In an era of ever-present digital threats that can undermine and erode stakeholder trust, organizations should invest to earn “digital trust,” that is, protect their data and information from fraud and bad actors to safeguard their relationships, reputation, and revenue. This task could be more difficult than ever before as technology and the threats to digital trust it enables continue to evolve. For example, deepfakes – fake digital images, videos, or audio that can be generated using artificial intelligence (AI) at the click of a button – can already be used to impersonate individuals. Such an impersonation caused a CEO of an energy company to approve a US$243,000 wire transfer to a fictional supplier in 2019. While deepfake scams are still a relatively new threat, they grew more than 900% annually between 2017 and 2019, and were estimated to have cost businesses more than US$250 million in 2020.
The stakes are high, and any misstep can impact customer loyalty, financial performance, brand equity, and ultimately undermine an organization’s ability to build and maintain trust. Surveys suggest that 81% of consumers lose trust in a brand after a breach, while 25% completely stop interacting with it. The stakes became even higher as the pandemic accelerated digital work infrastructures and drove spending on emerging tech security strategies and solutions.
While many leaders understand the threats to digital trust, they may find it difficult to augment traditional cybersecurity measures with more advanced solutions. What will best address today’s digital trust needs? When preparing for tomorrow, what investments in digital trust solutions are the most effective bets? There are certainly many options – our analysis found at least 2,000 patents related to digital trust filed annually between 2015 and 2020 – illustrating why it can be hard to choose the right tools.
As leaders consider where to place their investments to improve digital trust, it’s important to note that addressing digital trust should include an end-to-end interdisciplinary approach across people, process, governance, and regulation, with technology being a key enabler. In this study, we focus on advanced technology enablers that organizations can explore, over and beyond existing cyber measures, to enhance digital trust. Our interviews with 15 global subject matter specialists and leaders found four promising technology solutions – AI-based data monitoring, cloud-enabled data trusts, blockchain, and quantum technologies. We further validated these findings by analyzing the trends in digital trust–related patents granted over the last five to six years to gauge the maturity of these emerging technologies vis-à-vis digital trust. While there are many innovations in commercially available solutions that are unpatented, for this study, we look at patents as they help provide a window into broad innovation areas and maturity. And we exclusively analyze granted patents, rather than including the patent applications, as they are better indicators of truly differentiated, credible innovation to watch (see appendix, “Digital trust innovation research”). Based on the maturity of these solutions, two of them seem able to meet today’s needs. The other two are future bets for the near and long term, which may help organizations stay ahead of evolving threats for the foreseeable future.
What Do We Mean By Digital Trust?
Building on Deloitte’s definition of trust, we define digital trust as the confidence among customers, employees, partners, and other stakeholders in an organization’s ability to create and maintain the integrity of all digital assets (including data/information, architectures, applications, and infrastructure) across stakeholder experiences, strategic insights, organizational platforms, and network connectivity. This digital trust ensures transparency and accessibility, security and reliability, privacy and control, and ethics and responsibility.
Solutions That Enhance Digital Trust Today
Organizations looking to enhance digital trust today can already invest in relatively mature, common solutions; however, advanced solutions that may currently be limited to select industries or use cases have the potential to offer new capabilities. These advanced solutions should not replace existing cyber measures; rather, they can provide complementary and additive digital trust advantages. Our research revealed two advanced solutions that organizations can consider adopting today: AI-based data monitoring and data trusts.
AI-Based Monitoring Of Data, Its Access And Use
Of the many applications where AI could be applied to improve digital trust, our research uncovered some business cases where AI monitoring can help, especially when validating contextual data accuracy and governing data access and usage by participants across an ecosystem.
