AI is already transforming procurement, but meaningful value depends on more than just tools. At Beroe, that starts with aligning AI to real business problems.

As AI continues to dominate conference stages and boardroom discussions, the pressure to use it is everywhere. As this technology becomes further embedded in enterprise strategy, many organisations are still grappling with how to apply it in a way that delivers real, measurable value.

Rather than focusing on AI for the sake of innovation, the question now is how to align new tools with real business problems. That means looking beyond dashboards and pilots to deploy AI where it can simplify decision-making and improve processes.

At Beroe, this principle is central to how AI solutions are developed, deployed, and scaled. As the company behind the world’s leading procurement intelligence platform, Beroe provides real-time market data, cost analysis, and supplier risk assessments, empowering thousands of organisations globally to streamline operations and mitigate risks. Its latest advances in autonomous negotiation, supplier discovery, and predictive analytics show what it means to align AI with business objectives.

Speaking with Prerna Dhawan, Chief Product Officer at Beroe, during this year’s DPW New York conference, the discussion explored how procurement leaders can move beyond hype and start unlocking the full potential of AI.

Misalignment with business needs

There are plenty of real-world examples of how AI can improve efficiency within a business, from automating manual tasks like invoice processing to identifying new suppliers based on complex sourcing criteria. Accessing this technology is easier than ever with a wide range of tools available to procurement professionals. It can be tempting to jump on the bandwagon and integrate AI across every area of an organisation, but success requires a more nuanced approach.

The key is to ask the right questions, Dhawan explains: “We talk about all the latest and greatest technology out there, but what does it mean in practical terms? We need to ask, ‘How can I apply it today in the work I am doing as a head of product or as a procurement professional?’”

The allure of generative AI is especially strong, but business leaders should ask whether that’s the right solution for their needs. As with any decision, it’s important to consider the business problem. “It starts with a little bit of knowledge about what you’re looking for,” says Dhawan. “What are some of your biggest challenges, and which of those challenges could AI technology solve?”

Matching the right tool to the job

Once an organisation has identified a specific problem, it’s possible to find the AI solution that fits. While generative AI gets a lot of attention, other AI technologies and machine-learning-based systems might be more appropriate.

In some cases, prescriptive, rule-based, or predictive AI could be a better choice to solve a problem without the need for a large language model. For example, forecasting commodity prices doesn’t require generative AI, just strong, contextual machine learning. 

“We are looking at AI across two dimensions,” says Dhawan. “Firstly, what is our offering to customers, in terms of procurement intelligence and autonomous negotiation technology. Second, we are looking at AI internally. Let’s say in product development, how do we use the latest AI solutions to accelerate our product development cycles so we can release new modules and capabilities more quickly.”

Regardless of the type of tool chosen, it should cover a high-impact use case. Integrating AI to solve a problem that only surfaces for a small group of people a couple of times a year won’t have a great return on investment. Instead, look for regularly occurring problems that, if fixed, could have a huge impact on productivity or quality. 

Reducing the cognitive load

We’re already bombarded by information, and the use of AI to add to this doesn’t make sense. “I don’t need another dashboard in my life,” says Dhawan. 

When implemented correctly, AI can make data more accessible while reducing cognitive load for users. The result is increased productivity and faster decision-making. 

“I think the power of AI is to simplify access to data. This is why ChatGPT has been a success: it democratises access to information. That’s what our B2B technology world is waiting for. It gives me something simple that allows me to talk to my data. Then I can focus on what insights I need to make a decision or take action.”

For most B2B users, the key is intelligent simplification. Look for ways to simplify access to data through agent AI tools and conversational interfaces. This brings the focus back to action rather than dashboards.

Inside Beroe

While many procurement teams are still exploring AI’s potential, Beroe has already embedded it across both its platform and internal operations. The company, founded in 2006, provides procurement intelligence to thousands of organisations worldwide. Its platform delivers the critical data that professionals need to make informed sourcing decisions, from commodity prices and risk indicators to ESG scores and supplier intelligence.

“We provide all data that procurement needs for decision making, whether it’s cost data, risk data, ESG data or price data,” says Dhawan. “Our reimagination of the future is not just giving access to more data but creating that layer of recommendations that help you make decisions at speed and scale.”

One of the clearest examples of this in action is Beroe’s new ‘autonomous negotiations’ platform, resulting from its recent acquisition of negotiation technology business nnamu. Delivering a significant evolution in the procurement technology landscape, the platform enhances the foundational elements of AI and game theory with Beroe’s industry-leading market intelligence and, according to Dhawan, it’s being deployed successfully in live sourcing scenarios.

“This is a technology that is being used for multilateral negotiations,” Dhawan explained. “It’s no longer just a POC or prototype, it’s live and being used at scale.” These new tools reflect Beroe’s core mission: to help procurement professionals minimise surprises and maximise margins. 

Crucially, Beroe isn’t waiting for perfect data to apply these technologies. Instead, the company is using AI to work with what’s available — cleansing, interpreting, and extracting value from both structured and unstructured sources.

“You can use AI for cleansing data – even paper contracts,” Dhawan says. “Historically, we thought data had to be structured. But now, with vision models and image analytics, that’s no longer the case.”

Rather than striving for 100% accuracy before taking action, Beroe embraces a more agile mindset that balances speed and precision. 

Is mindset holding procurement back?

The technology is ready. The use cases are proven. So why do so many procurement teams still hesitate to embrace AI? “There’s this subconscious fear that I think is a barrier to adoption,” she said. “And to some extent, it’s to do with our friends in Hollywood.”

There’s the myth that AI is a job-threatening black box, especially in industries where trust and experience are the backbone of good decision-making. For procurement, where professional judgement and business context are critical, the idea of handing over tasks to AI can feel risky.

But Dhawan believes this fear is misplaced. At Beroe, AI isn’t replacing procurement professionals, it’s augmenting them. Whether it’s surfacing new suppliers, automating elements of negotiation, or flagging risks earlier in the sourcing cycle, the aim is to enhance human decision-making. She says: “I think with the new kinds of AI technology that’s available to us, it is an opportunity for us in B2B tech to embrace more human-centred design with higher focus on UX.”

Looking ahead

Looking ahead to 2026 and beyond, Dhawan sees procurement evolving into a more personalised and responsive function – one where AI plays a critical role in both strategy and execution.

“We see hyper-personalisation coming, both in supplier relationships and internal stakeholder engagement,” she explains. “AI will be at the centre of that.”

Rather than one-size-fits-all sourcing strategies, AI will enable procurement teams to tailor their approaches to specific business units, categories, or even individual suppliers. This means smarter segmentation, more relevant insights, and stronger commercial outcomes.

Another key shift is the growing ability to connect macro events, such as geopolitical shocks or regulatory changes, with micro actions inside the business. AI can help procurement teams identify these signals earlier, respond faster, and still align with long-term goals such as cost efficiency or sustainability.

“It’s about balancing your fire-fighting reactions to market events with your long term goals and strategy,” says Dhawan. “Procurement needs visibility and flexibility at the same time.”

Beroe is already moving in this direction. Alongside its growing AI capabilities, the company is refining how it delivers intelligence, building agents and recommendation layers that not only inform decisions, but also help teams take action on them. Whether that means automating routine negotiations or proactively flagging supply risks, Beroe is evolving to meet the needs of a procurement function that’s more dynamic than ever.

As Dhawan points out, the goal isn’t to overwhelm teams with more tools, it’s to make their lives easier. “It’s about reducing complexity and giving procurement professionals confidence in what to do next,” she concludes.

For many procurement leaders, AI still feels like a long-term ambition. But the solutions are already here, and through companies like Beroe, they’re already in use. The challenge now is not whether AI can deliver value. It’s whether teams are ready to adopt the mindset and cultural shift that will allow them to unlock that value.

  • AI in Procurement

Without trust, AI cannot deliver on its full potential, leaving manufacturers hesitant to go beyond pilot projects, says Darren Falconer.

It’s no secret that trust is the foundation for successful AI adoption. By addressing scepticism, prioritising data quality, and ensuring algorithms are explainable and auditable, AI can become a powerful force-multiplier in manufacturing operations. 

Manufacturers are increasingly looking to AI to boost efficiency, streamline operations and automate routine tasks. 75% are planning to step up their AI spending in 2025. However, much of this attention is focused on Generative AI – something that we believe is poorly suited to factory settings.

Part of this misalignment stems from a lack of understanding of AI’s practical applications in industry. With only 7% of manufacturing leaders feeling “very knowledgeable” about AI applications, scepticism and trust issues loom large.

Feedback from vendors and end-users consistently points to trust as a leading barrier to adoption. Without trust, AI cannot deliver on its full potential. This leaves many manufacturers hesitant to go beyond pilot projects. XpertRule’s Technical Director, Darren Falconer, explores this further.

Overcoming the AI ‘fear factor’

The portrayal of AI in the media has long been dominated by dystopian headlines and Hollywood blockbusters, with fears of mass unemployment and doomsday narratives. For manufacturers, this continuous, subliminal bombardment creates a trust deficit before any AI project even begins.

Business leaders are having to overcome not only technical hurdles but also the deep-seated scepticism that AI solutions are uncontrollable or inherently risky. To counter this, companies must approach AI with transparency and explainability at every stage, showing that AI is a tool to amplify human capability, not replace it.

For a simple comparison, think about cruise control in a car. Traditional cruise control maintains a set speed but that’s all. Compare that to adaptive cruise control, which considers real-time conditions, adapts to your driving preferences and responds intelligently. Similarly, AI in manufacturing must adapt to the unique needs and complexities of each operation.

For those implementing these systems, understanding the ‘mechanics’ – how algorithms interact with data inputs and external influences – is a vital part of building trust. Explainable AI bridges the gap between automation and operator oversight, providing a clear view of how the system reacts and adapts. This clarity increases confidence among users, fostering trust in AI’s outputs.

But of course, building trust also requires a mindset shift – from a data-centric focus to a decision-centric approach.

Trust starts with decisions, not data

A common misstep in AI adoption is starting with the data instead of focusing on the desired outcomes. Many manufacturers think, “We have all this data – what can we do with it?” However, this approach often leads to complex systems that lack focus and transparency, fail to deliver meaningful outcomes and reinforce doubt over AI’s value.

A decision-centric approach begins by asking, What do we want to achieve, and what decisions need to be made to deliver those outcomes? Only then should businesses ask, What data supports those decisions and what are the models linking these decisions to this data?

From there, manufacturers must focus on ensuring data quality – calibrating sensors, cleaning data streams, validating inputs and standardising formats. Remember, the vast majority of AI success lies in data preparation and only a small percentage in the modelling itself.

Imagine a manufacturer aiming to improve quality control. They might gather extensive data from every step of the production process to find possible defects, leading to an overwhelming volume of disjointed data with no clear path to action.

Using a decision-centric approach, they would:

  • Define the goal: Improve product quality and aim to reduce defects by 10% over the next quarter.
  • Identify key decisions: What factors directly impact product quality? What parameters should trigger quality checks? How can inspection processes be optimised to catch defects earlier? What actions should be taken when deviations are detected?
  • Use AI to model the outcomes: Build AI models that analyse historical production data to discover explainable patterns relating outcomes to metrics like machine settings, material consistency or environmental conditions. The system can then use these models in real time to flag anomalies that indicate potential defects and recommend adjustments to maintain product quality.

This clarity in purpose makes AI implementations transparent, explainable and, ultimately, more trustworthy. It also provides a clear framework for measuring success, helping to build greater confidence from engineers, users and management alike.

A key factor in building trust is recognising that AI doesn’t replace human insights and experience – quite the opposite. Human operators and engineers bring a level of expertise, contextual knowledge and intuition that machines cannot replicate. Having a ‘human in the loop’ is therefore critical to an AI system’s effectiveness.

Decision Intelligence connects Explainable AI principles with operational trustworthiness by embedding human oversight at its core. For example, experienced technicians possess knowledge built up over years of practice. While they can’t be everywhere at once, their expertise can be integrated into AI systems to automate routine decisions while reserving complex or ambiguous scenarios for human intervention.

This balance between human and machine intelligence ensures AI systems remain transparent, reliable and dynamic. It also enables manufacturers to scale the knowledge of their experts, reducing variability across shifts and locations while maintaining trust and accountability.

From pilots to trusted partner

For AI adoption to move from pilot projects to the heart of manufacturing operations, trust must come first. A decision-centric approach offers a practical pathway to achieve this, ensuring AI systems are transparent, aligned with business goals and designed to augment human expertise.

When manufacturers trust their AI systems, they can harness the technology’s full potential, creating new opportunities for efficiency, resilience and competitive advantage. Decision Intelligence becomes the connector between Explainable AI and operational trust, moving AI from being perceived as a risk to becoming a trusted partner.

  • AI in Supply Chain

Eelco van der Zande, Managing Director of ReBound Returns, helps navigate the issues caused by tariffs.

Rapid changes in global trade policy are creating serious challenges for businesses operating across borders. With tariffs soaring one day and easing the next, retailers are being forced to rethink how they handle international returns in real time.

Fluctuating import duties imposed by the US have at times exceeded 145%, and retaliatory measures from key trade partners have thrown global supply chains off balance. Even with the most recent truce reducing US tariffs on China to 30%, there’s no guarantee these figures will hold. As of June 2025, US trade policy remains fluid, with ongoing negotiations reshaping tariff structures across multiple regions, including Europe and Asia. President Trump has noted that some levies have been suspended – not cancelled – and may rise again within months.

Adding to the uncertainty, twelve US states have filed a lawsuit in the Court of International Trade, seeking to halt the “Liberation Day” tariffs. A US appeals court has allowed the tariffs to remain in effect while it reviews their legality.

The new risks of cross-border returns

Amongst the ambiguity, international returns are now under intense scrutiny. With each item crossing a border potentially attracting new tariffs, returning products for restocking has become costly. When an item crosses a border twice – first for sale, then for return – and possibly a third time for resale, retailers face multiple layers of duties and fees. A t-shirt sold internationally could now incur fees exceeding its original retail value. This makes it more important than ever to evaluate every return for cost-efficiency and logistical feasibility.

Volatility also makes forward planning difficult. Retailers can’t afford to be reactive; returns systems must be agile, localised, and data-driven to navigate the shifting conditions. Strategic returns management is key to future-proofing reverse logistics against unpredictable tariffs.

