Can You Trust Zero Trust Networks in the Remote Workplace?
In an ideal world, all employees — including members of management — know what and what not to do when it comes to safeguarding a company's information and IT infrastructure.
Unfortunately, we do not live in a perfect world. Mistakes happen in spite of the best intentions. Plenty of malicious people are more than willing to steal and use corporate data for financial gain. And in our interconnected (and heavily connected) world, zero trust networks have become central to curbing that risk.
The Need for Zero Trust Networks in Remote Workplaces
Most remote and hybrid companies recognize that zero trust networks have become a necessity. The new work model not only increases the risk of malicious threats but has also given attackers new ways to gain access to information.
"The move to distributed work has increased cybersecurity risks," said Amit Saha, CEO of Orange County, Calif.-based Saviynt. The proliferation of apps and tools (i.e., entryways into the corporate network) and the move to cloud-based operations are two of the contributing factors.
An estimated 300 billion passwords are used today, and about 20% of organizations have reported a digital security breach caused by a remote worker. Unsecured devices can compromise entire networks and cause crippling harm to organizations.
Cybercrime is expected to cost the global economy $10.5 trillion by 2025 — up from $3 trillion in 2015. And the brunt of that cost appears to fall on those organizations that fail to protect their operations.
A study by IBM found nearly 80% of critical infrastructure organizations the company surveyed had failed to adopt a zero trust strategy for their operations. And the breaches that resulted from that lack of protection cost them, on average, $5.4 million — 28% higher than those organizations that had zero trust policies in place.
The Zero Trust Challenge
All this, however, is easier said than done. Zero trust is not one piece of software, one installation or a simple policy organizations can put in place. There are many aspects and steps to creating a business with a zero trust structure.
A company can invest in a new IT infrastructure or security suite in an attempt to gain maximum protection, and yet remain open to the most basic forms of cyber attack.
Earlier this year, cybersecurity advisory firm CBI released a research report in partnership with the Ponemon Institute and Check Point that found that 80% of companies have experienced a ransomware attack despite spending an average of $6 million annually on ransomware mitigation resources.
One common thread to these attacks is human error or negligence. This does not mean employees are leaving data accessible for anyone to see — though a 2020 report found more than 100 UK government laptops were lost on trains, taxis and other public transport by government officials leaving them behind. These losses are embarrassing, but they're not the main threat.
The bigger problem, rather, is hackers gaining access to a network through a single user account thanks to the interconnectivity of IT software today. These seemingly innocent integrations, when implemented poorly, can enable bad actors to move around a company's IT infrastructure, take over parts of the network and ultimately gain full privileges within the system.
Is EX to Blame?
Part of the problem is that when IT teams are securing infrastructure with remote workers, they often enable privileges that allow the remote employee to change location, device and even behaviors without requiring a new verification of identity.
While this makes for a smoother employee experience, the whole point of zero trust is assessing the user's behaviors to determine whether they are legitimate at each touchpoint. If a user enters the network from different IP addresses, it is difficult for the system to know whether or not the person is a legitimate actor. A zero trust system should flag this event as suspect and track the information being accessed.
That's a critical component of zero trust in an EX-focused workplace. If the system allows users to log in from different IP addresses without requiring a security check, it needs to assess behavior. For instance, is the person accessing financial information or customer data they otherwise wouldn't need to access in their duties? Such behavior could be a significant red flag.
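The check described above, sketched as an added example (not code from the article or any product it mentions): access from an IP address where identity has not been re-verified is marked suspect and the data touched is tracked, and access outside the role's normal duties from such an address is raised as a red flag. The role baselines, event fields and decision names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role baselines: the data categories each role needs for its duties.
ROLE_BASELINE = {
    "support": {"tickets", "customer_data"},
    "engineer": {"source_code", "tickets"},
}

@dataclass
class Event:
    user: str
    role: str
    ip: str
    resource: str              # data category being accessed
    reverified: bool = False   # identity re-checked on this request (e.g. MFA)

def assess(events):
    """Return (decisions, tracked) for an ordered stream of access events."""
    verified_ip = {}   # user -> IP at which identity was last verified
    tracked = {}       # user -> resources touched from an unverified IP (audit trail)
    decisions = []
    for ev in events:
        if ev.reverified:
            verified_ip[ev.user] = ev.ip
        unverified = verified_ip.get(ev.user) != ev.ip
        out_of_role = ev.resource not in ROLE_BASELINE.get(ev.role, set())
        if unverified:
            tracked.setdefault(ev.user, []).append(ev.resource)
        if unverified and out_of_role:
            decisions.append("red_flag")   # new IP plus data outside normal duties
        elif unverified:
            decisions.append("suspect")    # new IP, no fresh identity check
        elif out_of_role:
            decisions.append("review")     # verified, but unusual for the role
        else:
            decisions.append("allow")
    return decisions, tracked

# Constructed sample events using documentation-range IPs; not real log data.
SAMPLE = [
    Event("alice", "support", "192.0.2.10", "tickets", reverified=True),
    Event("alice", "support", "192.0.2.10", "customer_data"),
    Event("alice", "support", "198.51.100.7", "tickets"),
    Event("alice", "support", "198.51.100.7", "financials"),
    Event("alice", "support", "198.51.100.7", "tickets", reverified=True),
    Event("alice", "support", "198.51.100.7", "customer_data"),
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE, assess(SAMPLE)[0]):
        print(ev.user, ev.ip, ev.resource, "->", decision)
```

The tracked list is kept even after the user re-verifies, so the security team can still see what was accessed while the session was suspect.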
This requires a great balancing act on the part of companies. Staff should be kept from being encumbered by IT security, but they should also be sensitized to the importance and rationale of those checkpoints.
3 Tips to Help Make Zero Trust Work
There are several things organizations can do to make zero trust work in their environment. Here are three considerations to explore.
1. Security Training
Companies should consider hosting regular workshops and offering alerts to new types of scams to remind staff of the threats and precautions they should take. Training can take place in the office, but there is a continuously growing number of companies that now offer fantastic online interactive programs.
"Training and communication efforts should be consistent and not only focus on behaviors for employees to follow at work but also those that help protect them at home," said Richard Barretto, chief information security officer at software company Progress. When employees practice bad habits at home, he said, they're often repeated in the workplace.
2. A Unified User Policy
A MobileIron study from 2020 found that senior executives often request to bypass the company's cybersecurity measures for practical reasons. Though this may make work easier, it leaves the company more vulnerable to attack and can jeopardize the organization.
Having a unified policy for user activity is therefore critical to safeguarding an organization. All users should have the same security processes. A CEO is not more protected from hackers or errors than a front-line employee, and the repercussion of even a small mistake can in fact be tenfold at that level, given the files and data this person has the privilege to access.
3. Automation
As much as possible, security processes should be automated. While some users might get frustrated by having to make a request every time they want to step outside of what is considered "normal behavior" as defined by the cybersecurity system, having the process automated means that security teams can free up some time to focus on red flags and unusual circumstances.
About the Author
Kaya Ismail is a business software journalist and commentator with years of experience in the CMS industry.