AI can help make sure data is correct and isn’t tampered with and, therefore, can be trusted. Manually identifying and cleaning poor-quality data, including incorrect, stale, missing, or poorly labelled data, can be time-consuming and expensive. It costs organizations an average of US$13 million annually. Furthermore, if a bad data model is ingested, it can compromise outcomes and amplify the effects of bad information. AI can help validate information accuracy, authenticity, and reliability for data in context. Today, AI-based solutions can detect missing data, anomalies, or unexpected data in real time. Emerging AI solutions are able to identify fake or manipulated documents, images, deepfake videos, and more. Deepfake-detection algorithms can check for digital integrity such as the presence of grey scale pixels at the boundaries of manipulated sections. They can can also check for physical irregularities such as inaccurate shadows and reflections, and biometric irregularities like lip movement, blinking, and pupil shape. Facebook and Michigan State University’s model identifies deepfakes with reportedly 70% accuracy, by reverse-engineering aspects of the AI used to create it. Such solutions can help build trust in the data, related processes, and the insights generated from it.
AI can improve identity and access management. It can help flag and prevent unauthorized data access, detect abnormal user behavior, or other anomalies. Behavioral solutions can establish authorized user identities and block bot accounts based on users’ interaction patterns with devices. Spam filters based on machine learning (ML) reduce the risk of unauthorized access attempts via phishing or social engineering attacks – some of the most common ways to infect systems with malware or ransomware and gain access to data. A survey found that 75% of respondents agree that behavior-based analytics is the only way to catch complex ransomware attacks. Behavior analytics, when combined with unsupervised ML algorithms, can enable more proactive security measures. In fact, organizations with fully deployed AI solutions can have up to an 80% lower cost impact from data breach incidents, compared to those without.
AI can make sure that data is used as intended. For example, organizations can monitor public sites or platforms to identify intellectual property or copyright infringements on digital assets such as text, music, images, and more. YouTube’s AI-driven Content ID platform helps identify copyrighted content and facilitates payouts to rightful owners, to the tune of billions of dollars annually.
Organizations can consider emerging privacy-preserving techniques as they think about leveraging digital trust AI use cases. Homomorphic encryption allows AI solutions to directly analyze encrypted data to generate insight without having to decrypt and expose the underlying data. And federated learning-based solutions can analyze data and train algorithms, across decentralized devices and servers, without necessitating actual data access or exchange. For example, Secure AI Labs leverages federated learning for analyzing sensitive health data, and Google Ads shifted to a federated model to locally and anonymously analyze users’ interests. These approaches enable outcomes such as generating insights without data misuse, ensuring greater data privacy and security, and simplifying data access and usage management, thus making AI increasingly viable for highly regulated industries.
AI isn’t a digital trust cure-all, and it still has a lot of room to grow. Our research found some vulnerabilities related to AI’s applicability for certain use cases. For instance, it can perform poorly when policing text due to its inadequate understanding of context. In such instances, a more human-AI collaborative setup could prove helpful. Additionally, unethical and biased AI is a digital trust issue itself. Deloitte’s research has shown that AI biases can be either active (due to human action) or passive and may be more pervasive than organizations realize. Apart from education and a human-first approach, technology is one of the ways in which this challenge can be mitigated; some AI solutions are being developed that can uncover biases and ensure model fairness. Even then, despite these challenges, our analysis shows that AI innovations related to digital trust have been growing at a brisk pace over the years. With further advancements in AI algorithms and the availability of robust, extensive training datasets and correlations, more mature and automated solutions are expected across use cases.
Data Trusts As An Approach For Digital Information-Sharing
Data is the new currency. According to Alex “Sandy” Pentland, director of MIT’s Connection Science Lab, “We have banks for money, but we don’t have the same infrastructure for data.” He suggests that data trusts can fill that void.
