Published by Cybersecurity Practice
March 23, 2023
As we continue to see targeted phishing and ransomware attacks become more commonplace in both the public and private sectors, it’s increasingly clear that organisations cannot afford to continue operating on a ‘wait and see’ basis for their cybersecurity. It’s critical for the continuity of business and operations that effective solutions are implemented proactively – limiting an organisation’s exposure to cyberattacks and shoring up their defences. For an organisation looking to do this today, a zero trust implementation is an essential part of any comprehensive cybersecurity solution.
Zero trust as a concept distinguishes itself from traditional approaches to defending networks and IT infrastructure; previously, these were protected by building as strong as possible a defence between the systems under the organisation’s control and those that are external – everything inside would be treated as safe, and everything outside as potentially malicious. This approach provides good initial protection against outside attacks, but is less useful for detecting and blocking attacks that come from inside the network, and cannot protect users and systems that exist on the outside, like remote workers, cloud-based services, and edge devices.
What zero trust does differently, then, is to remove the single network-wide implicit trust found inside traditional network architectures. Instead, it assumes a constant state of breach, requiring that every request made on the network is verified as though it originates from an external source, regardless of the physical or network location. Even after granting access, zero trust enforces the principles of micro-segmentation and least-privileged access to ensure that each verified request can still only access the information and systems it requires, and limits lateral movement throughout a network.
A case in point comes with the news at the end of February that News Corp, the owner of many major media corporations including the UK newspapers The Sun and The Times, had not only suffered from a cyberattack, but that the perpetrators had remained in their systems for two years before being detected.¹ While any intrusion is naturally cause for alarm, the notable thing about this story is the amount of time the attackers were able to retain a presence within News Corp’s systems without detection. A thorough zero trust implementation would have required constant verification and authentication from the attackers, limiting their movement within the network and likely flagging their activity as suspicious far earlier than happened in reality.
As anyone paying attention to such stories will be aware, the potential damages that come from a successful ransomware attack can be devastating – both in terms of financial losses, and continuation of business. There have been countless news stories of high-profile targets brought to a standstill due to such attacks, both in the private and public sector; Hackney Council is still attempting to recover from ransomware that infiltrated their systems over two years ago.² More recently, Royal Mail was unable to handle any international shipping for weeks after an attack breached their systems, and the attackers continue to threaten the leak of company data collected in the attack.³
In the world of cybersecurity, there’s no such thing as a perfect defence. Unfortunately, it’s not realistic to think that an organisation’s system can be built to rebuff every cyberattack, absolutely and entirely, no matter how sophisticated the attack might be. That said, a comprehensive implementation of zero trust will severely limit the systems an attack would be able to access, and thereby hold hostage. Combined with other cybersecurity best practices, an organisation can develop effective protection against the worst outcomes of an attack or data breach.
With all this in mind, it’s notable that adoption of zero trust solutions doesn’t appear to be progressing proportionate to its importance. According to Dell’s 2022 Global Data Protection Index, of the 1000 IT decision makers surveyed, just 12% indicated that their organisation had “fully implemented a zero trust security architecture and its ongoing maintenance”.⁴ This is despite 72% of the same respondents indicating that – at the very least – they have an understanding of zero trust, and are committed to implementing it.
Why is this? Without access to expertise in the area, implementing a zero trust approach for even a fairly basic network can be a daunting task. The nature of the task means that total comprehensive coverage is vital – a forgotten cloud service or overlooked outdated IoT device could provide a backdoor into an otherwise protected network. Deep, exhaustive audits of the existing network are vital before any planned zero trust rollout, in order to ensure that nothing is left unguarded and vulnerable.
Matters aren’t helped by a continuing global deficit of cybersecurity workers, with millions more required to close the workforce gap.⁵ As a result, even sizeable organisations with dedicated internal IT teams can find it a struggle to ensure they have the manpower and experience necessary to design and implement a truly effective zero trust solution.
All of this means that organisations are likely to postpone their zero trust implementations, hoping that they aren’t targeted by an attack in the meantime. At ITGL we have years of experience working with organisations – both in the private and public sector – to help map and secure existing networks, as well as to design and implement new ones with the tenets of zero trust in mind. To talk to us about the best approach to zero trust for your organisation, get in touch at email@example.com.