Ransomware has easily become one of the most notorious enterprises of the 21st century — garnering unprecedented success in the past 24 months by exploiting vulnerabilities in the cloud and across the software supply chain, attacking industrial processes and hitting unsuspecting victims on holidays and weekends.
What’s worse, as our hyperconnected world breeds new and emerging threat vectors daily, we know that breaches today are inevitable and cyberattacks are the new norm — they’re happening as we speak. Research shows that 76% of organizations have been the victim of a ransomware attack in the past two years, and 82% have paid at least one ransom.
Spending on cybersecurity is higher than ever, yet we’re still hemorrhaging losses to ransomware — and not just financially. Attacks like those on Colonial Pipeline and SolarWinds reaffirm the societal and economic implications of ransomware, and we continue to witness one devastating attack after another on U.S. critical infrastructure and other essential civilian sectors (think education and healthcare).
Far too many organizations are still sitting ducks in the eye of a cyber storm, so apathy and lack of action are unacceptable. Business leaders must act proactively to bolster cyber resilience before it’s too late.
Assume breach, improve resilience, control impact
A decade ago, it was enough for business leaders to focus solely on bolstering prevention at the perimeter defenses (VPNs, firewalls). Now, in the wake of accelerated digital transformation efforts — largely spurred by the pandemic and today’s era of hybrid work — the attack surface has widened significantly, leaving more endpoints, cloud environments and potential exploitation avenues open and available for bad actors.
With organizations now managing a hybrid workforce, sprawling hybrid IT estates, and widening supply chains, it’s no longer a question of if bad actors will defeat perimeter defenses; it’s a question of when. That’s why today’s industry-wide focus on “bolstering resilience” has never been more timely or essential.
One of the resilience frameworks that’s been thrust even further into the cyber spotlight in the past 24 months is zero trust. This cybersecurity approach was first introduced by Forrester over a decade ago. It is a framework predicated on the principles of “assume breach” and “least privilege”.
Under a zero trust approach, organizations are encouraged to restrict access to a select and necessary few (least privilege) and assume that everything will inevitably be breached (assume breach). The duality of the zero trust mindset recognizes the certainty of a breach, while ensuring that organizations are rigorously safeguarding access and mitigating exposure proactively. We like to call this “breach risk reduction.”
With zero trust practices, technologies and policies in place, organizations are better positioned to address cyber incidents quickly (reducing downtime) and mitigate accompanying business and operational impacts. But there are still steps that agencies, organizations and the federal government must take in order to help the private and public sectors maximize resilience.
Zero trust resilience starts with education and alliances
In today’s hypercomplex, dynamic, cloud-first world, cyber resilience won’t work unless we come to a collective agreement on our best path forward.
A great deal of confusion remains within the federal government regarding cybersecurity mandates and best practices. While President Joe Biden mandated a federal move to zero trust architecture in his Executive Order last May (reiterating the significance of the zero trust framework earlier this year), multiple agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), and the U.S. Department of Defense have all adopted separate and varying zero trust best practices.
Organizations are increasingly recognizing cybersecurity as a critical imperative, but there’s no unified agreement on what zero trust should look like in action. The lack of a single plan creates confusion and stunts our ability to educate, which ultimately hinders resilience efforts in general. In order to become more durable in cyberspace, we must build consensus on an effective plan — a playbook of sorts — and present a unified front for organizations to follow as they look to enhance foundational resilience efforts with zero trust.
Continued cybersecurity education, at a more general level, is also essential to further ongoing resilience initiatives. In June, President Biden signed into law the “State and Local Government Cybersecurity Act of 2021”, which requires the National Cybersecurity and Communications Integration Center (NCCIC) to provide training, conduct exercises and promote cybersecurity education and awareness across all lower levels of government. Additionally, earlier this year, the “Cybersecurity Grants for Schools Act of 2022” was introduced, allowing CISA to award grants for cybersecurity education and training programs at elementary and secondary education levels.
This is the federal cyber momentum we need. As the hybrid attack surface around us continues to evolve and widen, we need to continue taking steps in the right direction — and we need to move faster. The enemy of a good plan has always been a perfect plan. While we’re looking for perfection, the attacker is always moving. While we’re debating, they’re attacking. We must incrementally get safer and build resilience daily.
The road ahead
Ransomware and cyberattacks aren’t going away. In fact, the threat landscape is changing, with bad actors rebranding and innovating more aggressively than ever. But companies, government institutions and other organizations can catalyze resilience efforts by continuing to educate on cybersecurity best practices, issuing formalized guidance on zero trust and other core resilience frameworks — and ultimately, taking action.
As our world becomes increasingly hyperconnected, resilience initiatives like zero trust are only as strong as the weakest link in our global chain. And as our adversaries continue to move more aggressively in cyberspace, there has never been a better time for all of us to get on the same page and shore up our resilience than right now.
Andrew Rubin is CEO & cofounder of Illumio
The post A practical approach to building resilience with zero trust appeared first on Venture Beat.