Digital Convenience

Digital Convenience Threatens Cybersecurity 13/08/20 00:29
DIGITAL RESILIENCE
Digital Convenience
Threatens
Cybersecurity
Companies should act now to boost the cyber resilience of
seamless digital services.
Paul Mee and Rico Brandenburg • April 14, 2020 READING TIME: 6 MIN
This period in digital services is exhilarating — and
https://sloanreview.mit.edu/article/digital-convenience-threatens-cybersecurity/ Page 1 of 10
also terrifying. Connecting extensive and varied data

sources, networks, and machine-learning models
enables intimately interlinked service oDerings,
allowing people to pay bills, access health care, and
even cross borders using the technology of their
choice.
Seamless connectivity dramatically increases

convenience. Yet it also increases the number of
potential attack entry points — such as application
programming interfaces and third-party services —
signiGcantly raising the threat of cyberattacks that
put personal data at risk. In turn, the exploding
volume and concentration of personal data
stemming from greater automation and
personalization of products and services magniGes
the consequences of an attack.
Hackers in the past might have been limited to

dimming the lights in someone else’s house through
a smart-home device, but today’s cyberintruders
can crank up the heat, play music, even speak to
residents through devices’ security cameras. By
simply pointing a laser through a window, hackers
can commandeer virtual assistants, potentially
accessing personal digital accounts, credit cards,
and even connected medical devices, researchers
recently found.
Future digital exposure is expected to expand even
further. Automated voice assistants will arrange

date nights, business appointments, purchases, and
vacations. Once these services collect enough
information about a consumer’s preferences, they’ll
oDer suggestions and anticipate users’ needs. Voice
assistants have already come under attack, but
they’ll be even more dangerous where they hold
sensitive Gnancial, medical, or biometric data,
enabling potentially devastating damage from
breaches.
Digital services providers will need to assess

whether the additional convenience provided by
ever-smarter devices is worth the cybersecurity
damage risk. Here’s how to improve the cyber
resilience of the increasingly popular, increasingly
broad range of seamless digital services.
Employ a Data Liability

Lens
Unshared data cannot be bought, sold, shared, or
hacked, but any data shared is a liability for its
owner and the provider holding it. Consumers
should limit the amount of personal data they share
with services or on social media accounts, where
they can choose to post full names, birth dates, and
addresses. When social media is linked with other
online services, information can spread fast — and

malicious actors can use such basic information to
Gnd further data to access bank accounts, credit
cards, loans, investment products, and even
pensions.
As any customer-acquired data is potentially

vulnerable, the most eDective risk reduction strategy
is simple: Collect less data. Capture only the
information from customers that is critical to
delivering a service. Service providers should
contain their data requests and protect whatever
information they’re given.
Companies should weigh the potential gains of

collecting more customer data against the potential
risks and costs of protecting it. SigniGcant gains can
include the ability to provide highly personalized
shopping recommendations, tailored reward
oDerings, customized risk-based pricing of Gnancial
products and services, and specially made user
experiences for applications. But the costs of poorly
securing data can be signiGcant as well: Laws such
as the European General Data Protection Regulation
(GDPR) can impose Gnes of hundreds of millions of
dollars and force companies to pay aDected
individuals as much as $18,000 each in
compensation. Additionally, companies may
potentially suDer an average of $3.9 million in direct
costs from data breach consequences — everything

from downtime to lost business — according to a
survey conducted by IBM Security and Ponemon
Institute.
Embed Cybersecurity
Into Products and
Services
Greater interconnectivity has challenged the
traditional perimeter-defense model for
cybersecurity. Historically, cybersecurity has often
been treated as an afterthought — or worse, as an
additional expense. When vulnerabilities are
exposed, companies may try to create a secure
outer shell or give up. One retailer shut down its
mobile-payments app on the day of launch, after
hackers started draining money from customer
bank accounts.
A smarter approach is to insulate each stage of

every service and application — the internal
systems, processes, and databases — securely
segmenting access through the various steps of a
customer journey, rather than just at the beginning.
In the same way bulkheads create watertight
compartments in a ship, preventing a single breach
from booding the whole vessel, segmented access

limits cyberintruders to long hallways of locked
internal doors. Security by design, based on multiple
hardened shells, should be a core operating
principle. While it may be more expensive to build, it
is potentially much more eDective and can actually
reduce the cyber risk exposure of a given enterprise.
Beyond segmentation, data assets that represent

especially attractive hacking targets can be
bolstered behind additional layers of network
protection, identity veriGcation, and encryption.
Some particularly sensitive banking apps, for
example, require biometric authentication — facial
or Gngerprint recognition — even when a
smartphone is already unlocked. This combination
of security and convenience will become a key
competitive advantage as digital services spread
and become more interconnected, in the same way
that certain types of automobiles have become
popular thanks to their safety credentials.
Know Your Partners

