Change your company IT culture to Zero Trust to prevent cyber attacks, suggests Andy Heather, VP at the authentication and Privileged Access Management product company Centrify.
In an increasingly uncertain and dangerous world, the cyber threat facing organisations has never been more prominent. Government departments, businesses and even charities have been targeted by a frighteningly efficient and ruthless wave of cyber attacks. Scarcely a week goes by without an incident of data loss or a major new security leak, as hackers exploit vulnerabilities and complacency amongst companies of all shapes and sizes.
One would assume that the prevalence of such incidents would mean that CEOs have done their homework to fully understand the threats they face. Alas, all too often the opposite is true, with research showing that the majority of company leaders assume malware and more traditional hacking methods are the prime source of a security breach. Technical experts know that cyber-attackers no longer “hack” in – they log in using weak, stolen or default credentials.
Companies are already counting the costs of such complacency. According to the 2019 Cyber Security Breaches Survey, so far this year, the mean cost of a cyber attack on a UK business is £4,180 – a significant increase on the £3,160 average in 2018 and £2,450 in 2017. This is in spite of new figures which have shown that three-quarters of businesses cite cyber security as a high priority for their organisation’s senior management. This can mean one of two things: either many businesses are neglecting to implement the cyber security measures they so clearly need, or they are implementing measures that their business simply doesn’t require. Often it is the latter, simply because business managers fail to correctly diagnose the security issue or breach before going on to implement a costly and ineffective solution.
Admittedly, a lack of awareness around the true nature of these threats can be blamed on the media. We have seen many sensationalised stories of ‘malware’ or ‘phishing’ attacks and hacks from external forces on huge organisations, misleading many business owners into believing that all cyber attacks are carried out by elite groups of professional ‘hackers’.
In truth, one of the biggest threats facing a business’s security actually starts from within the organisation; often even from its very own employees. This is exemplified by our own research which proves there has been a recent increase in the abuse of credentials such as passwords, PINs and log-ins. Our polling, released in a report titled ‘Privileged access management in the modern threatscape’, covered 1,000 IT decision makers – 500 from the UK and 500 from the US. Our study specifically found that 74pc of data breaches involved privileged credentials for accessing critical infrastructure and data. All too often in this kind of breach, attackers use weak user credentials of employees to enter the network without suspicion.
In truth, regardless of the number of workplace cybersecurity training sessions, some employees will always continue to neglect the absolute basic security measures. Unfortunately, humans are fallible, and many will continue to use weak, default, or easily compromised passwords, for example. Therefore, we must assume that hackers have already gained access to an organisation’s internal IT system, be it via a compromised password or by using a stolen device.
Critical to tackling this threat is to limit the movements of someone with malicious intent once they have gained access to a system. This means ensuring all organisations adopt a Zero Trust mandate, whereby any request for access is treated with suspicion until the requestor can pass certain tests to prove they are who they actually claim to be. In a nutshell, this approach limits the movement of all employees in a company’s IT network, ultimately verifying all users trying to gain access to servers, databases, cloud workloads and other critical infrastructure, and stopping attackers in their tracks.
One of the main ways of doing this is through a Zero Trust approach to Privileged Access Management (PAM), or Zero Trust Privilege. This approach verifies who is requesting access, the context of the request, and the risk of the access environment before granting access. Only then will the requestor be given least privilege access – just enough privilege for just enough time to do what they need to do on any given resource, and nothing else.
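The decision flow described above, sketched as an added example that is not taken from the article or from any Centrify product: a request is denied unless who, context and risk all pass, and a successful request yields a grant for one action on one resource with a capped lifetime. The field names, the risk threshold of 50 and the one-hour cap are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy values for this example; the article gives no numbers.
RISK_THRESHOLD = 50                 # deny when the 0-100 risk score is above this
MAX_GRANT = timedelta(hours=1)      # longest time any grant may live

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool                # who: identity proven with a second factor
    employed: bool                  # who: account belongs to a current employee
    managed_device: bool            # context: request comes from a known device
    ticket: Optional[str]           # context: approved ticket justifying the access
    risk_score: int                 # risk of the access environment
    resource: str
    action: str
    minutes: int                    # how long the requester says access is needed

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    expires: datetime

def decide(req: Request, now: datetime) -> Tuple[Optional[Grant], str]:
    """Deny by default; grant only after who, context and risk all pass."""
    if not (req.mfa_passed and req.employed):
        return None, "identity not verified"
    if not (req.managed_device and req.ticket):
        return None, "context not acceptable"
    if req.risk_score > RISK_THRESHOLD:
        return None, "risk too high"
    lifetime = min(timedelta(minutes=req.minutes), MAX_GRANT)
    return Grant(req.user, req.resource, req.action, now + lifetime), "ok"

def allowed(grant: Optional[Grant], user: str, resource: str, action: str, now: datetime) -> bool:
    """A grant covers one user, one resource and one action, until it expires."""
    return (grant is not None and now < grant.expires
            and (grant.user, grant.resource, grant.action) == (user, resource, action))

if __name__ == "__main__":
    now = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample
    req = Request("alice", True, True, True, "CHG-1", 20, "db01", "restart", 240)
    grant, reason = decide(req, now)
    print(reason, grant.expires)                             # four hours asked, one hour given
    print(allowed(grant, "alice", "db02", "restart", now))   # different resource
```

A correct password alone never reaches the grant step here: with `mfa_passed` false the request stops at the first check, which is the case of stolen or weak credentials the article is concerned with.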
Sophisticated Zero Trust cybersecurity software can even monitor employee activity, which means a data breach can be traced back to its very roots. This option not only allows every possible breach to be quickly diagnosed, but also sparks enough paranoia amongst internal employees to ensure that everyone is carrying out the correct security procedures at work.
Today, it is not just infrastructures and databases that must be protected, but also cloud-based environments, big data projects and DevOps. With multiple methods and points of entry, taking a Zero Trust approach to implementing Privileged Access Management is more vital than ever. But still, internal security measures remain a major weakness for many businesses.
In fact, our recent polling data found that 70pc of companies take more than one day to shut off privileged access for employees who leave the company. This is more than enough time for a malicious individual to leak data, compromise passwords and even sell sensitive information.
We also found that 27pc of UK businesses do not use multi-factor authentication, 60pc do not have a password vault and 44pc of IT decision makers were not positive about what Privileged Access Management even is.
These are troubling statistics in an age where company information is becoming more sensitive than ever and cyber attacks are increasingly sophisticated and damaging. Moving forward, it is essential that IT and business decision makers for all organisations implement a Zero Trust mandate as soon as they possibly can. It is no secret that any and every organisation is prone to a cyber attack, which makes it even more vital that every business has the cybersecurity measures in place to prevent an attack from any possible angle, even when it comes from within.