Why Digital Transformation Strategy Must Prioritize Data Integrity

"Digital Transformation" is now an important factor for businesses that want to stay competitive. In practice it means deploying a new or updated ERP and CRM system and removing the silos between departments that operate on different ERP and CRM platforms, so that the organization can use real-time information for informed decision-making. This drive toward efficiency has created a paradox: the same technology that modernizes the business and makes it more efficient is also a potential threat to its security.

Most businesses assume their network security and other technical infrastructure will remain safe when they partner with a consulting firm to implement an ERP or CRM system. The Blytheco Company data breach is a reminder that the companies helping them implement ERP and CRM systems are just as exposed to unauthorized access as the companies they are helping. In this incident, an unknown third party gained access to an environment containing confidential records of employees and clients, showing that the software supply chain is only as secure as its weakest trusted link.

The Vulnerability of Centralized Intelligence

Transformation projects center on consolidating all company data into a single source of truth (the system becomes the brain of the business). Besides a multitude of proprietary financial calculations and formulas, these systems generally contain sensitive personal information such as Social Security numbers and driver's license numbers.

For cybercriminals, these systems offer "aggregated benefits": rather than having to compromise a dozen small businesses one at a time, they can compromise a single software consulting company or MSP (Managed Service Provider) and gain access to several high-value networks at once. Such techniques are becoming more prevalent as attackers adopt a strategy called "indirect exposure", exploiting the elevated trust afforded to third-party consultants such as ourselves.

The Insufficient Integration of Security

A typical pitfall in digital transformation efforts is that security is treated as a 'final phase of development' rather than as a foundational requirement throughout the entire process. When migrating from an older system to a new one, data usually passes through several phases before it reaches the new system, and each phase is more exposed than the one before it. Data is extracted from the legacy system, transferred to a temporary staging location and then mapped to two fields in the new system; if those temporary locations are not properly secured, they become a 'back door' for intruders.
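The extract, stage, map and load phases above are where integrity and confidentiality are most often lost. The following is an added example (not code from the original article or from any vendor it mentions) of a staging step that does not rely on the staging location being trusted: the extract is written with owner-only permissions, its content hash is pinned in an HMAC-signed manifest, the hash is re-checked before anything is mapped, and the file is overwritten and removed afterwards. The records, the field mapping and the signing key are constructed placeholders.

```python
"""Integrity-checked staging for a legacy-to-new-system data migration (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample records standing in for a legacy extract (not real data).
LEGACY_RECORDS = [
    {"emp_id": "1001", "full_name": "A. Example", "ssn": "000-00-0001"},
    {"emp_id": "1002", "full_name": "B. Example", "ssn": "000-00-0002"},
]

# Assumed mapping from legacy column names to the new system's field names.
FIELD_MAP = {"emp_id": "employee_id", "full_name": "name", "ssn": "national_id"}


def write_staging(records, staging_dir, key):
    """Write the extract to a staging file readable only by the migration
    account and return an HMAC-signed manifest that pins its content hash."""
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)
    path = os.path.join(staging_dir, "extract.json")
    payload = json.dumps(records, sort_keys=True).encode()
    # O_EXCL refuses to follow a pre-placed file or symlink; mode 0600 keeps
    # other local accounts from reading the sensitive fields while staged.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    manifest = {"path": path, "sha256": hashlib.sha256(payload).hexdigest(),
                "count": len(records)}
    tag = hmac.new(key, json.dumps(manifest, sort_keys=True).encode(),
                   "sha256").hexdigest()
    return manifest, tag


def verify_staging(manifest, tag, key):
    """Re-check the manifest signature and the file hash before loading.
    Returns the records, or raises ValueError if anything changed in staging."""
    expected = hmac.new(key, json.dumps(manifest, sort_keys=True).encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest signature mismatch")
    with open(manifest["path"], "rb") as f:
        payload = f.read()
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("staging file content changed since extraction")
    records = json.loads(payload)
    if len(records) != manifest["count"]:
        raise ValueError("record count mismatch")
    return records


def map_records(records):
    """Rename legacy fields to the new system's schema."""
    return [{FIELD_MAP[k]: v for k, v in r.items()} for r in records]


def cleanup_staging(manifest):
    """Best-effort overwrite, then delete, so the extract does not linger."""
    path = manifest["path"]
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
    os.remove(path)
    return not os.path.exists(path)


def run_migration(records, key, tamper=False):
    """Extract -> stage -> verify -> map -> cleanup. Returns the mapped records.
    With tamper=True the staged file is altered after extraction, which the
    integrity check must catch before any record is loaded."""
    staging_dir = tempfile.mkdtemp(prefix="migration-")
    manifest, tag = write_staging(records, staging_dir, key)
    try:
        if tamper:
            with open(manifest["path"], "ab") as f:
                f.write(b" ")
        return map_records(verify_staging(manifest, tag, key))
    finally:
        cleanup_staging(manifest)
        os.rmdir(staging_dir)


def tamper_is_detected(key):
    """True when a modified staging file is rejected rather than loaded."""
    try:
        run_migration(LEGACY_RECORDS, key, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; use a managed secret in practice
    print(run_migration(LEGACY_RECORDS, demo_key))
    print("tamper detected:", tamper_is_detected(demo_key))
```

The signed manifest is what lets the load step distrust the staging host: a modified, truncated or substituted extract fails the hash or count check and nothing reaches the new system. The overwrite in `cleanup_staging` is best-effort on modern filesystems; encrypting the staging volume is the stronger control.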

Many digital transformation efforts also focus on making it easier for employees to access company data from any device. That improves productivity, but it also greatly increases the 'attack surface' and so makes the data more susceptible to breaches. Without a Zero Trust model, in which every request for access to data is authenticated and verified each time it occurs, access from multiple locations makes it easier for intruders to exploit your company's data.
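To make the difference concrete, here is an added example (not code from the original article) contrasting a perimeter decision with a per-request Zero Trust decision. The perimeter check grants access to anything arriving from the corporate address range; the Zero Trust check ignores the source address and instead verifies, on every request, a signed short-lived token, the device's compliance status and whether the token's scope actually covers the resource. The signing key, network range, device inventory and request format are constructed assumptions.

```python
"""Perimeter trust versus a per-request Zero Trust decision (added example)."""
import base64
import hashlib
import hmac
import ipaddress
import json

SIGNING_KEY = b"constructed-demo-key"          # placeholder for the identity provider's key
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
COMPLIANT_DEVICES = {"laptop-0042"}            # constructed device-compliance inventory


def issue_token(subject, device_id, scopes, now, ttl=300):
    """Mint a short-lived HMAC-signed token binding a user, a device and scopes."""
    claims = {"sub": subject, "dev": device_id, "scp": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def perimeter_allows(request):
    """Legacy model: trust is derived from network location alone."""
    return ipaddress.ip_address(request["src_ip"]) in CORPORATE_NET


def zero_trust_allows(request, now, compliant_devices=COMPLIANT_DEVICES):
    """Zero Trust model: every request proves identity, device state and scope."""
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False                      # no valid, current identity
    if claims["dev"] not in compliant_devices:
        return False                      # right user, but from an unmanaged device
    return request["scope"] in claims["scp"]  # least privilege: scope must match


if __name__ == "__main__":
    now = 1_700_000_000                   # fixed clock so the demo is reproducible
    token = issue_token("alice", "laptop-0042", ["crm:read"], now)
    inside_no_token = {"src_ip": "10.1.2.3", "token": "", "scope": "crm:read"}
    outside_with_token = {"src_ip": "203.0.113.5", "token": token, "scope": "crm:read"}
    for name, req in [("inside, no token", inside_no_token),
                      ("outside, valid token", outside_with_token)]:
        print(f"{name}: perimeter={perimeter_allows(req)} zero_trust={zero_trust_allows(req, now)}")
```

The two models disagree in both directions: a request from inside the network with no credential passes the perimeter check but is refused by the Zero Trust check, while a properly authenticated request from a compliant device is allowed from anywhere. Expiry, device compliance and scope are all re-evaluated on every call, which is what "verified every time" means in practice.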

Redefining Vendor Due Diligence

Security threats have evolved, and the definition of vendor due diligence has to evolve with them.

To protect against these risks, the standard for vendor due diligence must expand beyond assurance that a software vendor has the technical ability to implement a CRM solution. Now more than ever, organizations must require transparency from their consultant about its internal security posture.

Some of the new considerations that due diligence should cover include:

  • Minimization of Data Requests – Is the vendor asking for access to more sensitive data than is necessary to complete the implementation?
  • Isolation of Client Data – Is each client's data kept in a separate, dedicated environment, or is it mixed with other clients' data in a single shared testing environment or sandbox?
  • Incident Response Procedures – Does the vendor have documented processes for notifying clients immediately if its networks are compromised?

The lesson from past security incidents is that data integrity is not a static goal but an ongoing process. As businesses outsource their digital transformation to expert consultants, they must ensure that security processes and procedures are not lost along the way. An effective transformation moves a business forward without leaving its most sensitive data in an insecure environment.