p>Digital transformation for chiefs and owners. Volume 3. Cybersecurity
Dzhimsher Chelidze
Cover designer Alexander Peremyshlin
Illustrator Alexander Peremyshlin
Editor Alexander Peremyshlin
© Dzhimsher Chelidze, 2024
© Alexander Peremyshlin, cover design, 2024
© Alexander Peremyshlin, illustrations, 2024
ISBN 978-5-0064-4211-5 (т. 3)
ISBN 978-5-0064-2489-0
Created with Ridero smart publishing system
Foreword
Hello, dear reader. This is the final book on digitalization and digital transformation. In the first book, we looked at what digitalization and digital transformation are, why they are needed, what is the difference, what are the pitfalls. In the second they were introduced to the system approach, which is applicable not only for digital transformation, but also in general for any business. The system approach combines proven tools and digitalization, is accessible to anyone and aims to increase the impact of digital technologies, as well as to minimize the risks associated with the organization of work. At the same time, in the first part we talked that in the role model for digital transformation a specialist in information security is needed. Additionally, this is the direction I decided to devote a separate book.
It would seem that digitalization and cyber-free are incompatible, but it is impossible to continue digitalizing without befriending them. Recently at Denis Batrankov I have met a good definition of why it is necessary to deal with information security now: Previously, security was built on the story of the shark: you do not need to be ahead of everyone floating from it – enough to be ahead of the latter. However, now, when you are the target of the shark – it is more difficult to defend”. Additionally, this definition very accurately describes the current situation, as every year hackers’ attacks become more targeted. Additionally, 2022 in general became a landmark.
This book would not have been without the research of Positive Technology (hereinafter – PT), which became my first guides to the world of cybersecurity. Additionally, if you like to immerse yourself thoroughly in the primary sources, details, I recommend you study these studies. QR codes and links to them will be at the end of the book.
The book consists of three parts. The first is devoted to the review and analysis of the current situation. There will be many numbers, statistics, analysts, money. The task of the first part – to form your awareness of the problem and the understanding that information security (hereinafter – IS) – is a direction as strategic as all digitalization, and it is worthy of your attention. The main thesis is at once – a bottleneck in security, as in all digitalization – processes and people, not only yours, but also in the team of software developers (further – software).
The second part deals with the integration of information security from a systems perspective.
Well, the third part is devoted to practical recommendations on what to do here and now, how to choose IT solutions for information security, what people need to know and what competencies are needed.
If you’ve read previous books, you already know my approach – to control someone and delegate tasks, to trust your team, you need at least a basic understanding of its work. And the key task of the whole book is to give you the basic knowledge to build effective work with your team and the IS Director (hereinafter – CISO) with the least labor and risk for you.
Additionally, to avoid any misunderstanding, let’s look at the difference between information security and cybersecurity?
Information security is an activity that involves the prevention of unauthorized access, use, disclosure, distortion, modification, research, recording or destruction of information.
Cyber security is all the same, only related to IT systems and computers.
Part 1. Why deal with information and cybersecurity?
Chapter 1. Immersion and About Money
In 2023, it is already obvious that without the use of digital technologies it is impossible to conduct business, live comfortably, and manage the state.
If we talk about public services, public services in the form of online services are developing around the world. Russia is among the world’s leaders. I, for example, I use the state’s digital services to record a child to a doctor, and to view his vaccinations with test results, and to pay fines, taxes, tax returns.
If we talk about the commercial sector, it can no longer without online: payment for goods, booking tickets, receiving services, consultations, the appearance of digital advisers.
In general, digitalization and automation everywhere. Additionally, if you ignore them, you will be simply uncompetitive. Additionally, if you want to understand what is waiting for us in about 5—10 years, I recommend reading the observations of Yevgeny Bazhov about what is happening in China, in his book Made in China. How to conduct online business in Chinese”.
Let us also, for example, touch on the work with personnel. Without cloud technology and hybrid / remote operation, it will be much more difficult for you to attract talented employees and/or you will significantly overpay for them. Yes, the labor market is changing, of course, and now again the employer is starting to dictate its terms to the average worker. However, this is about the average worker. Additionally, if you want to attract talent, removing is a powerful advantage. According to my personal observations the removal/hybrid saves up to 30—40% on the wage fund. Young, flexible, hungry to the success of the company are actively using it. Additionally, one of the tendencies I see in job openings is that people who want to pay less just give you the opportunity to work remotely. Of course, I do not keep detailed statistics on the closing dates of these vacancies, but they close quickly. It seems even faster than companies with higher salaries, but the requirement to be present at the office daily.
It would seem that this is happiness – digitalization. However, where there are opportunities, there are risks. For example, the development of removals in the year 2020 led to an increase in hacking messengers and collective conference systems. Okay, well, if we could just plug in and crash the online meetings, but the hackers have a different tactic – they copy confidential meeting and chat records to go after extortion. Another modern trend is the encryption of internal files for ransom.
It is also necessary to look at the small developers of IT products: they themselves may not be of interest to anyone, but they may be attacked in order to build into their product malware, and through it attack a large company. Additionally, you can realize such a scenario without even attacking the IT infrastructure – you just need to recruit a remote employee who will make the necessary changes to the code. This approach, when large companies are attacked through contractors and suppliers, is called “supply chain attack”. This is another of the main trends since 2021. In 2022, up to 30% of targeted attacks were on this tactic.
The risks are added by the increase in the complexity of IT solutions, and the decrease in the qualification of the average developer, because the cheaper the developer, the more profitable everything from the point of view of economics. Competition and the market want complex solutions at a minimum price, which obliges to look for ways to reduce the cost of the product. However, all of this leads to an increase in the number of holes in IT solutions. Additionally, you’re not only facing direct financial and legal risks associated with penalties from suppliers and government and criminal liability, but also reputational damage. And if you go public, it’s also the downside risks of capitalization.
The most striking example of this is the attack on SolarWinds. Their clients were US government agencies and over 400 major American companies. Hackers embedded the virus in their solution and attacked their clients. The result is a 40% drop in the value of the shares in a few weeks.
If