Localising and consolidating returns to minimise costs

One of the most effective ways to reduce tariff exposure is to localise returns processing. Keeping returns in the country where they were purchased allows retailers to avoid costly re-importation. Processing and storing products at local returns centres and re-fulfilling them to new customers in the same region can save on shipping and duties. Repurposing items through alternative channels can also reduce costs.

Consolidating returns into fewer, larger shipments rather than handling them individually can significantly cut logistics expenses. Using regional return hubs to group items before further processing or redistribution reduces transportation spend and carbon footprint. This local-first approach not only limits fuel consumption and emissions, but also supports a circular economy by keeping goods in-region. As ESG expectations rise, aligning reverse logistics with sustainability goals becomes a competitive differentiator. This optimised, local approach enhances efficiency and makes cross-border returns more sustainable and financially viable at scale.

Faster returns to reduce inventory lag

With tariffs driving up inventory costs, time has become a critical cost factor in returns management. Every day a returned item sits idle or in transit is a day of lost revenue and tied-up capital. Slow processing delays resale and undermines profitability in an already margin-sensitive environment.

Retailers must accelerate returns processing to reduce inventory lag. That means quickly assessing, sorting, and restocking products. Fast triaging, localised warehousing and agile reverse logistics can shave days or even weeks off the cycle, improving inventory turnover and unlocking working capital. In practice, faster processing can significantly increase recovered revenue from returned goods.

Smarter and fewer returns through better data

As tariffs raise the cost of goods, each return, especially the avoidable ones, becomes more expensive. Retailers that harness return data across their operations can turn unpredictability into strategic insight. This requires integrating data from multiple sources into a unified view, enabling more accurate demand forecasting, better inventory planning, and identification of products that are driving unnecessary returns.

Leading retailers are also using AI-powered platforms to anticipate which items are most likely to be returned and to automatically route them to the most efficient return locations. These systems integrate seamlessly with order and warehouse management tools, reducing cycle time and cost.

Data insights can also reveal deeper patterns, such as size discrepancies, product quality issues, or customer behaviour trends, that are contributing to high return rates. Addressing these issues through refined product descriptions, size guidance, and customer education that sets expectations better can lead to measurable reductions in returns.

Even modest drops in return rates can yield significant savings when margins are tight. Smarter use of data enables faster, more informed decisions, and stronger profitability.  

Seamless returns to build customer loyalty

The increasing complexity of cross-border returns hasn’t slowed rising customer expectations. Shoppers are less forgiving of a clunky or slow returns process, especially when tariffs mean they have paid more or waited longer for their purchase. A seamless experience with fast, easy, and transparent return options is crucial.

Retailers that offer convenient local drop-off points, clear communication, and flexible refund or exchange options are far more likely to retain customers and drive repeat purchases. Quick refunds help preserve brand loyalty, even amid pricing pressures and economic uncertainty.

Retailers that prioritise returns optimisation have seen measurable improvements in customer retention and the frequency of repeat purchases. A great returns experience doesn’t just mitigate risk, it builds trust, strengthens brand reputation, and turns a potential point of friction into a loyalty driver. 

Adapting returns strategies for a shifting tariff landscape

When tariffs can rise or fall overnight, international returns must be treated as a strategic function, not just a back-end process. They directly impact margins, sustainability, and customer loyalty.

Retailers that embrace smarter returns management with localised, streamlined processing, better data insight, and seamless customer experiences will be best positioned to weather ongoing volatility. To get ahead, retailers should consider conducting a full audit of their current returns operations, identifying gaps in localisation, speed, and tech adoption. Investing in smart logistics infrastructure today can unlock major savings and build long-term resilience.

  • Risk & Resilience

Jorge Aguilar and Andy Prinz, supply chain experts at PA Consulting, discuss shapers vs. stallers.

Volatility isn’t a shock to the system anymore – it is the system. Supply chains are absorbing more disruption than at any point in modern history, yet still expected to deliver flawlessly. Logistics lanes are being re-routed by international conflicts, cyber incidents, climate shocks, and policy shifts. The US tariffs and UK retail cyber-attacks are just some of the latest stand-out examples.

WTW’s recent Global Supply Chain Risk Survey reports that fewer than 8% of leaders believe they have complete control over their supply chain risks, and nearly two thirds continue to experience higher-than-expected supply chain losses. But against this backdrop, customers expect greater performance – instant service, total transparency, and zero excuses.

In this respect, dependable delivery isn’t a nice-to-have. It’s not even a differentiator. It’s the baseline for trust and growth. And in a world where so much is outside of businesses’ control, building systems that can still deliver when nothing else is stable is the new definition of good leadership.

Shapers vs. stallers

PA Consulting’s 2025 Brand Impact Index supports this. It found that the most successful brands – those with stronger growth, loyalty, and pricing power – are actively building the muscle to deliver dependably in the face of new shocks. 

The study of 7,000 consumers and 360 major brands revealed these brands are ‘shapers’. Rather than just investing in front-end experiences, they’re transforming their operational back-end systems, re-engineering networks, and re-thinking supply chain models. These brands prioritise dependable delivery as the top investment area for growth in volatile markets.

At the other end of the spectrum are ‘stallers’: brands stuck in reactive cycles, making quick fixes, and clinging to old supply chain assumptions. Notably, stallers are 1.6x less likely to plan for disruption and minimise the impact on customers.

Ask the right questions

So, how do businesses know where they fall? There are a few key questions companies should ask, starting with: is your planning designed to adapt or just explain what already went wrong? Sales and operations planning (S&OP) that can’t respond in real-time is a delay, rather than a decision-making tool. 

More broadly, are you solving for yesterday’s world? If your network is still built on historic cost curves and old demand centres, what risks are you carrying forward without realising it? Do your suppliers extend your resilience or expose your gaps? And finally, is your automation unlocking flexibility, or scaling the wrong process? Technology is only useful if it makes you faster, smarter, or more stable.

These questions aren’t just philosophical; they’re what separate the leaders from the laggards in today’s market. The good news is that those falling behind don’t need to blindly guess the way forward. Rather, shapers are following a proven playbook, leveraging five clear levers to hardwire resilience, agility, and reliability into their supply chains.

Network design 

First, it’s important to engineer multi-location networks that balance cost, service, and risk. The focus needs to be on proximity to demand, redundancy in key nodes, and the flexibility to shift under pressure.

BMW illustrates this well. During COVID-19, BMW redesigned its production footprint to manufacture closer to customers, reducing its exposure and increasing control at a time of global disruption. Its strategy focused on lowering risk in the upstream supply chain while increasing manufacturing in the countries where it sells cars. 

In 2022, Oliver Zipse, BMW’s Chairman, shared that the company was producing over 430,000 cars in the US, 60% of which stayed in the market, alongside retaining a footprint in Central Europe and building up its presence in China. He claimed that this proximity to key markets, as well as flexibly increasing or decreasing production according to customer needs, was key to the company’s production success. This approach highlights that it isn’t about a perfect footprint, but rather having one that adapts when the map changes.

Dynamic planning

The monthly S&OP cycle can’t keep up, with Gartner research indicating that it is becoming ‘obsolete.’ Instead, shapers are treating planning as a continuous discipline, integrating signals, data, and cross-functional coordination to respond in real time. This isn’t about perfect predictions. It’s about responsive, multi-layered planning that sees around corners.

For example, Unilever has advanced its planning capabilities through an ‘always-on’ AI-powered forecasting model. It integrates market intelligence, sustainability constraints, forecast and actual sales data between Unilever and the customer to improve forecasting accuracy. Notably, the initial pilot with Walmart in Mexico increased product availability at point of sale to 98%. This approach has ultimately enabled Unilever to dynamically reallocate supply, adjust demand forecasts, and make financial and environmental trade-offs with speed and precision.

Design-to-value

‘Shapers’ are also surgical with cost, investing where it creates value and cutting where it doesn’t. This may sound simple, but in practice, it means design-to-value models aligned with what customers actually care about.

Just look at Hershey, which unlocked $35 million in hidden capacity using automation. This breakthrough came from applying advanced analytics and AI to its KitKat production network, which consists of six lines. Hershey discovered that simple changes in production scheduling and product mix could dramatically increase throughput, without much investment. 

This kind of design-to-value mindset requires deep operational data, cross-functional visibility, and the discipline to say no to unnecessary complexity.

Supplier collaboration

Beyond this, traditional procurement models are increasingly shown to break under stress. Shapers build supplier ecosystems that share risk, diversify sourcing, and enable upstream visibility.

Procter & Gamble is a good example, as it has focused on supply chain transparency and agility by creating a digital control tower across its vast network of suppliers and partners. This connected infrastructure enables real-time monitoring, rapid risk response, and collaborative problem-solving when disruptions hit. It’s not just about oversight – it’s about coordinated resilience being built into the ecosystem. This stands the business in good stead to assess and respond to new shocks, such as the impact of the US tariffs.     

Digital technology and automation

Finally, digitisation must do more than display data. It needs to enable control, speed, and adaptation. 

Zillow is a case in point, having built an ecosystem that weaves AI and automation into every step of a consumer’s housing journey. It brings together a huge range of products and services under one umbrella through its ‘super app’, which enables renters, buyers, sellers, and real estate professionals to search, tour, finance, negotiate, and close on their housing journeys. 

While not a traditional supply chain, it shows how tech-enabled orchestration can help bring consistency, speed, and reliability out of complexity. For operations leaders, the lesson is that automation matters when it makes the system stronger – not just faster.

Adapt to disruption

Disruption isn’t slowing down. But too many supply chains are still built for a world that no longer exists – optimised for predictability, driven by cost, and dependent on fragile assumptions. For supply chain leaders, the takeaway is simple: in a high-risk environment, the most strategic move isn’t to stabilise, it’s to reshape guided by a clear playbook. 

Dependable delivery isn’t just about the physical movement of goods, but rather building in network flexibility, digital visibility, supplier transparency, dynamic planning, and resilience at every layer of the operation. More than ever, delivering reliably – under pressure, across borders – is what keeps businesses trusted and in motion.

  • Risk & Resilience

Sylvain Rottier, General Manager at Tennant Company, explores how supply chain professionals are shoring up against labour shortages.

Europe is facing an ongoing workforce crisis that demands major solutions, meaning business leaders can’t really afford to wait. The numbers are disconcerting: labour shortages across the European Union have grown from 1.7% in 2014 to 2.6% in the first quarter of 2024 – a 53% increase that shows no signs of slowing.

Indeed, Europe’s demographic crisis seems to be accelerating, with projections indicating the continent will lose 95 million working-age people by 2050 compared to 2015 levels. For supply chain executives, this threatens operational continuity and competitive positioning.

The impact may vary dramatically across sectors, but few industries will feel the pressure more acutely than essential services like cleaning and facilities management. Annual turnover rates in janitorial services have reached 200-400%, creating a revolving door that diminishes institutional knowledge and operational effectiveness.

The impact beyond empty positions

Twenty-five percent of EU businesses now report production problems directly attributable to labour shortages, transforming what was once a staffing inconvenience into an operational constraint.

The financial implications are potentially severe. Companies experiencing 200% annual turnover, unfortunately common in labour-intensive sectors, spend six-figure sums annually just on replacement hiring. This figure encompasses recruitment costs, training expenses, and the hidden price of reduced productivity during onboarding periods. However, these costs represent a small part of the problem.

Quality degradation becomes inevitable when organisations rely heavily on inexperienced workers. Higher error rates, missed cleaning protocols, equipment damage, and inconsistent service delivery damage customer satisfaction and brand reputation. In supply chain environments where precision and reliability are paramount, these quality issues can trigger costly disruptions throughout the entire network.

Perhaps most concerning is the competitive disadvantage that emerges when labour shortages force companies to reject new business opportunities. Constrained order books and inflated production costs create a vicious cycle where struggling organisations become less attractive employers, further exacerbating their staffing challenges.

From automation to intelligence

Traditional automation offered limited relief because it required extensive programming for specific tasks and was often an awkward-at-best fit for changing conditions. Today’s AI-enabled robotic systems represent a huge leap forward, delivering true operational intelligence that can learn and adapt, and also optimise performance in real-time.

Modern robotic platforms (such as BrainOS, which powers Tennant AMR Machines) leverage machine learning algorithms to improve their performance based on environmental feedback and operational data. Unlike their predecessors, these systems can navigate complex, dynamic environments while avoiding obstacles, adjusting cleaning patterns based on usage data, and even predicting maintenance needs before equipment failures occur.

Integration capabilities have also come a long way. Contemporary AI-powered robots connect with existing warehouse management systems, inventory tracking platforms, and facility management software. This connectivity enables centralised monitoring, performance optimisation, and data-driven decision-making that extends far beyond the robots’ immediate task purpose.

The technology’s greatest advantage lies in its ability to maintain consistent performance standards. While human workers may struggle with fatigue, illness, or high turnover, AI-enabled robots deliver consistent results that enable accurate capacity planning and service level guarantees.

Implementation strategy

Successful AI-robotics deployment requires a shift in thinking from replacement to augmentation. The most effective implementations complement human capabilities rather than eliminate human roles entirely. This approach not only addresses practical concerns about workforce displacement but also maximises return on investment by leveraging the unique strengths of both human intelligence and artificial intelligence.

Smart organisations begin with pilot programmes that target specific, well-defined tasks within controlled environments. This approach allows teams to understand integration challenges, optimise workflows, and build internal expertise before scaling to full deployment. Critical success factors include ensuring compatibility with existing systems, establishing clear performance metrics, and maintaining open communication with affected workers throughout the transition.

The skills landscape is evolving rapidly, creating new job categories in real time. Rather than eliminating careers, thoughtful implementation transforms traditional roles into technology-empowered positions that offer greater career advancement potential and higher compensation. For sectors like cleaning services, which have long struggled with “dead-end job” perceptions, this transformation can meet turnover rates with higher-calibre talent.

Training programmes should prepare workers for collaborative environments where human judgment combines with robotic precision. These hybrid roles often prove more engaging and rewarding than traditional positions, creating career pathways that retain institutional knowledge while embracing technological advancement.

Building tomorrow’s competitive advantage

The demographic trends driving current labour shortages will intensify over the coming decades. Organisations that delay AI-robotics adoption risk falling behind competitors who embrace these technologies early and develop operational expertise while the market is still developing.

