In 2020, the COVID-19 pandemic altered not only our understanding of health and medicine, education and the economy but also cybersecurity and cyberthreats. For the first time ever, remote working became the norm for people and companies in the UK, with the number of remote workers having increased from 5.7% in February 2020 to 46.6% a few months later in April.
Today, a study shows that 98% of workers want to work remotely at least some of the time and 57% of workers would look for new employment if their current company didn’t offer remote working. This highlights the changing perceptions and desires of the workforce, pointing increasingly to a flexible and improved work-life balance that working from home promises. With the proliferation of digital nomads and hybrid workers, the pandemic showed the world that many jobs simply can be done ‘online’.
What does this mean for a company’s cybersecurity?
Since the advent of COVID-19, cyberattacks have increased by 238%, reflecting cyber criminals’ strategy to attack where companies are most vulnerable: remote or home working environments, where the boundaries of traditional perimeter-based security are blurred. Perimeter-based security trusts that all users and devices within the corporate network are secure and may access files and data because they have already been authenticated; remote environments challenge this assumption. When employees work from home, from a café or abroad, they may connect to unsecured networks without any firewall and use personal devices that the company has never verified, presenting a new and expanded attack surface for cybercriminals. Cybercriminals can break into such environments with relative ease wherever an employee’s virtual private network (VPN) connection is not adequately secured.
Equally, when employees with established access rights switch to a remote, unsecured and unverified network, those privileges are not always re-verified, leading to expanded access to sensitive materials and a lack of visibility into who has access to what. Remote and hybrid work meant that employees were accessing company data outside the traditional perimeter-based defences the company had designed, such as firewalls and intrusion detection mechanisms, giving cybercriminals more endpoints to target. Data breaches have affected a variety of industries, notably the healthcare sector, which faces a huge average cost of $9.23 million per incident, followed by $5.27 million for the finance sector. In fact, a study showed that 73% of VP and C-suite IT leaders perceive remote workers as posing a higher security risk than in-person and onsite employees.
Where does Zero Trust Security come in?
Remote working wasn’t the first challenger to traditional perimeter-based security. Wireless technology, the Internet of Things (IoT) and the cloud have made security leaders realise that in a complex and connected environment it’s not only about where workers are trying to access data from, but who is trying to access what and when. The Zero Trust Security (ZTS) model has been the answer for many companies trying to tackle a range of cyberattacks and insider threats. Its emphasis on ‘never trust, always verify’ has shone a light on the importance of securing every one of a company’s assets and resources. ZTS is built on three key principles:
- Always verify: Never assume people or their devices are trustworthy
- Always monitor: What people are doing or trying to access through any device should be monitored for suspicious or unusual behaviour
- Give minimal privileges: Only provide the access that people need and for a specific length of time.
The Zero Trust Security model considers a range of factors such as identity, device health, location and user behaviour in the decision-making process for defining access rights and trustworthiness. The benefits of this include enhanced visibility on user behaviour, access requests and a company’s IT estate, protecting sensitive data and thereby reducing the possibility of cyberattacks and complying with regulatory standards and auditing. Challenges to implementing ZTS architecture include having knowledge and visibility of all business resources and data, ensuring consistent monitoring and appropriate incident response, devising strong policies and procedures – and ensuring any third party or vendor management aligns with this – and promoting safety and security through employee training and cybersecurity awareness.
From theory to strategy: Implementing Zero Trust Security as a strategic security imperative
A recent study by Zscaler highlighted that over 90% of the senior IT executives interviewed (CIOs, CISOs and CTOs) who had started migrating their business data and services to the cloud had also implemented, or were planning to implement, a ZTS strategy.
A range of factors drive ZTS, but two are key in necessitating a cultural security shift: regulatory procedures and requirements (both for auditing and for controlling how data is stored and shared, such as the GDPR and HIPAA), and the ever-present risk of cyberthreats that change in nature and scope as technology develops.
Most Zero Trust Security models will have the following characteristics:
- Identity-based access control, provisioned by strong Identity and Access Management (IAM) policies and standards, and underpinned by the logic of least privilege
- Software-defined perimeters that ensure identities are verified at each ‘boundary’, for example the use of two-factor or multi-factor authentication (MFA)
- Micro-segmentation of networks into smaller access zones that control a smaller surface of data, identities and resources
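To show how the three principles and the characteristics above combine into a single access decision, here is an added illustrative policy decision point in Python. It is example code written for this article, not code from the article, Zscaler, Okta or any other vendor. On every request it re-checks MFA and device posture (always verify), treats every grant as time-bounded (minimal privileges), uses network location as a factor for sensitive resources, flags a burst of denials as anomalous behaviour and writes every decision to an audit log (always monitor). The thresholds, resource names, zone labels and sample requests are constructed assumptions, not values from the article.

```python
"""Minimal zero-trust policy decision point (illustrative example, not a vendor product)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

MAX_PATCH_AGE_DAYS = 30                 # assumed device-posture threshold
ANOMALY_DENIALS = 3                     # assumed: flag a user after this many denials in the window
ANOMALY_WINDOW = timedelta(minutes=10)  # assumed behaviour-monitoring window
SENSITIVE_RESOURCES = {"hr-db", "finance-share"}  # constructed sample data classification


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the company's device management
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Grant:
    resource: str
    actions: frozenset
    expires_at: datetime   # least privilege: every grant carries an expiry date


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool     # result of the MFA step at the current 'boundary'
    grants: tuple


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    resource: str
    action: str
    network_zone: str      # "corp", "home" or "public" (constructed labels)
    now: datetime


def device_healthy(d: Device) -> bool:
    """Device posture: managed, encrypted and patched within the threshold."""
    return d.managed and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS


def find_grant(identity: Identity, resource: str, action: str):
    """Return the grant covering this resource/action pair, or None if the user has none."""
    for g in identity.grants:
        if g.resource == resource and action in g.actions:
            return g
    return None


class PolicyDecisionPoint:
    def __init__(self):
        self.audit_log = []   # "always monitor": every decision is recorded as a JSON line
        self._denials = {}    # user -> timestamps of recent denials (behaviour factor)

    def decide(self, req: AccessRequest):
        """Evaluate one request from scratch; returns (allowed, list_of_denial_reasons)."""
        reasons = []
        # Always verify: nothing is inherited from an earlier session or network position.
        if not req.identity.mfa_verified:
            reasons.append("mfa_not_verified")
        if not device_healthy(req.device):
            reasons.append("device_posture_failed")
        grant = find_grant(req.identity, req.resource, req.action)
        if grant is None:
            reasons.append("no_matching_grant")
        elif grant.expires_at <= req.now:
            reasons.append("grant_expired")
        # Location factor: sensitive resources are not served to public networks at all.
        if req.network_zone == "public" and req.resource in SENSITIVE_RESOURCES:
            reasons.append("sensitive_resource_from_public_network")
        # Behaviour factor: a burst of denials inside the window is flagged as anomalous.
        if reasons:
            recent = [t for t in self._denials.get(req.identity.user, [])
                      if req.now - t < ANOMALY_WINDOW]
            recent.append(req.now)
            self._denials[req.identity.user] = recent
            if len(recent) >= ANOMALY_DENIALS:
                reasons.append("anomalous_denial_rate")
        allowed = not reasons
        self.audit_log.append(json.dumps({
            "time": req.now.isoformat(), "user": req.identity.user,
            "device": req.device.device_id, "resource": req.resource,
            "action": req.action, "zone": req.network_zone,
            "allowed": allowed, "reasons": reasons,
        }))
        return allowed, reasons


def sample_scenarios():
    """Constructed sample requests run through one PDP; returns ([(name, allowed, reasons)], audit_log)."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    good_dev = Device("lap-01", managed=True, disk_encrypted=True, patch_age_days=5)
    byod = Device("phone-77", managed=False, disk_encrypted=True, patch_age_days=90)
    alice = Identity("alice", mfa_verified=True, grants=(
        Grant("hr-db", frozenset({"read"}), now + timedelta(hours=8)),
        Grant("wiki", frozenset({"read", "write"}), now - timedelta(days=1)),  # already expired
    ))
    pdp = PolicyDecisionPoint()
    cases = [
        ("read hr-db from home on managed laptop", AccessRequest(alice, good_dev, "hr-db", "read", "home", now)),
        ("same request from a public network", AccessRequest(alice, good_dev, "hr-db", "read", "public", now)),
        ("write hr-db without a grant", AccessRequest(alice, good_dev, "hr-db", "write", "home", now)),
        ("read wiki with an expired grant", AccessRequest(alice, good_dev, "wiki", "read", "corp", now)),
        ("read hr-db from an unmanaged device", AccessRequest(alice, byod, "hr-db", "read", "home", now)),
    ]
    results = [(name, *pdp.decide(req)) for name, req in cases]
    return results, pdp.audit_log


if __name__ == "__main__":
    for name, allowed, reasons in sample_scenarios()[0]:
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the structure is that the decision function has no memory of a previous "trusted" state: the same user on the same day is allowed from home and denied from a public network, and the expired wiki grant is refused even though the user was once entitled to it. The third and later denials inside the window also carry the behavioural flag, which is the signal a monitoring team would alert on.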
What is the state of Zero Trust Security in 2024?
An analysis of the 2023 ZTS reports of leading cybersecurity companies paints a hopeful yet skewed picture: whilst smaller organisations with between 500 and 999 employees are less likely to have implemented ZTS models, 75% of larger companies with 5,000 – 9,999 employees will have defined ZTS models. Security Executives’ investments in access management tools signify a shifting focus on identity as the bridge between security and business value, with the former driving the latter. The same Okta report highlights that whilst 27% of respondents indicated ‘identity’ was extremely important in 2022, this number had risen to 51% in 2023. The positive state of ZTS in 2023 seems to be geographically skewed towards North America, with the EMEA and Asia Pacific regions following closely behind in adoption. In a similar study conducted by Zscaler, companies across the UK appear to be the least enthusiastic in adopting ZTS strategies – despite the new remote working landscape – with 20% indicating a preference to keep traditional access management, compared to 37% of companies in India and 36% in Singapore who placed a high priority on a ZTS-based hybrid strategy.
At the same time, 54% of IT leaders surveyed in the Zscaler report perceived VPNs or traditional perimeter-based firewalls to be ineffective cybersecurity measures. Unsurprisingly, then, over 40% of the US-based respondents in the Zscaler study indicated improved advanced threat detection as their top reason for implementing and investing in ZTS. Generally, companies tend to be investing in ZTS network access, cloud firewalls and data loss prevention, and many are investing in ZTS models for hybrid working because their employees face inconsistent access management between on-premises and cloud-based data.
The results above emphasise that whilst ZTS is becoming an important ‘boardroom’ topic for Security Executives, challenges remain. As mentioned, ZTS requires organisations to have visibility of their entire IT estate and data, which can impose large costs and may lead to rushed decision-making and the implementation of inadequate ZTS models that lend a ‘false sense of security’. Naturally, with the advent of hybrid working, companies face the additional challenges of implementing security controls and architecture for remote employees and ensuring robust monitoring continues, whilst also providing a smooth and seamless user experience.
The Path to Zero Trust Security
With the growing importance of ‘identity’ and the increasing awareness of the sophistication of cyberattacks, security leaders should begin by asking themselves certain questions on identity and access to better gauge where their organisation is in its ZTS journey. For example:
- Is there complete visibility of the IT estate, including accounts and devices?
- Is there complete visibility of where data is stored and can be shared?
- Are employee accesses managed following a decentralised approach and per department, or are they managed centrally and automatically?
- Are employees’ accesses and behaviours monitored?
- How are different privileges assigned and managed? Do these privileges have an expiry date?
- How aware or trained are employees on cyberthreats, especially in a remote working environment?
Final Thoughts
With insider threats on the rise, companies should look to secure their data and assets via tools such as MFA and single sign-on (SSO) services that are underpinned by a set of rules and factors governing authentication and authorisation. Role-based access, whereby employees are assigned different privileges and access rights based on their role in the organisation, is another mechanism for securing perimeters. Ultimately, a ZTS strategy will require change management for employees, emphasising the bridge between security policies and business value that leads to business growth, safety and longevity. ZTS is a strategy and philosophy rather than a product or service that can be quickly implemented to mitigate security concerns – and it is increasingly important in a remote working environment where traditional boundaries are blurred and the gaps in an organisation’s cybersecurity policies and processes are exposed.