Why You Need A Zero Trust Approach To Cybersecurity

As firms shift to work from home, work from anywhere or hybrid models, cybersecurity gets complicated. Forget the old ‘castle and moat’ approach.

The pandemic forced millions of workers to leave their offices and work remotely, creating new cybersecurity challenges for companies globally. Cybercriminals took notice, causing companies to experience record-setting losses brought about by data breaches. IBM estimates that in 2021 a data breach incident cost enterprises $4.24 million on average.

Even though the workforce is returning to offices in varying capacities, research on the topic indicates that managers are planning for a hybrid work future. According to Gartner, 82% of business leaders plan to let employees continue to work from home (WFH) in at least some capacity, while 47% plan to allow employees to do so permanently. 

Some companies—Spotify being a notable example—have turned to the work from anywhere (WFA) model to give their employees the option of working from an office or home, and even from a geographic location of their own choice. 

Cybersecurity-wise, this means that an increasing number of workers will access their online work environment through vulnerable networks, and additional security measures have to be put in place to mitigate the connected risks. 

The risks of a hybrid work environment

The switch to remote work left managers dealing with several cybersecurity threats stemming from unsecured home devices and networks, as well as unprotected internet traffic. When most employees work from a single location, there is only a need to protect the main network—which is less demanding than protecting as many endpoints as there are employees.

More employees working from anywhere means more devices connecting remotely, i.e., outside of the secured corporate network. As a result, businesses’ control over data is slipping rapidly. It is critical to understand what remote workers are doing with that data and rework the “new normal” to make it more effective and secure.

The security and privacy safeguards that are normally available in a controlled corporate setting with defined physical barriers are routinely lost in WFH environments. And the risks associated with WFH are amplified when the move is made to WFA. This is because WFA includes not only the home base but also frequent work on the road at customer locations, airports, coffee shops and just about anywhere with wired or wireless connections. Using unencrypted public Wi-Fi can lead to information being intercepted and malware being distributed; there is an array of ways in which hackers exploit unsecured public networks. Businesses have to adapt their cybersecurity strategies accordingly.

Adapting cybersecurity protocols

The consequences of poor cybersecurity hygiene while working remotely can include anything from compromised sensitive data to unauthorized access to the organization’s infrastructure. Secure communications while working remotely can be ensured by the combination of technical solutions and controls with proper employee operations security (OPSEC).

When it comes to securing your teleworkers, the first item on the agenda is developing a corporate policy. This policy should outline what’s acceptable in a remote working environment, how data is handled, what levels of authorization are available, etc. Risk-based decisions can also be made depending on the types of devices employees use for teleworking (for example, company-issued devices, personal laptops or smartphones). Devices that haven’t been issued specifically by the company should be subject to more stringent controls.

Since every remote employee is a potential threat to the integrity of a given company’s data, businesses are shifting their cybersecurity strategies away from the Castle-and-Moat approach. Previously, companies assumed that a robust, perimeter-oriented defense was enough. Now, network security solutions based on the Zero Trust principle are replacing traditional, static defense strategies.

In the Zero Trust framework, the network is protected by granting users and devices access to only those parts of the network that are essential to their task. In such a system, every user is authenticated before being allowed to access the needed data through an encrypted tunnel. Because of this, even if a device gets compromised, it can’t cause network-wide damage.
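The access decision described above, together with the stricter handling of non-company devices mentioned earlier, can be sketched as a deny-by-default check. This is an added example, not code from the article; the role names, resource names and the MFA and sensitive-resource rules for personal devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: the resources each role needs for its task.
GRANTS = {
    "finance-analyst": {"ledger-db", "expense-app"},
    "support-agent": {"ticketing", "expense-app"},
}
# Assumption: resources that personal (non-company) devices may never reach.
SENSITIVE = {"ledger-db"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool  # identity verified for this session
    mfa: bool            # second factor presented
    device: str          # "company" or "personal"
    resource: str


def decide(req: Request) -> tuple[bool, str]:
    """Deny by default: every check must pass before access is granted."""
    if not req.authenticated:
        return False, "unauthenticated"
    if req.resource not in GRANTS.get(req.role, set()):
        return False, "resource not needed for role"
    if req.device not in ("company", "personal"):
        return False, "unknown device type"
    if req.device == "personal":
        # Stricter controls for devices the company did not issue.
        if not req.mfa:
            return False, "personal device requires MFA"
        if req.resource in SENSITIVE:
            return False, "sensitive resource blocked on personal device"
    return True, "allowed"


# Constructed sample requests, including a session on a compromised device.
SAMPLES = [
    Request("ana", "finance-analyst", True, True, "company", "ledger-db"),
    Request("ana", "finance-analyst", True, True, "personal", "ledger-db"),
    Request("raj", "support-agent", True, False, "personal", "ticketing"),
    Request("raj", "support-agent", True, True, "company", "ledger-db"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.device, r.resource, decide(r))
```

The last sample shows the containment property: a fully authenticated support-agent session, even if taken over, is refused the ledger because that resource is outside the role's grants.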

Organizations that have a Zero Trust-based system in place enhance their cybersecurity in three key areas—secure access, secure browsing and increased cybersecurity training opportunities.

A comprehensive security framework of this kind allows remote employees to safely connect to the company network without putting the whole network at risk. Web browsing becomes considerably safer, allowing cybersecurity personnel to ensure employee browsing habits are not potentially harmful to the company. Finally, due to the automated nature of Zero Trust-based systems, managers gain more time to educate their personnel on best cybersecurity practices. That kind of communication is critical—because defrauding humans is one of the chief enablers of successful cyberattacks.
