COVID-19 has thrown the supply chain into disarray. Just-in-time manufacturing methods have been disrupted, bringing into question six decades of thinking. The pandemic also raises questions about the security of supply chains, each company, or link, having its own IT security, processes, and teams. But interdependence means the weakest link could compromise your security. So, what can be done?
Breaches are expensive
A recent global report from IBM examining the financial impact of a data breach found each breach costs a company an average of $US3.86 million. Of those breaches, the most expensive were ones where employee credentials were compromised.
Despite this cost, a study from Webroot discovered that in 2020 one in five respondents in Australia and New Zealand reported having received phishing emails related explicitly to COVID-19. It also found that only one in three people were more concerned about phishing than they were at the beginning of the year.
Globally, the statistics are sobering. Overall, nearly thirty per cent of people reported clicking on a phishing link or had fallen victim to a phishing scam. While 81 per cent of people say they take steps to determine if an email is malicious, 76 per cent say they open emails and click links from unknown senders.
Clearly, there’s a lot that can be done to improve education around phishing and identity scams, but there’s also another strategy business can take to secure their perimeters: zero trust.
Why Zero Trust matters
COVID-19 has changed the way we work. According to the IBM study, hybrid work models are creating less controlled security environments. The report found that 70 per cent of companies that have adopted telework or remote working believe the pandemic will exacerbate data breach costs.
This shift to telework also encompasses the supply chain: with multiple parties all dependent on one another. The only answer is to adopt a security and identity strategy that trusts no one with their own IT environments.
The zero trust model was created by Forrester Research and embraces a new access model. In essence, it treats everyone as untrusted.
With the Zero Trust model, cloud applications and security are looked at with the same importance as on-premises systems and applications.
Achieving full effectiveness with Zero Trust starts with the identity of the user. This means including identity governance controls for roles, entitlements, separation of duties (SoD) policies, and risk.
There also needs to be lifecycle automation for all identities, including employees, contractors, suppliers, and other business partners.
The importance of analytics
The IBM report found that companies with fully deployed security automation also reported significantly shorter response times to breaches (the average response time for companies without automation and analytics to a breach was 74 days).
Companies implementing AI, machine learning, analytics, and other forms of security automation were, according to IBM’s findings, able to respond to a data breach 27 per cent faster than their non-automated peers.
Focusing on identity can help with the Zero Trust approach by using AI, ML, and analytics to provide insight into identity data and events. Companies should also adopt policies emphasising continuous evaluation and governance of identity assignments, policies, and risk.
Zero Trust, when it comes down to it, isn’t a single product or solution. The smart deployment of technology and practices recognising corporate boundaries don’t end at the firewall – but extend to the individual end-user. Identity is the new firewall and should be at the centre of any Zero Trust strategy.