Much in the same way a bank holds and manages financial assets, data trusts or cooperatives manage data for others. They’re a business model in which independent third parties validate, control, secure, and share information, governing the data’s proper use and managing legal data rights on behalf of its beneficiaries. While there are various approaches to empowering customers with greater security and control for their data-sharing and usage, data trusts emerge as an interesting techno-legal approach. Data trusts can come in many forms, from a single entity storing data and only sharing collective insights to a group of trusted third parties working together for collective benefit. For example, MIDATA, a health data cooperative, allows members to control their own personal data flow to actively contribute to medical research globally. Construction Data Trust is set up in the United Kingdom to facilitate trusted information-sharing across the sector. While the benefits of data trusts from a data producer or customer perspective are clear, the third party’s role may not be transparent, or inherently trusted; therefore, organizations should think carefully about who their customers will accept to manage their data, how to communicate about it, and where and when to engage the customer in the process.
From a business perspective, data trusts can help unlock a range of benefits such as reduced data silos, greater control, and access to trusted and audited information, along with improved brand reputation from ethical and transparent data collection and use. Our interviews suggest that digital trust is enhanced by data trusts because organizations can gain greater confidence in that data and the insights generated from it.
From an IT perspective, data trusts can enhance digital trust by validating a single source of trusted information, making data management and sharing easier and more trusted. And organizations can avoid data bloat and gain access to only necessary data and insights through intermediaries, providing an added layer of privacy and protection, while minimizing the risks of data loss, breaches, mismanagement, or fraud. Data trusts are also emerging as a relevant solution for managing and sharing huge volumes of IoT (the Internet of Things) and sensor data. Open Data Institute is piloting data trusts for various smart city use cases in London. Cloud technology is making data trusts more effective at managing digital information that needs to be shared across networks with greater digital trust. For instance, Mastercard, with IBM, has established an independent data trust, Trūata, to manage customer financial information securely and anonymously; and cloud allows for the use of that data across other trusted digital solutions.
Although an important model to maintain digital trust, data trusts come with challenges. Distributed cloud systems enable easier data-sharing, but they can also lead to data sovereignty and compliance issues if not properly governed. For example, data stored in one country may get replicated to a data center located in another country for business continuity and disaster recovery purposes, creating issues with local data standards and privacy laws, that is, when proper governance and control measures are not set. Also, data trusts aggregate high-value data; so even if the data is physically distributed, it is still a target for cyberattacks. A federated cloud security model can be considered to help address this issue. Organizations can use a cloud-data fabric – data seamlessly stitched together across different sources and infrastructures – to create a tiered security model that helps abstract and better protect data as it is being consumed. With such measures in mind, data trusts are a viable model that organizations across industries can pursue to enhance digital trust.
Innovations That May Transform Digital Trust Tomorrow
Cloud-enabled data trusts and AI monitoring are rapidly maturing innovations that can help build digital trust for data and information beyond core cyber solutions. However, organizations also need to understand where technology is heading and be prepared for what’s next to disrupt or enhance digital trust – not just for today’s infrastructure, but also for tomorrow’s future-readiness. So based on our qualitative research, coupled with a patent analysis, we examine two such topics: blockchain and quantum technologies. Both should be on organizations’ radars now given their innovative and transformative potential for digital trust.
Blockchain And Data Provenance And Ownership
Often referred to as a trust-less solution, blockchain provides a mechanism to trust individuals, organizations, and contractual details through an independently verifiable, immutable, and trusted database or ledger. This can reduce the need for trusted third parties as organizations trust the technology instead. Uniform, continually auditable systems could eventually replace the current patchwork of separate systems – streamlining permissions, security, and privacy. Rapid innovation is happening around blockchain technology, and projects are gradually moving beyond early proofs-of-concept or pilots. Digital fingerprinting, digital identity, digital assets, and smart contracts are some of blockchain’s top use cases and are intertwined to provide a robust framework for trusted relationships. Blockchain can help maintain a trusted record of transactions. By tracking data and its fingerprint, stakeholders gain greater transparency and can easily establish data authenticity and integrity. There is a gradual increase in adoption of blockchain-based systems that can track products and corresponding information across complex global supply chains. Norwegian aluminum manufacturer Hydro and global certification body DNV piloted a blockchain solution to allow urban furniture users to simply scan a barcode and trace the sustainable aluminum used in a park bench or a litter bin and ascertain the CO2 emission from its raw material. The media industry is also exploring the use of blockchain to counter challenges such as misinformation and to establish digital trust in publicly available information. The Safe.press consortium adds a blockchain-linked digital seal of approval to member publications. Whenever these news sources are appended to stories or references, its key gets tracked, enabling consumers to track its origin and making it difficult to falsify news articles.