However, successful transformation requires more than technology acquisition. Companies must strike a balance between technological capabilities and the human touches that drive innovation, customer relationships, and adaptive problem-solving. The goal isn’t to create fully automated facilities but to build resilient, flexible operations that can weather demographic headwinds.

Leadership teams must think beyond immediate cost savings to consider long-term strategic positioning. AI-enabled robotics offers the foundation for sustained growth in an environment where traditional staffing models look increasingly untenable. Early adopters will develop competitive advantages that compound over time, while late movers may find themselves perpetually disadvantaged in both talent acquisition and operational efficiency.

The question isn’t whether AI-enabled robots will reshape supply chain operations—that transformation is already underway. The critical decision facing business leaders is whether they’ll proactively shape this evolution or reactively respond to competitive pressures once their options become more limited and expensive.

Europe’s demographic winter demands timely action. For forward-thinking supply chain executives, AI-enabled robotics represents not just a solution to current staffing challenges, but a strategic foundation for long-term competitive success in a potentially shaky marketplace.


Tony Hasek, CEO and Co-Founder of Goldilock, explores the future of cybersecurity across the supply chain.

As global supply chains are restructured in response to economic uncertainty, rising tariffs, and geopolitical pressure, a new cybersecurity dilemma is coming to the foreground. The number of cyberattacks exploiting supply chain vulnerabilities is surging. 45% of businesses are expected to face software supply chain attacks this year. With three major UK retailers falling victim to cyberattacks within just 10 days of each other, the need for rapid action is clearly emphasised. 

To manage cost pressures, procurement complexity, and disruption risk, many businesses have spent the last few years consolidating suppliers. This means relying more heavily on a select few. But while this strategy may offer operational simplicity, it also introduces unforeseen cybersecurity risks.

When companies buy in bulk through a few key suppliers, it becomes harder to trace where individual components or services actually come from. The benefits of scale can quickly be outweighed by a lack of transparency. This creates openings for cyber threats – compromised hardware might be introduced without detection, unverified software and firmware can slip through, and oversight often breaks down across multiple layers of third-party subcontractor and vendor networks.

Recent geopolitical shifts in global trade have added a new layer of complexity, forcing companies to quickly move to new suppliers in different regions – often building entire supply chains from scratch. In this fast-changing environment, organisations must ask: are software-only cyber defences still enough?

Supply chain fragmentation is redefining risk

Over the past decade, cybersecurity strategy has largely focused on digital defences: intrusion detection systems, firewalls, endpoint protection, and role-based identity management. These are all essential, but they rest on the assumption that all components of an end-to-end system can be trusted or at least detected if they pose a threat.

As companies pivot to new vendors, particularly in critical infrastructure, telecommunications, and manufacturing, they inherit new digital dependencies often with little time or visibility to assess risk. A growing number of cyberattacks now originate, not from obvious threat actors, but from compromised supply chain components.

In a recent survey, it was found that 55% of global supply chain professionals use a mix of local and global IT solutions, resulting in fragmented systems that create multiple weak points for cybercriminals. These threats include routers shipped with hidden backdoors, firmware with embedded vulnerabilities, or software libraries poisoned long before deployment.

The infamous SolarWinds breach is a prime example where attackers injected malware into the company’s software build system for months before being detected. Because the malware was delivered through trusted channels, it didn’t appear as a breach to downstream customers – reinforcing the dangerous assumption that a well-known software supply chain couldn’t be compromised.

This is the challenge now facing every CIO and security lead. With the global supply web constantly shifting, the threat vector has moved upstream, and it’s becoming increasingly difficult to tell which components are compromised until it’s too late.

The blind spots in modern cybersecurity

Geopolitical pressures and economic instability have accelerated supplier diversification. As a result, organisations are often forced to onboard new hardware and software partners on compressed timelines. This leaves less room for thorough due diligence. The bigger challenge, however, is ensuring that pre-compromised components don’t make it through the door in the first place.

Modern cybersecurity tools excel at monitoring and responding to suspicious behaviour, but most still work reactively. If malicious code runs inside a network or access credentials are stolen, it’s up to the software to identify, isolate, and shut down the threat. This approach assumes detection happens quickly, before the attacker has had time to move deeper into the system.

Unfortunately, lateral movement – when attackers quietly expand their access across a network – is one of the most damaging and least understood stages of a cyberattack. Even a foothold in a non-critical system can lead to privilege escalation, data theft, and the compromise of sensitive environments. While software defences can slow this process, they often struggle to stop it entirely.

This is especially true in the case of state-sponsored attackers and advanced persistent threats (APTs), which use highly sophisticated methods and zero-day exploits that are designed to bypass detection or lie dormant until the right opportunity arises. If the initial breach comes from a trusted supply chain partner, it can slip under the radar for months, hidden behind software that appears safe and behaves normally, until it’s too late.

Why physical isolation matters now

This is where physical network isolation enters the conversation. Not as a throwback to air-gapped systems of the past, but as a modern, strategic layer of defence. For years, organisations have used software-based methods like network segmentation and logical separation to compartmentalise systems. While valuable, these approaches are still vulnerable and can’t guarantee complete control. Physical connection control takes isolation further, enforcing a dynamic, hardware-based barrier – essentially a modern air-gap – that offers true separation and resilience against advanced threats and supply chain compromises.

At its core, physical network isolation does what software alone cannot. It completely severs the potential for any unauthorised communication. Systems can be placed entirely offline or connected only via out-of-band controls that are not susceptible to remote compromise. In other words, even if an attacker manages to breach a system or sneak in through a compromised component, they cannot pivot elsewhere because there’s simply nowhere to go.

In high-value environments, such as critical infrastructure, government networks, and financial systems, this approach is increasingly being revisited. The logic is simple: certain systems are too important to risk. They must be ringfenced, not just monitored.

Advances in control technologies now allow for dynamic physical disconnection. This enables systems to be securely reconnected for updates or access without maintaining constant exposure. It’s a modern interpretation of air-gapping, dynamic and perfectly adapted to today’s operational demands.

Resilient by design

A system that is physically unreachable provides a level of assurance that software-based defences alone cannot match. This makes physical isolation particularly valuable when built into supply chain security protocols. Systems receiving data or code from third-party vendors can remain physically segregated until fully verified, while backup infrastructure can stay completely offline until needed. Even control systems can be made unreachable from external networks, removing the risk of remote hijacking.

To be clear, physical isolation isn’t a silver bullet. But when it can be configured on demand, it becomes a critical layer in both threat mitigation and business continuity. It serves as a proactive first line of defence, a reactive last line of defence, and a practical way to limit the scope and timing of any potential attack.

In cybersecurity, layered defence is essential. Firewalls protect the perimeter, detection tools monitor activity, and identity systems control access. But if those are compromised, what’s left to protect the core?

Time to rethink what “secure” really means

As the digital and physical worlds become more intertwined, organisations must evolve their definition of cybersecurity. Only 30% of businesses report prioritising a secure, connected system for their supply chain. This indicates that more needs to be done. Software tools will always play a critical role, but they should not be the only line of defence. This is particularly true in an era where a single compromised component can trigger a cascade of consequences, all the way up to a network-wide breach.

Physical network isolation doesn’t replace modern cybersecurity; it reinforces it. In a future defined by volatility and hyperconnectivity, businesses must ask not just “can we detect threats?” but also “can we better control them and contain them when detection fails?”

For those willing to embrace a multi-layered strategy that includes both virtual and physical controls, the answer will be yes.


Our cover story this month focuses on the work of Arianne Gallagher-Welcher. As the Executive Director for the USDA Digital Service, in the Office of the OCIO, her team’s mission is to drive a tech transformation at the USDA. The goal is to better serve the American people across all of its 50 states.

Welcome to the latest issue of Interface magazine!

Welcome to a new year of possibility where technology meets business at the interface of change…


USDA: The People’s Agency

“We knew that in order for us to deliver what we needed for our stakeholders, we needed to be flexible – and that has trickled down from our senior leaders.” Arianne Gallagher-Welcher, Executive Director for the USDA Digital Service reveals the strategic plan’s first goal. Above all, the aim is to deliver customer-centric IT so farmers, producers, and families can find dealing with USDA as easy as using an ATM.

BCX: Delivering insights & intelligence across the Data & AI value chain

We also sat down with Stefan Steffen, Executive Leader for Data Insights & Intelligence at BCX. He revealed how BCX is leveraging AI to strategically transform businesses and drive their growth. “Our commitment to leveraging data and AI to drive innovation harnesses the power of technology to unlock new opportunities, drive efficiency, and enhance competitiveness for our clients.”

Momentum Multiply: A culture-driven digital transformation for wellness

Multiply Inspire & Engage is a new offering from leading South African insurance provider Momentum Health Solutions. Furthermore, it is the first digital wellness rewards program in South Africa to balance mental health and physical health in pursuing holistic wellness. CIO, Ndibulele Mqoboli, discusses re-platforming, cloud migrations, and building a culture of ownership, responsibility, and continuous improvement.

Clark County: Creating collaboration for the benefit of residents

Navigating the world of local government can be a minefield of red tape, both for citizens and those working within it. Al Pitts, Deputy CIO of Clark County, talks to us about the organisation’s IT transformation. He explains why collaboration is key to support residents. “We have found our new Clark County – ‘Together for Better’ – is a great way to collaborate on new solutions.”

Also in this issue, we hear from Alibaba’s European GM Jijay Shen on why digitalisation can be a driving force for SMEs. We learn how businesses can get cybersecurity right with KnowBe4 and analyse the rise of ‘The Mobility Society’.

Enjoy the issue!

Dan Brightmore, Editor


For our first cover story of 2024 we meet with Lloyds Banking Group’s CIO for Consumer Relationships & Mass Affluent, Martyn Atkinson, to learn how an ambitious growth agenda, combined with a people-centred culture, is driving change for customers and colleagues across the Group.


Lloyds Banking Group: A technology & business strategy

“We’ve made significant strides in transforming our business for the future,” explains Martyn Atkinson, CIO for Consumer Relationships & Mass Affluent at Lloyds Banking Group. “I’m really proud of what the team have achieved. There’s loads more to go after. It’s a really exciting time as we become a modern, progressive, tech-enabled business. We’ve aimed to maintain pace and an agile mindset. We want to get products and services out to our customers and colleagues. We’ll test and learn to see if what we’re doing is actually making a meaningful difference.”

AFRICOM: Organisational resilience through cybersecurity

We also speak with U.S. Africa Command’s (AFRICOM) CISO Ryan Larsen on developing the right culture to build cyber awareness. He is committed to driving secure and continued success for the Department of Defence. “I often think of every day working in cyberspace a lot like counterinsurgency warfare and my time in Afghanistan. You had to be on top of your game every minute of every day. The adversary only needs to get lucky one time to find you with that IED.”


ALIC: Creating synergy to scale at speed with Lolli

Since 2009 the Australian Lending & Investment Centre (ALIC) has been matching Australians with loans that help build their wealth. It has delivered over $8.3bn in loans to more than 22,000 leading Australian investors and businesses. Managing Director Damian Brander talks ethical lending and the challenges of a shifting financial landscape. ALIC has also built Lolli – a broker enhancement platform built by brokers, for brokers.

Sime Darby Motors: Driving digital, cultural, and business transformation together

Sime Darby Berhad is one of the oldest and most successful multinational companies in Malaysia. It has a twin focus on the Industrial and Motors sectors. The company employs more than 24,000 people, operating across 17 countries and territories. Sime Darby Motors’ Chief Digital & Information Officer Tuan Jean Tee shares how he makes sure digital, cultural, and process transformation go hand in hand throughout one of APAC’s largest automotive multinationals.

Also in this issue, we hear from Microsoft on the art of sustainable supply chain transformation, Tecnotree map the key trends set to impact the telecoms industry in 2024 and our panel of experts chart the big Fintech predictions for the year ahead.

Enjoy the issue!

Dan Brightmore, Editor

Cybersecurity leader Shinesa Cambric on Microsoft’s innovation journey to identify, detect, protect, and respond to emerging threats against identity and access

This month’s cover story highlights a cybersecurity program protecting billions of users.


Interface showcases leaders at the forefront of innovation with digital technologies transforming myriad industries.


Microsoft: Innovation in Cybersecurity

Shinesa Cambric is on a mission to drive innovation for cybersecurity at Microsoft. Moreover, by embracing diversity and opening all channels towards collaboration her team tackles anti-abuse and delivers fraud-defence. Continuous Improvement doesn’t just play into her role, it defines it…

“In the fraud and abuse space, attackers are constantly trying to identify ways to look like a legitimate user,” warns Shinesa. “And this means my team, and our partners, have to continuously adapt. We identify new patterns and behaviours to detect fraudsters. At the same time, we must do it in such a way we don’t impact our truly ‘good’ and legitimate users. Microsoft is a global consumer business and any time you add friction or an unpleasant experience for a consumer, you risk losing them, their business and potentially their trust. My team’s work sits on the very edge of the account sign up and sign in process. We are essentially the first touch within the customer funnel for Microsoft – a multi-billion dollar company.”

ABB: Digital Technologies contributing towards Net Zero

Nigel Greatorex, Global Industry Manager for Carbon Capture and Storage (CCS) at ABB Energy Industries, explains how digital technologies can play a critical role in the transition to a low carbon world. He highlights the role of CCS in enabling global emissions reductions and how challenges can be overcome through digitalisation…

“It is widely recognised decarbonisation is essential to achieving net zero emissions by 2050. Therefore, it’s not surprising that emerging decarbonisation technology is becoming an increasingly important, and rapidly growing market.”

CSI: How can your IT estate improve its sustainability?

Andy Dunn, Chief Revenue Officer at IT solutions specialist CSI, reveals how digital technologies can contribute to ESG obligations: “Sustainability is now seen as a strategic business imperative, so much so that 74% of companies consider Environmental, Social and Governance (ESG) factors to be very important to the value of their company. Additionally, we know almost three in four organisations have set a net zero goal. With an average target date of 2044, 50% of organisations are seeking more energy efficient products and services.”


“Optimising energy use and consolidating servers and storage infrastructure form a strong basis for shaping a more environmentally friendly and efficient IT estate. It no longer needs to be the Achilles Heel of an ESG policy.”

