Digital Trust and the Issue of “Mass Risk at Scale”

As organizations move assets online, the shift is revealing a new level of risk that many are not prepared to handle.

A few recent high-profile hacks have shown the level of vulnerability/intrusion we now face: more than 21 million personnel records lifted from the US Office of Personnel Management, more than 37 million personal/private online profiles exposed on Ashley Madison, and Fiat Chrysler recalling 1.4 million IoT-enabled vehicles open to devastating loss-of-control hacks. It’s not the hacks themselves that are telling, it’s the level of “mass risk at scale”—a significant, and often personalized, level of risk that occurs simultaneously across a wide range of individuals—that is of primary concern.

Each of these hacks appear to have taken advantage of strategies that are at the core of many enterprise strategies today: the rapid adoption of IoT (the Internet of Things), the dominating shift from legacy data systems to the cloud, and the need to become more tech/process efficient in an increasing digital ecosystem.

Unfortunately, digital transformation often stresses technology first (i.e., what cool things can we do?) and security second (i.e., what do we have to secure?).

Security and data integrity are no longer a guarantee, even with world-class protections in place, so enterprises need to carefully assess their security architectures, as well as the capabilities of their technology and security service providers. Moreover, organizations should focus on how they collect, store and interconnect high and low-value digital assets.

Digital transformation, and the increasing trend of interconnecting high and low-value digital assets, may make good business sense, but it significantly increases the likelihood of mass risk at scale.

As technology proliferates, including automation and intelligent computing, the ability of outside entities to compromise seemingly secure assets will only increase. There are six important questions that enterprises should ask as they assess their vulnerabilities:

• Do we have low-value (moderately secured) digital assets that are placing high-value (highly secured) assets at risk?
   
• Have we properly considered the value of compartmentalizing certain digital assets (perhaps at an economic disadvantage) to minimize the risk or severity of individual systems that are compromised?
   
• Does our risk valuation strategy properly account for potential economic damages (including the loss of consumer trust) that result from a breach?
   
• Are we properly addressing the behavioral aspects of security to ensure internal lapses, which are often the cause of high-profile breaches, are not increasing our risk profile?
   
• Do we have adequate collaboration between, and transparency with the extended enterprise (including our employees, business units, partners and service providers) to identity gaps in our overall security strategy?
   
• Are we still treating security as a means to lock down assets, or are we embracing security as an integral part of our program to promote online/digital trust in our brand and heighten the overall consumer experience?