Are they out to get you?
As the race to digital transformation heats up, Gareth Williams takes a behind-the-scenes look at some of the well-documented but little-publicised dangers of digital transformation.
As far back as a couple of years ago, Tech Pro Research reported that 70% of businesses that responded to its survey claimed to either have a digital transformation strategy in place or were working on one. Even considering the peculiarly vague response of ‘working on one’, that’s a lot of investment. Before we get into the detail, here’s a snapshot of where we are now.
According to idgesg.net, 40% (around $2 trillion) of all technology spending is going on digital transformation. IDC, in its report FutureScape: Worldwide Digital Transformation 2020 Predictions, predicts that the global spend will rise to an estimated $7.4 trillion by 2022. It’s easy to see why.
Most digital transformations are driven by growth opportunities, followed by increased competitive pressure and new regulatory standards. A poll of ‘digital transformers’ (ptc.com) revealed that the top benefits expected from DX are: an improvement of operational efficiency (40%), a faster time to market (36%) and meeting customer expectations (35%). Another report, this time from idg.com, reported that the top five technologies already implemented to help realise these ambitions include big data/analytics (58%), mobile technology (59%), and APIs and embeddable tech (40%).
Perhaps unsurprisingly, additional research by IDC, published in its Digital Transformation Spending Guide, shows that the financial services sector will see the fastest overall growth in spend on digital transformation, with investment by banking, insurance, and security and investment services forecast to grow at a CAGR (compound annual growth rate) of nearly 20% over the forecast period. The services sector, which includes industries like retail and professional services, is expected to be close behind with around 18.0% CAGR.
These figures are dwarfed, however, by the manufacturing sector. IDC expects manufacturing to account for nearly 30% of the worldwide total spend, due largely to investments in connecting operational technology to information technology, and implementing robotic process automation, other automated operations and processes, robotic manufacturing and the like.
Wherever you look, whoever you talk to, it’s obvious that connectivity is key. According to ptc.com, 60% of executives say the Internet of Things will play a critical role in their digital business strategy. Remember that number: 60%. We’ll be coming back to it.
Everyone agrees that serious businesses are making serious investments for this once-in-a-lifetime opportunity. But there are serious risks, too, about which we hear far less. And that’s where you need to take a long, hard look at cyber security and make sure that your digital transformation is based on rock-solid foundations.
Let’s be clear, you will be attacked many times, far more than ever before, and the risk of an attack being successful is high. The unhappy fact is that the bright and promising new digital landscape of Industry 4.0 comes with novel and abundant cyber security weaknesses, which probably aren’t even on your radar.
Cyber-attacks are at an all-time high
Depending on who you ask, the actual and predicted numbers, frequency and severity of cyber-attacks vary noticeably. That said, they are all, without exception, worryingly high and on an upward trajectory. And as the world hastens to digitally transform on the journey to Industry 4.0, it is clear that there will be some eye-wateringly painful, perhaps catastrophic failures.
Even a couple of years ago, UK businesses suffered more than 30 million cyber-attacks. That’s more than 80,000 cyber-attacks every single day. Independent research by Beaming revealed that the number of internet-borne attacks in 2019 was 152% higher than the preceding year, commenting that ‘on average, cybercriminals from around the world subjected UK businesses to 66 different attacks every hour during 2019.’
At the time of writing this, we were less than halfway into 2020, but no one is suggesting anything other than a relentless rise in cyber-crime even during or, most likely, because of the global pandemic. Phishing and other cyber-attacks, often featuring fake medical suppliers and organisations such as the World Health Organisation, are widely in evidence. Many of these are petty frauds selling non-existent hand sanitisers, face masks and the like. But a ransomware attack such as that which crippled the NHS in 2017 is surely just a heartbeat away.
As more business infrastructure gets connected, the global cost of online crime is expected to reach, according to Cyber Security Ventures, $6 trillion by 2021. That’s greater than the cost of all natural disasters in a year and more than the global trade of all illegal drugs.
In case you’re wondering, Statista estimated the average cost of a cyber-attack in the UK in 2018 was $11.46 million. That’s less than the average cost of successful cyber attacks in the USA and, marginally, Japan and Germany but more than any of the others it surveyed. We’re an attractive target, it seems.