Mia Platform: Sustainable Cloud Computing

Davide Bianchi, Senior Technical Lead at Mia Platform, explores the silver lining of sustainable cloud computing. He reveals how it can help us reduce our digital carbon thumbprint with collaboration, efficient use of applications, containerisation of apps, microservices and green partnerships.

“We’re already on an important technological path toward ubiquitous cloud computing. Correspondingly, this brings incredible long-term benefits too. These include greater scalability, improved data storage, and quicker application deployment, to name a few.”

Also in this issue, we hear from Doug Laney, Innovation Fellow at West Monroe and author of Infonomics and Data Juice. Also, we learn how companies can measure, manage and monetise to realise the potential of their data. And, Deputy CIO Melvin Brown discusses the people-centric approach to IT supporting America’s civil service at The Office of Personnel Management (OPM).

Enjoy the issue!

Dan Brightmore, Editor


Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and how companies can measure, manage and monetise to realise the potential of their data

Our cover story explores the rise of data and information as an asset.


Interface showcases leaders aiming to take advantage of data, particularly in a new world of AI technologies where it is the fuel…


How to monetise, manage and measure data as an asset

Our cover star is pretty big in the world of analytics… We meet the guy who defined Big Data. Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and learn how companies can measure, manage and monetise to realise the potential of their information. In his first book Laney advised companies to stop being fixated on hindsight-oriented analytics. “It doesn’t actually move the needle on the business. In the stories I’ve compiled over the last decade, 98% have more to do with organisations using data to diagnose, predict, prescribe or automate something. It’s not about asking questions about what happened in the past.”

Canvas Worldwide: A data-driven media business

Continuing this month’s data theme, we also spoke with Alisa Ben, SVP, Head of Analytics at full-service media agency Canvas Worldwide. Data has transformed the organisation, and what its clients do. “We look holistically at the client’s business and sometimes the tools we have might be right for them, sometimes not. It’s more about helping our clients achieve their business outcomes.”

TUI Musement: from digital transformation to digital pioneer

At travel giant TUI, handling data effectively is paramount when communicating consistently and meaningfully with up to 25 million customers annually. David Garcia, CIO for TUI Musement, talks about the tech evolution driving the travel giant’s provision of experiences, transfers and tours. It’s a big part of its operational shift from local to global. “As a CIO, I’ve always been interested in how the tech innovations we drive can support the business and add value.”

Hiscox: making cybersecurity more accessible

Liz Banbury, CISO at Hiscox and president of (ISC)² London Chapter, talks to us about how cybersecurity can become a more accessible, realistic career path for almost anybody. “When I was at school, topics like computer science didn’t even exist,” Banbury explains. “In one of my first jobs, over in Hong Kong, we were still using a typewriter! A lot has changed. My key point here is that there’s a lot of cybersecurity professionals who are really good at their job. They are inspiring, and have come from all walks of life. Crucially, they don’t have a maths, computer science, or technological background at all. But they still make great cybersecurity professionals.”

Portland Community College: Risk vs Speed in Cybersecurity

Reet Kaur, former Chief Information Security Officer at Portland Community College, discusses the organisation’s transition to the cloud amid a digital transformation journey. “I don’t want to work with people who just say yes all the time. I want my ideas challenged to help forge the excellence in the security programmes I help build.”

DBHDS: Cybersecurity in healthcare

The Virginia Department of Behavioral Health and Developmental Services (DBHDS) exists to create ‘a life of possibilities for all Virginians’ and transform behavioural health. Its focus is on supporting people across the entire commonwealth. It helps them get the support they need in order to take wellness and recovery into their own hands. In an area like healthcare, sensitive information is all over the place, meaning cybersecurity is a priority – and this is where Glendon Schmitz, CISO at DBHDS, comes in. “The security team exists to help the wider organisation achieve its objectives with data. We’re there to protect the business, not the other way around.”

Also in this issue, we schedule the can’t miss tech events and get the lowdown on IoT security from the Mobile Ecosystem Forum.

Enjoy the issue!

Dan Brightmore, Editor

Expert analysis of the tech trends set to make waves this year

Digital transformation is a continuing journey of change with no set final destination. This makes predicting tomorrow a challenge when no one has a crystal ball to hand.

After a difficult few years for most businesses following a disruptive pandemic and now battling a cost-of-living crisis, many enterprises are increasingly leveraging new types of technology to gain an edge in a disruptive world. 

With this in mind, here is what experts predict for the next 12 months…


1. Process Mining



Sam Attias, Director of Product Marketing at Celonis, expects to see a rise in the adoption of process mining as it evolves to incorporate automation capabilities. He says process mining has traditionally been “a data science done in isolation” which helps companies identify hidden inefficiencies by extracting data and visually representing it.

“It is now evolving to become more prescriptive than descriptive and will empower businesses to simulate new methods and processes in order to estimate success and error rates, as well as recommend actions before issues actually occur,” says Attias. “It will fix inefficiencies in real-time through automation and execution management.”


2. The evolution of social robots



Gabriel Aguiar Noury, Robotics Product Manager at Canonical, expects social robots to return this year. He believes that the introduction of robots like Poiq by companies such as Sony “sets the stage” for a new wave of social robots.

“Powered by natural language generation models like GPT-3, robots can create new dialogue systems,” he says. “This will improve the robot’s interactivity with humans, allowing robots to answer any question. 


“Social robots will also build narratives and rich personalities, making interaction with users more meaningful. GPT-3 also powers Dall-E, an image generator. Combined, these types of technologies will enable robots not only to tell but show dynamic stories.”


3. The rebirth of new data-powered business applications


In today’s fast-moving world, technology doesn’t sleep. Through the help of experts, we’ve compiled a need-to-know list of 23 predictions for 2023

Christian Kleinerman, Senior Vice President of Product at Snowflake, says there is the beginning of a “renaissance” in software development. He believes developers will bring their applications to central combined sources of data instead of the “traditional approach” of copying data into applications. 

“Every single application category, whether it’s horizontal or specific to an industry vertical, will be reinvented by the emergence of new data-powered applications,” affirms Kleinerman. “This rise of data-powered applications will represent massive opportunities for all different types of developers, whether they’re working on a brand-new idea for an application and a business based on that app, or they’re looking for how to expand their existing software operations.”


4. Application development will become a two-way conversation


Adrien Treuille, Head of Streamlit at Snowflake, believes application development will become a two-way conversation between producers and consumers. In his view, easy-to-use low-code or no-code platforms are already “simplifying the building” and sharing of interactive applications for tech-savvy and business users.

“Based on that foundation, the next emerging shift will be a blurring of the lines between two previously distinct roles — the application producer and the consumer of that software.”

He adds that application development will become a collaborative workflow where consumers can weigh in on the work producers are doing in real-time. “Taking this one step further, we’re heading towards a future where app development platforms have mechanisms to gather app requirements from consumers before the producer has even started creating that software.”


5. The Metaverse


Paul Hardy, EMEA Innovation Officer at ServiceNow, says he expects business leaders to adopt technologies such as the metaverse in 2023. The aim of this is to help cultivate and maintain employee engagement as businesses continue working in hybrid environments, in an increasingly challenging macro environment.

“Given the current economic climate, adoption of the metaverse may be slow, but in the future, a network of 3D virtual worlds will be used to foster meaningful social connections, creating new experiences for employees and reinforcing positive culture within organisations,” he says. “Hybrid work has made employee engagement more challenging, as it can be difficult to communicate when employees are not together in the same room. 

“Leaders have begun to see the benefit of hosting traditional training and development sessions using VR and AI-enhanced coaching. In the next few years, we will see more workplaces go a step beyond this, for example, offering employees the chance to earn recognition in the form of tokens they can spend in the real or virtual world, gamifying the experience.”


6. The year of ESG?


Cathy Mauzaize, Vice President, EMEA South, at ServiceNow, believes 2023 could be the year that environmental, social and corporate governance (ESG) is vital to every company’s strategy.

“Failure to engage appropriate investment in ESG strategies could plunge any organisation into a crisis,” she says. “Legislation must be respected and so must the expectations of employees, investors and your ecosystem of partners and customers.

“ESG is not just a tick box, one and done, it’s a new way of business that will see us through 2023 and beyond.”


7. Macro Trends and Redeploying Budgets for Efficiency


Ulrik Nehammer, President, EMEA at ServiceNow, says organisations are facing an incredibly complex and volatile macro environment. Nehammer explains that, with the world gripped by soaring inflation, intelligent digital investments can be a huge deflationary force.

“Business leaders are already shifting investment focus to technologies that will deliver outcomes faster,” he says. “Going into 2023, technology will become increasingly central to business success – in fact, 95% of CEOs are already pursuing a digital-first strategy according to IDC’s CEO survey, as digital companies deliver revenue growth far faster than non-digital ones.”  


8. Organisations will have adopted a NaaS strategy


David Hughes, Aruba’s Chief Product and Technology Officer, believes that by the end of 2023, 20% of organisations will have adopted a network-as-a-service (NaaS) strategy.

“With tightening economic conditions, IT requires flexibility in how network infrastructure is acquired, deployed, and operated to enable network teams to deliver business outcomes rather than just managing devices,” he says. “Migration to a NaaS framework enables IT to accelerate network modernisation yet stay within budget, IT resource, and schedule constraints. 

“In addition, adopting a NaaS strategy will help organisations meet sustainability objectives since leading NaaS suppliers have adopted carbon-neutral and recycling manufacturing strategies.”


9. Think like a seasonal business


Patrick Bossman, Product Manager at MariaDB Corporation, anticipates that 2023 will be the year in which the ability to “scale out on command” comes to the fore of companies’ thoughts.

“Organisations will need the infrastructure in place to grow on command and scale back once demand lowers,” he says. “The winners in 2023 will be those who understand that all business is seasonal, and all companies need to be ready for fluctuating demand.”


10. Digital platforms need to adapt to avoid falling victim to subscription fatigue


Demed L’Her, Chief Technology Officer at DigitalRoute, outlines what the subscription market is going to look like in 2023 and how businesses can avoid falling victim to ‘subscription fatigue’. L’Her says there has been a significant drop in demand since the pandemic.

“Insider’s latest research shows that as of August, nearly a third (30%) of people reported cancelling an online subscription service in the past six months,” he reveals. “This is largely due to the rising cost of living experienced globally that is leaving households with reduced budgets for luxuries like digital subscriptions. Despite this, the subscription market is far from dead, with most people retaining some despite tightened budgets. 

“However, considering the ongoing economic challenges, businesses need to consider adapting if they are to be retained by customers in the long term. The key to this is ensuring that the product adds value to the life of the customer.”


11. Waking up to browser security 


Jonathan Lee, Senior Product Manager at Menlo Security, points to the web browser as the biggest attack surface and suggests the industry is “waking up” to the fact that it is where people spend the most time.

“Vendors are now looking at ways to add security controls directly inside the browser,” explains Lee. “Traditionally, this was done either as a separate endpoint agent or at the network edge, using a firewall or secure web gateway. The big players, Google and Microsoft, are also in on the act, providing built-in controls inside Chrome and Edge to secure at a browser level rather than the network edge. 

“But browser attacks are increasing, with attackers exploiting new and old vulnerabilities, and developing new attack methods like HTML Smuggling. Remote browser isolation is becoming one of the key principles of Zero Trust security where no device or user – not even the browser – can be trusted.”


12. The year of quantum-readiness


Tim Callan, Chief Experience Officer at Sectigo, predicts that 2023 will be the year of quantum-readiness. He believes that as a result of the standardisation of new quantum-safe algorithms expected to be in place by 2024, this year will be a year of action for government bodies, technology vendors, and enterprise IT leaders to prepare for the deployment.

“In 2022, the US National Institute of Standards and Technologies (NIST) selected a set of post-quantum algorithms for the industry to standardise on as we move toward our quantum-safe future,” says Callan.

“In 2023, standards bodies like the IETF and many others must work to incorporate these algorithms into their own guidelines to enable secure functional interoperability across broad sets of software, hardware, and digital services. Providers of these hardware, software, and service products must follow the relevant guidelines as they are developed and begin preparing their technology, manufacturing, delivery, and service models to accommodate updated standards and the new algorithms.” 


13. AI: fewer keywords, greater understanding


AI expert Dr Pieter Buteneers, Director of AI and Machine Learning at Sinch, expects artificial intelligence to continue to transition away from keywords and move towards an increased level of understanding.

“Language-agnostic AI, already existent within certain AI and chatbot platforms, will understand hundreds of languages — and even interchange them within a single search or conversation — because it’s not learning language like you or I would,” he says. “This advanced AI instead focuses on meaning, and attaches code to words accordingly, so language is more of a finishing touch than the crux of a conversation or search query. 

“Language-agnostic AI will power stronger search results — both from external (the internet) and internal (a company database) sources — and less robotic chatbot conversations, enabling companies to lean on automation to reduce resources and strain on staff and truly trust their AI.”


14. Rise in digital twin technology in the enterprise


John Hill, CEO and Founder of Silico, recognises the growing influence digital twin technology is having in the market. Hill predicts that in the next 20 years, there will be a digital twin of every complex enterprise in the world and anticipates the next generation of decision-makers will routinely use forward-looking simulations and scenario analytics to plan and optimise their business outcomes.

“Digital twin technology is one of the fastest-growing facets of industry 4.0 and while we’re still at the dawn of digital twin technology,” he explains. “Digital twins will have huge implications for unlocking our ability to plan and manage the complex organisations so crucial for our continued economic progress and underpin the next generation of Intelligent Enterprise Automation.”


15. Broader tech security


With an exponential amount of data at companies’ fingertips, Tricentis CEO Kevin Thompson says the need for investment in secure solutions is paramount.

“The general public has become more aware of the access companies have to their personal data, leading to the impending end of third-party cookies, and other similar restrictions on data sharing,” he explains. “However, security issues still persist. The persisting influx of new data across channels and servers introduces greater risk of infiltration by bad actors, especially for enterprise software organisations that have applications in need of consistent testing and updates. The potential for damage increases as iterations are being made with the expanding attack surface. 

“Now, the reality is a matter of when, not if, your organisation will be the target of an attack. To combat this rising security concern, organisations will need to integrate security within the development process from the very beginning. Integrating security and compliance testing at the upfront will greatly reduce risk and prevent disruptions.”


