Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
This October it is time again for the European Cyber Security Month (ECSM), an initiative managed by the European Union. During the campaign, which lasts the whole month, the EU aims to raise public awareness of the importance of cyber security. Other organizations, companies and associations are also called upon to promote cyber security with their own events throughout October. The first ECSM took place in 2011; since then much has happened in the field of cyber security, for better or for worse. Taking stock after eight years, it is a close call whether the bad guys or the good guys are winning. For years, attacks and defensive measures have balanced each other out, and the verdict seems to depend on which research you read. VdS Schadenverhütung GmbH sees more reason to celebrate. The organization runs a free Quick Check survey in which IT security managers assess their cyber security measures by answering 39 questions. In the last 12 months, 1,700 companies have taken part; since the Quick Check was launched, 5,000 companies have responded.
If the overall result for 2018/2019 is to be believed, there is a clearly positive trend compared to the previous year. The maturity level in the Technology category improved by 7% to 64%, and the Organization category climbed 8% to 64% compared to the previous year. However, self-assessments should always be treated with caution. Managers are often not fully aware of their actual cyber security status and may give a green light to areas where yellow or even red would be more appropriate. The 64% maturity level in the Organization category, which includes employee information, access management and policies, sounds too good to be true. There is no strong demand for awareness campaigns, and the vast majority of companies do not run them; the same applies to reasonable security guidelines that are actually applied, maintained and monitored, particularly among the medium-sized businesses that VdS is primarily concerned with. Otherwise it is hard to explain why only half of all IT experts can say with relative certainty that ex-colleagues no longer have access rights, a finding that paints a far less rosy picture than the VdS research. This disturbing fact comes from an Ivanti survey, which also revealed that the biggest challenge for IT professionals in onboarding and offboarding employees is that the process is not clearly defined (24 percent), closely followed by a lack of automation (23 percent). Even more alarming: half of all respondents said they knew someone who still had access to the applications and data of a former employer.
The VdS survey also shows deficits in the general willingness and understanding of the participants in some areas. For example, the Management category, which covers the companies' activities related to IT outsourcing and cloud computing, is far behind. More than 60% of companies have still not defined security requirements for these topics. And well over half of them have neither guidelines for dealing with a security incident nor a disaster recovery plan for critical systems. Both measures are absolutely essential and cost little or no money. Why it still seems so difficult to do this homework and take the first step before the second is inexplicable. After all, Gartner analysts estimate that by 2020 around 95% of all security breaches in the cloud will be caused by user errors in operation and configuration.
But there is still hope: companies can easily protect their digital assets and avoid their worst-case scenarios by following these best-practice rules:
1. Perform regular updates
2. Protect network connections through VPNs, proxies and firewalls
3. Encrypt data, both on servers and on end devices
4. Use passphrases instead of passwords, and enable two-factor authentication
5. Implement need-to-know and least privilege concepts
6. Sensitize employees with meaningful awareness campaigns
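As an added illustration of rule 5 and of the offboarding finding above (example code written for this article, not from VdS or Ivanti): a reconciliation of the identity system's account export against the HR roster, which flags accounts whose owner has left or is unknown to HR and entitlements that the owner's role does not justify. The roster, account list and role model are constructed sample data, and the HR roster is assumed to be the source of truth for who should still have access.

```python
# Offboarding and least-privilege reconciliation on constructed sample data;
# the HR roster is assumed to be the source of truth for who should have access.
from datetime import date, timedelta
# Constructed HR roster: employee id -> (role, termination date or None)
ROSTER = {
    "E100": ("developer", None),
    "E101": ("finance", date(2019, 9, 13)),    # left last month
    "E102": ("developer", date(2019, 10, 10)),  # leaving, still inside grace period
}
# Constructed account export: who owns each account and what it can reach
ACCOUNTS = [
    {"user": "alice", "owner": "E100", "entitlements": {"git", "ci"}},
    {"user": "bob", "owner": "E101", "entitlements": {"erp", "vpn"}},
    {"user": "carol", "owner": "E102", "entitlements": {"git", "ci", "erp"}},
    {"user": "svc-backup", "owner": "E999", "entitlements": {"backup"}},  # no HR owner
]
# Constructed need-to-know model: entitlements each role actually requires
ROLE_ENTITLEMENTS = {"developer": {"git", "ci"}, "finance": {"erp", "vpn"}}

def stale_accounts(accounts, roster, today, grace_days=0):
    """Users whose owner left more than grace_days ago or is unknown to HR."""
    stale = []
    for acct in accounts:
        owner = roster.get(acct["owner"])
        if owner is None:                      # orphaned: nobody is accountable
            stale.append(acct["user"])
            continue
        left_on = owner[1]
        if left_on is not None and left_on + timedelta(days=grace_days) < today:
            stale.append(acct["user"])
    return stale

def excess_entitlements(accounts, roster, role_entitlements):
    """Map user -> entitlements that the owner's role does not justify."""
    excess = {}
    for acct in accounts:
        owner = roster.get(acct["owner"])
        if owner is None:
            continue                           # already reported by stale_accounts
        extra = acct["entitlements"] - role_entitlements.get(owner[0], set())
        if extra:
            excess[acct["user"]] = extra
    return excess
def audit(today=date(2019, 10, 15), grace_days=7):
    """Run both checks against the constructed data (today is a fixed sample date)."""
    return {"revoke": stale_accounts(ACCOUNTS, ROSTER, today, grace_days),
            "review": excess_entitlements(ACCOUNTS, ROSTER, ROLE_ENTITLEMENTS)}
if __name__ == "__main__":
    print(audit())
```

The "revoke" list feeds the offboarding step that the surveyed companies lack automation for, while "review" is the list to take to the line manager for a need-to-know decision.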
By implementing these simple measures before the next ECSM in 2020, companies can tip the balance and make sure that future studies finally come out clearly in favor of the defenders.