Nearly 60 percent of cybersecurity leaders in New Zealand and Australia view their security approach as antiquated, a worrying statistic in an environment of increased breaches and cyber attacks. A Zero Trust Framework has been proposed as the answer – but what does it mean and how can it protect your organisation and your people? By Matthew Evetts.
A very small percentage of breaches are the equivalent of blasting open the bank vault – the average cyber-attack is more like cleaning out someone’s bank account by convincing the teller you’re someone else.
Or, to put it in a business context, like someone helping themself to a briefcase of sensitive documents left lying on a desk in an office that has inadequate security.
Which is why implementing a Zero Trust Framework is so effective at protecting an organisation.
At a practical level, Zero Trust is about only providing access to systems, networks and data if it is needed, only ever to an authorised person and within agreed parameters.
Ideally, all activity that touches your organisation should be questioned, every time, whether that’s a transaction between two servers or a user logging onto a device or an application.
The nature of Zero Trust also means that the verification process is repeated every time the context or the activity changes: just because a user or device was granted access to a data set at a point in time, doesn’t mean the default is to always grant access.
No user or device is granted universal, unfettered “access all areas” rights, and this approach creates significant layers of protection that become critical in the event a breach occurs.
In a cybersecurity breach, once an attacker finds a way in, they very quickly work to access other parts of your environment and your organisation. That average time for lateral movement is now under two minutes.
A Zero Trust model makes this movement within your network much harder, creating a protective layer between the attacker and the potential harm they can cause for your people, your customers and your reputation.
Implementing a Zero Trust approach is about much more than network security architecture: it’s about policies and incident response protocols, new approaches to device and service access control and making sure employees can spot phishing attacks and attempts at identity theft. It’s also about keeping people safe by offering multi-factor authentication and password-less access.
Although Zero Trust is rapidly becoming best practice around the world – including in the US where the Biden Administration has directed all government departments to adopt a Zero Trust approach as part of its national cybersecurity policy – many New Zealand and Australian organisations still have work to do to win the full support of key stakeholders and staff.
A recent Datacom-commissioned study conducted by Forrester Consulting has shown while 83 percent of decision-makers see Zero Trust as the future of their firms’ security, only 52 percent of security teams were seen as supporters of Zero Trust at the outset of implementation. Just 40 percent of operational business or technology teams were supporters.
Forrester Consulting carried out the custom survey of more than 200 decision-makers responsible for cybersecurity strategy in Australian and New Zealand organisations, ranging in size from 200+ to 20,000+ employees.
Forty-eight percent of the decision-makers surveyed said their “stakeholders struggled to understand the business value of adopting a Zero Trust approach”.
Communicating the business value and bringing stakeholders on board needs to be a key focus for any organisation looking to implement Zero Trust.
For Zero Trust to be effective, the drive for technical change needs to be balanced with a focus on cultural change.
Staff need to understand why Zero Trust matters and how it protects them, and they need to be clear they have a role in it.
Zero Trust requires people to work with it, not around it, in the same way physical security measures in an office need buy-in: electronic entry cards are rendered useless if staff choose to let other people enter without passes or leave doors propped open.
To download the full Zero Trust study and analysis, visit www.datacom.com/zerotrust.
Matthew Evetts is Datacom’s director connectivity and security. Datacom works collaboratively with a wide range of organisations providing best in breed technology, support and advice to help businesses improve their security posture.