16. Increased cyber resilience 


Michael Adams, CISO at Zoom, expects an increased focus on cyber resilience over the next 12 months. “While protecting organisations against cyber threats will always be a core focus area for security programs, we can expect an increased focus on cyber resilience, which expands beyond protection to include recovery and continuity in the event of a cyber incident,” explains Adams.

“It’s not only investing resources in protecting against cyber threats; it’s investing in the people, processes, and technology to mitigate impact and continue operations in the event of a cyber incident.” 


17. Ransomware threats


As data leaks become increasingly commonplace in the industry, companies face a very real threat of ransomware. Michal Salat, Threat Intelligence Director at Avast, believes the time is now for businesses to protect themselves or face recovery fees costing millions of dollars.

“Ransomware attacks themselves are already an individual’s and businesses’ nightmare. This year, we saw cybergangs threatening to publicly publish their targets’ data if a ransom isn’t paid, and we expect this trend to only grow in 2023,” says Salat. “This puts people’s personal memories at risk and poses a double risk for businesses. Both the loss of sensitive files, plus a data breach, can have severe consequences for their business and reputation.”


18. Intensified supply chain attacks 


Dirk Schrader, VP of security research at Netwrix, believes supply chain attacks are set to increase in the coming year. “Modern organisations rely on complex supply chains, including small and medium businesses (SMBs) and managed service providers (MSPs),” he says.

“Adversaries will increasingly target these suppliers rather than the larger enterprises knowing that they provide a path into multiple partners and customers. To address this threat, organisations of all sizes, while conducting a risk assessment, need to take into account the vulnerabilities of all third-party software or firmware.”


19. A greater need to manage volatility 


Paul Milloy, Business Consultant at Intradiem, stresses the importance of managing volatility in an ever-moving market. Milloy believes bosses can utilise data through automation to foresee potential problems before they become issues.

“No one likes surprises. Whilst Ben Franklin suggested nothing can be said to be certain, except death and taxes, businesses will want to automate as many of their processes as possible to help manage volatility in 2023,” he explains. “Data breeds intelligence, and intelligence breeds insight. Managers can use the data available from workforce automation tools to help them manage peaks and troughs better to avoid unexpected resource bottlenecks.”


20. A human AI co-pilot will still be needed


Artem Kroupenev, VP of Strategy at Augury, predicts that within the next few years, every profession will be enhanced with hybrid intelligence, and have an AI co-pilot which will operate alongside human workers to deliver more accurate and nuanced work at a much faster pace. 

“These co-pilots are already being deployed with clear use cases in mind to support specific roles and operational needs, like AI-driven solutions that enable reliability engineers to ensure production uptime, safety and sustainability through predictive maintenance,” he says. “However, in 2023, we will see these co-pilots become more accurate, more trusted and more ingrained across the enterprise. 

“Executives will better understand the value of AI co-pilots to make critical business decisions, and as a key competitive differentiator, and will drive faster implementation across their operations. The AI co-pilot technology will be more widespread next year, and trust and acceptance will increase as people see the benefits unfold.”


21. Building the right workplace culture


Harnessing a positive workplace culture is no easy task, and in 2023, with remote and hybrid working now the norm, it brings new challenges. Tony McCandless, Chief Technology Officer at SS&C Blue Prism, is well aware of the role organisational culture can play in any digital transformation journey.

“Workers are the heart of an organisation, so without their buy-in, no digital transformation initiative stands a chance of success,” explains McCandless. “Workers drive home business objectives, and when it comes to digital transformation, they are the ones using, implementing, and sometimes building automations. Curiosity, innovation, and the willingness to take risks are essential ingredients to transformative digitalisation.

“Businesses are increasingly recognising that their workers play an instrumental role in determining whether digitalisation initiatives are successful. Fostering the right work environment will be a key focus point for the year ahead – not only to cultivate buy-in but also to improve talent retention and acquisition, as labor supply issues are predicted to continue into 2023 and beyond.”


22. Cloud cover to soften recession concerns


Amid a cost-of-living crisis and concerns over a potential recession as a result, Daniel Thomasson, VP of Engineering and R&D at Keysight Technologies, says more companies will shift data-intensive tasks to the cloud to reduce infrastructure and operational costs.

“Moving applications to the cloud will also help organisations deliver greater data-driven customer experiences,” he affirms. “For example, advanced simulation and test data management capabilities such as real-time feature extraction and encryption will enable use of a secure cloud-based data mesh that will accelerate and deepen customer insights through new algorithms operating on a richer data set. In the year ahead, expect the cloud to be a surprising boom for companies as they navigate economic uncertainty.”


23. IoT devices to scale globally


Dr Raullen Chai, CEO and Co-Founder of IoTeX, recognises a growing trend in the usage of IoT devices worldwide and believes connectivity will increase significantly. 

“For decades, Big Tech has monopolised user data, but with the advent of Web3, we will see more and more businesses and smart device makers beginning to integrate blockchain for device connectivity as it enables people to also monetise their data in many different ways, including in marketing data pools, medical research pools and more,” he explains. “We will see a growth in decentralised applications that allow users to earn a modest additional revenue from everyday activities, such as walking, sleeping, riding a bike or taking the bus instead of driving, or driving safely in exchange for rewards. 

“Living healthy lifestyles will also become more popular via decentralised applications for smart devices, especially smart watches and other health wearables.”

Todd Salmon, Executive Advisor for Strategic Services at GuidePoint Security, on the cybersecurity challenge of keeping up with the pace of the ever-changing digital world

This month’s cover story explores how GuidePoint Security, an elite team of highly trained and certified experts, cut through cybersecurity chaos and confusion to put control back in customers’ hands.

Welcome to the latest issue of Interface magazine!

Interface welcomes in 2023 with a need-to-know list of what we can expect from technology this year and how it can allow enterprises to gain a competitive edge in a disruptive and increasingly digital world. Faced with everything from process mining and AI to quantum-readiness and the metaverse, we cut through the hype to bring you the facts.

GuidePoint Security: digital transformation in cybersecurity

“Cybersecurity is in such a reactive mode because of the sheer volume of risks and vulnerabilities an organisation faces,” says Todd Salmon, Executive Advisor for Strategic Services at GuidePoint Security. “We see a lot of copycats and repeat attacks happen, but at the end of the day it’s all about creating solutions to help combat those problems.”

GuidePoint’s elite team of highly trained and certified experts cuts through cybersecurity chaos and confusion to put control back in customers’ hands, helping them make the smartest, most informed cyber risk decisions and choose and integrate the best-fit solutions to build the most effective cybersecurity program. Salmon discusses the challenge of keeping up with the pace of the ever-changing digital world.

bp: a strategic reinvention

“We are investing in digital to drive process efficiency and improve insights; but also to develop our people with the skills we need for now, and the future at bp. This means we are playing to win while caring for our people through investing in their personal development,” says Head of Strategic Transformation Nick Hales.

“After setting the right foundations through various remediation and compliance initiatives, we embarked on our digital transformation journey,” adds Strategy & Transformation Manager Emmanouela Vlachantoni. “There was a clear opportunity to standardise and streamline our controls environment to reduce complexity and increase insight.”

Fairfax County: winning the IT war with cybersecurity

Meanwhile, across the pond, we learn how Fairfax County in the State of Virginia is reaping the rewards of a cybersecurity program enabling government services and keeping citizens safe. “My role is to educate our leadership to ensure they understand the business value of cybersecurity as it relates to government services. Being accountable for the security of their systems and data is a key factor in developing a successful cyber program,” explains CISO Michael Dent.

Also in this issue, we round up the key tech events and conferences across the globe and, with the help of the experts at Fasthosts, take a deep dive into the metaverse… Can virtual reality become our reality? Read on to find out.

Enjoy the issue!

Dan Brightmore, Editor

Nick Hales, Head of Strategic Transformation and Emmanouela Vlachantoni, Strategy & Transformation Senior Manager, on the journey to reinvent business processes that are reimagining bp

This month’s cover story reveals how bp’s Strategic Transformation leaders are on a journey to reinvent business processes that are reimagining the energy giant.

Welcome to the latest issue of Interface magazine!

Our final issue of Interface for 2022 covers some of this year’s hot tech topics: digital transformation, cybersecurity, data & analytics, customer-centricity and more…

bp: a strategic reinvention

“We are investing in digital to drive process efficiency and improve insights; but also to develop our people with the skills we need for now, and the future. This means we are playing to win while caring for our people through investing in their personal development,” says Nick Hales.

“After setting the right foundations through various remediation and compliance initiatives, we embarked on our digital transformation journey,” adds Emmanouela Vlachantoni. “There was a clear opportunity to standardise and streamline our controls environment to reduce complexity and increase insight.”

Fairfax County: winning the IT war with cybersecurity

Meanwhile, across the pond, we learn how Fairfax County in the State of Virginia is reaping the rewards of a cybersecurity program enabling government services and keeping citizens safe. “My role is to educate our leadership to ensure they understand the business value of cybersecurity as it relates to government services. Being accountable for the security of their systems and data is a key factor in developing a successful cyber program,” explains CISO Michael Dent.

Piedmont Healthcare: data & analytics at the heart of growth

The power of data cannot be under-estimated… At Piedmont Healthcare, Mark Jackson, Executive Director of Business Intelligence, is building a data strategy driving speed to insight at scale. “Tool selection has played an important role in our ability to scale the BI program and deliver rapid insights in a dynamic environment.”

Also in this issue, CalArts CTO Allan Chen explains how an IT strategy based on coordination and collaboration is supporting six schools; Information Tech VP Fausto Sosa de la Fuente reveals the people-centric transformative IT process at construction industry giant CEMEX; and we take a look at the latest insights from McKinsey highlighting the lessons CEOs can learn from successful digital transformations.

Enjoy the issue!

Dan Brightmore, Editor

John McClure, CISO at Sinclair Group – a diversified media company and America’s leading provider of local sports and news – talks about the evolution of cybersecurity and the cultural shift placing it at the forefront of business change

This month’s cover story explores how Sinclair Broadcast Group is embracing the evolution of cybersecurity and placing the role of the CISO at the forefront of business transformation.

Welcome to the latest issue of Interface magazine!

Communication, secure and at speed, is a vital component of the transformation journey for both the modern enterprise and its relationship with stakeholders, be they customers or partners. Putting the right building blocks in place to deliver successful change management is at the heart of the inspiring stories in the latest issue of Interface.

Sinclair Broadcast Group: a cyber transformation

Our cover star John McClure progressed from a career in the military and work as a consultant in the intelligence industry to fight a new kind of foe… As CISO for Sinclair Broadcast Group, a diversified media company and America’s leading provider of local sports and news, he talks about the evolution of cybersecurity, the battle to meet the rising velocity and sophistication of cyber-attacks and the cultural shift of the role of CISO placing it at the forefront of business change.

“Sinclair is unique in terms of its different business units and how it operates. It’s my job as CISO leading our cyber team not to be an obstacle for the business; we’re here to help it move faster to keep up with market forces, and to move safely. We’re here to engineer solutions that work for the enterprise but also help us maintain a positive security posture.”

State of Florida: digital government services

We also hear from CIO Jamie Grant who is leading the State of Florida’s Digital Service (FL[DS]) on its charge to transform and modernise the way government is accessed and consumed. He is building a team of talented, goal-oriented and customer-obsessed individuals to drive a digital transformation with innovation at its heart. “Leadership is really about developing the team and investing in the people. And it turns out that when you get their backs, they appreciate it and then you can achieve anything.”

ResultsCX: putting people first

Jamie Vernon, SVP for IT & Infrastructure at AI-powered customer experience solution specialist ResultsCX, discusses what drives customer care in the 21st century, and the part technology has to play.

“We are the custodians of our customers’ customers,” says Vernon. “In this increasingly tenuous relationship with their customers, they trust us. My leadership takes that responsibility very seriously, and charges each of us with doing everything we can to provide a perfect call, or email, or chat, every time, thousands of times a minute, around the clock and around the calendar.”

Also this month, Sarita Singh, Regional Head & Managing Director for Stripe in Southeast Asia, talks about how the fast-growing payments platform is driving financial inclusion across Asia and supporting SMEs with end-to-end services putting users first, and we get expert advice for the modern CEO from the University of Oxford’s Saïd Business School.

Enjoy the issue!

Dan Brightmore, Editor

Our cover story investigates how the latest cybersecurity technologies ensure the Commonwealth Bank and its customers are protected from cybercrime

Our cover story this month charts how the Commonwealth Bank is strengthening its cybersecurity posture to protect 16 million customers

Welcome to the latest issue of Interface magazine!

Cybersecurity, and the need to share data safely and securely, goes beyond the day-to-day requirements of one organisation; it’s about enterprises at all levels collaborating to develop an ecosystem for the greater global good.

CommBank

Our cover star Memo Hayek, General Manager Group Cyber Transformation & Delivery at CommBank, is leading a team on such a journey while executing the technology transformation required to fortify cybersecurity for CommBank. Leveraging the latest cutting-edge technologies from partners including AWS and Palo Alto Networks – in demand as the global attack surface grows – Hayek is flying the flag for women in STEM careers and delivering the strategies to ensure the bank, its Australian community and the wider global economy are protected from cybercrime.

https://www.youtube.com/watch?v=jQNXY2duLZs

Philip Morris International

Also in this issue, we learn how Philip Morris International (PMI) is instigating a digital revolution in the travel retail sector, merging the physical and online worlds by implementing a number of CX-driven initiatives framed around PMI’s IQOS brand, which is helping smokers switch to non-smoke products.

Valtech

We hear again from global business transformation agency Valtech on its efforts to embrace diversity across the length and breadth of its organisation to make it better able to provide solutions that touch all of society. Una Verhoeven, VP Global Technology, gives her perspective on the diversity debate and how that’s further supported in the technological evolution with the rise of composable architecture.

Digital Transformation

Elsewhere, we discover how biotech firm Debiopharm’s digital transformation journey is ushering in a new era for drug development and clinical trials. We also reveal the innovative global IT transformation plans of market-leading tile manufacturer Terreal.

Enjoy the issue!

Dan Brightmore, Editor

Our exclusive cover story this month takes a drive down the information superhighway with Auto Club Group and the Automobile Association of America.