Blockchain can help with trusted identities. This is a key component when it comes to any digital relationship or transaction. Blockchain can verify credentials without revealing details behind that identity and enables decentralized, tamper-proof self-sovereign identities, which can be used for various commercial and government services. For example, the government of Zug, Switzerland, created a digital, decentralized, sovereign identity for its citizens, enabling them to partake in activities like casting votes and accessing government services. Likewise, MIT piloted blockchain-based, verifiable, tamper-proof diplomas that graduates can securely and easily share externally.
Blockchain can establish asset ownership. Digital assets, especially cryptocurrencies, comprise a use case currently adopted at scale. According to Deloitte’s 2021 Global Blockchain survey, around 40% of respondents say digital assets will have a significantly positive impact on improving compliance and transparency, reducing risk, and enhancing trust. Non-fungible tokens (NFTs) – unique, non-interchangeable data units stored on a blockchain – are emerging as a viable solution to authenticate and certify ownership of digital assets. Even though NFTs can be copied, their creator and owner will still be publicly displayed. Currently, they’re gaining popularity in the art market and with sports memorabilia but have the potential for broader application across industries. For example, NFTs can mark health data belonging to a particular person as a form of identification and guarantee of ownership. This also enables patients to know how their data is being used and potentially monetize it.
Lastly, blockchain can enable faster legal agreements and automate trust. Blockchain-based smart contracts can help parties agree on terms and transact without any third-party intermediary or escrow, and trust that they will be executed automatically with reduced risk of error or manipulation. Partior, a joint venture between Temasek, DBS, and a leading US-based financial services company, is piloting a cross-border payment system based on blockchain and smart contracts in an effort to improve efficiency and trust. The company predicts a three-to-five-year time frame for the mass adoption of this platform. The technology can also be used for automatic validation of information and digital funds by ports to enable faster processing and releasing of ships.
Despite these wide-ranging use cases, blockchain for digital trust is still in its early days. Technological constraints such as limited transaction throughput, user obfuscation, platform interoperability, along with nontechnical constraints such as limiting incentive mechanisms in public blockchains and the lack of industry standards and regulatory harmony, among others, can limit the ability to construct a robust solution that enhances digital trust. However, ongoing rapid innovation and increasing maturity and understanding among stakeholders suggest that we can expect many of these limitations to be addressed in the coming years, resulting in a transformative change to digital trust. Hence, organizations should begin understanding this upcoming digital infrastructure now to incubate future solutions.
Quantum technologies will likely impact digital trust in three distinct ways. First, the immense computing power that quantum computers promise can be applied to perform vast analytics on cyber and privacy data to detect anomalous or suspicious behavior. Second, quantum technologies’ physical properties may offer enhanced components to cyber systems such as cryptographic key generation and distribution. Third, when fully mature, quantum computing may be able to implement Shor’s algorithm, which would render some common encryption techniques easy to crack, making data and transactions more vulnerable to attackers. Maintaining digital trust in a postquantum world will likely leverage a number of capabilities, most notably the use of encryption techniques that are “quantum-resistant,” also referred to as postquantum cryptography (PQC). PQC runs on classical computers and uses complex mathematical problems believed to be unsolvable by quantum computers. PQC is expected to be interoperable with current communication protocols and networks, making it more cost-effective and easier to maintain. The National Institute of Standards and Technology (NIST) aims to standardize quantum-resistant algorithms by 2024. Furthermore, as organizations review their underlying cryptographic processes in anticipation of PQC, it’s likely that they will move toward a more crypto-agile state with an improved level of overall cyber hygiene. This enhanced awareness of cryptographic reliance could contribute toward improved digital trust.
