Looking back at 2019, businesses and organisations experienced a record-breaking year of cyberattacks as they increased in frequency, intensity and severity. One study recorded a 195 per cent jump in ransomware attacks in the UK in the first six months alone. Small businesses, city governments, schools and healthcare organisations were especially hit hard as cybercriminals took advantage of IT departments with fewer resources and budgets.
At every turn, organisations were confronted with ransomware, malware, email phishing and social engineering attacks. This resulted in record data breach levels. Insurance company Hiscox found 61 per cent of businesses quizzed in its annual cyber-readiness survey admitted a breach. And that’s just one among many reports putting breaches at a historic high.
These breaches are costly. IBM Security estimates that a data breach costs UK organisations an average of £2.99million per incident, a rise of 10 per cent on the previous year.
But cybercriminals aren’t going to let up any time soon. If businesses are going to shift the dial on data breaches, they need to admit the severity of the continuous threat to data. And, in the new regulatory environment, businesses are held to account for the data they hold. That means, whether they go it alone or enlist the help of their cloud service provider, understanding data security is no longer a luxury, it’s a necessity.
Never trust, always verify
As organisations take data protection more seriously, investments in security and developing more advanced, focused strategies is finally starting to match the scale of the threat. That means there are new and more effective options available to businesses. At the same time, companies are realising that security isn’t just deploying technology and hoping for the best; it is about instilling a strategic security philosophy across all parts of the business.
One such strategy is called “Zero Trust,” which incorporates technology, services, people and processes into a cohesive approach with multiple layers of defence.
Developed by Forrester Research a decade ago, the Zero Trust security model can be summed up as “never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organisation’s network, no access is granted without verification. Zero Trust is necessary because traditional network security can no longer keep data safe from today’s advanced threats. Cybercriminals find it all too easy to breach the outer walls and, once inside, are free to move around the network looking for valuable data to steal.
Implementing “Zero Trust”
Zero Trust might sound like a negative term, but when your data is at risk, this is exactly the conservative approach you need.
Let’s start with this analogy: If you enter your house through the front door, you expect to have access to all the rooms inside. In a Zero Trust world, you would not necessarily have access to all rooms automatically. In fact, you may not be able to go beyond your hallway without further permission.
Achieving Zero Trust security is a layered activity that starts with physical security as the first line of defence. Physical data centres, whether on-premises or in the cloud, are the crown jewels of customer data and should be treated as such when guarding against cyber-theft.
Every data centre should receive equal priority and attention with consistent security standards across all physical assets. This includes active monitoring, controlled access to all facilities via an approved access list, and secure environmental elements such as power, cooling and fire suppression.
Every security measure should be applied logically across every layer of technical configurations and software to create a secure and stable foundation. Logical security approaches should be applied at the network, storage and hypervisor layers; and you or your cloud service provider should offer as much security as possible throughout each layer.
Check with your CSP to ensure they can properly manage your logical security – trust is an important factor in your supplier relationships, too. This also means making sure you have trained and experienced people protecting your data who understand how to work within the established controls to secure the various systems.
Verify these people are trustworthy. It is perfectly acceptable to request employee background checks and require that they undertake security and compliance training to keep skills up to the necessary level. Audit your physical security performance regularly with frequent access reviews, annual penetration testing against your infrastructure, as well as regular patching schedules for all systems.
You can also confirm those resources through third-party validations. Even the most secure organisations can benefit from an additional review. You or your CSP should consider adhering to some of the following frameworks and standards: HIPAA, HITRUST, SSAE16, ITIL, GDPR, CSA STAR, CJIS and more.
Cybercrime will escalate in the months and years ahead. Even low-skilled cybercriminals have the means to get into your networks, disrupt your operations and steal your customer data. And if they can’t get through the front door, they may still find a side door open through one of your supplier organisations.
You have to accept the likelihood that attackers will find their way into your network one way or another, which means the smart approach is to ensure you minimise the potential for damage and theft once they do. That’s where Zero Trust pays off.
Adopting a Zero Trust strategy and choosing suppliers that support it can eliminate vulnerabilities that aren’t addressed by technology implementations and add an extra degree of control in the severe cyber-risk environment we face.
Justin Augat, VP of Product Marketing, iland