Welcome to the latest issue of Interface magazine!

A customer centric approach to the creation and deployment of digital services is something that unites the business transformation journeys we explore in this issue of Interface.

Our cover story examines how one of the oldest organisations in the US – the Automobile Association of America (AAA) – and Auto Club Group, among its largest affiliates, are building trust in technology through cybersecurity to support more than 14 million members with a range of digital services. Chief Information Security Officer, Gopal Padinjaruveetil, explains: “Cybersecurity can be the brake in the information vehicle so a business doesn’t have to slow down, enabling it to accelerate change with confidence without putting the organisation, and its members, at risk.”

Elsewhere, we discover how insurance giant Generali is leveraging analytics and AI on a global scale for a structured approach to insurance services delivering long term security and peace of mind for its customers as a lifetime partner.

Delivering innovation on a global scale, SAP’s customer-centric business technology platform currently serves 91% of the organisations making up the Forbes Global 2000, while a staggering 70% of all global transactions touch an SAP system. We find out more…

Also in this issue, we hear from Insider on why Apple’s iOS15 update will impact ecommerce and data gathering; we get the lowdown from EY on the four key steps organisations should take to accelerate their digital transformation; and we learn from Pulsant how to identify and achieve your business transformation goals.

Enjoy the issue!

Dan Brightmore, Editor

Martin Riley, Bridewell Consulting’s Director of Managed Services, explains why a cyber security strategy can future proof your business and provide the platform for a successful digital transformation

Regardless of sector, digital transformation has become a business necessity for organisations in 2021. Described as the most important trend in business today, 65% of the globe’s GDP is expected to be digitalised by the end of 2022. And with promised benefits including improved operational efficiency, agility and employee productivity, it’s no surprise that businesses are going digital.

However, while there’s no denying the importance of digital transformation, different levels of organisational maturity can lead to different approaches and this is particularly apparent when it comes to security. Many organisations often take a reactive approach, whereby business and technology transformation are the priority and security is only considered afterwards. However, the risks from putting security on the backburner can be numerous, including higher costs and extended timelines to retrofit crucial security fixes.

More mature companies have a different approach – one that puts security transformation first, ahead of digital transformation, to ensure the best possible future-proofed outcome. Their success is now providing a valuable proven blueprint for other firms to follow. So, to reap the benefits of this approach where should you start?

Shift your mindset

Before embarking on any transformation, it’s imperative to get your strategy right. Move away from thinking purely about digital transformation and cyber security as separate strategies and instead develop a cyber security transformation strategy. This will ensure that you can reduce risk and improve your cyber resilience, even as your attack surface grows.

It may be that security transformation becomes the driver of your digital transformation: for example, if you have identified vulnerabilities within your legacy IT infrastructure that necessitate moving critical data to the cloud.

Take critical national infrastructure as an example… The convergence of IT and Operational Technology (OT) as well as increased legislative requirements, such as the Network and Information Systems (NIS) Regulation, is driving a clear need for cyber security transformation. Organisations need to adapt to gain a holistic view of cyber security across physical OT and cloud systems before transformation can take place.

Understand your risks

Digitalising your business ultimately introduces new risks. For example, new digital channels can broaden your attack surface, while poorly configured cloud-based infrastructure can pose easy targets for cyber attackers. There are also risks from the Internet of Things (IoT), which increases sensitive data proliferation (and by association, vulnerabilities), as well as authentication and access risks posed by remote working and connected supply chains. Before embarking on a transformation plan, you need to understand the security implications of any changes.

Assume zero-trust

In order to ensure that security is front of mind in your transformation, you need to adopt a philosophy of zero trust, where no individual or device is trusted. This involves verification by authenticating and authorising based on all available data points, utilising just-in-time and just-enough-access to limit user access and using analytics to drive threat detection. Not only does this help businesses to be prepared for cyber threats, it also articulates the value of security transformation to other departments.

Embed security from the outset

It can be tempting to simply keep investing in a growing number of security technology tools as and when your transformation takes place. However, all too often there is little integration, overlap and there are gaps in the coverage these tools offer. And while a well-configured set of security tools can provide coverage, many drive threat alerts that are false positives or benign positives, leading to fatigue and alert blindness. Instead, ensure security is a critical part of the initial design of your transformation strategy.

Use security intelligence to your advantage

Move away from a focus on prevention to response and make security intrinsic throughout the business by implementing proactive measures such as Managed Detection and Response (MDR). By combining human analysis, artificial intelligence and automation to rapidly detect, analyse, investigate and actively respond to threats, MDR can encourage alignment of security transformation with digital transformation.

An adaptive and customisable security model, MDR can be deployed rapidly and cost-effectively as a fully outsourced service or via a hybrid SOC. It helps develop a reference security architecture that enables you to safeguard on-premise and legacy systems, cloud-based infrastructure applications and SaaS solutions, whilst also protecting and responding to new security and user identity threats as well as reducing cyber risk and the dwell time of breaches.

Engage third party support

Finally, don’t neglect to seek help from outside your organisation. By engaging a security architect early on in your project lifecycle, you can benefit from robust and detailed analysis and expertise to ensure the correct decisions are made, tracked and traced from beginning to end. They can also help you understand the interdependencies across your IT estate, identify risks and suggest best practice, as well as legal and regulatory obligations to ensure you continue to be able to withstand a range of cyber attacks throughout your transformation.

Reaping the rewards of cyber security transformation

Every business is on a digital transformation journey, regardless of size or objectives. However, as organisations transform, so do technology and cyber threats. Those that fail to adopt a more proactive and efficient system for mitigating risks and for handling, responding to, detecting and learning from cyber security attacks will find themselves falling behind and the security function unable to keep up.

Ultimately, cyber and digital security should be thought of as inseparable – and those that can plan and integrate both into their transformation projects from the very beginning will be in the strongest position to succeed and future-proof their business.

By implementing a robust cyber security transformation process and proactive security measures, such as MDR that can support secure digital transformation, you can reap the benefits of a stronger, structured system for managing, isolating and reducing threats and continue to pivot, transition and serve in the new digital economy without leaving security on the side-lines.

Bridewell Consulting

Bridewell Consulting is a specialist cyber security and data privacy consultancy. NCSC Certified and CREST accredited, it provides reliable, high-quality security and risk consulting services; helping its customers protect not just their data, but their reputation, customer trust and bottom line. Providing four core service areas: cyber security, data privacy, penetration testing/red team assessments and managed security services, Bridewell’s expert team of professionals possess specialist industry experience and proven capabilities. They can deliver effective cyber security and data privacy services across financial services, pharmaceutical, manufacturing, technology, retail, media, government, aviation and 24×7 critical services. As a vendor agnostic business, Bridewell is able to effectively and honestly engage with business executives and provide advice, guidance and services in a way that is most appropriate for each organisation, ensuring that proposed solutions are aligned with its clients’ strategy, business objectives and the wider IT architecture.

Three in four senior corporate executives believe increasing financial investment is necessary to protect intangible trade secrets, according to new analysis commissioned by global law firm CMS and conducted by The Economist Intelligence Unit…

A new report released today commissioned by global law firm CMS and conducted by The Economist Intelligence Unit reveals that trade secret protection is rapidly rising up the corporate agenda as firms widely recognise the commercial imperative to protect vulnerable assets in light of more business conducted online and across borders. 

With more companies relying on an ever-greater proportion of intangible or ‘secretive’ assets, the findings show a marked shift in how executives are planning to tackle employee leaks, supply chain vulnerability, corporate espionage and cyber-attacks. According to a global survey of 314 senior executives across a range of industries, the three most valuable types of proprietary information held by organisations are customer databases (42%), product technology (40%), and R&D information (23%).

The report, ‘Open secrets? Guarding value in the intangible economy’, reveals that trade secret protection is no longer just a concern for the legal department, but a top priority at the board and C-suite level. The majority (75%) of respondents agree that increasing financial investment was necessary to protect their trade secrets. Measures must be taken to raise awareness of these assets more widely among employees, with 28% of respondents viewing a lack of in-house experience with trade secrets as a safeguarding challenge.

The most significant threats to the security of trade secrets are weaknesses in cybersecurity (49%) and employee leaks (48%). As firms increasingly store and share sensitive information across virtual and distributed workforces, companies face a range of unpredictable insider threats, including intentional leaks from disgruntled employees. This is the biggest concern for the UK, whilst the fear of cybercrime is front-of-mind for business leaders in France, China and the US, worsened by poor internal cybersecurity expertise.

Tom Scourfield, Co-Head of IP Group at CMS said: “Fifty years ago, a company’s value was derived solely from its physical capital. Today, the world’s most successful firms are built on intangible assets that are often secretive by nature – algorithms, customer data, product formulae. This report shows that firms must start taking a more holistic approach to protecting these intangible assets, from computer software to company values balancing restrictions with incentives – and importantly engage every level of their workforce. Without this strategy, protecting trade secrets will remain an uphill battle for many.”

Significantly, four out of five of the top measures that companies are planning to implement over the next two years focus on minimising employee leaks. These range from harsher measures such as closer surveillance of employees’ electronic activity through to more collaborative approaches that centre on improving the company culture and introducing innovative staff incentives.

“Willingness to snoop” is highest in China, Singapore and the United States. It is also a top preferred measure for executives in Technology, Media and Telecommunications, with 36% of respondents planning to implement surveillance over the next two years, reflecting the growing tensions between employers and employees in the technology sector. Efforts to improve work culture are clearly felt more widely in other industries, with almost a third (31%) calling for corporate values to shift towards encouraging trade secret protection.

As companies become increasingly wary of cybercrime and ransomware attacks, the majority (82%) agree that leveraging cybersecurity software is key to protecting their organisation in the long-term. However, only half (53%) believe it is the most effective deterrent or have already restricted digital and physical access to confidential information (55%). 

Hannah Netherton, Employment Partner at CMS adds: “It’s overwhelmingly clear that the threat of employee leaks is driving a need for new strategies to guard valuable assets. Companies must find the right balance between perfecting their cybersecurity protections and creating a healthy company culture that incentivises trade secret protection and encourages speaking up through appropriate channels – even the most rigorous of protocols won’t prevent every employee leak or a disgruntled whistleblower. 

“The pandemic has opened doors to a digital workspace, where it’s easier for employees to accidentally or purposefully access and expose confidential information. It is impossible to protect trade secrets if employees are not aware of the sensitivities around these assets, so putting the right values and measures in place has never been more important to an organisation’s success.”

Aukje Haan, Co-Head of Commercial at CMS added: “With the introduction of the Directive on Trade Secrets, businesses will get a range of options to safeguard their most prized proprietary information. However, there are prerequisites to be able to invoke those options. Identifying and taking reasonable steps will be crucial, from NDAs, cybersecurity efforts through to employee regulation, as well as specific requirements depending on the nature of the business, e.g., online businesses will need to take more cybersecurity measures whereas manufacturing companies will need to take more physical measures on the factory floor.”

Governments around the world have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years…

Business ecosystems have expanded over the years owing to the many benefits of diverse, interconnected supply chains, prompting organizations to pursue close, collaborative relationships with their suppliers. However, this has led to increased cyber threats when organizations expose their networks to their supply chain and it only takes one supplier to have cybersecurity vulnerabilities to bring a business to its knees. To this point governments around the world have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years.

Looking beyond your own perimeter

Over the last few years, many organizations have worked hard to improve their cyber defenses and are increasingly “harder targets”.  However, for these well-defended organizations, now the greatest weaknesses in their defenses are their suppliers, who are typically less well-defended but with whom they are highly interconnected. 

At the same time, the cyber threat landscape has intensified, and events of the past year have meant that security professionals are not only having to manage security in a remote working set up and ensure employees have good accessibility, they are also having to handle a multitude of issues from a distance whilst defending a much broader attack surface. As a result, points of vulnerability have become even more numerous, providing an attractive space for bad actors to disrupt and extort enterprises. Threats have escalated, including phishing and new variants of known threats, such as ransomware and Distributed Denial of Service (DDoS) attacks, as well as increases in supply chain attacks.

But where supply chains are concerned, it is nearly impossible to effectively manage this risk unless you know the state of your suppliers’ defences and continually ensure that they are comparable to your own.  Organizations must deeply understand the cyber risks associated with the relationship and try to mitigate those risks to the degree possible.

However, that’s easier said than done. With the sending and receiving of information essential for the supply chain to function, the only option is to better identify and manage the risks presented.  This requires organizations to overhaul existing risk monitoring programs, technology investments and also to prioritize cyber and data security governance.

Ensuring the basics are in place

At the very least organizations should ensure that both they and their suppliers have the basic controls in place such as Cyber Essentials, NIST and ISO 27001, coupled with good data management controls. They should thoroughly vet and continuously monitor supply chain partners. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and protect against incoming and outgoing cyber threats. This needs to be monitored, logged, and regularly reviewed and a baseline of normal activities between the organization and the supplier should be established.

As well as effective processes, people play a key role in helping to minimize risk. Cybersecurity training should be given so that employees are aware of the dangers and know how to spot suspicious activity. They should be aware of data regulation requirements and understand what data can be shared with whom. And they should also know exactly what to do in the event of a breach, so a detailed incident response plan should be shared and regularly reviewed.

IT best practices should be applied to minimize these risks. IT used effectively can automatically protect sensitive data so that when employees inevitably make mistakes, technology is there to safeguard the organization.

Securely transferring information between suppliers

So how do organizations transfer information between suppliers securely and how do they ensure that only authorized suppliers receive sensitive data? Here data classification tools are critical to ensure that sensitive data is appropriately treated, stored, and disposed of during its lifetime in accordance with its importance to the organization. Through appropriate classification, using visual labelling and metadata application to emails and documents, this protects the organization from the risk of sensitive data being exposed to unauthorized organizations further down the line through the supply chain.

Likewise, data that isn’t properly encrypted in transit can be at risk of compromise, so using a secure and compliant mechanism for transferring data within the supply chain will significantly reduce risks. Managed File Transfer (MFT) software facilitates the automated sharing of data with suppliers. This secure channel provides a central platform for information exchanges and offers audit trails, user access controls, and other file transfer protections.