As mentioned previously, quantum principles can also potentially enhance data-encryption systems, using methods such as quantum key distribution (QKD). QKD uses quantum mechanics to distribute encryption keys between two parties. Due to the inherent tamper-evident properties of quantum physics, any attempt to eavesdrop the keys would be detected.
But QKD technology has some limitations, including complex processes, oversized special equipment, and high costs. The fragile state of quantum particles involved can significantly limit its coverage and reach. Some small-scale, experimental implementations of QKD have been publicized – for example, the integrity and security of the election process in a Swiss canton was protected by incorporating QKD. QKD’s commercial approval or use for critical systems is challenged unless its limitations are overcome. The US National Security Agency, for example, has currently refrained from supporting the usage of QKD to protect communications in national security systems.
Because it will be hard to predict when today’s internet becomes vulnerable to tomorrow’s quantum hackers, and because that moment would be catastrophic for digital trust, it’s important that leaders gain awareness and begin to prepare as early as possible. Although the implementation of Shor’s algorithm is predicted to be on the order of 10 to 15 years away, the time required to gather a full cryptographic inventory, institute a governance process, and select and implement PQC algorithms is significant. Hence, organizations should keep a pulse on quantum technology and the related cryptography landscape and ensure timely technology and talent investment for developing the needed crypto-agility and infrastructure.
There’s No Silver Bullet
While there’s no single solution to solve the digital trust puzzle, AI-based monitoring, data trusts, blockchain, and quantum technologies are some of the solutions that can play a valuable role. How might these digital trust tech approaches protect you? Consider the danger that deepfakes pose to organizations. Let’s say you’ve been targeted by bad actors who pose as your company’s CEO and attempt a false transaction or data breach. An AI-based monitoring solution that’s integrated across your organization’s network and applications could alert you to a potential deepfake as a first line of defense and block further attempts. If missed, a robust blockchain-based solution could help easily verify the transaction details and establish fail-safe mechanisms within a smart contract. Additionally, through a data-trust setup, the amount of compromised data could be minimized. Lastly, if your organization someday implements quantum-resistant safeguards within network and communications channels, other organizations can have much stronger confidence in the integrity of your data and transactions.
Given the rising business impacts, digital trust is not merely a CIO or CISO issue anymore; it requires the CEO and other business leaders to be engaged in technology investments now and into the future. Leaders can’t afford to play the waiting game. Rapid technology innovation is enabling new digital threats too quickly. Leaders need to be proactive, sense innovation opportunities, and invest accordingly to weave them into their digital-trust fabric. This should be an ongoing activity – like a regular rhythm – to maintain and advance digital trust today and tomorrow.
Appendix: Digital Trust Innovation Research
Our patent analysis found a gradual rise (approximately 15% year over year) in the overall number of digital trust–related patents granted between 2015 and 2020. But, the data shows that certain emerging technology families are growing at a much faster rate, indicating their relative importance and popularity. Upon further analysis, the following trends emerge (figure 1):
Cloud technology has relatively matured in its innovation cycle. And given cloud’s ability to enable other technologies – and, in some instances, improve their security and effectiveness – it might be an essential technology for an organization’s digital trust strategy.
AI and ML patents are growing at a brisk pace (35%) and provide numerous avenues today for organizations to enhance digital trust across applications and use cases.
Blockchain, on the other hand, appears to be in its initial, rapid-growth phase. Blockchain patents have grown by almost 200% YoY over the last three years. This indicates that blockchain may have promising growth potential as an increasingly viable digital trust solution – but has not yet reached peak maturity. Blockchain projects are gradually moving from early proofs-of-concept or pilots to full-scale implementations; thus, in the near future, blockchain could play a truly foundational role in establishing digital trust across the enterprise and ecosystem.
