Is a zero trust approach to security really necessary? -TEISS® : Cracking Cyber Security
Andy Heather, Managing Director – EMEA for Centrify, says that the old adage, “trust but verify” doesn’t cut it in a modern threatscape where identity is the new security perimeter.
In an increasingly digital age we have come to rely on consumer technology, software and IT systems more than ever. As a result, cybercrime has emerged as the most contemporary, ruthless, and successful form of crime across the globe.
Breaches and attacks occur every minute of every day and hackers do not discriminate; be it SMEs or global enterprises, public sector services or charities, a CEO or a typical social media user, every individual or organisation is a potential target, and nobody is safe.
The scale of the damage caused by a cyber-attack can be huge, and often, victims are completely unaware an attack has even taken place until days, weeks, sometimes even months later. One of the most prominent examples of this is the attack on the popular fitness app ‘MyFitnessPal’, which affected almost 150 million users in all regions across the globe.
In a written statement at the end of March 2018, Under Armour, which owns MyFitnessPal, claimed that they had become aware of the attack a few days before, despite the fact that the attack actually took place in February – meaning it had taken them over a month to realise 150 million usernames, emails and passwords had been compromised from right under their nose.
Similarly, back in July 2017, Dixons Carphone, which owns Currys and PC World, suffered an enormous data breach which saw hackers attempt to compromise 5.9 million payment cards. The retailer confirmed in 2018 that the breach ended up affecting over 10 million customers – giving away access to their personal records such as names, postal addresses and email addresses. At the same time, approximately 105,000 non-EU issued payment cards had been compromised and Dixons Carphone now looks to face a £400 million fine.
This is a problem which is not slowing down either; it has been estimated that a ransomware attack will take place every 14 seconds throughout 2019, even as cyber security spending is predicted to rise above the $114 billion that was spent globally last year. Reports have even suggested that a projected $1 trillion will have been spent on cyber security overall between 2017 and 2021.
So, how does an increase in cyber security spending correlate with an increase in cyber-attacks? Is it just a matter of cyber criminals becoming more technologically capable whilst our business leaders and employees are becoming increasingly technologically inept?
The answer is: not exactly. It is true that hackers are constantly reaching new heights, and that large data breaches are not slowing down. However, this is not necessarily because workers are ‘inept’ when it comes to technology or cyber security, but because they have a limited understanding of the nature of these attacks, and the measures that need to be in place to prevent them.
Recent research has shown that 61% of CEOs cite malware as the main cause of data loss when in fact, phishing, privilege breach and compromised passwords are far more prevalent. This cyber blind spot means that companies may have invested heavily in some areas of cyber prevention, including software and staff training, and neglected the biggest weak spot of any company – its internal security measures.
Admittedly, it can be very easy for a company to invest heavily in protection from external attacks and assume that because certain systems are in place, all the sensitive information that resides in their servers or on the cloud is completely safe. One of the main reasons this belief exists is that the media often sensationalise and speculate on key information when covering a national cyber-attack.
News outlets will often point the finger towards international networks and ‘elite’ groups of professional criminals, provoking the image of expert ‘hackers’ and cutting-edge malware bringing down entire IT systems. The reality of it all is far less glamorous and far more damaging.
To improve cyber security measures, companies must get used to the idea that many attacks are born through a compromised credential. Attackers no longer hack in – they log in using our own usernames and passwords. Business leaders must assume that every employee, regardless of their position in the company, is a potential security threat.
In order to effectively combat internal weaknesses, a company must adopt a Zero Trust approach to identity and access management. Just as the traditional security perimeter continues to dissolve, so too do old approaches of securing access. The old adage, “trust but verify” doesn’t cut it in a modern threatscape where identity is the new security perimeter. The new mandate is, “never trust, always verify, enforce least privilege.”
Of course, there is a fine line between successful and excessive cyber security measures. The last thing any company wants is reduced productivity, which can be hindered by being locked out of systems and databases, or constantly having to request different levels of authentication just to access everyday files. The ideal solution to this problem is adaptive multi-factor authentication.
This factors in several criteria, such as the device being used or the location, to instantly create a risk score that is used to determine whether the user requesting access is a threat and should not be granted access or privilege. More sophisticated cyber security systems can even log user activity, so if a cyber-attack does occur as a result of an ‘enemy from within’ leaking data or passwords, it can be traced back to the specific user, sparking just the right amount of paranoia among all ‘potentially corrupt’ employees to keep this from ever occurring in the first place.
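The risk-scoring decision described above, sketched as an added example (it is not from the article or from any vendor's product). The signal names, weights, thresholds and sample requests are assumptions constructed for illustration; each decision is written to an audit log so it can be traced back to a specific user.

```python
from dataclasses import dataclass

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"unknown_device": 40, "new_location": 30,
           "privileged_target": 30, "off_hours": 10}
STEP_UP_AT, DENY_AT = 30, 80

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    hour_utc: int
    privileged: bool  # request targets an admin or privileged resource

@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    work_hours: range

def risk_score(req, profile):
    """Return (score, reasons); every contributing signal is kept for the audit trail."""
    signals = {
        "unknown_device": req.device_id not in profile.known_devices,
        "new_location": req.country not in profile.usual_countries,
        "privileged_target": req.privileged,
        "off_hours": req.hour_utc not in profile.work_hours,
    }
    reasons = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(req, profile, audit_log):
    """A valid password alone only gets low-risk requests through."""
    score, reasons = risk_score(req, profile)
    decision = ("deny" if score >= DENY_AT
                else "step_up_mfa" if score >= STEP_UP_AT else "allow")
    audit_log.append({"user": req.user, "score": score,
                      "reasons": reasons, "decision": decision})
    return decision

# Constructed sample data: one user's baseline and four login attempts.
PROFILE = UserProfile({"laptop-01"}, {"GB"}, range(7, 19))
SAMPLES = [
    AccessRequest("alice", "laptop-01", "GB", 10, False),   # routine access
    AccessRequest("alice", "laptop-01", "GB", 10, True),    # privileged target
    AccessRequest("alice", "laptop-01", "FR", 22, False),   # travelling, late
    AccessRequest("alice", "unknown-77", "RU", 3, True),    # everything unusual
]
```

Routine requests pass without friction, privileged or unusual ones trigger a second factor, and a request where every signal is abnormal is refused even though the password was correct.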
This is not to say that companies should neglect any protective measures they have against external cyber threats, because the truth of the matter is that nobody knows where, when, or in what form a cyber attack might arrive.
All that matters is that an organisation minimises the threat of a cyber-attack from all possible angles, leaving no weak spots, and having the necessary cyber security measures in place at all times. Taking a Zero Trust approach can significantly reduce any organisation’s risk of becoming the next data breach headline.