Managing business risk in the digital economy

By Paul Taylor, Partner and UK Head of Cyber Security at KPMG, says current business risk models fail to take account of the digital industrial revolution

The next industrial revolution, often called Industry 4.0, promises to be as transformative of the business landscape, in the same way as previous industrial revolutions transformed society. This transformation, driven by industrial digitisation, is set to radically reshape business models, disrupt market monopolies, merge previously separate industry sectors and dramatically speed up the pace of innovation.

Paul Taylor
Paul Taylor

Old boundaries between industries, products, and services will be obliterated. There will be convergence within an integrated digital industrial ecosystem.

One example is the recent convergence of the automotive and software industries around the ‘connected car’. Industrial digitisation will also create a shift in production similar to the invention of the moving assembly line, opening up a future digital industrial supply chain where products are digitally developed, manufactured, and monitored in real-time from factory floor to shop floor, and beyond through a single, holistic, integrated process.

Connected supply chains with smart sensors will allow the real-time monitoring and measurement of vast automated assembly lines. The merging of the physical and virtual worlds in manufacturing will enable product developers or customers to convert virtual 3D visualisations of future products into digital files to be autonomously custom-made by 3D printers and other machines.

The unrelenting pursuit of better, faster and more efficient ways of deploying and creating technology has driven innovation in our businesses and across our economy. The pressure is on to reap the benefits of connecting every system, from high-profile innovations, such as connected cars and medical devices, to the tasks that allow product fulfilment and inventory management across a vast and distributed network of retailers.

Why business risk strategies are out-of-date

In Industry 4.0 cyber security will be as important as physical security. Business risk strategies have not caught up with the implications of the transformation from a traditional to a digital economy. Whilst every business department and industry sector is increasingly going digital, information and cyber security risks remain poorly understood in the boardroom.

A recent paper by (ISC), an international non-profit membership association of professionals working in information and cybersecurity entitled ‘What Every Business Leader Should Know About Cyber Risk’, points out that, whilst everything from business IP to business-critical assets is now vulnerable to cyber-attack, many boards do not treat cyber risk as comparable to legal and financial risk. As a result, businesses don’t invest the same time and resources in developing a cyber risk management strategy as they invest in mitigating against other risks.

Lloyd’s of London now estimate that a serious cyber-attack that takes down major cloud providers could cost the global economy up to £92 billion. This would be similar to the fallout from a catastrophic natural disaster. There is growing evidence of the financial risk to business from a cyber-attack. Cyber security vulnerabilities have triggered mass recalls of 1.4 million cars and 500,000 connected pacemakers. Cyber-crime has resulted in multi-million pound thefts, tumbling share prices, major customer losses and multiple CEO resignations. A DDoS attack recently affected a significant proportion  of the USA’s internet. Upcoming data-privacy laws, such as GDPR, will expose businesses to fines and class action lawsuits, with the result that information and cyber risk is now closely intertwined with legal risk.

The lack of understanding of cyber risk extends to other organisations responsible for creating and maintaining our digital economy. Many of those responsible for developing the software, applications, sensors, devices, systems and networks that underpin modern businesses have little or no training in cyber security. This is producing a digital economy with a hidden plethora of vulnerabilities, the equivalent of a physical economy composed of millions of goods that are riddled with latent safety defects. The largest ever survey of cyber security professionals, published this year, found that hidden vulnerabilities – from security misconfiguration to broken authentication systems – is one of the threats of most concern to businesses worldwide.

Risk management for a digital economy

There are some steps that can be taken to turn the situation around. Businesses must start by accepting that cyber risk is a business risk like any other, not merely a technology problem, and align their spending priorities accordingly. This starts from the realisation that cyber risks are intertwined with other business risks especially as cyber-attacks often spill over into the physical world; for example, (ISC)2s recent white paper points to a cyber-attack on the German steel industry that caused physical damage to a factory.

This means cyber security expertise can no longer be siloed in the IT department; all business units must be collectively held responsible for online security as part of a holistic risk-management strategy based on a comprehensive view of cyber risk across the company. This means cyber risks should be added to the company risk register, and a governance framework should be created to include cyber risk management. A board member should be included in all substantive cyber risk discussions. Crucially, companies need to audit and take control of the digital assets they hold, just as companies seek a full inventory of all their other assets.

Businesses must track and protect data in transit in the same way as they use systems such as GPS ‘track-and-touch’ to monitor and protect physical assets on the move. This is even more important with the introduction of GDPR, which will widen the definition of a privacy breach to include any unauthorised access to personal data, even by employers or other departments of the business.

Crucially, information, cyber security and data privacy must be built in to every product, business process, and service at design stage. Every digitised product and service; from smart meters, to connected cars, from automated manufacturing, to employee location-tracking must be designed with security and privacy as a central consideration.

The key to securing Industry 4.0 is for businesses to manage and mitigate risks to our digital economy just as they manage risks to our traditional economy, by recognising that the two are inextricably linked.