Quantum technologies are much earlier in their innovation curve; but specialists suggest that they could become vital to ensuring the security of sensitive digital assets as core quantum-computing capabilities mature.
originally posted on deloitte.com by Deborah Golden, Jesse Goldhammer, Jay Parekh, Diana Kearns-Manolatos, Curt Aubley and Michael Morris.
Deborah Golden: Principal | Deloitte Risk & Financial Advisory
Deborah Golden, a principal at Deloitte & Touche LLP, is the US Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory. She has more than 25 years of cross-industry experience, focused predominantly within government, life sciences and health care, and financial services industries. Golden primarily helps commercial organizations and government agencies navigate multifaceted cyber problems and transform business or mission strategies and operations. Recognizing the ubiquitous, sophisticated nature of cyber, she uses a values-driven approach to help clients align cybersecurity imperatives with cyber risk and strategic business priorities to strengthen cyber resilience.
Jesse Goldhammer: Managing Director
Jesse Goldhammer is a managing director in Deloitte’s cyber security practice and leads the firm’s Trustworthy Institutions initiative. Jesse is deeply committed to the safeguarding of public and private sector data, networks, systems, and people from a wide range of cyber threats. He is equally passionate about designing solutions that help organizations to achieve prosperity and the public good by building trust with employees, stakeholders, customers, and citizens. Jesse specializes in helping clients build new cyber and trust capabilities using cutting-edge technologies. Jesse was previously Associate Dean of Business Development and Strategy at UC Berkeley’s School of Information. Prior to joining UC Berkeley, Jesse was a principal in Deloitte Consulting’s innovation business unit, Doblin, where he designed strategies and innovative programs for US government agency leaders who wanted to operationalize new technical and analytic capabilities. Jesse earned a BA in social science from UC Berkeley, an MA from New York University in politics, and a PhD from UC Berkeley in political science. An accomplished instructor, author, and speaker, Jesse has written articles and given presentations on a variety of cyber- and trust-related topics. He is also co-author of Deviant Globalization: Black Market Economy in the 21st Century (Continuum Publishing, 2011).
Jay Parekh: Senior Analyst
Jay Parekh is a senior analyst with the Deloitte Center for Integrated Research. He has over six years of experience in research and analysis focused on emerging technologies and digital innovations related to cloud computing, augmented & virtual reality, the Internet of Things (IoT), and other advanced technologies. He also focuses on developing Deloitte’s perspectives on cross-industry topics such as climate change and sustainability. He specializes in applying quantitative and qualitative research techniques to enable data-driven insights.
Diana Kearns-Manolatos: Senior Manager
Diana Kearns-Manolatos is a senior manager in the Deloitte Center for Integrated Research where she analyzes market shifts and emerging trends across industries. Her research focuses on cloud and the future of workforce. Additionally, Kearns-Manolatos draws on almost 15 years of award-winning marketing communications expertise to align insights with business strategy. She speaks on technology and women in leadership and holds a bachelor’s and master’s degrees from Fordham University.
Curt Aubley: Managing Director | Deloitte & Touche LLP
Curt Aubley is Deloitte’s Cyber and Strategic Risk Groups Managing Director & General Manager for the Threat Detection & Response practice that combines current teams and new acquisitions into one unified high growth team. Curt leads the development of the vision, strategy, solution development, roadmap, go to market, sales, ecosystem, alliances, and overall execution in alignment with Deloitte’s strategy. Curt is an experienced cyber security executive, CTO, and general manager with over 25 years of experience.
Michael Morris: Managing Director
Michael Morris is a managing director in Deloitte’s Cyber and Strategic Risk practice where he leads Engineering for Detect and Respond. He is responsible for the technical vision, technological development, operations engineering, and was the chief architect behind the Adversary Pursuit platform and methodology. He has more than 19 years of experience in intelligence operations, advanced offensive and defensive cyber operations, and tactics and tool development.