Cybercrime is still a major business risk in 2020

It is already 2020. Many organisations set ambitious IT goals two or three years ago with this year in mind. Marnix Pilon, Kevin Hermes and Dennis Wustefeld, consultants at Improven, evaluate what has come of those ambitions and what will be high on the agendas of CIOs and IT managers in the coming period.

Which topics have been high on IT decision-makers' action lists in recent years?

"The majority of Dutch organisations have long viewed cybercrime and the protection of critical business information as key business risks," says Wustefeld. "This is followed by risks related to changing laws and regulations and growing economic uncertainty. Information security will continue to be the number one concern in 2020."

Why is it that efforts in recent years have failed to reduce digital risks?

Pilon: "This is partly due to the speed at which working via the Cloud has grown in recent years. Nobody could have foreseen that it would go so fast. Young employees reinforce this trend. They are so used to location-independent working, also in their private lives. The new digital way of working is often implemented under great time pressure in order not to fall behind, while many organisations have not yet updated their IT strategy and IT policy to this development."

Do you have an example of this growing imbalance between innovation and IT strategy and policy?

Hermes: "The way Google Drive, Dropbox and Gmail have taken flight is a good example. It is easy to link business accounts to these apps and use them to access your documents and emails anytime, anywhere. That this information then mostly falls under US law and outside European legislation (GDPR) is still insufficiently realised by organisations. A second example is the bring-your-own-device principle, which is gaining popularity within more and more organisations. There is a proliferation of formally unapproved IT resources, or 'shadow IT'. For instance, non-business WhatsApp is regularly used for work-related activities, while this app does not have the desired security level of the business environment. Unfortunately, with rapid innovation, the following often applies: greater ease of use, but also greater security risk."

But why are these kinds of vulnerabilities so risky?

"For many organisations, it has long since ceased to be about a set of customer data accidentally left at a printer or a memory stick someone left in the car or train," says Wustefeld. "Information can be exchanged so easily and so quickly these days that incidents are also becoming increasingly extensive and damaging to the organisation itself. Extorting organisations with their own stolen information has become a business model for criminals. Major data leaks are unfortunately the order of the day and often big news. It can even lead to the downfall of an organisation."

What does this mean for businesses?

Hermes: "Avoiding this adequately really requires changes at the core of organisations. Organisations often have an overall business strategy, but they fail to subsequently formulate a derived IT strategy and appropriate IT policy, while innovation is happening faster than ever and IT decisions are increasingly made decentrally. Without IT strategy, no direction, and without IT policy, no ground rules to stick to. How can we use IT as smartly and efficiently as possible to realise our strategy? And what do we actually think about the most important IT aspects? Most organisations are not sufficiently aware of this."

Why are these risks higher in medium-sized organisations than in corporate organisations and smaller SMEs?

Pilon: "Small companies simply do not have large volumes of vulnerable information, while the really big corporate organisations often employ, or hire, professionals to prevent unwanted situations. Larger SMEs fall a bit between two stools and are relatively at greatest risk, because while they have larger volumes of vulnerable information, they often lack the expertise and capacity to mitigate the risks."

What can SMEs do to better protect themselves from the growing imbalance between continuous innovation and information vulnerability?

"Companies that really innovate at high speed and continuously also immediately identify new security risks with every innovation. Innovation, risk and security then go hand in hand," Wustefeld underlines. "But there is actually another important step before that. Above all, we advise organisations to also formulate a strong IT strategy and clear IT policies, as a derivative of the overall business strategy. Many SMEs do not yet have this properly in place. What we often see is that people innovate without asking themselves what the IT consequences and risks might be."

So how can organisations address this concretely?

Pilon: "By also formulating the derived IT strategy and corresponding IT policy immediately when defining the overall strategy. Organisations have become so dependent on IT, you really can't have one without the other. Every larger innovation step should also directly consider the risks and security implications of that step. In fact, at least one security expert should also participate in every innovation project."

For more information on this topic, please contact our partners Masha Hennequin at masha.hennequin@improven.nl (06 20 60 43 25) or Louis de Koning via louis.de.koning@improven.nl (06 20 60 43 25)
