Zero Trust is the Best Digital Risk Management Approach
Sometimes the worst scenario is the one you're actually in. In cybersecurity, the worst case is a network that has already been breached, prevention tools that failed without raising an alert (a false negative), and an organization that does not know the attackers are inside.
According to a study conducted by IBM, hackers can inhabit a network for roughly eight months before being discovered. During that time, they will gather and steal valuable data or funds from bank accounts. They are usually discovered only after the victims, or their banks, have been notified by the FBI or Homeland Security.
After being notified of the breach, companies will initiate an incident response plan (if one exists) and call their vendor—or try to find one to assist with the next steps. Once the dust settles, incident response teams will try to figure out how to prevent the breach from happening again. In such cases, the security products they purchased and implemented were no match for the cybercriminals. Recovering from this can be a monumental challenge.
The Damage from Security Breaches is Widespread
This kind of scenario shows how, in the wake of a security incident, governance, risk and compliance or digital risk management (DRM) problems surface as well. Governance monitoring missed the intruder; your cybersecurity risks are now marked red and will remain a high to moderate risk for some time. Meanwhile, your compliance personnel are running around putting out regulatory fires: privacy breach violations, financial breach violations, and so on.
Elevated risks and recovery from breaches are taking a toll—not only on the reputations of affected organizations, but on the people that work there, too. A report from Kaspersky Lab and B2B International concluded that nearly one in three breaches led to people being fired or laid off. It specifies that in North America, about 32 percent of all data breaches resulted in a C-level leader or other executive-level staff member losing their job in the fallout. As alarming as that percentage is, it comes as no surprise. Simple mishaps and accidents, like an unwitting employee clicking a phishing link, are repeatedly ground zero for major cybersecurity incidents.
Zero Trust Can Mitigate Security Risks
The rise in remote workers, satellite offices, cloud services and mobile devices has resulted in networks so complex that they “[have] outstripped traditional methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise,” according to the U.S. National Institute of Standards and Technology (NIST). A great deal of effort is spent patching over this problem, when an uptick in justified paranoia could have significantly reduced the risk. That uptick in paranoia is leading companies to implement proper zero-trust controls.
In essence, a zero-trust approach to security assumes that every network can be breached, every machine can be compromised and every user is (unwittingly or not) at risk. No user, device or connection on a zero-trust network is trusted by default; each request is authenticated and authorized on its own merits, regardless of where on the network it originates. NIST defines it as follows: “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
NIST adds that there is a distinction to be drawn between zero trust and zero trust architecture (ZTA): “Zero trust (ZT) provides a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised.” ZTA is the technical design of these concepts to deliver a functional zero-trust system of protection and agile response.
Zero Trust as an Extension of Risk Management
Much like other kinds of digital transformation, zero trust isn’t a plug-and-play solution to the shortcomings of current cybersecurity practice; it’s a total commitment to a process that alters large swaths of an organization’s structure.
DRM therefore has to align with that definition: procedures must be built out to implement the “collection of concepts” and to support “per-request access decisions.” At the same time, you need governance and audits to validate compliance. With those components in place, the added diligence reduces reputational risk as well as the financial risk of theft, fines and revenue lost when clients leave.
A zero-trust architecture draws on several sources of information when making each access decision:
- Continuous diagnostics and mitigation (CDM) systems, which gather information about an asset’s current security state, update the device’s OS and security software as needed and report that state up the management chain.
- Industry compliance checks, which ensure that traffic and assets behave within industry and organizational compliance rules.
- Threat intelligence feeds, such as blacklists, malware engine definitions and CVE entries.
- Network and system activity logs that can indicate unusual activity.
- Data access policies, which in a zero-trust system are tightly scoped to each individual and asset and dynamically adjusted, to deny a network intruder the lateral movement that perimeter-based designs permit.
- Public key infrastructure (PKI), which issues and validates the certificates an organization assigns to its assets and checks them against the global certificate authority ecosystem.
- Security information and event management (SIEM) systems, which collect security-related data for later analysis and use it to improve the rest of the zero-trust system.
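To make the “per-request access decision” concrete, here is an added example (not code from the article, from NIST or from any product) of a toy policy decision point in Python. It consults the kinds of inputs listed above for every request: a CDM-style device inventory, a threat-intelligence blacklist and a least-privilege data access policy, and it never grants anything on the basis of the source network. All users, devices, addresses and grants are constructed sample data; the `perimeter_decide` function is included only to contrast the old model it replaces.

```python
"""Toy zero-trust policy decision point (PDP).

Added example, not code from the article, from NIST or from any product.
Every user, device, address and policy below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    src_ip: str
    resource: str
    action: str   # e.g. "read" or "write"
    mfa: bool     # was this session authenticated with a second factor?


# Constructed CDM-style device inventory: the last reported posture of each
# managed asset. Devices not listed here are unknown to the enterprise.
DEVICE_STATE = {
    "lap-001": {"managed": True, "patched": True, "edr_running": True},
    "lap-002": {"managed": True, "patched": False, "edr_running": True},
    "byod-77": {"managed": False, "patched": True, "edr_running": False},
}

# Constructed threat-intelligence blacklist (addresses seen as scanners or C2).
BLACKLISTED_IPS = {"203.0.113.9"}

# Constructed data access policy: least-privilege grants per user per resource.
# Deliberately no rule about "internal" source networks: location grants nothing.
ACCESS_POLICY = {
    "payroll-db": {"alice": {"read"}, "bob": {"read", "write"}},
    "hr-share": {"alice": {"read", "write"}},
}


def decide(req, device_state=DEVICE_STATE, blacklist=BLACKLISTED_IPS,
           policy=ACCESS_POLICY):
    """Return (allowed, reason) for one request.

    Every check must pass; nothing is trusted implicitly, and the first
    failing check becomes the reason so it can be logged to a SIEM.
    """
    if req.src_ip in blacklist:
        return False, "source address on threat-intel blacklist"
    if not req.mfa:
        return False, "session lacks MFA"
    posture = device_state.get(req.device_id)
    if posture is None:
        return False, "unknown device (not in CDM inventory)"
    if not (posture["managed"] and posture["patched"] and posture["edr_running"]):
        return False, "device posture non-compliant"
    grants = policy.get(req.resource, {}).get(req.user, set())
    if req.action not in grants:
        return False, f"{req.user} has no '{req.action}' grant on {req.resource}"
    return True, "all checks passed"


def perimeter_decide(req, internal_prefix="10."):
    """The perimeter model this replaces: anything inside the network is trusted.

    Shown only for contrast: an intruder who reaches a 10.x address gets
    everything, which is exactly the lateral movement zero trust removes.
    """
    return req.src_ip.startswith(internal_prefix)


if __name__ == "__main__":
    samples = [
        Request("alice", "lap-001", "10.0.0.5", "payroll-db", "read", True),
        Request("alice", "lap-001", "10.0.0.5", "payroll-db", "write", True),
        Request("bob", "lap-002", "10.0.0.6", "payroll-db", "write", True),
        Request("bob", "lap-001", "203.0.113.9", "payroll-db", "read", True),
        Request("mallory", "lap-999", "10.0.0.7", "hr-share", "read", True),
    ]
    for r in samples:
        print(f"{r.user:8s} {r.src_ip:12s} {r.resource:11s} {r.action:6s} "
              f"perimeter={perimeter_decide(r)!s:5s} zt={decide(r)}")
```

The instructive cases are the last two: `mallory` on an unknown device at an internal 10.x address is waved through by the perimeter check but denied by the zero-trust decision, while `bob`, who holds a legitimate write grant, is refused when his device is unpatched. Each refusal carries a single reason, which is what you would forward to the SIEM to tune posture checks and policies over time.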
In the DRM space, zero trust brings a marked improvement in digital monitoring (governance), a reduction in risk and greater maturity within the compliance framework, and so raises the overall maturity of DRM within an organization. Employing zero-trust methods and security controls is the right approach to risk management, and the best way to protect your organization into the future.