Sign In

Communications of the ACM

ACM News

Cyber Risk in Digital Transformation

View as: Print Mobile App Share:
Aspects of Digital Transformation

One study warns that organizations that rush to the cloud and third-party relationships to accelerate digital projects invite attacks via unsecured cloud environments and poorly vetted vendors.


Organizations globally are engaged in Digital Transformation (DX), a sort of cyber-industrial revolution promising digital automation and operational agility. According to Salesforce, "Digital Transformation uses digital technologies to create new—or modify existing—business processes, culture, and customer experiences to meet changing business and market requirements."

In a recent use case, Bed, Bath, and Beyond applied Digital Transformation to add same-day delivery services, buy-online-pickup-in-store, and contactless curbside pickup. The new services are attractive to customers, and are possible thanks to digital change.

Yet rapid, unbridled Digital Transformation adds cybersecurity risks. According to a Ponemon Institute report, organizations that rush to the cloud and third-party (vendor) relationships to accelerate digital projects invite attacks via unsecured cloud environments and poorly vetted vendors.

The pandemic was just cause for our digital cloud stampede, but the success of Work From Home has been seminal for attacks that leapfrog to the cloud. According to Tim Rawlins, senior adviser, NCC Group, a large global security consultancy, many organizations that responded to COVID-19 by rapidly enabling Work From Home took on new cloud services without their normal levels of due diligence around security and resilience.

Third parties enable companies to quickly graft in new digital capabilities, rather than needing to grow their own, but they've got to do their diligence or suffer the consequences. According to Rawlins, with organizations seeking useful third-party capabilities, it is tempting for them to choose the latest offering incorporating machine learning, artificial intelligence, and blockchain without understanding the attack surface.

According to McKinsey & Company, digital transformation without sufficient security exposes customer data to breach risks. McKinsey further cites vulnerabilities in customer-facing Web applications and integrations with the public cloud as cyber risks from digital transformation efforts.

Vulnerabilities in Web applications often spring from software development errors. According to Rawlins, organizations use Digital Transformation to better engage customers with increased personalization and faster Web application response times. However, Rawlins warns, when companies rush rapid prototyping, developers make mistakes, effective software testing does not happen, and hostile adversaries use the resulting vulnerabilities to put the customer and the organization at risk.

The public cloud is notoriously risky due to multitenancy, but organizations can move to the public cloud so fast that they may forget to loop in security in the first place. According to Bryan Harper, manager of Schellman & Company, LLC, a global independent security and privacy compliance assessor, when integrating with public clouds, if organizations change the intended use of the migrated system without telling the security architects, it can cause cybersecurity issues.

It is one thing to mull data breach maybes, and another to recall digital transformation nightmares that came true. In July 2019, a software engineer hacked a cloud-hosted Capital One server, stealing the personal data of more than 100 million customers, according to several news reports.

According to Richard Blech, founder of XSOC Corp., which describes itself as an "innovator and developer of extensible, adaptive, and quantum-safe cryptosystems and encryption key transport systems," Capital One went all-in on the cloud and digital transformation, which laid the foundation for personalized experiences for its consumers.

According to Security Boulevard, at the time of the breach, Capital One was a Digital Transformation leader, an example organizations followed. Yet somewhere in its race to cloud-first achievement, it left the keys to the kingdom dangling. A Massachusetts Institute of Technology Sloan School of Management study found that "Capital One had insufficient Identity and Access Management (IAM) controls for the environment that was hacked."

The Office of the Comptroller of the Currency of the U.S. Department of the Treasury required Capital One to pay a civil penalty of $80 million related to the breach.

In December 2020, news broke that nine U.S. government agencies and 100 companies took a wrong turn in their digital transformation journey. According to Wired, the Department of Homeland Security and the Department of Defense were among organizations that suffered data exfiltration, espionage, and reconnaissance under Russia's infamous SolarWinds supply-chain attack.

According to Anurag Gurtu, chief product officer (CPO) of StrikeReady, a cloud-based security operations and management company, SolarWinds customers were using the company's integrated management solution for on-premises, hybrid, and software-as-a-service (SaaS) environments in their digital transformation efforts.

According to CPO Magazine, customers' vulnerabilities to the SolarWinds hack included Single Sign-On (SSO) systems that granted too much access, weak MFA, and a lack of scrutiny of SolarWinds software updates, all of which go against the increasingly accepted Zero Trust cybersecurity approach.

The ultimate cost of cybersecurity oversights in the SolarWinds hack is undetermined. Nation-state hackers do reconnaissance missions for a reason—to prepare for future attacks. According to The New York Times, the cybercriminals may have secured backdoor access into the companies and agencies they breached. Who knows where those security holes lie, when the hackers will be back, and what the aftermath will be then?


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.


No entries found