It Can Be Digital, Should It Be Digital?
This edition examines digital transformation pitfalls in light of the cybersecurity breach suffered by Medibank, Australia's largest private medical insurer
The recent data breach suffered by Medibank, one of Australia’s largest medical insurers, and the subsequent data dump of some of the company’s 9.8 million customers highlighted clear risks and vulnerabilities in a world where data and business processes are increasingly digitalised.
Medibank’s data breach is certainly high profile, but it’s not even the only one this month in Australia! Just a few weeks ago, Microsoft and Woolworths (Australia’s largest supermarket chain) announced their own data breaches. In September, Optus, one of Australia’s largest telecom operators, also revealed a data breach affecting close to 3 million customers. In light of these cybersecurity issues, the question that should be on everyone’s mind is: which aspects of life and business should we continue to digitally transform, and how?
Why Digitalise in the First Place?
To answer these questions, it’s important to understand what has sparked companies’ interest in digitalising data and services and in using cloud technology services. The key reason, as one would expect, is the promise of lowered costs and of unlocking new sources of revenue. Woolworths’ cloud transformation aimed to improve the organisation’s ability to respond to customer needs (read, lower costs). Medibank’s digital transformation looked at improving technology functionality and reducing the load on their call centres (read, lower costs). Toll’s AU$ 420 million digital transformation just prior to the pandemic aimed at a "reduction in duplication, the implementation of a standard set of IT offerings, and improvements in service provision" along with outsourcing IT operations to India (read, lower costs). The quest for improved cost structures and profits has pushed many organisations towards digital technology and digital transformation solutions that promise to position businesses at the leading edge of their industries. The same quest, however, may have blinded some businesses to the costs of digital technologies.
Digital transformation incurs direct and indirect costs. Direct costs are the most visible for companies - the cost of the technology and the risk that the technology will fail to deliver the expected benefits - McKinsey estimate the risk that digital transformations fail at around 86%. The indirect costs of digital technologies come mainly from cybersecurity risks. Digital transformation projects create a virtual door accessible from anywhere in the world - either directly, through customer or employee portals, or indirectly, by accessing cloud-based services. When a door reachable from anywhere in the world is made, it won’t be long until someone tries to break in. Apart from the costs of ransoms, which are often in the six digits, and the fines, also often six digits, the very real, yet invisible, costs come from lost business. Maersk’s cybersecurity breach was estimated to have cost the company US$ 300 million in lost business in only 10 days. Toll haven’t specified how much the two cybersecurity breaches in 2020 cost, but considering it took the company six weeks to recover, it’s safe to say lost business costs were likely in the dozens of millions.
A Flawed Zero-Trust Model
Proponents of digitalisation and digital transformations argue that everything should be digitalised and kept safe through a zero-trust model. The model segments access to digital tools and data into micro-perimeters and is controlled through a suite of biometric markers and artificial intelligence tools which detect real-time threats and abnormal behaviours by analysing patterns in user behaviour (credentials, location, timestamps or previous requests). The critique of the zero-trust model is rather obvious: you can’t fight fire with fire, and certainly you can’t fight digital security threats by using more digital data. If the enormous quantity of digital systems and data got us into this mess, it seems naive to expect that more data and digital systems will get us out of it. Rather, collecting more and more sensitive data and using increasingly sophisticated, interconnected digital systems is likely to increase the organisational vulnerability to cyberattacks.
The technology cost-benefit equation will also suffer. Imagine if organisations require sign-ins for every digital tool or every new database employees access. If one employee must spend 5 minutes a day verifying his or her identity, the company loses 3 days of work per year per employee just signing in. Generalise this to a 10,000-employee company and lost time accrues to 30,000 workdays per year.
Employees’ privacy suffers in the context of zero-trust digital operation models because of the use of pattern analysis and biometrics. What patterns should AI systems be allowed to use? Should it be audio, to ensure that the background language matches the employees’ home-office location? Should location be tracked even when the employees are off work, to ensure they’re not interacting with potential criminals? The more pre-emptive, cybersecurity-related surveillance companies instantiate, the less privacy their employees will have. Possibly the most important privacy question is what happens when employee biometrics databases are inevitably breached? One may change name, address or a phone number, but biometrics…not so much.
An Alternative Approach
An alternative approach to digitalising everything and building a constant surveillance digital ecosystem in the hopes that malicious actors can be identified can be summarised with the following piece of traditional wisdom:
“Don’t gamble what you can’t afford to lose”
This approach starts from the assumption that any digital tools or data exposed to the internet will eventually be breached and compromised, and asks businesses and governments to consider whether the consequences of such a breach are acceptable to them and their customers. The idea is to expose selected digital tools to the internet, linked to temporary data but disconnected from the entire database. Yes, an approach such as this one may entail some additional human processing in the mix. However, it would limit exposure, as any data breaches would only compromise, say, this week’s data rather than all data, and would also circumvent the need for more digital technology to secure digital tools already in use.
Unfortunately, a perverse set of incentives exists through which technology companies offering digital transformation tools and services benefit from selling solutions to cybersecurity problems often partially created or accentuated by digital transformation. So, it seems unlikely that an off-the-shelf solution supporting a more considerate approach to digital transformation will appear.
In the meantime, businesses and government agencies can find some guidance in a piece of wisdom more than 30 years old now:
“The problem is knowing when to change to using new capabilities and knowing when new capabilities should not be employed even though they exist.”
(The Corporation of the 1990s - ed. M.S. Morton)
In Other News
The Emissions Footprint of Zero-Emissions Technologies
Sulphur hexafluoride (SF6), the most potent greenhouse gas in existence, used as an insulating gas in wind turbines’ switchgear machinery, escaped during works on a wind farm in Scotland. SF6 has a global warming effect 24,000 times greater than carbon dioxide, and lasts in the atmosphere more than 3,000 years after it is released. Wind turbines might have low carbon emissions (~11g CO2/kWh), but carbon emissions aren’t the only ones that can harm the planet.
Not all Green for Hydrogen
Residents in the UK’s Whitby Hydrogen Village who are involved in a hydrogen trial have started raising a number of concerns about hydrogen for heating. These include heating costs, the cost of hydrogen (once it’s no longer subsidised) and the replacement of current (relatively new) heating equipment. Perhaps more interestingly, residents voiced concerns about the safety of the fuel, pointing to a recent UK Government report which indicates hydrogen is 4 times more dangerous and prone to leaking than methane gas. It may be a good time to look to some lessons from the past to avoid Hindenburg 2.0.
Cooperate or Perish*
*Terms and Conditions Apply
Nothing screams “Cooperate or perish” in the face of climate change, as UN chief Antonio Guterres said, quite like world leaders taking 400 private jet trips to discuss the URGENT need to tackle climate change. It’s okay though, I’m sure that for most trips the leaders bought carbon offsets.