Infosecurity: The next differentiator in the Information Age
After nearly two years of dealing with the pandemic, many businesses are concluding that the future of the workplace is a hybrid model of on-prem and remote employees. In this evolving workplace, the question of how to secure applications and business data requires a new approach.
In fact, according to research from PwC, the majority of business leaders are expecting threat levels to rise over the next 12 months and will be increasing their cyber security budgets in 2022. However, budget increases don’t directly correlate with improved security posture.
In the same research from PwC, published just weeks ago, 86% of business leaders said that complexity in their organisation was creating concerning levels of risk, with third-party cyber risks a glaring blind spot, and that 64% expect a jump in attacks on their cloud services over the next year.
We are getting to a point where something has to change in our approach to cybersecurity. Traditionally, security has been a world where a new set of problems appears every time the attack surface expands. If you move some of your processes to the cloud, the cloud suddenly becomes an area ripe for a diverse set of attacks. That means CISOs are constantly playing Whack-a-Mole, fixing one area of vulnerability only to ask whether they are safe now; and the truth is that no one can really tell whether they are safe or not.
This approach is not sustainable. As a whole, we have tried and largely failed to find a way to keep bad actors, phishers and hackers out. That’s why operating from a place of Zero Trust makes perfect sense.
Trust is a thing that thinks it’s fly, but is also known as a buster
Zero Trust takes a fundamentally different approach. Rather than define the network as an open entity that everybody can interact with, there is a circle of trust around core applications and users that need to access those applications. Effectively, that defines what you allow and what you don't allow.
It's like answering a phone call: these days I typically only pick up when I can see that the caller is in my contacts list, because I can trust that the call is not spam. A Zero Trust framework takes the same approach: only the things I really trust are allowed, and everything else is untrusted.
What CISOs can do from a place of no trust is set up users as trusted people who interact only with the applications relevant to their business role. The network isn't completely without trust, since the volume of transactions in a typical organisation would make it impractical to verify every one; instead, we say that each employee is allowed to do a certain number of things, at a certain time, in a specific segment, exponentially shrinking the attack surface.
That’s a radically different way of looking at security than trying to attack the problem one step at a time and always being behind. It also stops attackers in their tracks, as they can’t move laterally through the network concealed by trusted processes and access.
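To make the "circle of trust" concrete, here is an added example (not from the article, and not any vendor's product) of a default-deny policy check in Python: every rule in the constructed policy table names one trusted interaction by business role, application, network segment and time window, and anything not listed is denied, so a phished developer account cannot pivot to payroll.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    """One explicitly trusted interaction: who, which app, from which segment, when."""
    role: str
    app: str
    segment: str
    start: str  # "HH:MM", inclusive
    end: str    # "HH:MM", inclusive


# Constructed policy table (an assumption for this example, not from the article).
# Anything not listed here is untrusted and therefore denied.
POLICY = (
    Rule("payroll-clerk", "payroll", "finance-vlan", "08:00", "18:00"),
    Rule("developer", "git", "eng-vlan", "00:00", "23:59"),
    Rule("developer", "ci", "eng-vlan", "00:00", "23:59"),
)


def _in_window(rule: Rule, at: str) -> bool:
    """True when clock time `at` ("HH:MM") lies inside the rule's window."""
    t = time.fromisoformat(at)
    return time.fromisoformat(rule.start) <= t <= time.fromisoformat(rule.end)


def is_allowed(role: str, app: str, segment: str, at: str) -> bool:
    """Default-deny decision: permitted only if some rule matches every attribute."""
    return any(
        r.role == role and r.app == app and r.segment == segment and _in_window(r, at)
        for r in POLICY
    )


def reachable_apps(role: str, segment: str, at: str) -> set[str]:
    """Everything a principal in this role, segment and time could reach.
    A compromised account can move laterally only within this set."""
    return {r.app for r in POLICY if r.role == role and r.segment == segment and _in_window(r, at)}


if __name__ == "__main__":
    # Payroll clerk during business hours, from the finance segment: trusted.
    print(is_allowed("payroll-clerk", "payroll", "finance-vlan", "09:30"))  # True
    # Same clerk at 02:00, or from the engineering segment: outside the circle.
    print(is_allowed("payroll-clerk", "payroll", "finance-vlan", "02:00"))  # False
    print(is_allowed("payroll-clerk", "payroll", "eng-vlan", "09:30"))      # False
    # A phished developer account cannot pivot to payroll at all.
    print(reachable_apps("developer", "eng-vlan", "12:00"))      # {'git', 'ci'}
    print(reachable_apps("developer", "finance-vlan", "12:00"))  # set()
```

Every denied decision is also the natural place to emit an alert, since under default deny an unexpected request is itself a signal worth investigating.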
Trust is a thing that can't get no love
The problem has come to a head over the past 12 months, with one of the founding fathers of the IT revolution having become embroiled in a breach. When that happens, businesses have to realise that cyber security is not just about their data but about the data of the people they work with.
Gartner has released predictions for cybersecurity that found that by 2025, 60% of organisations will use cybersecurity risk as a determinant in conducting third-party transactions and business engagements, effectively making security threat resistance a differentiator in the market.
Therefore, the time for businesses to get serious is now. Businesses need to start putting measures in place to prevent breaches by identifying and allowing only trusted transactions, so that bad actors can’t take advantage of an undefined circle of trust. That starts with a Zero Trust security architecture and defining where the circle of trust is. Keep in mind that Zero Trust is a journey; however, you need to define your starting point now.
An exercise companies can start right away is establishing the context of which interactions are trusted for any new applications they are deploying, or applications being migrated to the cloud. By asking those questions upfront, companies can ensure the system is designed with a level of security that keeps them ahead of the attackers.