Author: Marc Martinez Marce
Head of Tech Risk and Cybersecurity, KPMG in Spain
The speed of technological change in recent years is helping to deliver enormous benefits. ERP systems, cloud solutions, AI, data analytics and automation are helping to increase innovation, efficiency and productivity, improving customer and employee experiences, and enabling businesses to launch products and enter new markets faster.
Platforms hosted in the cloud by hyperscalers, and increasingly powered by AI, are processing almost unimaginable volumes of data to give insights on customers, competitors and partners, and enabling real-time digital interactions.
But this digital revolution also creates new attack surfaces for hackers, criminals and bad actors to infiltrate organisations, steal data and disrupt operations. Cyber threats are constantly evolving, with AI offering creative ways to masquerade as authorised users via phishing and other tactics. In an always-online world, your employees are a common entry point for unwelcome parties, and should be seen as ‘human firewalls’ on the frontline of cybersecurity.
To maintain cybersecurity, businesses should be seeking to transfer controls from legacy systems to the new technology environment, combining technical controls with embedded security behaviour – something discussed in detail in a recent KPMG paper, ‘A new age of cybersecurity culture’.
Security measures help prevent unauthorised access, data breaches, and cyber-attacks, while privacy protocols help ensure that customer information is handled in compliance with regulations and ethical standards. By embedding security and privacy into every stage of the transformation process, organisations can build customer trust, avoid regulatory penalties, and protect their brand reputation.
Crucially, it’s often easier and more effective to embed cybersecurity into new systems during the transformation process – rather than reacting to problems as they occur. Security should be an integral part of any transformation plan, helping to build appropriate governance, identify risks, and design controls, as part of a security-by-design methodology that begins in the strategy and planning phases. Ideally, this should all be in place before choosing any vendors.
Good practice in cybersecurity and privacy
In a 2024 KPMG survey of cybersecurity professionals, most respondents self-rated their organisation’s cybersecurity culture as just ‘three out of five’, where five is ‘dynamic’ and ‘highly responsive’ to the changing threat landscape.
To move up this scale, businesses should adopt good practices, such as encrypting all sensitive data both in transit and at rest to prevent unauthorised access. Strict access controls can ensure that only authorised personnel can access sensitive information, while regular security audits and continuous monitoring help detect and respond to potential threats in real time. Regular ‘hackathons’ have become an essential part of cybersecurity, particularly after system updates, which can introduce new vulnerabilities.
Compliance is another ‘must’: organisations need to meet data protection and privacy regulations such as GDPR (General Data Protection Regulation) and DORA (Digital Operational Resilience Act); the latter obliges EU financial services organisations to prove they can stay resilient in the event of a severe operational disruption.
By formulating robust incident response plans, organisations can position themselves to quickly address and mitigate the impact of any security breaches.
Given the exponential growth in AI, cyber leaders should pay close attention to its use and consider the risks of employing different AI tools and technologies. Although controls can instil greater trust in AI, cyber leaders should also be aware of and monitor risks such as information bias, hallucination, and ethical and regulatory compliance.
Reinforcing the ‘human firewall’
According to KPMG’s 2024 cybersecurity survey, the top two culture challenges both relate to human behaviour, with “resistance to change” as the number one concern, and “managing human risk factors and creating a strong cybersecurity culture” as number two.
This only emphasises the importance of making good habits second nature, as part of a holistic cybersecurity culture encompassing leadership, workers, suppliers and partners. Indeed, 74 percent of the survey respondents feel that building a cybersecurity-focused culture is central to the successful integration of AI across the enterprise.
Whether it’s using hard-to-guess passwords, avoiding open public broadband networks, or being highly aware of – and reporting – suspicious phishing emails, a vigilant workforce can significantly reduce the chance of a cyber breach.
Measuring performance is vital for driving boardroom discussions and bridging any communication gaps. Useful metrics include unauthorised downloads, secure password management, timely installation of software patches, data loss prevention rule violations, and potential or actual security incidents reported.
Keeping one step ahead
The speed of technological change is only likely to get faster, so cybersecurity leaders should be closely attuned to the future direction of the business and seek to anticipate the associated cybersecurity challenges. Close collaboration on strategic and transformation plans can help organisations benefit from technology without increasing their risk exposure. By doing this, they can make cybersecurity a strategic enabler rather than a barrier.
Creating a trusted digital world together
Whether you’re entering a new market, launching products and services, or interacting with customers in a new way, KPMG firms can help you anticipate tomorrow, and gain more awareness of technology that is secure and trusted. That’s because we can bring an uncommon combination of technological experience, deep business knowledge, and creative professionals who are passionate about helping you protect and build your business.