Radware

The security risk in change

21 October 2020 | Mike O’Malley

Mike O’Malley

Blog Author | Guest contributor

Cover

Creating a Covid resilient company could be a security risk. Mike O’Malley, VP of carrier services at Radware, shares his golden rules for secure digitalisation

As we start to see nations around the world review their rules for managing Covid-19 so we are reminded it could be a bleak winter. Discouraging people from commuting and instead staying at home to work is a reality for a further six months, at least in England. Boardrooms had in part planned for this with 80% of companies stating in the summer that they intended to maintain home working for at least a quarter of their staff for the foreseeable future.

Companies now face the challenge of helping people make a more permanent adjustment. Making sure people have the means to communicate and can collaborate has been, and will continue to be, a major emphasis for keeping people connected and learning, and propagating ideas and innovation. The life blood of any business.

Innovation has been crucial to the continuation of trading during the pandemic, indeed creating a contactless economy to include ecommerce, different delivery models and home working, has had a positive impact for 56% of companies.

Consumers witnessed the rapid shift. Larger online catalogues, subscription models, delivery partnerships between garden suppliers and supermarkets, more ‘drop box’ style delivery and return options, mobile apps for ordering food to avoid handling cash. You name it, innovations that have been talked about as possible in the coming years landed in months.

Changes become permanent

But for many it was done in haste, with two thirds of companies shifting far sooner than planned to the cloud. It was undoubtedly worth it. The cloud mobilised ideas and by accelerating their digital transformation plans companies could open up new business models and overcome the economic shock. It’s no surprise that the biggest move to the cloud happened in the retail sector.

Before the announcement on tighter restrictions, 83% of execs said they expected the changes they made to people, process and applications to become permanent. I wonder how close to 100% that might be now? The ability to keep people productive, and help consumers get what they want and pay for it quickly has visibly helped distinguish between the brands that can ride the storm and those that will struggle. Adapting technology strategies to adapt to the future challenges is now critical.

A growing security gap

Of course, it’s not easy to flick a switch when it comes to technology. It takes significant amounts of planning, integration and testing to get it right. While the outcomes for the consumer and the business may have been positive, execs said that rapid adoption of cloud technologies widened the security gap too. In fact, some 40% of companies said they suffered more cyber-attacks since the pandemic than before, and a third became reliant on their cloud partner for security.

Strategic planned change always comes with an element of risk. There’s always the potential for markets to wobble, consumer confidence to dip, a competitor to steal your thunder. However, this year has been about survival of the fittest and the pressure to respond required faster roll outs – sometimes making two year projects happen in two months - or tearing up plans and starting again.

Faced with launching an online sales model in weeks with minimal testing or waiting until it was watertight will have been a tough debate in the boardroom. Time is after all money.

I’m pretty sure, in fact I know, corners will have been cut. Not every company will have launched the optimum customer experience. In some cases, it will have been ‘ok’ for launch with the proviso that adjustments are made after launch. Sadly, experience tells me that ‘ok’ will have been the benchmark for security too.

It’s at this point promises are made to retro fit security, fix the vulnerabilities, check there isn’t a way into the customer data, billing systems and so on. But how many companies have the time to look back at decisions made in haste? We are about to face one of the toughest economic winters on record, maintaining momentum is critical.

However, in the same breath you can argue that momentum is as much about innovation and great service and products, as it is about staying available. If you are hit by a denial of service attack that takes your website down, or a bot attack that freezes your inventory then no amount of innovation can save you. The damage to the brand is done.

So, while the courage to try new things, adopt new applications and move to the cloud should be applauded, it can’t be understated how important it is to secure it all. For some companies the attack surface of the network and apps will have doubled or more in the last few months as more things are remotely accessed and in the cloud. The scale reflects the investment and struggle going on. But hackers know this and there’s nothing more they love than ambitious, high speed projects, mixed with an environment of chaos to capitalise on. 

They will find the weaknesses. They will exploit a patch before it can be applied, they will run phishing campaigns to trap newly remote employees, they will launch attacks on new public cloud workloads. Companies need to be ready for this and ensure that their cloud is not a weak link.

Rules to follow

There are a few golden rules to apply to all decisions being made now and they should always start with the level of risk a technology poses to data and IP. If the risk is very low then securing it can fall lower down the to do list, but if it integrates with other technology that is linked to highly sensitive data then it has to be secured, right away.

Equally, it’s really important to consider what risk the development cycle introduces. A DevSecOps model, where security is part and parcel of application design and delivery, provides a much better outlook for keeping the network and its assets secure.  

Next is to consider the capability in place to detect and mitigate attacks in real time. It can be the difference between a GDPR fine and a thriving delivery business. But it has to be supported by people who can plan the security strategy and anticipate the security requirements as the business evolves and adopts new technologies. When budgets are under pressure this forward looking capability can be easy to cut. However, there are numerous cases where security teams kept the business going under attack, and the consumer was none the wiser.

As that’s at the heart of the debate any board should be having. Right now, consumers need to be wise to a business’ proposition not question if the brand takes their personal security seriously. Any business that puts that front and centre of their technology decision making will create a business that’s not only secure but successful.