Zero Trust: a priority from the boardroom down

There are many indications that 2021 was another challenging year for cybersecurity. Cyberattacks and data breaches are all on the up and it seems that cyber criminals are getting bolder with every breach. The continuing fallout from COVID-19 leaves many organizations struggling to keep their defenses up in the face of a remote, disparate workforce. Dynamic data centers, distributed workloads, vulnerable endpoints and a complex application landscape make up massively interconnected attack surfaces that are increasingly vulnerable.

About the author

Vats Srivatsan, President and Chief Operating Officer, ColorTokens.

With the beginning of a new year comes a new focus. Having worked in the industry for many years, my firm belief is that cybersecurity should no longer be isolated to tech or IT teams. It needs to be a priority from the boardroom level down.

Cybersecurity – a CEO issue

To date, CIOs and CISOs have been tasked with cybersecurity. However, given the impact any cybersecurity breach can have on a company's customers, brand, employees and ecosystem, CEOs will need to get educated fast on the cybersecurity measures at their companies.

Cybersecurity needs to be a topic on the agenda of any CEO/board conversation. It is no longer a question of if a company will be exposed to a breach - it’s a matter of when and where, and how you are geared up to respond.

Cyber threats loom across multiple sectors

Almost a third of all reported data breach victims belong to organizations that operate in the manufacturing or healthcare sectors. If you are responsible for the cybersecurity of a company in these sectors, you need to act now before an attacker turns their attention to your organization.

These two industries remain particularly attractive targets due to the prevalence of valuable personal information on the one hand, and a significant footprint of legacy systems on the other. Other industries are not immune, since attackers do not limit themselves to sector boundaries. No industry has been immune or will be immune from attacks.

The key parts of your IT that need protecting

The messaging and education on endpoint security and phishing attacks has been largely taken up by businesses as a whole. To a smaller extent, identity management and authentication methods like two-factor authentication are seeing broader adoption. However, this does not mean organizations are more secure. 

As endpoints get protected, attack modes will shift towards other areas such as misconfigurations and unpatched vulnerabilities in common systems, or even in rarely used systems that connect to your crown jewels through lateral movement.

Security focus

Where should you focus your security spend? What needs fixing or attention first? Sadly, without applying some form of 80/20 rule on what to fix, companies can never win this asymmetric cyber-war. After all, an attacker needs only one win while the defender needs to win all the time. In this context, protecting your business across any manner of scenarios and against all combinations of possible attacks is impossible given how thinly-stretched your security resources already are.

Prioritization therefore is imperative for good execution. For this to work, first identify your organization's ‘crown jewels’, your most valuable digital assets (and any associated systems that can access your crown jewels in one or more hops). This is where you prioritize your security investment. The connected nodes that currently surround your crown jewels will undoubtedly need a higher level of security than you currently have.
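One way to turn "one or more hops" into a ranked list, as an added example that is not part of the original article: it walks a map of allowed network flows backwards from the crown jewels and groups systems by hop distance. The hostnames, flows and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample: allowed network flows as (source, destination) pairs.
# Hostnames are illustrative, not taken from the article.
FLOWS = [
    ("app-server", "customer-db"),
    ("backup-agent", "customer-db"),
    ("web-frontend", "app-server"),
    ("jump-host", "app-server"),
    ("legacy-hmi", "backup-agent"),
    ("hr-laptop", "jump-host"),
    ("print-server", "hr-laptop"),
    ("kiosk", "guest-wifi-portal"),  # no path to the crown jewel
]
CROWN_JEWELS = {"customer-db"}

def hops_to_crown_jewels(flows, crown_jewels):
    """Return {system: minimum hops needed to reach any crown jewel}.
    Breadth-first walk backwards from the crown jewels; systems with
    no path to a crown jewel are absent from the result."""
    inbound = {}
    for src, dst in flows:
        inbound.setdefault(dst, set()).add(src)
    dist = {cj: 0 for cj in crown_jewels}
    queue = deque(crown_jewels)
    while queue:
        node = queue.popleft()
        for src in inbound.get(node, ()):
            if src not in dist:  # first visit is the shortest path
                dist[src] = dist[node] + 1
                queue.append(src)
    return dist

def priority_tiers(flows, crown_jewels, max_hops=2):
    """Group systems into tiers by hop distance, nearest first."""
    dist = hops_to_crown_jewels(flows, crown_jewels)
    tiers = {}
    for system, hops in dist.items():
        if hops <= max_hops:
            tiers.setdefault(hops, []).append(system)
    return {h: sorted(s) for h, s in sorted(tiers.items())}

if __name__ == "__main__":
    for hops, systems in priority_tiers(FLOWS, CROWN_JEWELS).items():
        print(f"tier {hops}: {', '.join(systems)}")
```

Tier 0 is the crown jewel itself, tier 1 the systems with direct access, and tier 2 the systems one step further out; raising `max_hops` widens the perimeter that gets priority.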

Zero Trust investment

Perhaps you’ve already looked into the concept of Zero Trust. Remember, this isn’t one singular product or solution that can be bought off the shelf. Rather, Zero Trust is an overall approach whereby organizations seek to paralyze any threat attempting to gain access to their system. 

In a Zero Trust environment, you trust nobody. Traditional security approaches protect one weak area at a time. However, as soon as one area is protected, another pops up as a pressure point. This game of “whack a mole” will ensure any attacker is always one step ahead. Stop being reactive, be proactive and start adopting Zero Trust now, at least for your most valuable assets and data.

Coping with new attack vectors

Keep an open mind when it comes to cybersecurity protection – prepare for non-traditional attacks, not just known ones. Attackers are always changing their game, creating new headaches for your IT security team. As an example, supply chain attacks have been rising and tend to spread damage across the entire ecosystem. They can come from a compromised supply chain partner who has access to your systems or is the weakest link in your supply chain. 

The notorious SolarWinds attack was an example of a software supply chain attack and arguably provided the impetus for cybercriminals to pivot to a similar approach for other supply chains. The recently published Java Log4j attack exploits a common Java logging system design vulnerability to attack servers. Applying patches after the fact protects you against this particular attack mode, but protecting critical servers from executing “unwarranted processes” protects you from similar attacks in the future.

Should I only protect my cloud?

Most organizations will be heavily invested in the cloud with a whole new infrastructure built there using a public, private, or hybrid model of cloud storage and computing. And there will be a commensurate investment in cloud security. However, organizations must also provide protection across their brownfield environments, not just their cloud. 

Most businesses will have hybrid environments with some workloads within the cloud and others in their own data centers. From a security standpoint, you need to protect both at the same time, so invest in a cloud security approach that provides end-to-end Zero Trust, built to control and secure all traffic, communications and processes across a hybrid infrastructure. 

What we can expect for the year ahead is more headlines for breaches and attacks. And just like death and taxes, you can count on some kind of security issue coming your way sooner or later. It’s up to security professionals to adopt the mindset of the cybercriminal - constantly evolving and updating.
