Technology risks: What CIOs should know and steps they can take
Adopting new tech helps businesses thrive, but CIOs must be aware of accompanying risks. Experts sound off on how new tech continues to muddle the cybersecurity threat landscape.
The cloud, AI and IoT have become ubiquitous in the business setting, but the technology risks that come with adopting these innovations have ushered in a wave of unprecedented security concerns for businesses.
Organizations that use any technology or service model that connects to the public internet -- whether the cloud, AI or an IoT tool -- leave the door open for hackers to access their data and upload malware, OpenVPN CEO Francis Dinha and other experts said.
"It is not an exaggeration to say you're essentially putting your entire business at risk if you do not ensure these tools are completely secure," Dinha said. "If you start using one of these new tools assuming your technology is secure, you're starting out at a disadvantage."
Another problem is that many users assume that new technology is developed with security in mind, when the reality is most developers and designers do not have a security background. A general lack of awareness about technology risks and a lack of user education about their role in the process add to these risks, Dinha and other experts added.
For CIOs, it's important to look past the ways new technology can benefit the company and consider the associated, underlying risk that comes with it. To start, they should consider use cases that serve as prime examples of how certain technologies can be abused, TCE Strategy CEO Bryce Austin said.
"CIOs need to think like a potential criminal before they bring [any new] technology into their organization," Austin said.
Cloud data security concerns
Ed Featherston
The cloud certainly enables business scalability and flexibility, but it can also introduce a variety of new challenges and technology risks, said Ed Featherston, vice president and principal cloud architect at Cloud Technology Partners.
Organizations are often operating under the on-premises data center mindset -- where there is full control over all the assets, storage, compute and network -- when moving to a cloud environment. Cloud computing turns that concept on its head, Featherston said, and understanding the differences is critical to dealing with the threats and risks associated with cloud implementation.
A lack of appropriate compliance and control mechanisms can result in inadvertent security risks like the highly publicized AWS S3 bucket data breaches, he added.
CIOs don't want to prevent their organization from taking advantage of the flexibility that cloud offers, but they need to provide control processes and alerts to avoid intentional and unintentional violations that put their organizations' data at risk.
"It is a delicate balancing act between providing the benefits of a cloud environment to an organization in an easy to use fashion vs. protecting your data," Featherston said. "I liken it to walking a tightrope over a tank of hungry sharks: One misstep in either direction can be very dangerous."
AI and IoT technology risks
Although AI and IoT devices bring increased convenience and connectivity, this accessibility also creates a larger attack surface for cybercriminals to exploit, said Jessica Ortega, product marketing specialist and member of the SiteLock research team.
Artificial intelligence can automate mundane tasks and make complex tasks easier, she said, but when not properly secured it can easily expose sensitive data to cyberattacks.
"Automated systems are often created to fill a gap in processes out of necessity or in an emergency, but that means that security is an afterthought," Ortega said.
Avivah Litan
Another issue with machine learning algorithms is a lack of transparency: Most cybersecurity professionals don't know what's inside them, Gartner analyst Avivah Litan said. Security vulnerabilities can also arise from a third-party algorithm created with malicious intent, she added.
When it comes to technology risks stemming from IoT, Ortega pointed to the lack of proactive security in connected devices creates malware vulnerabilities that malicious actors use to access company's internal data.
What CIOs can do to ward off technology risks
Litan's advice for CIOs is to steer away from adopting any technology that they don't completely understand. CIOs also need to hire the right people on their team to implement and manage these complex technologies, she added.
For example, data scientists and AI specialists are in high demand as new tech is incorporated in enterprise processes.
"The bottom line is you can't manage anything that you don't understand. You need to make sure you understand what it's doing and need to have quality control processes [in place]," Litan said.
CIOs need to think like a potential criminal before they bring [in any new] technology into their organization.
Bryce AustinCEO, TCE Strategy
CIOs should ensure that any new technology is only accessible to those who absolutely need it for their job, OpenVPN's Dinha recommended. Any access point should utilize two-factor authentication to keep hackers from taking control with brute-force attacks, and CIOs should educate their teams to make sure they understand technology risks and their role in protecting the company's data and privacy, he said.
"Have a clear policy on how cybersecurity is managed with each individual piece of new technology and educate everyone on the best practices," Dinha said.
When developers are creating AI or task automation, CIOs should be wary of what shortcuts their teams take and what "Band-Aids" are being deployed, SiteLock's Ortega said. One major concern is to ensure that AI has access only to the data necessary to complete its assigned task, she explained.
"Taking a proactive approach and instilling a culture of security awareness stops convenience from becoming dangerous, keeping sensitive data safe at every level," Ortega said.
Bryce Austin
Given the evolving cybersecurity threat landscape, Austin said it's time for organizations to make the shift to behavior-based cybersecurity. Isaac Sacolick, president at StarCIO and author of Driving Digital: The Leader's Guide to Business Transformation Through Technology, agreed.
"It's a significant challenge to use traditional rule-based cybersecurity technologies that protect the perimeter, and enterprises need to consider technologies that study and respond to behavioral and pattern based security events," Sacolick said.
The classic network perimeter or on-premises security mentality is not enough in the current digital age, Cloud Technology Partners' Featherston said. While the perimeter is still a factor and important security consideration, CIOs must consider how business innovation creates unforeseen risks for the company.
And because these innovations evolve so rapidly, CIOs must make sure their company's security efforts follow suit.
"The barbarians are at the gates, leveraging every technology tool in the toolbox with one, and only one, business goal in mind: getting at your data," Featherston said. "Security in this new day and age is never a once and done. It is a constantly moving, changing and evolving process."
Ed Featherston
Avivah Litan
Bryce Austin