Layering security defenses

Organizations should also layer security defences to neutralize any threats coming from a supplier.  Due to its ubiquity, email is a particularly vulnerable channel and one that’s often exploited by cybercriminals posing as a trusted partner. Therefore, it is essential that organizations are adequately protected from incoming malware, embedded Advanced Persistent Threats, or any other threat that could pose a risk to the business.

And finally, organizations need to ensure that documents uploaded and downloaded from the web are thoroughly analyzed, even if they are coming from a trusted source. To do this effectively, they need a solution that can remove risks from email, web and endpoints, yet still allows the transfer of information to occur.

Adaptive DLP allows the flow of information to continue while removing threats, protecting critical data, and ensuring compliance. It doesn’t become a barrier to business or impose a heavy management burden. This is important because traditional DLP ‘stop and block’ approaches have often resulted in too many delays to legitimate business communications and high management overheads associated with false positives.

Cyber criminal attacks set to rise

Many of the recent well publicized attacks have been nation state orchestrated. Going forward this is going to turn into criminal syndicate attacks. Cybercriminals already have the ransomware capabilities and now all they need to do is tie this up with targeting the supply chain. Therefore, making sure you have the right technologies, policies and training programs in place should be a top priority for organizations in 2021. If you are interested in finding out more about protecting your supply chain, why not download our eGuide: Managing Cybersecurity Risk in the Supply Chain.

With industrial organisations ramping connectivity to accelerate digital transformation and remote work, threat actors are weaponising the software supply chain and ransomware attacks are growing in number, sophistication and persistence.

A new report from Nozomi Networks Labs finds cyber threats to industrial and critical infrastructure have reached new heights as threat actors double down on high value targets. With industrial organisations ramping connectivity to accelerate digital transformation and remote work, threat actors are weaponising the software supply chain and ransomware attacks are growing in number, sophistication and persistence. 

“This report leaves no doubt that the time for action is now,” said Nozomi Networks Co-founder and CTO Moreno Carullo. “The recent Oldsmar, Florida, water system attack and the ongoing SolarWinds investigation are dramatic reminders that the critical infrastructure and other systems that we rely on are vulnerable and at constant risk of attack. Understanding the effectiveness of defenses against the emerging threat and vulnerability landscape is vital to success.” 

Nozomi Networks’ latest “OT/IoT Security Report” gives cybersecurity professionals an overview of the OT and IoT threats analysed by the Nozomi Networks Labs security research team. The report found:

  • Ransomware activity continues to dominate the threat landscape, growing in sophistication and persistence. In addition to demanding financial payments, Ryuk, Netwalker, Egregor and other ransomware gangs are exfiltrating data and deeply compromising networks for future nefarious activities. 
  • Supply chain threats and vulnerabilities show no signs of slowing. The unprecedented SolarWinds attack not only infected thousands of organisations including U.S. Government agencies and critical infrastructure, but it also demonstrates the massive potential for attack via supply chain weaknesses. 
  • Threat actors are targeting healthcare. Nation states are using off-the-shelf red team tools to execute attacks and perform cyber espionage against facilities involved with COVID-19 research. Ransomware crews are targeting healthcare providers and hospitals, in some cases disrupting patient treatment. 
  • Analysis of 151 ICS-CERTs published in the last six months found memory corruption errors are the dominant vulnerability type for industrial devices.

“Urgency has never been higher. As industrial organisations race toward digital transformation, threat actors are taking advantage of greater OT connectivity to create attacks that aim to disrupt operations and threaten the safety, profitability and reputation of enterprises around the globe,” said Nozomi Networks CEO Edgard Capdevielle. “While threats may be on the rise, the technologies and practices to defeat them are available today. We encourage organisations to act quickly to implement the recommendations in this report. It’s never been more important or more possible to take the necessary steps to detect and defend critical infrastructure and industrial operations.”

Nozomi Networks’ “OT/IoT Security Report” summarises the biggest threats and risks to OT and IoT environments. The report provides information on 18 specific threats that IT and OT security teams should study as they model threat vectors and evaluate risks across operational technology systems. It includes 10 key recommendations and actionable insights to improve defenses against the current threat landscape.

A global shift to remote working has accelerated digital transformation and prompted a higher degree of focus on cybersecurity, according to Kaspersky’s latest report.

Transitioning from a corporate office environment to working from home, coupled with financial restraints due to economic recession, has presented cybersecurity experts with challenges that not many had seen before.

From February to March 2020, a 569% growth in malicious website registrations was detected and reported to INTERPOL, including malware and phishing. In April, there was a huge spike in ransomware attacks by multiple threat groups that had been previously dormant for months.

Cybercrime threats are expected to rise as more opportunities present themselves in the coming months. Fake vaccine registration websites will aim to steal data, whilst business email compromise schemes aim to take advantage of the economic downturn and shift in the business landscape.

Protecting the perimeter of a company is no longer enough: there is a desperate need now for home office assessment with tools to scan the level of security. Discouraging poor internet practices such as connecting to an unprotected Wi-Fi hotspot should be top of the list, with VPNs and multifactor authentication systems being offered as a solution.

With an increased reliance on cloud technology and services, dedicated management and protection measures are now a necessity for businesses. Around 90% of employees use non-corporate software and cloud services, such as messaging apps, and this is unlikely to change any time soon.

To ensure that any corporate data is kept under control, better visibility over cloud access will be necessary. IT security managers will need to align themselves with this cloud paradigm and develop skills for cloud management and protection.

This is why, according to Kaspersky, the quality of protection is “no longer up for discussion.”

“Quality protection is now a must have,” reports Alexander Moiseev, Chief Business Officer at Kaspersky.

“Another major trend is that deep integration between various components of corporate security, ideally from a single vendor, now plays a bigger role. For instance, there was a long-held belief in the industry that various specialised solutions from various vendors can help create the best combination for protection.

“Now, organisations are looking for a more unified approach with maximum integration between different security technologies.”

You can read Kaspersky’s “Plugging the gaps: 2021 corporate IT security predictions” report in full.

James Hall, Commercial Director, Striata UK, explores the threats customers face and how to combat them.

With cybercrime escalating in volume and sophistication every year, consumer trust is a bigger challenge for organisations than it’s ever been. And while legislation such as the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) has made things simpler by setting minimum standards for organisations to adhere to, organisations need to do more to truly guarantee trust.

They should not, for instance, assume that their responsibility is over once a document has been delivered safely to the customer. If a customer’s personal devices are unsecured, there is still a risk that one gets hacked or stolen. This means that confidential information sent by the organisation could find its way into the public eye, or worse, get exploited for criminal purposes. Even if the organisation’s own security protocols are watertight, it could still end up shouldering the blame or have its reputation tarnished.

Fortunately, organisations can (and should) do everything they can to ensure that customer communications are protected throughout the information cycle.

Customers face multiple threats

When considering why it’s so important for organisations to protect customer communication even once it’s on the end device, it’s worth remembering just how many threats customers face.

The millions of mobile phones stolen every year alone represent a massive danger of identity theft. That’s before even getting to the number of people every year who fall victim to phishing scams or who have their information compromised after inadvertently installing malware.

According to Kaspersky Labs, the number of unique malicious objects detected by its web antivirus solution reached 24,610,126 in 2019. Some 85% of web threats detected were malicious URLs, making the risk of a customer unwittingly clicking on a URL an ever-present threat to data protection.

In short, while organisations have never been more aware of the need to keep their customer data safe internally, the threat to that data once it’s on the customer’s device continues to increase.

Data protection by design

One solution to mitigate these threats is for organisations to bake data protection into the design of their customer communications. Data protection by design is about considering data protection and privacy issues upfront in everything the organisation does, especially when it comes to customer communication. This not only ensures compliance with relevant legislation, it can save the organisation reputational damage and, ultimately, revenue.

But what does data protection by design look like practically?

Well, encryption and password protection should be non-negotiable for starters. Encrypting and protecting important documents ensures that even when it resides on the customer’s smartphone or laptop, the information cannot be easily accessed if the device is stolen or hacked.

Encryption is a process that encodes a message or file so that it can only be read by the intended recipient. Encryption scrambles, or encrypts, data which the receiving party can only unscramble, or decrypt, using a key (a string of values or an application).

Password protection, meanwhile, means a document cannot be opened without entering a shared secret known only to the sender and recipient. Requiring a password to access a secured document not only adds another layer of protection, but has other benefits. In the unlikely event that a document is sent to the wrong person, the incorrect recipient cannot open the document (personal information remains private) thereby avoiding a data breach.

Customer education is key

While it’s obviously important that the organisation does everything in its power to protect and encrypt information, customer education remains the most powerful weapon in its arsenal. Cybercriminals can find their way around new technologies, but tech-savvy customers are much harder to crack.

If an organisation can help its customers avoid risky behaviour and protect their personal information, no matter where it sits, they’re much less likely to fall victim to cybercrime. That, in turn, means reduced reputational and financial risk.

As existing technologies reach maturity and innovations make the leap from consumer applications to business (and vice versa), it’s imperative that we constantly seek to find those that have the potential to add value to our own business and those of our customers. As we look ahead to 2020, Johan Paulsson, CTO, Axis Communications has identified five trends that will have an impact on the physical security industry. 

  1. The world on the edge
    We are seeing a growing momentum towards computing at the ‘edge’ of the network[1]. More of the devices that are connected to the network require or would benefit from the ability to analyse received data, make a decision and take appropriate action. Autonomous vehicles are an obvious example. Whether in relation to communications with the external environment or through sensors detecting risks, decisions must be processed in a split second. It is the same with video surveillance. If we are to move towards the proactive rather than reactive, more processing of data and analysis needs to take place within the camera itself.
  2. Processing power in dedicated devices
    Dedicated and optimised hardware and software, designed for the specific application, is essential with the move towards greater levels of edge computing. Connected devices will need increased computing power, and be designed for purpose from the ground up with a security first mindset. The concept of embedded AI in the form of machine and deep learning computation will also be more prevalent moving forwards.
  3. Towards the trusted edge
    Issues around personal privacy will continue to be debated around the world. While technologies such as dynamic anonymization and masking[2] can be used on the edge to protect privacy, attitudes and regulation are inconsistent across regions and countries. The need to navigate the international legal framework will be ongoing for companies in the surveillance sector. Many organizations are still failing to undertake even the most basic firmware upgrades, yet with more processing and analysis of data taking place in the device itself, cybersecurity will become ever more critical.
  4. Regulation: use cases vs technology
    Attitudes towards appropriate technology use cases and the regulations around them differ around the world. Facial recognition might be seen as harmless and even desirable. However, when used for monitoring citizens and social credit systems it is regarded as much more sinister and unwanted. The technology is exactly the same but the use case is vastly different. Regulations are struggling to keep pace with advances in technology. It’s a dynamic landscape that the industry will need to navigate, and where business ethics[3] will continue to come under intense scrutiny.
  5. Network diversity
    As a direct result of some of the regulatory complexities, privacy and cybersecurity concerns, we’re seeing a move away from the open internet of the past two decades. While public cloud services will remain part of how we transfer, analyse and store data, hybrid and private clouds are growing in use. Openness and data sharing was regarded as being essential for AI and machine learning, yet pre-trained network models can now be tailored for specific applications with a relatively small amount of data. For instance, we’ve been involved in a recent project where a traffic monitoring model trained with only 1,000 photo examples reduced false alarms in accident detection by 95%.

[1] https://en.wikipedia.org/wiki/Edge_computing

[2] https://www.axis.com/blog/secure-insights/privacy-security-industry/

[3] https://www.axis.com/en-gb/newsroom/article/ethics-trust-security-value-chain

Critical guide published today calls for effective cyber security lifecycle management of IoT devices to improve the security of retail systems and the protection of customer data in a stringent GDPR era. 

Axis Communications, the market leader in network video technology, has published its latest whitepaper, Cyber security: the biggest threat to retail, which highlights the increasing threat posed by cyber-attacks to today’s retail industry. The paper documents the measures that should be understood by everyone from data controllers and loss prevention & security personnel through to heads of operations, to ensure the highest levels of security and provide the appropriate education and training for all key stakeholders to effectively mitigate the mounting cyber security threat.

The growth in and use of IoT devices and cloud technologies have opened up boundless possibilities for modern retail organisations across physical and digital platforms. However, customer data is at the heart of a frictionless shopping experience and presents an attractive commodity to cybercriminals, with attacks growing in number on those retailers whose systems are inadequately secured. It has been reported that in the last 12 months there have been 19 significant data breaches[1], which present a major risk for both retailers and customers.

In addition to the immediate disruption and downtime a breach can cause, the damage to the reputation of a business or brand can be lifelong. Furthermore, GDPR-related fines from the ICO can now be as much as €20m or 4% of global annual turnover, whichever is higher, which demands that necessary steps be taken to guard against attack and protect existing infrastructure. Axis’ whitepaper creates awareness of the challenges being faced and looks at how effective cybersecurity lifecycle management of IoT devices will help to better manage security and ultimately maintain customer trust.

“Any organisation that generates or manages personally identifiable information (PII), effectively any data that could potentially identify a specific individual, must comply with GDPR. Establishing a truly secure retail solution can only be accomplished if security has been analysed at every stage. The key is to ensure that everyone involved understands the security implications of a breach and how to prevent one. Collaboration with system vendors, integrators and installers is also hugely important, and conversations across the supply chain will ensure requirements are met and security risks are adequately addressed,” says Steven Kenny, Industry Liaison Architecture and Engineering, Axis Communications.

Alongside greater awareness of the need to comply with the GDPR, the Axis whitepaper stresses the importance of looking to guard against system vulnerabilities by working with trusted vendors who can install only those security technologies that are deemed to be Secure by Default. These technologies have been built from the ground up with cybersecurity considerations at the forefront. Technologies that are cyber secure offer peace of mind when connected to a network, and come with assurances that stringent guidelines are followed during the design and manufacturing process. Surveillance camera technology designed and manufactured in this way assures retailers that these security solutions will not be used as a backdoor into the network; such is the risk of introducing non-secured hardware.

