This article was originally published April 14, 2020 in the MIT Sloan Management Review.
This period in digital services is exhilarating — and also terrifying. Connecting extensive and varied data sources, networks, and machine-learning models enables intimately interlinked service offerings, allowing people to pay bills, access health care, and even cross borders using the technology of their choice.
Seamless connectivity dramatically increases convenience. Yet it also increases the number of potential attack entry points — such as application programming interfaces and third-party services — significantly raising the threat of cyberattacks that put personal data at risk. In turn, the exploding volume and concentration of personal data stemming from greater automation and personalization of products and services magnifies the consequences of an attack.
Hackers in the past might have been limited to dimming the lights in someone else’s house through a smart-home device, but today’s cyberintruders can crank up the heat, play music, even speak to residents through devices’ security cameras. By simply pointing a laser through a window, hackers can commandeer virtual assistants, potentially accessing personal digital accounts, credit cards, and even connected medical devices, researchers recently found.
Future digital exposure is expected to expand even further. Automated voice assistants will arrange date nights, business appointments, purchases, and vacations. Once these services collect enough information about a consumer’s preferences, they’ll offer suggestions and anticipate users’ needs. Voice assistants have already come under attack, but they’ll be even more dangerous where they hold sensitive financial, medical, or biometric data, enabling potentially devastating damage from breaches.
Digital services providers will need to assess whether the additional convenience provided by ever-smarter devices is worth the cybersecurity damage risk. Here’s how to improve the cyber resilience of the increasingly popular, increasingly broad range of seamless digital services.
Employ A Data Liability Lens
Unshared data cannot be bought, sold, shared, or hacked, but any data shared is a liability for its owner and the provider holding it. Consumers should limit the amount of personal data they share with services or on social media accounts, where they can choose to post full names, birth dates, and addresses. When social media is linked with other online services, information can spread fast — and malicious actors can use such basic information to find further data to access bank accounts, credit cards, loans, investment products, and even pensions.
As any customer-acquired data is potentially vulnerable, the most effective risk reduction strategy is simple: Collect less data. Capture only the information from customers that is critical to delivering a service. Service providers should contain their data requests and protect whatever information they’re given.
Companies should weigh the potential gains of collecting more customer data against the potential risks and costs of protecting it. Significant gains can include the ability to provide highly personalized shopping recommendations, tailored reward offerings, customized risk-based pricing of financial products and services, and purpose-built user experiences for applications. But the costs of poorly securing data can be significant as well: Laws such as the European General Data Protection Regulation (GDPR) can impose fines of hundreds of millions of dollars and force companies to pay affected individuals as much as $18,000 each in compensation. Additionally, companies may potentially suffer an average of $3.9 million in direct costs from data breach consequences — everything from downtime to lost business — according to a survey conducted by IBM Security and Ponemon Institute.
Embed Cybersecurity Into Products and Services
Greater interconnectivity has challenged the traditional perimeter-defense model for cybersecurity. Historically, cybersecurity has often been treated as an afterthought — or worse, as an additional expense. When vulnerabilities are exposed, companies may try to create a secure outer shell or abandon the offering altogether. One retailer shut down its mobile-payments app on the day of launch, after hackers started draining money from customer bank accounts.
A smarter approach is to insulate each stage of every service and application — the internal systems, processes, and databases — securely segmenting access through the various steps of a customer journey, rather than just at the beginning. In the same way bulkheads create watertight compartments in a ship, preventing a single breach from flooding the whole vessel, segmented access limits cyberintruders to long hallways of locked internal doors. Security by design, based on multiple hardened shells, should be a core operating principle. While it may be more expensive to build, it is potentially much more effective and can actually reduce the cyber risk exposure of a given enterprise.
Beyond segmentation, data assets that represent especially attractive hacking targets can be bolstered behind additional layers of network protection, identity verification, and encryption. Some particularly sensitive banking apps, for example, require biometric authentication — facial or fingerprint recognition — even when a smartphone is already unlocked. This combination of security and convenience will become a key competitive advantage as digital services spread and become more interconnected, in the same way that certain types of automobiles have become popular thanks to their safety credentials.
Know Your Partners
As companies race to connect services, they collaborate with numerous partners on any one project, many of which may be new relationships in unfamiliar industries. If any of these third parties provides an easier entry point for cybercriminals, then even the best cybersecurity systems will be undermined.
Buying a plane ticket, for example, involves an airline, payment-processing firms, third-party web providers, and mobile-ticketing apps — all potential entry points. Recently, a major global airline was hacked, exposing hundreds of thousands of online and mobile-payment records and leading to a fine for the airline of nearly $200 million. Experts believe the hackers entered the airline’s database using embedded third-party code.
Before rushing into partnerships, companies should closely scrutinize the potential cyberdangers and determine how to contain them. While there are some particularly strong examples of third-party cyber risk-management practices, such as those from the National Institute of Standards and Technology, there are no common industrywide frameworks for managing such third-party risks. Companies, therefore, need to define and adapt their own policies, rules, and standards. Cybersecurity leaders use supply-chain cyber dashboards and tools to monitor and quantify third-party threats and defensive effectiveness. They carefully monitor data flows and permissions given to outsiders, especially for access to critical or valuable infrastructure such as safety and financial systems.
Adopting the principle that companies should own the risk for hacked card numbers and financial damages, customers have demanded ever-more digital convenience — which many companies have been happy to supply, yielding mutual benefits from increasingly seamless digital services.
While consumers are beginning to realize that interconnected digital services can raise the danger of intrusions, companies, too, are starting to recognize growing potential liabilities. When hackers recently broke into a major social network’s systems, they tapped into personal account data of 100 million people, including email addresses, passwords, and network activity. The damage was compounded as cybercriminals were also able to access personal data from other social networks, which users had imported by linking their accounts. This kind of incident compromises both the individuals whose data is stolen and the companies concerned, which may lose business, suffer reputation damage, and be held liable for compensation.
Companies with perceived cybersecurity risks are facing pressure from boards of directors and stock analysts, with consequences for their valuations. But beyond risk mitigation, there’s also an opportunity for providers of digital services to stand out by adding value through better protection of data. Those businesses that develop the ability to mitigate the cybersecurity risks that accompany seamless digital services — by treating data as a liability and addressing risks in both their own and their third parties’ operations — will emerge as leaders in digital convenience because they will be more popular with customers in the long term.