Digital transformation can undermine Cyber Resilience
Cyber Resilience | Article | May 22, 2025
Learning from recent cyberattacks highlights the risks of digital transformation programmes
In recent years, significant cyber-attacks, particularly in the retail and consumer sectors, have raised important questions for leaders in the C-suite and Boardroom. Could technological transformation programmes, particularly those involving enterprise-wide finance and ERP (Enterprise Resource Planning) system overhauls, be weakening cyber resilience?
At the heart of the problem is a structural imbalance between functional and non-functional priorities in large-scale digital transformation programmes. Our learning from recent cyberattacks is that cybersecurity is too often a second-tier priority.
While organisations often pursue changes to core operational systems like ERP and finance systems to modernise operations, streamline supply chains, and improve user experience (UX), cybersecurity and resilience are too frequently relegated to secondary considerations. The strategic risk senior leaders must manage is that change programmes can fundamentally increase the attack surface for most organisations.
The rise and risk of digital transformation
ERP and finance transformations are complex undertakings, often involving large financial investments, global consultancy firms, and the re-architecting of critical business systems. In a highly competitive landscape, many retailers and manufacturers have adopted ‘just-in-time’ (JIT) supply chain models, which rely on precise, uninterrupted digital systems to function efficiently and meet customers’ needs.
These same systems also become central points of failure when targeted by threat actors. When platforms are implemented without comprehensive attention to cybersecurity as a core design requirement, organisations unknowingly increase their attack surface through highly privileged users and complex internal and external interconnections. These often lack the governance and controls one would expect, at a time when threat actors are becoming more sophisticated and persistent.
In several recent cyber incidents affecting UK retailers, there is speculation that transformation initiatives may have inadvertently introduced vulnerabilities. This can happen through a combination of misconfigured cloud environments, weak authorisation and authentication standards and management, overlooked third-party dependencies, or poor segmentation of production and test systems. The root cause is often not a failure of the ERP technology itself but rather the way these programmes were designed and executed by people.
Cybersecurity can be an afterthought in digital change
One of the most concerning patterns is the tendency to treat security and resilience as Non-Functional Requirements (NFRs): important, but often secondary to the transformation programme’s core goals of efficiency, integration, and UX improvement.
Functional requirements such as rapid order processing, real-time inventory updates, and seamless customer interfaces dominate transformation briefs. In contrast, cyber resilience measures - such as zero trust architectures, continuous monitoring, threat modelling, and role-based access controls - are sometimes deferred to “phase two,” retrofitted after go-live (if at all), or inadequately funded as budgets become stretched.
This marginalisation of cybersecurity is compounded by a delivery model that often incentivises speed over stability. Technology transformation consultancies, eager to win competitive tenders and demonstrate ROI, may deprioritise Security by Design (SbD) in favour of meeting aggressive timelines, cost and profit targets.
This creates a systemic and unspoken conflict of interest: the same advisors leading the transformation might be disincentivised to raise cyber concerns that could slow down delivery or increase costs.
Just-in-Time supply chains are efficient until they are disrupted
JIT supply chains, while operationally efficient, are especially vulnerable to cyber disruption. With minimal inventory buffers and highly digitised logistics, even a short outage can cascade through an organisation’s operations. Cyber disruption can halt production, delay deliveries, and erode customer trust. In the fallout of the Scattered Spider attacks, well-known retailers in the UK are in the middle of a public relations and social media driven storm of speculation, anger and damaged reputations.
When ERP systems underpinning JIT models are not built with resilience in mind, any disruption - whether from ransomware, data corruption, or insider threats - can bring entire operations to a standstill. For example, lack of secure data backups, inadequate segmentation of supply chain applications, or insufficient incident response and recovery planning can turn an otherwise manageable breach into a full-blown crisis.
Building Resilience into Transformation Programmes
To prevent future incidents and ensure digital transformations enhance rather than erode cyber resilience, organisations must reframe how they approach programme design and delivery. C-suite decision makers and Boards should consider:
1. Adopt Security by Design (SbD) Principles
Security should not be bolted on after implementation but embedded into every stage of the transformation lifecycle. From discovery and procurement through design, build, test, and deployment, SbD practices such as threat modelling, secure code development, penetration testing, and zero trust principles should be mandated from the start.
2. Separate Technology and Cyber Advisory Functions
To avoid the conflict of interest that can arise when one consultancy advises on both transformation and security, organisations should consider retaining independent cyber security advisors with a mandate to challenge design choices that might jeopardise resilience. This "red team" perspective ensures that security voices are not drowned out by the urgency to deliver functional outcomes. This may seem like a pain point, but such challenge is worth minor disruption in order to avoid major impacts on operations and reputation.
3. Incorporate Cyber Risk Quantification (CRQ)
CRQ methodologies allow organisations to measure cyber risks in financial terms, translating technical vulnerabilities into tangible business impacts that inform risk-based decision-making balancing opportunity against risk. This helps executive decision-makers weigh trade-offs between speed, cost, and security from a fully informed perspective. CRQ can also be used to assess the ROI of resilience investments within the transformation programme itself.
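As an added illustration of what a CRQ calculation looks like in practice (this is example code written for this article, not a tool or method the article or any named firm provides), the following Monte Carlo model expresses one transformation risk in financial terms and prices a Security by Design control against it. The scenario, its frequencies, loss bounds and the control cost are all constructed, assumed figures, as are the names `RiskScenario`, `simulate_annual_losses` and `compare_scenarios`; the FAIR-style framing (a loss-event frequency plus a 90% confidence interval on single-event loss, fitted to a lognormal) is a common CRQ approach but is not the article's own.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario in the form CRQ methods (FAIR-style) use."""
    name: str
    events_per_year: float   # expected loss-event frequency (Poisson mean)
    loss_low: float          # 90% CI lower bound on single-event loss
    loss_high: float         # 90% CI upper bound on single-event loss


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Convert a 90% CI on single-event loss into lognormal (mu, sigma).

    ln(low) and ln(high) are the 5th and 95th percentiles, i.e. mu -/+ 1.645 sigma.
    """
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * 1.645)
    return mu, sigma


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's multiplication method."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: RiskScenario, years: int, seed: int = 1) -> list[float]:
    """Monte Carlo: total loss in each simulated year (sum of that year's event losses)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    annual = []
    for _ in range(years):
        n_events = _poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def annualised_loss_expectancy(annual_losses: list[float]) -> float:
    """ALE: the mean simulated annual loss, the figure usually put in front of a Board."""
    return sum(annual_losses) / len(annual_losses)


def loss_exceedance(annual_losses: list[float], thresholds: list[float]) -> dict[float, float]:
    """P(annual loss > t) for each threshold t: the loss-exceedance curve."""
    n = len(annual_losses)
    return {t: sum(1 for x in annual_losses if x > t) / n for t in thresholds}


def control_roi(baseline_ale: float, residual_ale: float, annual_control_cost: float) -> tuple[float, float]:
    """Expected annual saving from a control, and its ROI relative to the control's cost."""
    saving = baseline_ale - residual_ale
    return saving, (saving - annual_control_cost) / annual_control_cost


# Constructed scenario (assumed figures, not from the article): an over-privileged ERP
# integration account is abused once every two years on average; one incident costs
# between GBP 200k and GBP 5m (90% CI).
BASELINE = RiskScenario("privileged ERP integration abuse", 0.5, 200_000, 5_000_000)
# Same scenario after least privilege, MFA and monitoring of integration accounts are
# designed in from the start (assumed to cut the frequency to once in ten years).
RESIDUAL = RiskScenario("privileged ERP integration abuse, after SbD controls", 0.1, 200_000, 5_000_000)
CONTROL_COST_PER_YEAR = 250_000  # assumed annual cost of the controls


def compare_scenarios(years: int = 20_000, seed: int = 1) -> dict:
    """Run both scenarios and return ALE, exceedance probabilities and control ROI."""
    thresholds = [0, 1_000_000, 5_000_000]
    base = simulate_annual_losses(BASELINE, years, seed)
    resid = simulate_annual_losses(RESIDUAL, years, seed)
    base_ale = annualised_loss_expectancy(base)
    resid_ale = annualised_loss_expectancy(resid)
    saving, roi = control_roi(base_ale, resid_ale, CONTROL_COST_PER_YEAR)
    return {
        "baseline_ale": base_ale,
        "residual_ale": resid_ale,
        "expected_saving": saving,
        "roi": roi,
        "baseline_exceedance": loss_exceedance(base, thresholds),
        "residual_exceedance": loss_exceedance(resid, thresholds),
    }


if __name__ == "__main__":
    r = compare_scenarios()
    print(f"Baseline ALE:  GBP {r['baseline_ale']:,.0f}")
    print(f"Residual ALE:  GBP {r['residual_ale']:,.0f}")
    print(f"Control ROI:   {r['roi']:.0%} on GBP {CONTROL_COST_PER_YEAR:,} per year")
    for t, p in r["baseline_exceedance"].items():
        print(f"P(annual loss > GBP {t:>9,}) baseline {p:.1%}  residual {r['residual_exceedance'][t]:.1%}")
```

The loss-exceedance curve is the output worth presenting alongside the ALE: a single expected-loss figure hides the tail, whereas "probability of losing more than GBP 5m in a year" is the number that makes a deferred "phase two" control visible as a trade-off rather than a cost line.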
4. Rebalance Functional and Non-Functional Requirements
Consider programme success metrics that go beyond performance and UX to include cyber resilience KPIs. Examples include time to detect and respond to incidents, system recovery times, and compliance with cyber frameworks such as ISO 27001 or NIST CSF. This may seem off the critical path for technology transformation programme delivery, but with increasing regulation looming in all major commercial markets, the opportunity to get ahead on good governance is there to be taken.
5. Stress-Test Supply Chain Resilience
Cyber threats in the supply chain continue to increase. Transformation planning must account for supply chain cyber risks, including third-party vendor security postures and data sharing practices. Tabletop exercises, business continuity simulations, and attack path mapping can help identify hidden weaknesses in JIT models before attackers do. They also provide visibility of critical third-party dependencies that can be proactively safeguarded, increasing an organisation’s cyber resilience.
Managing the cyber risks in digital transformations
Enterprise-wide ERP and finance system transformations promise immense operational benefits, but if cybersecurity is not a foundational element of programme design, they can also introduce existential risks.
Recent cyber-attacks on major UK and European retailers may be early warnings of a broader trend: one where digital ambition outpaces digital resilience. By elevating security to a first-class design priority, adopting independent cyber governance, and leveraging CRQ, organisations can ensure that transformation drives not just efficiency but also enduring trust, continuity, and resilience.