Infosecurity: The next differentiator in the Information Age

Vats Srivatsan, President and COO of ColorTokens, discusses how infosecurity is the next differentiator in an age of information

After nearly two years of dealing with the Pandemic, many businesses are now coming to the conclusion that the future of workplaces is surely a hybrid model of on-prem and remote employees. In this evolving workplace, the questions over how to secure applications and business data require a new approach.

In fact, according to research from PwC, the majority of business leaders are expecting threat levels to rise over the next 12 months and will be increasing their cyber security budgets in 2022. However, budget increases don’t directly correlate with improved security posture.  

In the same research from PwC, published just weeks ago, 86% of business leaders said that complexity in their organisation was creating concerning levels of risk, with third-party cyber risks a glaring blind spot, and that 64% expect a jump in attacks on their cloud services over the next year.

We are getting to a point where something has to change in our approach to cybersecurity. Traditionally, security has been a world where there's a number of problems every time an attack surface expands. If you transition some of your processes to the cloud, suddenly the cloud becomes an area that is ripe with a diverse set of attacks. That means that CISOs are constantly playing Whack-a-Mole, fixing one area of vulnerability, just to ask if they are safe now; and the truth is no one can really tell whether they're safe or not.

This approach is not sustainable. As a whole, we have tried and largely failed to find a way to keep bad actors, phishers and hackers out. That’s why operating from a place of Zero Trust makes perfect sense.

Trust is a thing that thinks it’s fly, but is also known as a buster

Zero Trust takes a fundamentally different approach. Rather than define the network as an open entity that everybody can interact with, there is a circle of trust around core applications and users that need to access those applications. Effectively, that defines what you allow and what you don't allow.

It's like when you get a phone call, typically now I only answer a phone call when I can see that the caller is in my contacts list because I can trust the call is not spam. A Zero Trust framework takes the same approach, which says I will only allow things that I really trust, and the rest will be untrusted.

What CISOs can do from a place of no trust, is set up users as trusted people to interact with applications relevant to only their business role. The network isn’t completely without trust, as the volume of transactions that happen in a typical organisation would make it difficult to verify, but instead we can say that each employee is allowed to do a certain number of things, at a certain time, in a specific segment – exponentially shrinking the attack surface.

That’s a radically different way of looking at security than trying to attack the problem one step at a time and always being behind. It also stops attackers in their tracks, as they can’t move laterally through the network concealed by trusted processes and access. 

Trust is a thing that can't get no love

The problem has come to a head over the past 12 months, with one of the founding fathers of the IT revolution having become embroiled in a breach. When that happens, businesses have to realise that cyber security is not just about their data but about the data of the people they work with.

Gartner has released predictions for cybersecurity that found that by 2025, 60% of organisations will use cybersecurity risk as a determinant in conducting third-party transactions and business engagements, effectively making security threat resistance a differentiator in the market.

Therefore, the time for businesses to get serious is now. Businesses need to start putting measures in place to prevent breaches, by identifying and allowing only trusted transactions so that bad actors can’t take advantage of an undefined circle of trust. That starts with a Zero Trust security architecture and defining where the circle of trust is. Keep in mind that Zero Trust is a journey, however you need to define your starting point now. 

An exercise companies can start right away is knowing the context of what interactions are trusted for any new applications they are putting in, or applications being migrated to the cloud. By asking those questions upfront, companies can ensure the system is designed with a level of security that keeps them ahead of the attackers.



Share

Featured Articles

How secure is sensitive data stored in the cloud?

A Cloud Security Alliance (CSA) survey has found 67% of organisations store sensitive data in public cloud environments, but how secure is it?

CYBER LIVE LONDON: Day 2 highlights of the hybrid tech show

We take a look at highlights of the different stages at the Tech Live London show, including insights from Claroty, SalesForce and Oracle

TECH LIVE LONDON: An overview of the hybrid technology show

We take a look at the first day of Tech Live London with insights from technology leaders from companies such as IBM, Microsoft and Vodafone

Does a cashless society mean higher risk of fraud?

Cyber Security

5 minutes with Gary Brickhouse, CISO of GuidePoint Security

Cyber Security

CTO at Passbolt explains the importance of password managers

Application Security