesses can better secure their digital perimeter. Since IT and security teams are interfacing with the rest of the organization, teams are less likely to go rogue and install unauthorized software and hardware.

Similar to embracing total experience for employees and customers, business leaders would do well to embrace this “total cybersecurity” approach, in which business leaders and front-line employees make decisions in consultation and connection with the cybersecurity function.

If digital transformation is an all-out effort for companies, then security must be as well.