Key points covered in the retail whitepaper include:

  • Review of cybersecurity challenges – Supply chain attacks, IoT vulnerabilities, the impact of operational downtime
  • GDPR, data protection and privacy – Examining the necessary actions to ensure full compliance with the GDPR and DPA 2018
  • Video surveillance insights – Understanding how data analysis can inform security and business decisions, and supply chain evaluation
  • Managing security effectively – Processes and tools to help the design, development and testing of systems in accordance with cybersecurity principles
  • Converged security – A collaborative approach to addressing cybersecurity risks

“The retail industry is deemed the most at risk to cyber threats. It is crucial to find the balance between enhancing the customer experience and maintaining GDPR compliance; providing adequate security whilst not violating customer privacy,” says Graham Swallow, Retail segment lead, Northern Europe, Axis Communications. “While video surveillance systems are a necessity within the retail environment, many organisations have re-evaluated their entire strategy in order to ensure full GDPR compliance. Retailers must be able to rely on technologies that support their operational requirements and address associated risks, while at the same time, supporting IT security policies.”

This whitepaper provides retailers with expert guidance, highlighting the appropriate policies and procedures around the cybersecurity of IoT devices, and reinforces the importance of selecting trusted vendors and partners. Axis is passionate about using technology to help create a smarter and safer world. This is demonstrated by a commitment to helping retailers understand the benefits of connected physical security systems that deliver on the promise of better protection of the business and customer.

Data breaches are costly. According to a recent Ponemon Institute study, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there is still a discernible impact on the organisation’s stock valuation three years post-event.

By Josh Lefkowitz, CEO of Flashpoint

Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cybersecurity must no longer be considered an IT issue; it’s a matter for the board in its role as custodian of shareholder value. By managing cyber risk as part of the overall organisational risk strategy, boards can put it into a commercial context and drive the cultural awareness of risk that is essential to promote cyber resilience across the business.

Making the shift from technology-centric to business-centric risk management

Elevating cyber risk management to the board level is not without challenges, however. We are still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect: many boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the board really needs to carry out effective oversight. This challenge was underlined by EY interviews that found difficulties “obtaining relevant, objective and reliable information, presented in business-centric terms…[and this] affects board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”

This area is where the evolving role of the CISO—sitting between the business and the board—requires a mix of skills. CISOs need both technical expertise in analysing and interpreting threat metrics and technology performance, and the ability to apply these skills in a broader business context for board directors so they can deliver strategic cyber risk oversight and governance for the business.

Reporting to the board – from numbers to narrative

While increasingly boards are factoring cyber skillsets into their succession planning when recruiting new board members, most current board directors don’t have deep experience in cybersecurity. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.

Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DDoS attack might cause reputational risk, operational risk and strategic risk. And, of course, the flipside of risk is compliance, so the board also needs to know how cybersecurity incidents could impact data privacy and governance.

It’s the role of the board to challenge senior management robustly in order to deliver effective oversight, so CISOs should be ready to answer questions around the organisation’s cybersecurity maturity and the frameworks established to manage emerging threats.

However, while numbers and frameworks are valuable in helping boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If board directors are given a window into the environment, tactics, and motivational psychology of actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, board directors can become an asset to the CISO in promoting a cyber risk-aware culture not just as a tick-box exercise, but because they have genuine appreciation of the factors, and indeed actors, in play.

To achieve this board-level buy-in, CISOs need to move from numbers to narrative to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.

It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber-attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.

Deep and dark web forums, chat services, and other platforms are often where cybercriminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, intellectual property, and stolen data may be offered for sale. An overview of the company’s profile across the deep and dark web, as well as other illicit online communities, and the kinds of tactics that are being discussed, is a powerful way CISOs can help directors gain context to understand what the business faces.

Illustrating third-party risk

Third-party risk, including supply chain weaknesses, is a hot topic among board rooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in, or threats to, partner organisations. This intelligence can help boards meet objectives to manage supply chain risk.

Successful cyber risk oversight by company boards relies on them receiving a combination of auditable metrics, risk impact assessments and contextual information enabling them to provide informed oversight of cyber risk. Greater understanding of the threat actor environment also assists boards in leading a risk-aware culture across the business, moving from a tick-box approach to a genuine cultural shift.  

How digitalisation is bringing the fight to industrial security threats

It’s no longer a question of whether your business will be attacked, but rather when it will be attacked. Cyber attacks, particularly those on public sector and utility businesses, are now a regular, often daily occurrence. Here, Robin Whitehead, managing director of systems integrator Boulting Technology, explains how this is impacting the role of the chief information security officer (CISO) and resulting in the need for end-to-end digitalisation.

It’s a simple fact that data makes the modern economy turn. Being the first business to take action, based on the insights gained from some pivotal piece of information, gives businesses a distinct competitive advantage. However, it’s also quickly becoming a fact of life that the same data is being targeted by skilled cybercriminals intent on stealing this new currency and even causing maximum damage to infrastructure.

We can see the potential scale of cyber crime if we look at the number of data breaches made each month. For example, in December 2017, security firm IT Governance reported that 33.8m records — including a mixture of personal and business information — had been leaked around the world. In November 2017, the number was 59m.

Sophisticated cyber attacks

With the world facing the likes of WannaCry, Petya and NotPetya in 2017, sophisticated cyber threats are the biggest technological fear in 2018. Although sectors such as financial services and the public sector are most at risk, there have also been numerous high-profile attacks on utilities, oil and gas and food manufacturing environments in recent years.

At 9:30am on 27 June 2017, confectionery manufacturer Cadbury was hit by a cyber attack, which halted production at its Hobart factory in Australia. Computers at the facility were infected with the Petya ransomware virus and displayed a message on the screen demanding payment in cryptocurrency.

Later that same day, NotPetya — a variant of the Petya virus — went on to do further damage to facilities across Europe. NotPetya exploits a backdoor in the update system of a Ukrainian tax-preparation programme running on Windows and used by around 80 per cent of all Ukrainian businesses.

It uses a vulnerability in the Windows operating system called EternalBlue — originally believed to have been developed by the US National Security Agency (NSA) — to encrypt the filesystem’s master file table (MFT), preventing the system from locating its own files.

Launched on June 27, 2017 — on the eve of Ukraine’s Constitution Day holiday — NotPetya quickly spread to networks in Russia, France, Germany, Italy, Poland, the UK and the US and affected many sectors. “It’s massive,” Christiaan Beek, a lead scientist and principal engineer at McAfee, told WIRED about the situation in Ukraine. “Complete energy companies, the power grid, bus stations, gas stations, the airport, and banks are being targeted.”

The new CISO

It should come as no surprise then that the advice of IT and security experts is now being sought at the highest levels of business. The role of the chief information security officer (CISO) is also changing in response. Acting as the head of IT security, the CISO has traditionally been responsible for things like operational compliance and adherence to ISO standards as well as performing IT security risk assessments and ensuring that the business is using the latest technologies.

However, increasingly, the CISO must now also drive IT security and strategy, guiding everyone from the shop-floor staff to the most senior officials in the business on how best to protect them from cyberattacks. The modern CISO now takes a seat at the boardroom table, ensuring business continuity, come what may.

Modern CISOs need to be visionaries and good communicators in their own right, exerting their influence at all levels of the business to bring about long lasting technological and security change.

End-to-end digitalisation

For industrial businesses, this change cannot come soon enough. The desire to integrate manufacturing networks with the outside world and the increased use of smart data is driving efficiencies and cost savings in sectors from food and beverage, pharmaceutical and automotive to utilities such as gas, water and energy. At the same time, it’s also leaving them vulnerable to attacks that can lead to business disruption and extended periods of downtime.

Part of the reason for this is that many businesses have traditionally operated in silos, with information technology (IT) and operational technology (OT) experts not historically well aligned to the same objectives and outcomes. However, as we increasingly use more internet-connected devices such as PLCs, HMIs, intelligent motor control centres (MCCs), telemetry devices and smart meters — all relaying millions of data points to centralised and often remote SCADA and ERP systems — it will become crucial to take a joined-up approach to industrial operations. Cue end-to-end digitalisation.

For many businesses, replacing hardware and software to allow functionality such as standardised Fieldbus communications, real-time cloud data, analytics and centralised control across every aspect of their operations is neither a cheap undertaking nor one that is quick to enact.

After all, most engineering plant managers have built up a complex system over many years, retrofitting new components and modules to existing equipment. This is driving the need for end-to-end digitalisation, moving away from fragmented system control, maintenance and upgrade towards a holistic approach that encompasses system-wide transparency, alarms and notifications, including analytics that can deliver actionable insights to improve process efficiency.

At Boulting Technology we’re helping our customers introduce cybersecurity measures to retrofitted equipment in existing industrial setups. Our range of control systems, networking products, intelligent motor control centres and more, form an integrated system that gives engineers easy and secure access to their operation around the clock. Ultimately, end-to-end digitalisation will help companies respond to attacks and breaches in minutes rather than hours or days.

So, while we come to the realisation that cyber attacks are simply a normal part of doing business, take heed of your CISO’s advice and rethink your end-to-end digitalisation strategy.

By Bernard Parsons, CEO of Becrypt

The world of encryption is growing exponentially. Many smaller businesses, including those in the public sector supply chain, are looking at implementing encryption for the first time. This adoption has been driven by recent regulations such as GDPR, and the requirement to add encryption as a privacy-enforcing mechanism.

However, despite the numerous security benefits that encryption offers, there are a number of aspects for these businesses to consider. Based on the experience and feedback that Becrypt has attained working closely with our customers, I have summarised the top-five areas that small businesses should assess if they are looking at adopting disk encryption in 2019, or if they’re looking at undertaking wider rollouts of disk encryption.

Ease of use

Organisations must look for products that are easy to use and quick and easy to install. These are obvious requirements that are partly about reducing the time and expertise required to install products in the first place. An important subsequent point is total cost of ownership. If a product is not easy to install, it is usually a good indicator of a level of complexity that will remain as a long-term business overhead.

The more complex a product is, the more complexity there is to manage. This leads to higher levels of required expertise. It also increases the potential for support issues to occur over time. This drives up the product’s total cost of ownership for the organisation.

Accessible support

Encryption can be a business-critical asset, as well as a business-enabling technology. It’s therefore important that you’re working with an organisation – whether that’s a vendor or the vendor’s partner – that can offer good, and accessible technical support.

Even if you’re choosing a product that’s easy to use, i.e. that’s going to reduce the amount of required technical support, you should still think about the potential for requiring support over the total life of the product. In a couple of years, you may be looking at doing something slightly differently, such as looking at encrypting new devices that may be non-standard (such as RAID Servers). Therefore, you will want to ensure that you can pick up a phone and talk to someone with sufficient expertise.

The option of phone-based support is important; being able to jump onto a call in a reasonable amount of time and actually talk to an expert. Therefore, we’d certainly recommend testing this process with a vendor or the partner before you go ahead and procure.

Proof of encryption

It’s a good first step to encrypt laptops, as organisations will always lose laptops. Encryption turns what would potentially be an information-loss, into just the loss of a physical asset. It protects the organisation’s information and addresses the organisation’s liabilities.

However, under regulations such as the General Data Protection Regulation (GDPR), there is often a requirement to prove that devices actually were encrypted in the event of a loss. This addresses some of the reporting requirements within these regulations. Proving that a device loss is not an information loss and avoiding the need to undertake breach notification, is something you want to be able to think about in advance. If you’re deploying a product that includes centralised management, that functionality should already be there. But many small businesses will choose to deploy in a more stand-alone configuration. Deploying with a central management platform increases cost but also increases risk.

With standalone installs, you should still ensure that the product has a reporting capability of some kind, such as online. This allows the encryption status of your estate of devices to be reported.

Extendibility

In the first instance, you may be looking at deploying encryption within an estate of Windows devices. As technology changes and refreshes, it could be the case within a year or two that you have other requirements. You might need to manage encryption on Mac devices, or on smartphones and mobile devices within that same suite of products. Therefore, it’s a good idea to look for vendors that have multi-platform offerings, helping to future-proof your technology choice. This will ensure that you’re not tied to a vendor, while at least ensuring that your existing vendor is an option as your requirements grow.

Using product certification and assurance schemes

It’s a good step to encrypt devices and be able to prove that you’ve encrypted them. However, there is an increasing regulatory requirement to demonstrate that you’ve gone through some process of ensuring that the technology you’re adopting represents best practice. For example, GDPR explicitly references ‘state-of-the-art’ technology.

To fully ensure that you’re managing liabilities, you need to evidence that you’re not just adopting technology, but that it’s appropriately ‘state-of-the-art’. Achieving this level of confidence can only be done by looking at technology that has third-party validation, normally through product assurance or certification. This provides independent validation that the product is of an appropriate quality.

There are a variety of common certification schemes relevant for encryption products. One of these is the US standard, Federal Information Processing Standard (FIPS), which ensures that algorithms have been correctly implemented. However, organisations must be wary of adopting technology just because it has a FIPS certification. The majority of products use the same algorithms, such as Advanced Encryption Standard (AES). FIPS ensures that a third-party has validated that the vendor has correctly implemented the algorithm. However, vendors can, and still do, implement products inappropriately which leave vulnerabilities.

A good example of such vulnerabilities in encryption products is within Solid State Drives (SSDs). Recent research from Radboud University in The Netherlands has highlighted vulnerabilities in not just one vendor, but a whole range of vendors’ SSDs. Vendors can take shortcuts, which means that resulting vulnerabilities can be discovered. In this case, researchers were able to bypass the encryption within SSDs.

Organisations are better off looking for certification schemes that are more comprehensive. One example is the Commercial Product Assurance (CPA) scheme, run by the UK National Cyber Security Centre (NCSC). CPA works alongside FIPS for validating algorithms, but it says more about the overall product quality and implementation, looking at the security architecture to make sure that it has been designed and implemented in a sensible way.

It also looks at the vendor coding and build standards, thereby reducing the risk of there being a vulnerability in the product. The risk is never fully mitigated, but it certainly goes down to a point that allows you to say that, as an organisation, you are adopting best practice.

The importance of due diligence when adopting encryption

Organisations, particularly SMEs, should consider these five key steps as they adopt encryption. Alongside security and liabilities, they also need to be concerned about the cost of being caught out by products with publicised vulnerabilities. Subsequently, they also need to think about the cost of then changing to a different solution.

Ultimately, adopting encryption is not rocket science. During their studies, the aforementioned researchers from Radboud University highlighted that implementing encryption well is not easy, and it is easy to make mistakes. However, most good vendors, or their partners, should be able to advise you on the above best practice steps to take.