Embrace of New Technology Adds Further Cyber Risk Complexity
Businesses are enthusiastically embracing technological innovation, and most say the benefits outweigh any risks. But assessment of cyber risk associated with new and transformative technologies is not as rigorous and continual as it should be, according to our 2019 Global Cyber Risk Perception Survey.
More than three-quarters of 2019 survey respondents are adopting or considering at least one innovative operational technology — including cloud computing, proprietary digital products, and connected devices/IoT.
Even traditional sectors such as manufacturing expect almost 50% of the products they develop to be “smart” or “connected” in some way by 2020, opening up new revenue streams in data-driven services.
Cybersecurity challenges can manifest whenever new technology is integrated into business infrastructure, bringing new and additional complexity to an organization’s technology footprint.
The security risks and exposures presented by new technologies must be weighed against the potential transformative business effects, and risk tolerance varies both by industry and by individual company.
New Technology: The Opportunity / Risk Spectrum
Asked where their own organization falls on the new technology risk/benefit spectrum, half of respondents stated that cyber risk is almost never a barrier to new technology adoption, and a quarter of respondents had no strong views on the issue.
The prevailing preference is to embrace digital transformation despite potential security issues.
Still, 23% of respondents said that most new technologies present risks that may outweigh the potential benefits and opportunities. This risk aversion was especially common among smaller firms (annual revenues under $100 million), regardless of sector.
Despite the enthusiasm for new and emerging technologies, there was uncertainty about the degree of associated risks.
Cloud computing elicited the fewest “don’t know” responses regarding the degree of associated cyber risk (12%), while blockchain had the highest (37%).
The greatest uncertainty was expressed about the newest or most autonomous technology developments.
Need for Continual Risk Assessment
Assessment of cyber security risk is too often seen as an event that occurs at a single point in time — often, the initial exploration and testing stage — rather than a continuous evaluation at multiple stages of implementation.
Only 36% of organizations reported examining potential risks of new technology both before and after adoption, and just 5% said they evaluate cyber risk at every stage in the technology lifecycle.
Notably, the select group of organizations that evaluate cyber risks continuously throughout new technology implementation are also much more confident in their capabilities to manage or respond to cyber-attacks.
Armed with timely knowledge of potential security weaknesses or exposures, they are positioned to implement real-time improvements and develop contingency plans to manage risks involving these systems.
Trust in Technology Vendors
Assessment of new technology cyber risk is closely associated with the trust that organizations have — or lack — in the vendors that supply those technologies.
Innovative technologies do not necessarily add new cyber exposures to the organizations that adopt them.
Some innovative technologies may add new risks if they have not been built in accordance with optimal security standards, but in many cases, security is factored by design into the development of the technology or device.
One-third of organizations assume that technology vendors have already considered all relevant cyber risks and that further verification is unnecessary.
The converse view is not significantly more common: 40% of respondents said they “always perform their own due diligence” to verify vendors’ security claims and built-in protections for new technology.
Every company necessarily relies on a certain level of trust in its relationships with vendors and suppliers.
However, given the potential importance of technology platforms and services to core assets and operations, a rigorous, trust-but-verify stance can help ensure the validity and adequacy of protections pledged by third-party providers.
This heightened vigilance is especially important where new digital processes will be inherent to firms’ business models.
Read the full 2019 Cyber Survey Report produced in partnership with Microsoft.