The cybersecurity sector has largely failed to protect the everyday user from the malicious threats that lie in wait while they go about their lives online.
Headlines of million-pound fines for GDPR breaches have faded into the ether and have been replaced by new attacks that now involve the likes of Microsoft and the NHS. The SolarWinds and, more recently, Kaseya attacks have shown reactive cybersecurity, such as multi-factor authentication and detection and response solutions, to be an insecure and ineffective method for tackling malicious attacks.
In the enterprise world, employees have been vilified throughout the pandemic for their lackluster network security and for falling for phishing attacks that open the door for bad actors to gain access and cause havoc. In reality, enterprises have built their IT networks for maximum interoperability, creating a massive attack surface. Attackers move laterally within networks, taking advantage of what’s connected. Further, IT infrastructures were never built for a mass shift to remote working, which presents greater opportunities for attackers.
All this has shown that bad actors will inevitably go undetected when they can take advantage of any trusted process or access to move throughout a network, and therefore reverting to a system that trusts no one is critical.
Encouragement from Across the Pond
Therefore, it is encouraging to see President Biden endorsing zero trust security as an answer to many of the problems that have plagued the technology industry.
For too long, we have believed our own marketing, thinking that building walls would keep bad actors out and that there was no way there could be a breach. Yet, every year there is a new attack, a new set of victims and another round of advice along the lines of “change your password and check your account details,” which is not good enough.
As we move forward, it’s clear that zero trust security architecture is the most effective and practical solution to the current problem. Constant surveillance and checks throughout organizations’ IT infrastructure, along with rigorous hoops to jump through to gain access, will mean that it is difficult to get in and harder to stay undetected.
According to Okta, that’s the view of 75% of businesses worldwide, who have decided to make zero trust an increasing priority. They also found that 90% of businesses worldwide have started work on a zero trust initiative, increasing nearly 50% over last year.
Although cost concerns can catch the eyes of the CFOs, it’s clear that organizations around the world are taking seriously the pressure IT teams are being put under to carry out cybersecurity responsibilities. All but the UK.
Silence from Parliament
It’s typical for the UK to follow the US’s lead when it comes to policy. With Johnson’s eager eye on technology, it is surprising that there seems to be a reluctance to endorse zero trust technology.
The disruption cyber-attacks can cause needs to be taken seriously. For example, the Colonial Pipeline ransomware attack this year and the SolarWinds attack at the end of last year have wreaked havoc on individual companies and disrupted society at large by disabling infrastructure.
The Kaseya attack is yet another example of how vulnerable businesses are. Still, there is similarly no statement from Kaseya to help, aside from “We encourage Kaseya customers to read the company’s incident update page, which recommends that people who have been affected do not click on any links emailed to them by the attackers as they could be malicious.”
Zero trust security assumes the worst and takes ultra-cautious steps in the name of protecting the business. Rather than hoping networks are secure, zero trust assumes they are not until proven otherwise.
Adapting to changing situations is what all governments have done for the past 18 months. But, for now, the UK government sits on its hands and has yet to endorse a technology that benefits its citizens.