722 Radio Drive, Lewis Center, OH 43035 740-549-3701 info@horizonsystems.com

Zero Trust - What is it and why should I care?


Your organization likely depends on data to operate. That data most likely consists of sales projections and/or sensitive information about customers and vendors (the list can be very long on this one). Without proper security measures in place, you may be open to attacks by cybercriminals. If you're like most of us, you get bombarded with information that is too complicated, too specific, or doesn't give you a valid reason why you should even care. Because this is related to technology, it does have some complexity, sorry about that. The spirit of this article is about running a business and doing it safely with a security model known as Zero Trust. It focuses on the business aspects of that model, and why it matters to people responsible for maintaining a business.

So how do I protect my business from risks related to cyber activity?  We work to answer some of those questions here in this article.

Understanding your risks is the first step to protecting your business from cyber threats.  Learn about any potential weaknesses and try to correct them. In the long run, investing in cybersecurity can be a much cheaper option than paying the costs from a cyberattack.

 

 

So what is this thing called Zero Trust and why does it matter?  

 

Zero Trust is a standard brought forward by the National Institute of Standards and Technology, otherwise known as NIST, and is an operational framework for a more secure business computing environment. NIST has issued a guide on Zero Trust under publication NIST 800-207.

Zero Trust is an operational philosophy that combines

  • Least Privilege based software and hardware products. 
  • Policies and processes allowing a user the ability to access only the resources required. 
  • Operational knowledge based on context of the machine state, the user id, time of day, behaviors, etc. 
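
How those three ingredients can combine in a single access decision, as an added example (not from the original article or from any product): the role names, resources, business hours and the `decide` function are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed least-privilege grants: each role lists only what it needs.
GRANTS = {
    "accounting": {"invoices", "payroll"},
    "sales": {"crm", "sales-projections"},
}
WORK_HOURS = (time(7, 0), time(19, 0))  # assumed normal business hours


@dataclass(frozen=True)
class Request:
    user_id: str
    role: str
    resource: str
    device_managed: bool  # machine state: enrolled in company management
    device_patched: bool  # machine state: security updates current
    at: time              # local time of the request


def decide(req: Request) -> tuple[str, str]:
    """Evaluate one request and return (decision, reason).

    Network location is deliberately not an input: a request from inside
    the office gets the same checks as one from a home network.
    """
    # 1. Least privilege: anything not explicitly granted is denied.
    if req.resource not in GRANTS.get(req.role, set()):
        return "deny", "resource not granted to role"
    # 2. Machine state: unmanaged or unpatched devices get no access.
    if not (req.device_managed and req.device_patched):
        return "deny", "device not compliant"
    # 3. Context: unusual hours trigger extra verification, not a silent allow.
    start, end = WORK_HOURS
    if not (start <= req.at <= end):
        return "step_up", "outside normal hours"
    return "allow", "all checks passed"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("pat", "sales", "crm", True, True, time(10, 30)),
        Request("pat", "sales", "payroll", True, True, time(10, 30)),
        Request("lee", "accounting", "payroll", True, False, time(9, 0)),
        Request("lee", "accounting", "payroll", True, True, time(2, 15)),
    ]
    for s in samples:
        print(s.user_id, s.resource, s.at, "->", decide(s))
```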

There is not a single product you can buy that will make you a Zero Trust shop. This requires adapting how procedures are done, and tools that help support the implementation of those procedures. Zero Trust is a massively overused term; please don't get caught up by any one manufacturer's definition. 

For this to be done right at an organizational level, please keep in mind there needs to be a balance of being nimble, agile, safe, and secure. Otherwise productivity comes to a screeching halt, and everyone will revolt against this process.

 

What's the problem being addressed? 

 

Commerce attracts crime, and it must be defended against. Doing so brings the complexity of protecting multiple exposures in day-to-day operations related to commerce. Since a business, by definition, is related to commerce, it matters. The two primary components contributing to this problem are people and technology.

 
How People contribute to the problem:

 

The people you work with (Executives, Administrative, Information, Operational) are all human. They need to accomplish their assigned tasks or functions within your organization to be productive. What happens when people eventually leave and new hires are brought in to replace them? Are the levels of expertise the same each and every time a person gets hired or promoted? Of course not. Can everyone in your organization identify a fraudulent email? Does everyone know what websites are good and bad to visit? Do people know what links in emails should be clicked on? The simple fact is that human beings make decisions all day long, and mistakes happen. Sometimes those mistakes can be devastating.

The next part is Attribution, or the lack of knowing who someone is. We are not face to face in a digital world like we are in the physical world. Even in the physical world this can be a challenge.  There are no uniforms being worn to indicate a good or a bad actor. The people interested in taking advantage of you are located all over the world, and they collaborate together to create a cyber crime environment that makes them millions of dollars.  For them, this is not personal, you're just a set of digits with some monetary value assigned, and they want it.

The humans in your organization are a huge source of unintentional errors. Just know this will continue to be the case, so we just need to design a solution that is forgiving when this happens.

 
The Technology problem:

 

What we have practiced for years is a methodology of information security known as "Perimeter Defense". We would secure the organization's assets by protecting desktops, servers, and networking equipment by putting them in protected zones or locations. Oftentimes the office was much more protected from the outside world because it was a fortress that was fortified with firewalls and other scanning devices. Now that mobile users, cloud services, and working from home are much more the norm, how do we equally protect those users and our corporate information? Nothing was really wrong with a perimeter defensive method of information security until the rules of the game changed. As an example: it used to be that if you got across the "moat" and through the "gate" of the fortress you were known to be good, otherwise you would not have made it this far. This is no longer the case. You can't assume that someone who bypassed your defenses and got in must be granted complete access to the kingdom.

We need to start augmenting our existing technology so that we can enable a safer way of conducting our day to day business.

 

Statistics to be aware of (What the world is throwing at us.) 

 

These are statistics you should be paying attention to, as they will continue to get greater and worse if we continue doing what we've always done.

  1. There was an increase in data breaches, which is up 68% from 2020 to 2021.  (1)
  2. The number of reported "incidents" was 1,862 in 2021. Know that only about 10% - 15% of incidents are actually reported.  (1)
  3. Ransomware accounted for 22% of all attacks  (1)
  4. There was a 105% increase in Ransomware attacks between 2020 and 2021.  (2)
  5. Ransomware cost to the U.S. in 2020 was $20.9B. (3)
  6. Cyber crime expected to cost the world $10.5 Trillion annually by 2025. (4)

 

What are the risks being faced (and why should I want to avoid them?) 

 

A data breach or other cyber incident can have long-term effects on your business. It takes companies approximately 200 days to identify a security breach and about 70 days to contain a breach. The process of recovery is an expensive one.

  • The estimated cost of losses in 2021 was 6 Trillion Dollars.
  • Loss of Intellectual Properties. 
    • Intellectual Property Theft costs the U.S. $225 Billion to $600 Billion annually.
  • Resulting Lawsuits: 
    • The average cost for legal defense was $740,000.
    • The average legal settlement was $2 Million. 

Are we saying the previous security standards have not been effective?

 

Organizations have spent Billions on point products to protect themselves for years. With the onset of these new and sophisticated attacks, it's clear from these Ransomware numbers that we have not been as effective as we should be or need to be. There are holes in the earlier cyber defensive strategies we've been using, and that warrants taking a look at newer ways to address the issues we face today.

We need something new that is practiced, observed, and constantly adjusted. Yes, the previous standards have been effective, but just not complete enough.

 

Where should you start correcting the problem?

 

First of all, you should know where you currently stand. Get a 3rd party Risk Assessment or Audit of your environment. Only with an objective review will you have an idea if there are any gaping holes that need to be fixed sooner rather than later. This would be your more immediate action planning. If you're like most organizations, lots of well-intentioned people have touched your network, policies, and rules. You need some type of assessment or audit to review the existing network and computing environment to ensure it was done in an appropriate manner for today's threats.

Next, start thinking about Security Awareness Training for the staff. Help give them the training to identify things that don't seem right sooner rather than later. This also helps with containing the cost of cyber insurance, or even being able to acquire it.

Adopt a new belief around how to secure your organization.

Now is the time to adjust our way of thinking and adopt a modality of Zero Trust. That means giving permission only to the resources needed to accomplish the tasks as required.

Start with a Risk Assessment and some penetration testing. In order to plot a course you need to have two points. Begin with knowing where you are, then figure out how to get where you want to go.

What are the items I need to adopt a Zero Trust strategy?

You will need tools that support your environment with the following capabilities. You may already have some that can accomplish this functionality, or you may need some new tools added. These are the core elements you will need to get the job done in order to support a Zero Trust security model. 

  • Provide software-defined perimeters (Make several defensive perimeters as needed with software)
  • Provide File and Folder Encryption (Make the contents useless to the unauthorized)
  • Adopt a Privileged Access Management system (Control who executes what, and at what level.)
  • Adopt an Identity Access Management system (Know who is accessing the organizational content)
  • Make sure you can see all network traffic with Data Packet Inspection (Have visibility of the traffic flowing inside your organization, even if it's encrypted with HTTPS/TLS/SSL/etc.)
  • Be able to determine unusual user and device behavior (Why is a certain computer communicating to somewhere it never does at a very odd hour?) 

What is the upside to all of this?

 

Businesses will do more to avoid loss and reduce risk, eventually making this better for all of us. Realizing there is no need to throw everything out and start fresh is a good thing. It is about adjusting our priorities, building a better environment, and growing in a unified direction. Remember to always keep the balance of productivity and secure operations; you need both.

For you to survive well into the future it would be wise to pivot towards solutions that meet pervasive market needs. Zero Trust meets those criteria.

Sources:

  1. https://www.cnet.com/news/privacy/record-number-of-data-breaches-reported-in-2021-new-report-says/
  2. https://sonicwall.com/medialibrary/en/white-paper/2022-sonicwall-cyber-threat-report.pdf
  3. https://www.comparitech.com/blog/information-security/ransomware-attacks-businesses-study/ 
  4. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
  5. https://www.insureon.com/blog/why-do-cyber-liability-claims-cost-so-much