13th February 2018

Five principles to help balance opportunity and threat and secure your digital transformation 

The increasing use of digital technology means that organisations’ applications are more accessible and data more frequently transmitted. However, more accessible can mean more vulnerable. In this blog, Kevin Gordon, Lead Architect, Civica, looks at five key principles to frame your organisation’s approach to data security. 

The opportunities of digital transformation
Increasing the use and value of data represents a fundamental opportunity for organisations as they go through digital transformation. Making more of your processes available via digital channels and improving how you use data to analyse, target and serve citizens and customers will unlock benefits for all. However, as more data is held, shared and transferred, there is also a need to have the right level of control of your systems, not least to be able to manage data in line with regulations such as GDPR. 

Identifying the appropriate level of security
At Civica, we’re experienced working with data security scenarios across the spectrum. From online banking to handling classified information to helping staff collaborate during an international crisis, our experience tells us that the key is to find the right level of security in each case. The cost of building and protecting a system increases with the level of security required. The amount of processes and controls increases and it’s typically a compromise based upon the acceptable level of risk and the likely costs and consequences of a breach.

As well as protecting against a breach, the other issue to consider is how well your organisation can respond if something happens. Reacting to and reporting on incidents in the right timeframe, with the right detail and with a clear plan is almost as important as how you protect and prepare in the first place. So where should you focus your data security efforts for digital transformation?

#1: Design security into the solution
From the outset, we always look to identify the appropriate level of security and the acceptable level of risk. It’s a key conversation between stakeholders in their role as information owners and those creating and operating the solution. The process of assessing and exploring the security requirements needs to be completed early and in collaboration with the customer. Whether driven by standards, regulations or best practice, security risks and requirements should be considered in the context of the cost and the potential impact of a breach. We will typically present the potential risks and impacts to the customer and explore in design review workshops. While the customer has a responsibility in their role of information owner, we also have a responsibility in our role as supplier and, often, operator of the customer systems.

The key is often asking the right questions and having experienced a range of security scenarios. A good team will be aware of the architecture approaches, software patterns and practices, frameworks and tools that mitigate against attacks. However, the solution is never a foregone conclusion; it’s about considering the requirements, predicting the likely challenges and modelling how data will move through the system. It’s important to take a holistic view, not just focus on the technology or the hardware or the infrastructure. Often, when there has been a breach, it’s because the system was designed without an understanding of the potential threats or because the design had been driven without a proper understanding of security.

#2: Monitor your applications, data and infrastructure
It is essential that we are all proactive about security. Knowing immediately when a system is threatened or compromised is not only key to preventing large-scale breaches, it means you’re able to respond quickly. Some recent, high-profile incidents have seen organisations making public responses to breaches that they only discovered weeks or months after the fact. Not only does this damage confidence in the organisation, but when GDPR comes into force (May 2018) there will be a duty to report on incidents and the regulator will have real ‘teeth’ to act and issue fines.

Monitoring for breaches means auditing and logging data, access and activity and implementing systems to look for suspicious or unexpected activity. Of course, it also requires an effective system patching and upgrade regime.

#3: Access control and encryption
A ‘traditional’ approach to security would be to prevent change, use your own infrastructure and strictly limit access. For the highest levels of security, some of these remain the best option. However, for many solutions, the cost-benefit doesn’t stack up, and encryption and access control are the appropriate way to maintain data security. Best practice for authenticating users is to make users use multiple types of information to gain access (multi-factor authentication). This is the best way to combat phishing attacks where hackers attempt to steal a user’s credentials.

The use of multiple pieces of information or devices needs to be balanced against usability for the customer. We would recommend only using an additional factor to support the most sensitive transactions (such as setting up a new payment destination). However, it should definitely be used for highly privileged users (e.g. administrators).

#4: Security awareness in your organisation
After unpatched software, people are typically the weakest link in data security. Multi-factor authentication (see above) can address some of this ‘soft’ vulnerability but having employees that are alert to potential threats is a real barrier to attack. Additionally, it’s important to be aware that factors like coercion or the compromise of an individual can come into play, especially where there is a high value on the data being transmitted and stored. Combating insider threats mean giving only the appropriate, need-to-know level of access to each individual and ensuring all access is audited and monitored – something that should be considered in the security assessment and modelling process.

#5: C-Level commitment
Security needs to be a stakeholder in decision-making around digital transformation. The integrated nature of delivery for digital means that not only do your security team need to understand business requirements and direction, but your business team need to understand the security implications. We find that fostering close, effective dialogue to move as quickly as possible and seize opportunities, requires support and commitment from senior management.

To talk about the security implications for your own digital transformation, contact Civica today.