Op-Ed by Raymond Maisano, Head of Australia and New Zealand, Cloudflare
It’s been over ten years since Forrester initially coined the term ‘Zero Trust’. The cybersecurity concept has surged in popularity in recent years, becoming the choice approach to protecting remote and hybrid workers from the growing cyber threats and data breaches brought on by the pandemic.
The National Cyber Security Centre recorded a 15% increase in attacks towards Aotearoa New Zealand’s nationally significant organisations in its 2020-21 threat report, including major banking and financial organisations and healthcare providers.
This is an upward trend that is common across the region. According to recent Cloudflare research, 44% of IT and security leaders in APAC said the pandemic had a significant impact on how their organisation approached IT security, leading them to increase their investment in IT security measures like Zero Trust. For 77% of respondents, IT security was one of the core areas “keeping them awake at night”.
The study further revealed a majority (86%) of organisations are aware of Zero Trust. In fact, 66% of respondents had implemented a Zero Trust strategy, and of those without, 58% planned to implement such an approach within the next 12 months.
However, while local IT and security leaders are clearly seeing the benefits of the Zero Trust approach, challenges in getting employees’ buy-in often prevent successful implementation. To overcome this hurdle, there are several steps organisations can take to enlist employees on the Zero Trust journey.
No longer just a concept—what does Zero Trust mean in 2022?
Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting any user by default, including those already inside the network perimeter. Under traditional IT network security measures, a malicious actor who gained access from outside the organisation, or a current or former employee with access who posed an insider threat, would be free to move laterally and wreak havoc from the inside. Zero Trust frameworks instead assume there are attackers both within and outside the network, so no users or machines are automatically trusted.
This inherent lack of trust is effective in safeguarding an organisation against ransomware attacks that have rattled Aotearoa New Zealand organisations of late, like the Waikato District Health Board, and unauthorised access and malware attacks, which increased by 32% and 372% in Q3 2021 respectively.
Controls drawn from CERT NZ’s list of top critical controls, such as multi-factor authentication, micro-segmentation and least-privilege access, grant access only once the identity, context and policy adherence of each specific request have been verified. Once established, logins and connections time out periodically, forcing users and devices to be continuously re-verified.
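To make the per-request verification described above concrete, here is an added example (not Cloudflare’s or CERT NZ’s code) of a minimal Zero Trust access decision: each request is judged on identity, context and policy, network location alone grants nothing, and an aged session must re-verify. The resource policy, the 15-minute session limit and the request fields are constructed assumptions for illustration.

```python
"""Added example: a single Zero Trust access decision per request.
Identity, device context and least-privilege policy are all checked
on every request; being on the corporate network grants nothing, and
an established session expires so the user must re-verify.
The policy table, TTL and request shape are constructed for this example."""
from dataclasses import dataclass

SESSION_TTL_SECONDS = 15 * 60  # constructed: re-verify after 15 minutes

@dataclass
class Request:
    user: str
    groups: set
    mfa_verified: bool
    device_compliant: bool
    on_corporate_network: bool   # recorded for logging, never used to grant access
    resource: str
    action: str
    session_age_seconds: int

# Constructed least-privilege policy: resource -> permitted groups and actions
POLICY = {
    "payroll-db": {"groups": {"finance"}, "actions": {"read"}},
    "hr-portal":  {"groups": {"hr"},      "actions": {"read", "write"}},
}

def decide(req: Request) -> str:
    """Return 'allow', 'deny' or 'reverify' for one request."""
    # Identity: unknown resource, or user not in any group the policy permits
    rule = POLICY.get(req.resource)
    if rule is None or not (req.groups & rule["groups"]):
        return "deny"
    # Least privilege: only the actions the policy enumerates for that resource
    if req.action not in rule["actions"]:
        return "deny"
    # Context: MFA and a compliant device are required even on the corporate network
    if not req.mfa_verified or not req.device_compliant:
        return "deny"
    # Sessions time out: force re-verification rather than trusting an old login
    if req.session_age_seconds > SESSION_TTL_SECONDS:
        return "reverify"
    return "allow"
```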
While the security benefits are clear and proven, it is possible to take a Zero Trust approach too far and isolate workforces. If employees aren’t educated on its purpose, they might begin to view such frameworks as indications that their organisations cannot or will not trust them. Or, perhaps, they might see the related protocols as inconvenient processes that prevent productivity. Such sentiment risks disengaging employees from the Zero Trust journey, opening an organisation up to vulnerabilities.
How can businesses enlist employees on the Zero Trust journey?
First, engage employees in Zero Trust from the beginning. Not only does onboarding talent present the first opportunity to get effective role-based access control in place, but it also provides the chance to set expectations, answer questions, and establish best practices around employee engagement with the organisation’s security approach.
Day one adoption is particularly essential as 85% of APAC enterprises’ IT and cybersecurity decision-makers agreed workforces would be more mobile in the future. Moreover, amid staffing shortages, the ‘Great Resignation’ and increased turnover, a Zero Trust approach to offboarding with clear expectations is far smoother for all involved.
Cyber attacks are becoming increasingly costly for businesses of all sizes—with Aotearoa New Zealand organisations losing, on average, $4.1 million every three months. No longer can cyber security only be seen as the IT team’s problem; it must be recognised as a critical function that all employees at all levels are responsible for. Continued and accessible education is paramount. An effective Zero Trust experience works for and empowers every employee.
The industry needs to get comfortable with the idea that trust and education must be extended beyond the IT and security team to include the actual constituents we are trying to support and secure. This means that all employees should be continuously educated on the rationale behind Zero Trust security measures. Explaining that the measures taken are to protect, rather than monitor, means employees are less likely to feel distrust and instead be empowered to work with them.
Shifting to Zero Trust access for every application is the only way to secure today’s human and network resources. Zero Trust is a journey, and while our research indicates that the intent is there, many Aotearoa New Zealand and APAC organisations have only just begun to roll out this approach to IT security.
To progress on this journey, businesses must first overcome the challenges in getting employees’ buy-in and commitment to Zero Trust frameworks through continual engagement and education.