Unlike real-life, linking trusted individuals to their online counterparts is far trickier in a digital landscape. Zero Trust is an era-defining security framework; a digital environment cannot survive if accounts are simply assumed to be safe. Account takeover, brute-force and credential stuffing attacks all take advantage of an over-trusting security philosophy. IBM’s 2022 Data Breach report has shown that – now more than ever – the foundation of data protection security is zero-trust.
The Rise of Zero Trust
From the first wave of office-based MicroComputers in the 1970s, capable of only operating a single program, the focus was primarily placed on technical capability – not security. Office technology wouldn’t truly take off until the PC arms race between IBM and Apple. In the 90s, the final piece of the puzzle slid into place: the World Wide Web. Tim Berners-Lee developed the concept of digital “destinations” – nowadays called websites – where businesses can host information. Bolstering online connectivity, the email rose to meteoric success. Throughout this transformative period, the philosophy of cybersecurity remained largely stagnant: a perimeter-led view that defined ‘trusted insiders’ vs ‘untrusted outsiders’.
For nearly 20 years, this view of trust justified the applications and resources employees could access. The office working space mapped neatly onto its digital counterpart: anyone ‘in’ the office was trusted; anyone outside was not. Throughout this time, cybersecurity adhered to the philosophy that what’s inside the corporate firewall can be trusted. This concept of inside versus outside became a variable that was used to determine security policy: organizations operated under the adage “trust, but verify.” Note that, in the trust-but-verify model, trusted is the default state. Once an identity is verified, trust is assumed, and access is granted.
Then, in the 2010s, a massive shift made this security framework redundant. This change didn’t cause quite the same socio-cultural stir as the invention of the internet had; there was no ensuing dot com crash. Quiet but mighty, cloud computing broke up monolithic server stacks, splintered supply chains and resources, and gave employees the ability to work wherever, whenever. WFH didn’t just shatter your commute – it demanded a security revolution.
Cloud applications saw commercial networks move away from on-premise, as cloud environments were suddenly opening up the well-defined boundaries of the working office. Instead of the ‘trusted insider’ vs ‘untrusted outsider’, John Kindervag proposed a new form of security at the turn of the 2010s. This new model should not base security on where the user is, but should instead verify who they are. Zero Trust had been born.
Zero Trust was ground-breaking, in the sense that it removed the traditional idea of a network edge. Now, it didn’t matter whether the user was inside the organization’s network or not. Zero Trust demands that every user be authenticated, and then continuously validated before and during access to sensitive applications and data. Now, a lack of trust is the default. This applies for each type of user, too – in their day-to-day work life, a company secretary does not need access to the same level of confidential information as the VP does.
Zero Trust Reduces the Cost of Data Breaches
When a company’s identity and access management is even slightly off-kilter, the question of a serious data breach becomes ‘when’, rather than ‘if’. IBM’s 2022 report unveiled the gritty truth of the carnage caused by a data breach. The average cost of these attacks clocks in at $4.35 million; out of over 500 companies surveyed, over half of these breaches occurred from malicious activity. The reasoning behind this is often financial gain. The personally identifiable information (PII) involved in data breaches often form the foundation of further phishing and ransomware attacks, making illicit PII a multi-million underground economy.
Results from IBM’s recent data breach study showed that the most common cause of a data breach were lost and stolen credentials; each was responsible for 19% of malicious breaches. IBM also noted the vital role that zero trust plays in the outcome of each attack. The victims that do not employ zero trust architecture pay the cost, with traditional organizations paying an average of $1.17 million more per attack. Even worse, almost 80% of critical infrastructure organizations suffer from a lack of zero trust strategies, leaving the taxpayer to pay the price. Even more concerning: 19% of breaches in critical infrastructure were caused by an initial compromise within a business partner. Over-trusting environments pose security risks not just to singular organizations, but one breach can shatter the integrity of entire business networks and supply chains.
By prioritizing least access, organizations can increase their defense resiliency and manage the risks of collating multiple business environments. All while still allowing users to access the appropriate resources.
Other Ways to Reduce the Cost of a Data Breach
The focus of zero trust is simplicity. When every user, network interface, and data packet is untrusted, asset protection becomes simple. To promote cybersecurity simplicity, organizations can prioritize tools that streamline the zero-trust process. In automating repetitive and manual tasks; managing and integrating your toolbox of security systems, and autoremediating known vulnerabilities, actioning a journey toward zero-trust becomes possible. Zero trust covers the first of three major points of a data protection strategy. As it focuses on access control, the other two are equally important in reinforcing your data breach defenses: data security and data availability.
Data security focuses on protecting data from malicious or accidental damage. This entails close management of the data lifecycle. Following the Zero Trust philosophy, this understands the importance of contextually distributing data into online and offline storage, depending on its level of sensitivity.
Data availability, at first glance, may seem only relevant in the case of an attack. The focus here is to guarantee access to data. This is achieved via an up-to-date and easily accessible system of backups, able to rapidly be placed online should malware attempt to interfere. These backups should be appropriately protected, and secured externally to the main database. The goal here is to guarantee constant data accessibility – this may also be a major part of your compliance strategy.
With the threefold focus on data protection – access, security, and availability – your organization can not only reduce the chances of a severe data breach, but also dampen the effects of such an attack.