Why the zero-trust framework is here to stay
In 2021, 49% of businesses were hit with data leaks caused by compromised, careless or negligent employees. In the face of rising cybersecurity threats, more and more Australian organisations are making the move to zero-trust principles. Recent months have seen utility companies, banks and universities signing up, with one CISO describing zero trust as “mandatory in the modern world”.
But if zero trust is to be effective, it must be implemented across the board, without exception. Unfortunately, many executives think restrictions shouldn’t apply to them. They often need access to sensitive data fast, and since being responsible is at the heart of their job, they may feel confident that they won’t fall for a scam. Yet it’s that very sense of responsibility that brings danger. Senior executives are arguably the biggest vulnerability in your workforce, simply because they have access to the most sensitive data. That’s why including them in zero-trust policies is for their own good. Let’s explore zero trust and why there shouldn’t be any exceptions to its rules.
What does zero trust mean?
The term was coined in 1994, but it wasn’t until the 2010s that it began to gain traction. Since then we’ve seen phishing attacks grow more sophisticated and a huge rise in remote work. Zero trust, with its mantra of “never trust and always verify”, offers a compelling way to keep criminals at bay – and your data safe – in a challenging post-pandemic world.
Zero trust is based on the principle of least privilege. In a traditional model of IT security, users who have gained access to a given network or system are free to access or alter the assets within that network.
In a zero-trust model, every attempt to access a node or network segment is treated as a new access attempt, and the user must prove their credentials each time. In other words, in a zero-trust system:
all resources are accessed securely, regardless of the user’s location
users are granted the minimal level of access they require for a task
all traffic is inspected, logged and verified
The idea is that even if one node, network segment or set of assets is compromised, the damage is contained because the attacker can’t reach the rest of the network.
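To make the three rules above concrete, here is an added example (not code from the article or from any vendor it mentions): a minimal zero-trust policy engine in Python. Every request is decided on its own, with no trust carried over from an earlier decision or from being on the corporate network; grants are least-privilege role-to-resource mappings; and every decision is logged. The roles, resources and user names are constructed for illustration.

```python
"""Added example: a minimal zero-trust policy engine.

Each request is evaluated independently, location is never consulted, grants
are least-privilege, and every decision is logged. All names are constructed.
"""
from dataclasses import dataclass, field

# Constructed least-privilege grants: a role maps to exactly the
# (resource, action) pairs it needs. Seniority does not widen the set;
# the CFO role gets the ledger but not the source repository.
GRANTS = {
    "cfo":      {("finance-ledger", "read"), ("finance-ledger", "approve")},
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
    "analyst":  {("finance-ledger", "read")},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool          # identity re-proven for this request
    device_compliant: bool      # endpoint posture check passed
    on_corporate_network: bool  # deliberately ignored by the policy


@dataclass
class PolicyEngine:
    log: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> tuple:
        """Decide one request, log it, and return (allowed, reason).

        Nothing from a previous call is reused: a successful request a
        moment ago gives the next request no head start.
        """
        if not req.mfa_verified:
            decision = (False, "identity not verified for this request")
        elif not req.device_compliant:
            decision = (False, "device posture check failed")
        elif (req.resource, req.action) not in GRANTS.get(req.role, set()):
            decision = (False, f"role {req.role!r} has no grant for "
                               f"{req.action} on {req.resource}")
        else:
            decision = (True, "explicit grant matched")
        # Every request is logged, allowed or not.
        self.log.append({"user": req.user, "resource": req.resource,
                         "action": req.action, "allowed": decision[0],
                         "reason": decision[1]})
        return decision


def demo() -> list:
    """Three requests from the same executive, each checked afresh."""
    engine = PolicyEngine()
    # Approved: verified identity, compliant device, explicit grant.
    # Being off the corporate network changes nothing.
    engine.evaluate(AccessRequest("cfo@example.test", "cfo",
                                  "finance-ledger", "approve",
                                  mfa_verified=True, device_compliant=True,
                                  on_corporate_network=False))
    # Denied: same user, but this request comes from a non-compliant
    # device. The earlier approval is not carried forward.
    engine.evaluate(AccessRequest("cfo@example.test", "cfo",
                                  "finance-ledger", "read",
                                  mfa_verified=True, device_compliant=False,
                                  on_corporate_network=True))
    # Denied: the CFO role has no grant on the source repository,
    # however senior the requester.
    engine.evaluate(AccessRequest("cfo@example.test", "cfo",
                                  "source-repo", "read",
                                  mfa_verified=True, device_compliant=True,
                                  on_corporate_network=True))
    return engine.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the `on_corporate_network` field is that it exists but is never read: a request from inside the perimeter is judged by exactly the same checks as one from outside, which is what “accessed securely, regardless of the user’s location” means in practice.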
For zero trust to work, it must be comprehensive
If zero trust is to be successful, it must be implemented across all your organisation’s systems. Doing so can be a huge task. Plenty of companies that offer zero-trust solutions, or claim to have implemented zero trust, have some glaring gaps. For example, some only scan web traffic, while others just create tunnelling services between users and apps. These gaps leave vulnerabilities, and exempting the C-suite from zero-trust controls is one of the most serious vulnerabilities of all.
The key to keeping zero trust both frictionless and useful is the Principle of Least Privilege. While the default assumption is that senior executives need full unrestricted access to all data within an organisation, is that really true? What is the minimum degree of access they need to perform their duties? This can vary greatly from executive to executive, but putting controls on the data they can instantly access can be a powerful cybersecurity measure.
Hackers hunt whales in the C-suite
“Whaling attacks”, the term for cyberattacks that target senior company stakeholders, are an increasing trend and are one reason why successful business email compromise (BEC) attacks declined in number but rose in value (by $50,600 per incident) in 2021.
Attackers specifically focus on senior executives who tend to:
have privileged access to key data
work long hours and deal with numerous requests at speed
be especially prominent on social media – meaning any personal information they share can rack up plenty of eyeballs
be important enough that, if a scammer does manage to impersonate them, employees may leap to fulfil their requests without thinking first
All these factors make the C-suite uniquely vulnerable targets, whether they’re hurriedly clicking on a deceptive link on their phone, authorising a release of funds on an email chain or sharing personal details via a LinkedIn update.
That’s why zero trust is so important to securing the C-suite. By validating every request from C-level users, and ensuring such users only have access to the data they need, zero trust can dramatically reduce the damage scammers, malware and ransomware – as well as simple mistakes – can cause.
Monitoring makes all the difference
Successful zero-trust policies don’t just limit access – they monitor and assess real-time risk. Sophisticated zero-trust programs use behavioural analytics to interpret user actions around data and systems. As well as imposing access rules, they can assess behaviour and determine whether it is normal or represents a potential threat. This makes zero trust a dynamic approach that, when executed correctly, can prevent threats from escalating without adding significant friction for users.
Monitoring and logging of this kind are particularly important for users with high access privileges, such as the C-suite. Security reports and analytics can be shared with executives, showing their patterns of behaviour and incidents such as failed logins, dangerous click-throughs and idle sessions. This process can illustrate the dangers of unverified access and show the C-suite why zero trust is vital to their security.
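The two paragraphs above describe behavioural analytics in the abstract. The following added example (not the article’s own code, nor any product’s) shows the shape of such logic in Python: it learns a per-user baseline of normal hours, source addresses and resources from a constructed audit log, scores each new event against that baseline, and applies a lower alert threshold to privileged users. The log format, user names, addresses, point values and thresholds are all constructed assumptions.

```python
"""Added example: per-user behavioural baseline and risk scoring over
constructed audit log lines. Format, users, scores and thresholds are
assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

PRIVILEGED = {"cfo@example.test"}   # constructed: users with broad access

# Constructed history: ISO timestamp followed by key=value pairs.
HISTORY = """\
2024-03-04T09:02:11Z user=cfo@example.test event=login result=ok src=198.51.100.20
2024-03-04T09:40:05Z user=cfo@example.test event=access resource=finance-ledger result=ok src=198.51.100.20
2024-03-05T08:55:42Z user=cfo@example.test event=login result=ok src=198.51.100.20
2024-03-05T10:12:00Z user=cfo@example.test event=access resource=finance-ledger result=ok src=198.51.100.20
2024-03-04T09:10:00Z user=analyst@example.test event=login result=ok src=198.51.100.33
"""

# Constructed new events to score: a 2am burst of failures, then a success
# from an address never seen before, then a touch on an unusual resource.
NEW_EVENTS = """\
2024-03-06T02:13:00Z user=cfo@example.test event=login result=fail src=203.0.113.9
2024-03-06T02:13:30Z user=cfo@example.test event=login result=fail src=203.0.113.9
2024-03-06T02:14:05Z user=cfo@example.test event=login result=ok src=203.0.113.9
2024-03-06T02:15:00Z user=cfo@example.test event=access resource=hr-records result=ok src=203.0.113.9
2024-03-06T09:30:00Z user=analyst@example.test event=login result=ok src=198.51.100.33
"""


def parse(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict with a UTC 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_baseline(log: str) -> dict:
    """Per user: hours of activity, source addresses and resources seen."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "resources": set()})
    for line in log.splitlines():
        r = parse(line)
        b = base[r["user"]]
        b["hours"].add(r["ts"].hour)
        b["srcs"].add(r["src"])
        if r["event"] == "access":
            b["resources"].add(r["resource"])
    return base


def _flag(out: dict, points: int, msg: str) -> None:
    """Add a signal once per user so a burst of similar events is not double counted."""
    if msg not in out["signals"]:
        out["signals"].append(msg)
        out["score"] += points


def score_events(baseline: dict, log: str) -> dict:
    """Score new events against each user's baseline.

    Returns {user: {"score": int, "signals": [...], "flagged": bool}}.
    Privileged users are flagged at a lower score than everyone else.
    """
    report = defaultdict(lambda: {"score": 0, "signals": [], "flagged": False})
    fail_streak = defaultdict(int)
    for line in log.splitlines():
        r = parse(line)
        user = r["user"]
        out, base = report[user], baseline.get(user)
        if r["event"] == "login" and r["result"] == "fail":
            fail_streak[user] += 1
            if fail_streak[user] >= 2:
                _flag(out, 2, "repeated failed logins")
        elif r["event"] == "login" and r["result"] == "ok":
            if fail_streak[user] >= 2:
                _flag(out, 3, "successful login after failures")
            fail_streak[user] = 0
            if base and r["src"] not in base["srcs"]:
                _flag(out, 2, "login from unseen source address")
        elif r["event"] == "access" and base and r["resource"] not in base["resources"]:
            _flag(out, 2, "access to resource outside usual set")
        if base and r["ts"].hour not in base["hours"]:
            _flag(out, 1, "activity outside usual hours")
        limit = 4 if user in PRIVILEGED else 7
        out["flagged"] = out["score"] >= limit
    return dict(report)


def demo() -> dict:
    return score_events(build_baseline(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for user, entry in demo().items():
        print(user, entry)
```

Run as a script it prints one line per user; the executive account accumulates five distinct signals and is flagged, while the analyst’s ordinary morning login scores nothing. The per-user report is the kind of artefact the article suggests sharing with executives, since it shows exactly which behaviours tripped the threshold rather than a bare “blocked” message.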
Making zero trust work
Zero trust is a popular buzzword in cybersecurity today. Policies such as network segregation mean many organisations are already part of the way to zero trust, while other companies may aspire to zero trust without fully signing up to its principles.
But as we’ve seen, it’s crucial that zero trust encompasses all users – especially the C-suite. A proper zero-trust framework that constantly re-validates every interaction and makes real-time decisions about user behaviour will greatly reduce the level of risk your organisation is exposed to, and put you in a strong position to defend against the growing threats lurking in cyberspace.