Why trusting no one is the only way to combat cybercriminals

The practice of “never trust/always verify” aims to wrap security around users, devices and connections for every single transaction.

A cyberattack is a defining moment in any organisation’s life. It could be an attack affecting millions of customers, such as the Colonial Pipeline incident, or your local supermarket chain having to pay a ransom to unfreeze its IT system. Whatever the circumstances, an attack leaves an organisation rattled, not to mention a trail of suspicious customers, unimpressed investors and a weakened balance sheet.

The outlook for cybercrime is bleak but unsurprising: criminals have always existed and always will. As it becomes more lucrative, the technologies and methods malicious actors use will become more intelligent and duplicitous.

Opportunities for attacks are multiplying as organisations become digitised, a shift that accelerated during the global lockdown. A recent report from ENISA, the European Union Agency for Cybersecurity, confirms the growth of the cybersecurity threat landscape in terms of the sophistication of attacks, complexity and impact.

This reaffirms that organisations should be vigilant about looming cyber threats – and the fallout that follows. A 2021 report of 537 breaches across 17 countries by the Ponemon Institute showed that from 2020 to 2021, the average total cost of a data breach increased by nearly 10 per cent, the largest single-year cost increase in seven years. Lost business represented the largest share of total breach costs. Significant money and time also need to be spent on activities such as detecting the breach, notifying those affected as well as regulators, and potentially compensating customers and paying fines.

Safeguarding data

Given this environment, security risks need to be properly assessed and addressed by organisations. Almost all are investing in their digital transformation – with many opting to “spread” their data across multiple environments.

But for businesses to build customer trust, they must ensure that the data they hold is safeguarded. Any good business has a strategy to identify and handle competitive threats but not all have a similar strategy when it comes to security threats – which can be equally crippling.

Traditional, yet outdated, cybersecurity strategies centre on building a perimeter fence around an organisation’s network. Firewalls and other tools inspect and validate users moving in and out of the network. However, as applications, users and devices become more disparate, that perimeter has virtually crumbled at the feet of the digital revolution, multiplying the risk of bad actors getting into the network.

There’s an old adage that still holds true: hackers don’t break in, they log in. The Ponemon Institute report showed that compromised credentials were the most common way cybercriminals gain a foothold in a victim environment and that malicious email attacks led to the highest cost.

As both of these “pathways” can allow a cybercriminal to remain in stealth on a victim’s network for longer, avoiding suspicion, we must rethink cybersecurity strategies to be a step ahead of attackers. Zero Trust is essential to achieving this.

Never trust, always verify

Zero Trust is a framework that assumes an organisation is already compromised, “forcing” it to scrutinise trusted relationships and to ask who and what has access to its data, and why. It comes down to this: never trust who’s in your network – always verify. The numbers show that using Zero Trust pays off: the cost of a breach for organisations not using Zero Trust was an average 42.3 per cent higher than for those with a mature Zero Trust strategy. I’m not referring to a boxed solution but a necessary security culture shift whereby anything and anyone is suspicious.

Think of it this way. Suppose a company contractor with restricted access to its collaboration tool, who typically uses the tool during regular business hours, suddenly logs in at irregular hours, from an entirely different region, and downloads massive volumes of files that are irrelevant to their purposes. The security system will detect anomalous network activity.

In a zero-trust environment, not only would security controls be in place to flag and block the activity immediately, but they would also have forced repeated re-verification of the user’s identity – ultimately determining that the contractor was in fact a cybercriminal in disguise, likely using compromised credentials to access the corporate network.
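The contractor scenario above expressed as a per-request policy check, as an added example that is not part of the original article. The baseline fields, the thresholds and the decision names are assumptions chosen for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:                 # learned profile for one account (constructed values)
    work_hours: range           # usual login hours, local time
    regions: frozenset          # regions this account has logged in from
    daily_download_mb: float    # typical daily download volume
    projects: frozenset         # data the contractor is assigned to

@dataclass(frozen=True)
class Request:
    hour: int
    region: str
    download_mb: float
    project: str
    mfa_passed: bool = False    # outcome of a fresh step-up challenge, if any

def signals(b: Baseline, r: Request) -> list:
    """Return the anomaly signals from the scenario that this request trips."""
    found = []
    if r.hour not in b.work_hours:
        found.append("irregular_hours")
    if r.region not in b.regions:
        found.append("new_region")
    if r.download_mb > 10 * b.daily_download_mb:   # assumed threshold
        found.append("bulk_download")
    if r.project not in b.projects:
        found.append("out_of_scope_data")
    return found

def decide(b: Baseline, r: Request):
    """Evaluate every request on its own; an earlier login grants nothing."""
    s = signals(b, r)
    if "out_of_scope_data" in s or len(s) >= 3:
        return "block", s       # valid credentials do not widen access
    if s and not r.mfa_passed:
        return "step_up", s     # re-verify identity before continuing
    return "allow", s

BASE = Baseline(range(8, 19), frozenset({"eu-west"}), 50.0,
                frozenset({"portal-redesign"}))
NORMAL = Request(10, "eu-west", 30.0, "portal-redesign")
LATE = Request(22, "eu-west", 20.0, "portal-redesign")
LATE_VERIFIED = Request(22, "eu-west", 20.0, "portal-redesign", mfa_passed=True)
# The article's case: odd hour, new region, huge download, unrelated files.
HIJACKED = Request(3, "ap-south", 4000.0, "finance-archive", mfa_passed=True)

if __name__ == "__main__":
    for req in (NORMAL, LATE, LATE_VERIFIED, HIJACKED):
        print(decide(BASE, req))
```
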

The practice of “never trust/always verify” aims to wrap security around users, devices and connections for every single transaction. This includes supply chains, which in today’s interconnected world have morphed into an extension of organisations. In fact, ENISA, for the first time, produced a threat landscape report specifically for the supply chain, estimating a fourfold increase in attacks in 2021.

Governments are also increasingly focusing on supply chain security – in addition to updating its flagship security rules, the NIS directive, the EU is working on a legislative proposal called DORA (Digital Operational Resilience for The Financial Sector) which has a particular focus on security in financial institutions’ supply chains.

The saying goes “you’re only as strong as your weakest link” and in today’s interconnected world, every organisation has many links to manage – whether it be employees, devices, applications or third parties. Zero Trust teaches us that instead of trying to find which link is weak, assume they all are, and instead focus on the data.

Businesses must critically assess which data should reside on premises or in clouds, shifting towards a hybrid cloud approach that can allow them to better manage it, putting in place the proper security controls. Maintaining confidence requires an innovative security approach that leaves little to chance – the faster organisations recognise that, the faster they will be prepared to face the constantly evolving digital threats of our times.