As companies race to connect services, they
collaborate with numerous partners on any one
project, many of which may be new relationships in
unfamiliar industries. If any of these third parties
provide easier entry points for cybercriminals, then

even the best cybersecurity systems will be
undermined.
Buying a plane ticket, for example, involves an

airline, payment-processing Grms, third-party web
providers, and mobile-ticketing apps — all potential
entry points. Recently, a major global airline was
hacked, exposing hundreds of thousands of online
and mobile-payment records and leading to a Gne
for the airline of nearly $200 million. Experts believe
the hackers entered the airline’s database using
embedded third-party code.
Before rushing into partnerships, companies should

closely scrutinize the potential cyberdangers and
determine how to contain them. While there are
some particularly strong examples of third-party
cyber risk-management practices such as those
from the National Institute of Standards and
Technology, there are no common industrywide
frameworks for managing such third-party risks.
Companies, therefore, need to deGne and adapt
their own policies, rules, and standards.
Cybersecurity leaders use supply-chain cyber
dashboards and tools to monitor and quantify third-
party threats and defensive eDectiveness. They
carefully monitor data bows and permissions given
to outsiders, especially for access to critical or
valuable infrastructure such as safety and Gnance.
Cybersecurity
Innovation
Adopting the principle that companies should own
the risk for hacked card numbers and Gnancial
damages, customers have demanded ever-more
digital convenience — which many companies have
been happy to provide, providing mutual beneGts
from increasingly seamless digital services.
While consumers are beginning to realize that

interconnected digital services can raise the danger
of intrusions, companies too are starting to
recognize growing potential liabilities. When hackers
recently broke into a major social network’s
systems, they tapped into personal account data of
100 million people, including email addresses,
passwords, and network activity. The damage was
compounded as cybercriminals were also able to
access personal data from other social networks,
which users had imported by linking their accounts.
This kind of incident compromises both the
individuals whose data is stolen and the companies
concerned, which may lose business, suDer
reputation damage, and be held liable for
compensation.
Companies with perceived cybersecurity risks are

facing pressure from boards of directors and stock
analysts, with consequences for their valuations. But
beyond risk mitigation, there’s also an opportunity
for providers of digital services to stand out by
adding value through better protection of data.
Those businesses that develop the ability to mitigate
the cybersecurity risks that accompany seamless
digital services — by treating data as a liability and
addressing risks in both their own and their third
parties’ operations — will emerge as leaders in
digital convenience because they will be more
popular with customers in the long term.
Topics
Data & Analytics Digital Digital Business
Technology Implementation
Digital Resilience
Today, leaders across all business units must be able to answer a critical
question: How secure are we? This series examines how managers can build
digital resilience to compete in the new digital economy, where companies
need to protect against not only cyberattacks but also technical debt and
digital weak points within their infrastructure and teams.
See All Articles in This Series
ABOUT THE AUTHORS

Paul Mee (@pauldmee) and Rico Brandenburg
(@ricobrandenburg) lead the Oliver Wyman Forum’s
cybersecurity initiative and are both partners in Oliver
Wyman’s cybersecurity practice.
TAGS: Customer Data, Data Security, Digital Business, Risk
Management, Technology

Digital Convenience

Uploaded by

Copyright:

Available Formats

Digital Convenience

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Digital Convenience

Uploaded by

Copyright:

Available Formats

Digital Convenience Threatens Cybersecurity 13/08/20 00:29

This period in digital services is exhilarating — and

also terrifying. Connecting extensive and varied data

Seamless connectivity dramatically increases

Hackers in the past might have been limited to

Future digital exposure is expected to expand even

further. Automated voice assistants will arrange

Digital services providers will need to assess

Employ a Data Liability

online services, information can spread fast — and

As any customer-acquired data is potentially

Companies should weigh the potential gains of

costs from data breach consequences — everything

A smarter approach is to insulate each stage of

from booding the whole vessel, segmented access

Beyond segmentation, data assets that represent

Know Your Partners

provide easier entry points for cybercriminals, then

Buying a plane ticket, for example, involves an

Before rushing into partnerships, companies should

valuable infrastructure such as safety and Gnance.

While consumers are beginning to realize that

Companies with perceived cybersecurity risks are

Data & Analytics Digital Digital Business

See All Articles in This Series

ABOUT THE AUTHORS

Wyman’s cybersecurity practice.

TAGS: Customer Data, Data Security, Digital Business, Risk

You might also like