Every business wants to attract more customers, however an expanding customer base brings with it a potential increase in cyber security risks across your company. As a result of the COVID-19 pandemic, the use of all digital channels by consumers has rapidly expanded. From websites to social media, businesses had to quickly scale these channels to meet the demand – however, security was often lacking in the haste to do so.
“Enterprises have acted quickly to meet the additional demand for online interaction during the pandemic,” says Jim Allum, director of commercial and technical at Macro 4. “But any digital transformation initiative needs to consider end-to-end security and IT teams will be revisiting those short-term solutions to see how they can be strengthened.”
Attracting more customers is, of course, a competitive advantage no business will ever refuse. Securing these customers as they interact across the multiple digital touchpoints they now use is the challenge facing many enterprises. The current technology stack that is in place will potentially need to be overhauled and in some cases, older legacy systems that are still in place won't have robust security and privacy measures, such as multi-factor authentication.
Speaking to IT Pro, Tim Harrison, co-founder and director of WatchPilot, gives an overview of how his company approached the expansion of customer interactions and how this influences their approach to improving digital security.
“As an e-commerce business, our most valuable data assets are our customers' personal data and their associated financial information,” he says. “Our customers' credit card data is the most likely target of a cyberattack so should be guarded closely. As our business continues to grow, more people require access to our site. To mitigate the increased security risk, we seek to adopt a ‘least privilege’ principle by providing an appropriate level of store access only for that which is required [for them] to perform their jobs. We also plan audits on who has access, including any third-party apps, with a view to further increasing the security of our website.”
Paul McKay, principal analyst, Forrester, points out that how threat actors approach their attacks has also changed.
“From a customer security point of view, the big shift has been in the volume of customers now using digital channels as opposed to face-to-face stores or physical locations. This has increased the size of the prize somewhat,” he says. “As a result, we have seen an increase in attempts to disrupt these channels and ransomware attacks aimed at disruption and extortion of customer data from these firms. This is now expanding into sectors not traditionally thought of as targets, such as links in the supply chain such as JBS foods in the US, which cause harm as much as the ‘front-end.’”
New security landscapes
Businesses have been re-drawing their digital transformation roadmaps as the pandemic has continued. Considering how their enterprises will trade in a post-COVID-19 landscape means paying more attention to security. As consumer behaviour has shifted almost wholesale to digital channels, the threat surface that companies must now secure has expanded and diversified. What this means from a practical standpoint is that IT leaders are now widening their security remit.
Adam Phipps, cyber security manager at Walsall Housing Group (WHG), tells IT Pro how the Group approaches the security of its staff and customers. "In the last 18 months, Walsall Housing Group’s security strategies and practices have been tested like no other period,” he explains. “Our rapidly accelerated digital transformation programme that enables home working, opportunistic phishing campaigns, and the discontinuity of information security operations created the perfect storm in a COVID-19 disrupted world.”
“Understanding these challenges helps WHG identify what solutions are required,” Phipps continues. “We chose Trend Micro Vision One, which helps detect and correlate threats across endpoint, network, cloud, server, and email security, offering increased risk visibility and faster response times.”
When customer numbers expand, privacy and security compliance become even more critical. GDPR is now three years old and will potentially be joined by new EU legislation (the Digital Services and Digital Markets Acts) that would place more responsibilities on data ‘gatekeepers.’ A potential class-action lawsuit against Google for allegedly tracking millions of iPhones without their owners' consent in the UK again shifts how businesses should construct digital security services that protect their organisations and their customers.
Concern about possible group legal challenges is a core finding from Egress, which surveyed 250 UK security leaders and data protection officers, and 2,000 UK customers in May this year. It revealed that 90% of security leaders are concerned about class action by data subjects in the event of a severe data breach, whereas 85% are concerned about regulatory fines. And strikingly, nearly half (50%) of UK consumers would join a class action against a company that had misused or leaked their personal data.
“The greatest financial risk post breach no longer sits with the regulatory fines that could be issued,” says Lisa Forte, partner at Red Goat Cyber Security. “Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.”
Also, the European Commission recently gave details of its intention to regulate AI. As more businesses adopt this technology and apply this to their expanding customer bases, it could add another layer of regulation for them to comply with.
Forrester’s Paul McKay points to how authentication and identity are critical to the long term security of all businesses: “There is now a widespread recognition that getting security right is vital for customer trust as well as the organisation protecting its own revenue base and brand. Therefore, one of the biggest shifts we have seen is an increase in both focus on streamlining and modernising customer authentication processes in the customer identity access management (CIAM) space. Organisations are now focusing on making this a key part of their identity and access management (IAM) roadmaps."
Customer protection
One way that all businesses can improve their security is via education and training.
Neil Sinclair, national cyber lead at the Police Digital Security Centre in London, tells IT Pro: “In our experience as trainers, only about a third of UK employees receive regular email security training, while about a quarter of UK organisations are not providing regular employees with any cyber awareness training at all.”
As the use of digital channels by all consumers shows little sign of slowing, it's critical to have a comprehensive and integrated approach to security. As Phipps concludes, many cyber security challenges remain and it's how organisations react to these threats to keep their staff, networks, and customers safe that matters.
“WHG realises that there is no quick fix to the issues presented by the global pandemic. Even as society and businesses manage the health and humanitarian aspects, WHG, like so many organisations, has had to deal with the economic and operational fallout, which is creating financial and budget challenges for all companies’ information security operations in the mid-to long-term.
“The pandemic has opened the door to opportunistic threats, creating social engineering opportunities such as new phishing campaigns, which only enhances our requirements for increased spending on cyber defences.”
Post-COVID-19, the security landscape businesses and organisations face will continue to evolve. Consumers have continued to expand their use of all digital touchpoints. In this scenario, businesses need a multifaceted approach to security that ensures these channels are safe.
