In today’s expanding threat landscape, a zero-trust architecture is critical to protecting the enterprise
“The best offense is a good defense” is a common adage in the sports world. After all, no championship has ever been won solely on the back of a stellar offense. Protecting your end zone must always be a top priority.
The same applies to cybersecurity. With the average cost of a data breach to U.S. organizations reaching over $8 million this year, enterprises cannot afford to ignore the risk of a cyberattack. The fallout from a cyberthreat increases for smaller firms, reaching $3,500 per employee for companies with 500 to 1,000 employees. An overwhelming number of these attacks—91%—begin with a spear-phishing email, making every employee potential vulnerable to a breach.
The preponderance of email as a point of attack overly demonstrates that spam filters cannot be the only or final solution and that threats can come from unexpected sources. Researchers have recently discovered a new tactic dubbed “warshipping,” wherein hackers use something as low-tech and seemingly innocuous as a package with a small wireless device hidden inside. Using basic wireless technology, the device is able to connect to the corporate network and provide access to hackers.
In another recent example, popular collaboration platform Slack reset the passwords for tens of thousands of users in an unfolding saga stemming from a hack that occurred in 2015. The platform found that its networks had been compromised and allowed hackers to gain access to databases containing passwords and other credentials. The users whose accounts were most likely to have been compromised hadn’t changed their password since at least 2015.
As diverse as these attack methods are, they all demonstrate how vulnerable an organization’s defenses can be against cyberthreats. Whether it’s a seemingly harmless email, an unchecked delivery or a stagnant password, hackers are becoming increasingly creative at leveraging every opportunity to create havoc in the enterprise. That’s why a zero-trust architecture is critical to protecting the enterprise. This framework assumes that anything inside or outside of a corporate network—including data, devices, systems and users—is a security risk and must be checked and verified before being granted access.
Zero Trust is Coming, Ready or Not
Zero trust may sound like borderline paranoia to some, but pressures inside and outside the tech industry are making it the most viable security strategy. Externally, political pressure is mounting against companies that have mishandled or mismanaged data. The Corporate Executive Accountability Act, proposed by Massachusetts senator and Democratic presidential candidate Elizabeth Warren, would make it easier to hold executives personally accountable for corporate wrongdoing. The bill specifically mentions events that compromise people’s data, equating privacy violations with physical endangerment or financial damages. Though unlikely to pass the current Congress, the bill is a reflection of growing frustration with how companies have handled personal data. Should Warren win her party’s nomination, executive accountability is very likely to feature heavily in the 2020 campaign, potentially spurring further state and federal action.
Internally, the rapid evolution of cyberattacks is pushing the enterprise to take increasingly advanced—and costly—countermeasures. A recent study of more than 500 IT practitioners found that enterprise-level firms spent an average of $18.4 million on cybersecurity, with 58% intending to increase spending in the next year. Despite that massive level of investment, 53% admitted that they had few methods of measuring how well the tools they were implementing were actually working. This approach of “pay and pray” is both wasting resources and failing to protect the enterprise adequately. A zero-trust approach provides a better, more comprehensive way to build cybersecurity defenses and limit risk, ensuring that any funds are put to good use.
The way people expect to work has also dramatically affected cyber risk. Remote working has blurred the line between work and personal devices, making it more difficult for IT departments to limit company system exposure to suspicious apps and public Wi-Fi networks. With 65% of consumers admitting that they reuse passwords, it’s easy to see how an untrained employee could accidentally compromise an enterprise network. A zero-trust mindset helps the enterprise accurately assess the human risks of cybersecurity and factors in how to mitigate them.
Starting at Zero
Establishing zero-trust policies first requires a thorough audit of current security practices: what defenses are in place, who’s managing them and, most importantly, are they effective? Once that baseline is established, ensure that everyone—not just IT—understands the threats and how they could be affected.
Zero trust is fundamentally people-centric. It acknowledges that anyone is capable of compromising network security and proactively works to manage that risk. With that in mind, regularly train the workforce to recognize suspicious emails or applications that could potentially infect their systems, as well as require regular password changes and updates.
Finally, understand the outside software used in the workplace. With the average company using 129 apps as of the end of 2018, the number of enterprise software applications is only expected to grow in coming years. Even if your own networks are secure, a poorly encrypted app could easily provide a vulnerability for hackers to exploit.
Assuming that every user, application and system is a threat may sound over the top, but increasing damage and costs of a hack mean that vigilance is a far better alternative than a successful attack. By adopting a zero-trust approach, the enterprise is better prepared and better protected against hostile actors.