Analysis
Deloitte Cyber Industry Insights: Read the latest
In this series, Deloitte Cyber leaders explore the hot topics and most pressing cyber challenges facing organizations and governments today – from an industry perspective. Come back often for the latest recommendations on what your organization can do to empower your people for the future through understanding, connection and trust.
The SolarWinds wake-up call: Why it’s time to tackle concentration risks
In late 2020, SolarWinds, a software company with over 300,000 customers, issued a notification that potentially 18,000 customers had downloaded a flagship product that may have been infected with malicious code giving threat actors backdoor access into their systems. This led a slew of high-level government agencies and major corporations across North America, Europe, Asia, and the Middle East to check whether their networks may have been exposed by suspected nation-state threat actors.
During the COVID-19 pandemic, the high volume of ransomware attacks, highly public data thefts, and concerns about remote system breaches have become more prominent. Cybercriminals and advanced persistent threat (APT) groups consistently target even the most secure environments. Despite the higher threshold to hack these environments, the payoff is considerable: rather than gaining access to one or several backend systems, this approach can give them entry to an entire industry or geography. This has led CISOs and their teams to prioritize their resources.
As many organizations identify these potential cyber risks, there is a need for the right approach to minimize overall impact and design an industrious crisis response system for a more secure future.
Want to retain customer loyalty in an Open Banking world? Start by building trusted digital relationships.
The financial services sector is experiencing rapid change as Open Banking becomes more prevalent. The world’s banks are finding themselves ceding market share to a growing number of non-traditional banking institutions, captive finance companies, and fintech firms. Consumers have increased access to financial services and are becoming more vocal in their demands that businesses and governments adhere to the highest standards of integrity. As banks attempt to maintain their market share, there is a definite focus on creating an unparalleled customer experience through understanding the customer journey and providing customized solutions. This also makes it vital for banks to build trust with their customers by protecting customer data and identity.
Cybersecurity provides a systemic promise to create an environment that makes it safe for people to bank. Identity management plays a large role in enabling banks to effectively verify and authenticate consumers, safeguard consumer data when gathering marketing intelligence, and even create new revenue streams.
The pointlessness of pointing fingers: Can business, IT, and OT stakeholders play nice?
Things are changing radically in the energy, resources, and industrial (ER&I) space. Industry 4.0 and the emergence of autonomous systems powered by data, analytics, and AI have led to an unprecedented wave of transformation. A growing number of mergers, acquisitions, and divestitures, a rising number of cyber incidents, and a greater board focus on cyber maturity are all impacting this industry.
There is an imperative to find innovative solutions to address rampant challenges—ranging from improved environmental performance to more collaborative community relationships—that are altering operational realities. And the spread of COVID-19 has only accelerated this trend, forcing organizations to transition to remote work at breakneck speeds.
There is also a conflict between the digital teams championing these new initiatives and the operational technology (OT) teams expected to operationalize them. Although cultural clashes between IT (Information Technology) and OT have been ubiquitous, the fallout threatens to cause more than just productivity challenges. It also opens enterprises up to higher levels of cyber risk. It is imperative that along with IT/OT integration, organizations develop a security governance framework that permeates the enterprise—from the boardroom to the shop floor.
Solving the public sector identity crisis: It’s time for governments to get serious about digital identities
Even though we have come a long way from physically standing in a queue in government offices for transactional services, there is considerable work to be done before governments can deliver fully digital citizen services experiences. The pandemic has arguably condensed the digital innovation journey from ten years to six months, and this transition towards e-government has been haphazard at best. Despite the technology available to shift to digital channels, most governments lack the resources, capacity, and knowledge to validate and protect their citizens’ digital identities.
As countless agencies launched isolated initiatives, citizens were presented with a mishmash of access points that required them to set up unique user accounts and tolerate multiple layers of credential checks. A lack of robust security postures has made it difficult for governments to protect their citizens’ identities and personal information and provide a seamless digital transformation experience. Chief Information Security Officers (CISOs) across government sectors implicitly understand that passwords alone are insufficient protection against cybercriminals.
Rather than simply developing solutions that give users easier access to sensitive online services while leaving private data inadequately protected in the process, industries need to adopt strategies to simplify authentication and enable the digital exchange of verifiable identity-linked information of any kind. This requires governments to think more carefully about how they can reduce the need to store citizen data by empowering citizens to directly own and control that data.
Are vaccine credentials the next vector for cyber risks?
Following the formulation by the pharmaceutical industry of several viable vaccines to combat COVID-19, the prospect for a return to some semblance of normality is on the horizon. By stemming the spread of the virus, the hope is that vaccines will enable people to return to work, head back to restaurants and retail stores, attend public events, and recommence travel. Implicit in these assumptions is the idea that people will be issued some kind of vaccine certificate they can use to establish proof of vaccination. It seems simple in theory. In practice, however, vaccine credentials are fraught with a wide range of complexities, many of which link back to cybersecurity concerns.
The two main challenges? The imperative to create digital versions of these certificates in addition to a secure paper-based solution, and the requirement to make the credential both interoperable and capable of being shared with third parties globally. In essence, this means a digital proof-of-vaccination issued to a traveler in the UK must have the ability to be accepted and trusted by government authorities and private businesses in Singapore or Australia if it is to drive the benefits required to reopen the global economy.
To bridge the gap between the need for a vaccine certificate and the protection of an individual’s digital identity (not to mention their privacy), governments, consortia, healthcare organizations, and the private sector are rapidly coming together to vault several hurdles in the current race against the clock. Here we set out just some of the issues that will need to be addressed in relatively short order—with the caveat that this is only the start of the conversation.