Zero-Trust Security Framework: A CIO's View

Forbes Technology Council

ex Chief Digital & Information Officer and Global Head at Wipro HOLMES.

Life changed dramatically for almost everyone last year, and that includes the almost 200,000 employees and external people my team and I support. In the office, our personnel, data and IP were fairly safe from a cybersecurity standpoint, but transitioning a team of this size to remote work threatened to open up a much larger potential attack surface.

With the amount of damage an attack could cause to a company's reputation and bottom line, it makes sense to trust no one — whether you're in the company or outside it. As boundaryless employees multiply the number of entry points, a zero-trust framework is emerging as the best practice in cybersecurity.

The Zero-Trust Model

Although they might not call it a zero-trust framework, many companies have already begun implementing the kind of identity access management that characterizes the zero-trust security model. That means, for example, giving an employee in finance access to the core financial SAP systems but not the CRM. For an employee in sales, it would be the opposite.

The transition to zero-trust security represents a stark contrast from the previous (or, in many cases, existing) cybersecurity landscape. However, other aspects of zero-trust security include steps many of us already take in our personal lives. You probably already have antivirus software on your home computer, and enterprise users take the same step.

Multifactor authentication (MFA), where users receive a text or email with a code to verify identity before accessing an online account, is another component. Almost all logins will allow you to reset your password via email with a "forgot password" button. That means a compromised email address can access loads of accounts. MFA is like putting an extra lock on your door while the threat comes through the window.

Doors and windows are far from the only entrances into your organization's network, and the number and variety of threats are always increasing. According to a study published in September in Security magazine, phishing attacks are on the rise, with 38% of those surveyed reporting that a co-worker had been a victim of such an attack in the previous 12 months.

While a zero-trust security policy will help combat these rising threats, it might sound complicated and time-consuming to implement. A large organization just starting out on the zero-trust journey will be looking at a 12- to 18-month implementation period at breakneck speed.

The good news is that many CIOs have already started the journey without necessarily realizing it. In fact, CIOs agree that zero trust is a direction in which they should be moving. According to the 2020 Zero Trust Progress Report from Cybersecurity Insiders and Pulse Secure, 72% of organizations surveyed intend to implement zero-trust capabilities in 2020. For many of those companies, MFA was a common starting point, according to research conducted for Microsoft in October 2019.

Implementing A Zero-Trust Framework

Ultimately, a zero-trust architecture involves compromises. The CIO has to juggle two priorities that are often at odds: Security posture and user experience. Implementing MFA, for example, adds steps and time to employees' daily tasks. Too many of these fail-safes could easily turn cumbersome. Yet it's possible to achieve zero trust while maintaining employee experience. At my organization, we strive for a three-click maximum while employing zero-trust systems. To achieve this delicate balance, there are a few key steps:

1. Build awareness and buy-in from employees.

New employees should participate in Information Security tests before they ever come on board — and existing employees should be trained, as well. Employees need to be aware of the consequences of a breach, including financial cost and loss of customer trust, so they will put in the work to avoid being compromised. Your own in-house experts can be a valuable source of insights, but third-party solutions might be even more effective in establishing a baseline security knowledge for your entire organization.

2. Update security posture as necessary.

No one likes tying up their devices with a new patch download or vulnerability fix, but these steps are necessary to stay on top of the constantly changing landscape of cyberthreats — especially when employees are using home networks or personal devices to access company platforms and systems. Updates should be routine and automatic, ensuring that an outdated version of software can never serve as an opening for malicious actors.

3. Run drills and prepare for the worst.

Preparing for a cyberattack should imitate any disaster response: Use drills for effective crisis management. These drills ensure leadership knows exactly how to respond before a breach occurs, so they're not left flustered and fumbling when it matters most. Designate a response team, and delegate clear responsibilities, including shutdown and containment mechanisms. Run through simulated situations so the necessary individuals can practice their responses.
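The three access signals the article describes (role-scoped access such as finance reaching SAP but not the CRM, a completed second factor, and up-to-date software on the device) combine naturally into a single deny-by-default decision. The following is an added illustration, not code from the author or the author's organization; the role names, system names and the minimum agent version are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed role-to-system map (finance reaches the core SAP systems but
# not the CRM; sales is the reverse). Unknown roles map to nothing: deny.
ROLE_ALLOWED_SYSTEMS = {
    "finance": {"sap-fi", "sap-co"},
    "sales": {"crm"},
}

# Constructed minimum endpoint-agent version; older builds count as the
# outdated software that must never serve as an opening (step 2 above).
MIN_AGENT_VERSION = (4, 2, 0)

@dataclass
class AccessRequest:
    user: str
    role: str
    system: str
    mfa_verified: bool   # did this session complete a second factor?
    agent_version: str   # as reported by the device agent, e.g. "4.2.1"

def parse_version(text):
    # "4.2.1" -> (4, 2, 1); raises ValueError on anything that is not numeric
    return tuple(int(part) for part in text.split("."))

def decide(req):
    """Return (allowed, reason). Every signal must pass; any gap denies."""
    if req.system not in ROLE_ALLOWED_SYSTEMS.get(req.role, set()):
        return False, f"role {req.role!r} is not entitled to {req.system!r}"
    if not req.mfa_verified:
        return False, "second factor not completed for this session"
    try:
        version = parse_version(req.agent_version)
    except ValueError:
        # A device that cannot report a sane version is treated as untrusted.
        return False, f"unparseable agent version {req.agent_version!r}"
    if version < MIN_AGENT_VERSION:
        return False, f"device agent {req.agent_version} is below the minimum"
    return True, "role, MFA and device posture checks all passed"

if __name__ == "__main__":
    # Constructed requests covering one allow and each of the deny paths.
    for r in (AccessRequest("alice", "finance", "sap-fi", True, "4.3.0"),
              AccessRequest("alice", "finance", "crm", True, "4.3.0"),
              AccessRequest("bob", "sales", "crm", False, "4.3.0"),
              AccessRequest("bob", "sales", "crm", True, "3.9.7")):
        ok, why = decide(r)
        print(f"{r.user} -> {r.system}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The reason string is what a practitioner would log for each denial, so that MFA gaps and outdated devices show up as separate, countable signals rather than one undifferentiated "access denied".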

Zero-trust security is built on practices that have become standard over the last few years. Whether CIOs and other organizational leaders call it by that name or not, they're likely on a trajectory toward a zero-trust architecture that improves their cyber defenses and shields them from the growing number and variety of cyberthreats. In a landscape with increasing entry points and threats, zero-trust frameworks can help companies continue running smoothly.
