Addicted to Tech: Balancing the Risk of Technological Dependence
Paul Taylor, Partner and UK Head of Cyber Security at KPMG discusses why a shift in thinking is needed in the way we think about the role of cyber in business risk planning. In the race to improve efficiency, increase productivity and outstrip rivals, the adoption of new technologies is now a permanent characteristic of […]
Paul Taylor, Partner and UK Head of Cyber Security at KPMG discusses why a shift in thinking is needed in the way we think about the role of cyber in business risk planning.
In the race to improve efficiency, increase productivity and outstrip rivals, the adoption of new technologies is now a permanent characteristic of the business landscape. The prospect of rapid productivity gains and breakthrough opportunities is driving organisations to automate processes, connect systems and leverage new kinds of infrastructure before the competition can. However, the reliance on competiveness through technological adoption has blurred the boundaries between devices, systems and employees, creating new vulnerabilities that are increasingly exploited by cyber criminals and nation-state backed groups.
In today’s digital landscape, connected medical devices provide physicians with faster and more accurate patient diagnoses, whilst retrofitted smart sensors allow production equipment to automatically signal to other devices once a process is complete and when the next processes need to begin, speeding up manufacturing time and efficiency. At the other end of Industry 4.0, rail providers adopt real-time cab signalling and traffic management systems, which have the potential to add time to train pathways and avoid the need for extra lines of track by increasing capacity on existing lines. In the public sphere, vehicle manufacturers race to deploy driverless cars with the latest automated control systems and sensory equipment, designed to help identify safe navigation paths, obstacles and traffic light systems.
The unrelenting pursuit of better, faster and more efficient ways of deploying and creating technology has driven innovation in our businesses and across our economy, ensuring the UK is a world leader in a multitude of industries. Yet this position at the top of the leader board has to an extent come at the cost of security. The current nature of cyberspace means it is far easier and simpler for malicious actors to carry out vulnerability-based attacks over targeted hacking campaigns. Taking full advantage of the constantly evolving technological landscape, hostile individuals and criminal groups invest their time researching digital infrastructures and devices in order to design attack software that exploits vulnerabilities and weak points.
This kind of exploit-based hacking was seen when criminals took advantage of an overlooked vulnerability in Sony’s computer systems, which gave them full access to the company’s wider network. The alleged group behind the attack crippled the company network before they released sensitive corporate data, including four unreleased films, business plans, contracts and the personal emails of senior staff – having a huge impact on the business. Such attacks are not only restricted to large company networks. Advances in the UK’s rail signalling system to upgrade to a ‘connected network’ have also been shown to be vulnerable to hackers who could use software to tell a train that it’s speeding up when it is slowing down or even give a false location. These fears were almost realised last year when it was revealed the UK rail network had been compromised in four major ‘exploratory’ cyber-attacks. In Finland, hackers hit a building management system with a distributed denial of service (DDoS) attack that left residents with no central heating and in 2015, Chrysler was forced to recall 1.4 million cars after security researchers revealed that the vehicle’s internet-connected entertainment system could be hacked. To add the icing on top, at last year’s cyber security contest DEF CON, contestants found 47 vulnerabilities in 23 IoT devices, including smart door locks, refrigerators, and solar panel arrays.
Whether it’s increased connectivity, automating systems or upgrading networks, organisations – both public and private – are finding themselves dependent on new technological capabilities long before they have even begun to consider how they are leaving them open to cyber-attacks.
Many businesses are taking steps to begin to deploy things like RegTech (Regulatory Technology) as part of preparation for regulations such as GDPR and MiFiD II, possibly taking this more seriously due to the fact that the cost of non-compliance is clear and outlined, however the impact and cost of a cyber hack could be just as bad, so there needs to be a shift in thinking – a cyber hack is not just a cyber hack, it’s a risk to the whole business.
The impact that these kinds of attacks can include lost revenue, losses to intellectual property and customer loyalty and reputational damage. The practice of innovation at the expense of security cannot therefore be maintained, and leaders need to start to think of a lack of security for what it really is – a risk to the whole business.
As outlined in a recent white paper on cyber security business risk by information security professionals body (ISC)2 titled, ‘What Every Business Leader Should Know About Cyber Risk’ organisations must ultimately incorporate cyber into the wider risk plan of the business. Within this, key operational dependencies that are being overhauled, upgraded or introduced must be identified and any critical technology that needs protection must be prioritised. This could be your organisation’s server network, the website upon which your customer’s financial trades take place or even individual devices. Bringing the CISO into risk evaluation discussions should also be made compulsory going forward.
Technological transformation is an inherent part of the world in which businesses operate, but in order to mitigate the threat, accepting cyber security as a business risk is paramount. Cyber attacks are only going to increase and businesses are offering hackers an open door by failing to incorporate cyber security within the risk register. If the uptake in new capabilities by businesses is to be maintained securely, then cyber security must come become a deciding factor in the implementation of any technology.