So how bad is it?
To a lay spectator, it must be puzzling that some of these attacks are succeeding against tech-savvy businesses which are (or at least should be) at the very top of their game. Famous brands such as Adidas, Boots, eBay, Equifax, LinkedIn, FedEx, the National Health Service, Maersk, Delta Airlines, Kmart, YouTube and, in 2020, Boots and Tesco Clubcard, have all been successfully attacked. How is this even possible?
Cyber security for IT systems is well-understood. It’s as old as, well, it’s as old as cyber-attacks, I suppose. Yet we see on the news that attackers ranging from friendless teenage cyber-geeks through to well-organised crime syndicates, and beyond to hostile nation states, are all apparently able to waltz through the networks of their choice with impunity, inflicting terrible damage. So, what’s to be done?
In truth, and when one takes a calmer look beyond these OMG headlines, the overwhelming majority of attempted attacks are easily defeated and unsuccessful (although the thoughtful reader might well suspect that the number of successful attacks is somewhat underreported).
Leaving such cynicism aside, it seems that the huge majority of cyber ‘incidents’ rarely come close to morphing into full-scale cyber ‘events’, and we can be sure that IT cyber security is of a generally high standard – enough to foil all but the most determined attacks unless there is a human element involved. That’s true of attacks against IT systems, anyway. But what happens when we add operational technology and the Internet of Things which, as you’ll remember, ‘60% of executives say will play a critical role in their digital business strategy’?
The risks of connecting Operational Technology
Connecting Operational Technology to Information Technology is an essential step on the journey to DX. It’s what puts the ‘Industry’ in ‘Industry 4.0’. Of course, that’s not a new thought - industry commentators have been saying it for years. What is less widely reported, however, is the substantially increased risk of cyber-attack.
Operational technology, which is typically old and often only dimly understood by IT cyber security specialists, presents a whole host of new risks. So when it comes to connecting OT and IT to harvest the wealth of data that you want to exploit, you’d better find a partner which not only understands how to implement, monitor and protect your IT systems, but which has good, old-fashioned engineering expertise, too.
It is cyber-attacks against OT that will land the knockout punch, and you won’t even see it coming.
Hiscox calculated that the financial loss attributed to successful hacks has risen by 61%, with attackers now considering Internet of Things devices to be easy, high value targets. Bluntly, the more you connect, the greater the risk. Keep that in mind when you’re working out how to connect to your operational technology. You might be in for a bumpy ride.
Here’s another number for you: a survey by Ponemon Institute and Tenable revealed that 90% of OT organizations admitted that their environments have been damaged by at least one cyber-attack over the past two years, with 62% experiencing two or more attacks.
Investing to protect your future
Clearly, the world is well on its way to Industry 4.0. Yet, according to technology researcher Canalys, cyber security accounts for only 2% of total IT expenditure. 2%! At the risk of being accused of special pleading, I find that figure shocking at a time when we know that cyber-attacks are at an all-time high and growing faster than ever.
Technology budgets, which equate to only 3.3% of overall revenue, go to business operations (57%), incremental business change (26%) and business innovation (16%). In other words, businesses are investing 2% of 3.3% of their overall revenue in cyber security. That’s just 0.066% of total revenue to defend against tens of thousands of attacks, with an average loss of $11.46 million when one succeeds. One day, the luck will run out.
So, what do we have? Enterprises around the world are racing to connect their OT and IT as they move into the largely unmapped digital landscape of Industry 4.0. The majority of these are looking at the Internet of Things to achieve their business objectives. Even quite small factories have thousands of data points to connect. The number of cyber-attacks on OT and IT and the damage that they are causing are on a steady upward trajectory. And IT security and OT security are separate disciplines.
But here’s the kicker: according to Cisco, 50% of the security risk that organizations face stems from having multiple security vendors and products.
Digital transformation, I think, is a good thing. Like the industrial revolutions that preceded it, this fourth revolution will be a historical milestone. It is rare that we get the chance to make such a profound socio-economic transition which inarguably benefits businesses, individuals and society as a whole. Industry 4.0 is now within our reach. We will get there. But, before we do, we all need to take a long, hard look at the real but rarely mentioned security risks as we continue to invest in digital transformation.