Automation frees humans to do what they do best: ask questions, analyze complex situations, and develop strategies to optimize operations while collaborating with other humans and other businesses. Automating business processes and sharing all kinds of information with partners, from customer data to real-time logistical updates, increasingly is a business imperative.
Today, very few businesses, if any, can thrive as islands.
We find a clear indication of this in the 2020 TCS Chief Information Officer Study: More than half of the 1,010 CIOs and other senior IT executives surveyed say they have strategic partnerships to use other companies’ customer data to identify or convert prospects and support current customers with their purchases, and half of the survey respondents said they share their own customer data with strategic partners for similar reasons. In fact, only 8% of the CIOs surveyed said their company doesn’t share any customer data with any partners whatsoever, and a mere 2% don’t buy or use others’ customer data.
At the same time, a third or more of CIOs said that these technologies or IT developments were going to have the biggest impact on their industries in the years ahead: mobile devices, cloud computing, Internet of Things, and machine learning. And four out of five respondents cited artificial intelligence as having such an impact.
Data-sharing and technologies such as these are essential to enabling automated systems. Companies find they can create value by implementing technologies that enable automation to perform hundreds or thousands of manual tasks efficiently and accurately. But the same attributes that make automation so effective also open up enterprises to risks. That’s because while things like AI and shared data enable a company to remotely manage machines that interact with other machines, bad actors who interject themselves into the process can take control of the technology for bad aims.
This creates another imperative: protecting that critical digital data – especially as it is often shared automatically by intelligent systems outside human oversight – while still enabling the digitally transformed business.
Cybersecurity Must Grow Up
In an era marked by cyber intrusions and malware, CIOs are well aware of the need for robust security. According to a 2018 Gartner survey of 3,000 CIOs, 88% said cybersecurity was a top focus. However, traditional cybersecurity has focused on the people who manage and use machines, relying primarily on passwords to authenticate identities and validate data requests. Unfortunately, passwords used by machines to communicate with other machines can be hacked and manipulated, providing hackers with access to all the systems using those passwords and, potentially, creating havoc. For example, once a hacker gains access to an automated safety system (say, one that academic researchers showed could recognize road signs in a vehicle), the system inputs can be manipulated so that the AI algorithm reads the “Stop” sign as a “Go” sign.
This means CIOs and other IT leaders must rethink how they provide security clearance to access their growing number of automated systems. Even when a machine gets an automated request from another machine (rather than a person) to retrieve some data, the first machine must be able to rigorously authenticate the request. This is a new challenge for firms whose information systems are largely accessed by people and not by other computers. But if a primary goal of AI-driven automation is to eliminate unnecessary manual work within and across departments, many of these companies are less likely to have enough security built into their machines.
Accordingly, we need better ways for machines to detect and deny access to other compromised machines.
Three actions can help CIOs maintain secure machines:
Manage machine credentials. Machines must be able to verify that another machine has access rights to its data. Using specialized hardware to store and safeguard passwords would improve machine-to-machine security, as would cryptography, in which machines exchange digital signatures to authenticate interactions.
Isolate ports of entry. Traditionally, a systems administrator’s account (whether human or automated) has access to multiple devices on a network. Having separate accounts for each and every network asset would mitigate risk. This granular approach would prevent hackers from using a single, and perhaps overlooked access point – for example, a networked printer – to infiltrate an entire corporate network.
Make security “smart” through AI. Bad actors can use AI to hack into systems – personalizing phishing emails or, as noted above, subtly altering system inputs – but security experts also can use AI and machine learning to analyze threats and identify patterns of suspicious behavior. Indeed, a SANS Institute survey found that 57% of firms in various industries were using (or planning to use) AI to make their security solutions more robust.
While companies must always be alert to bad actors (both criminal and state-supported) intent upon accessing enterprise systems, machines – increasingly doing more work and communicating with each other both inside and outside the company – are a new threat vector. Businesses are well-advised to address this risk vigorously by embedding security in both their machines and all their automated business processes.
About the author(s)
Satish Thiagarajan is the Global Head, Cyber Security Practice at TCS. Satish has over 24 years of experience across industries and IT involving consulting, business analysis, process re-engineering, concurrent multi-project delivery management in Application support, Infrastructure management, Enterprise Security and Testing. At TCS he is the Head Enterprise Security and Risk Management, Head Technology Office and Head of Testing Centers of Excellence. Satish has handled multiple roles like Business Analyst, Application Support Manager, and Relationship Manager, IS Practice Director, Global Practice Head and worked across domains like Application development and Maintenance (ADM), Infrastructure services (IT IS) and Testing (Assurance Service).