We clearly have a problem when it comes to cybercrime — admitting that is half the battle
By Justin Augat
iland VP of Product Marketing
Last year, cybercrime incidents involving ransomware, viruses, trojans, and phishing increased across the board, not just in frequency, but also in impact, duration, and sophistication. These attacks were launched on businesses of all sizes in what has been called “the worst year on record” for data breaches.
Recent data from Accenture shows that, over the last five years, the number of security breaches rose 67 percent and the cost of cybercrime has gone up 72 percent. Juniper Research found that cybercrime has already produced $2 trillion in damages and it estimates that number will reach $6 trillion by 2021.
They say the first step to resolving a problem is admitting it exists.
Cybercrime is a major problem. There, now that’s out of the way.
Admitting the imminent threat of cybercrime will make for many a difficult conversation between customers and IT professionals this year. Whether you alone are responsible for your company’s data or you enlist the help of a cloud service provider (CSP), understanding data security is no longer a luxury, but a necessity. Otherwise, you are putting yourself or your company at risk.
Never trust, always verify
Now for the good news: As organizations begin to take data security more seriously, including spending more on security and developing more advanced and focused strategies, our capabilities to defend against cybercrime are greatly improving.
One such strategy is called “Zero Trust,” which incorporates technology, services, people, and processes into a cohesive approach that includes multiple layers of defense.
Developed by Forrester Research a decade ago, the Zero Trust security model can be summed up as “never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organization’s network, no access is granted without verification. Zero Trust is necessary because traditional network security can no longer keep data safe from today’s advanced threats.
How to have “Zero Trust”
When it comes to keeping your company’s data secure, it’s okay to have trust issues.
Let’s start with this analogy: If you enter your house through the front door, you expect to have access to all the rooms inside. In a Zero Trust world, you would not necessarily have access to all rooms automatically. In fact, you may not be able to go beyond your entryway without further permission.
To achieve the level of security necessary for Zero Trust, I recommend starting with a look at your physical security as your first layer of defense. Physical data centers, whether on-premises or in the cloud, represent the epicenter of customer data and should be treated as such when guarding against cyber theft. Every data center should receive equal priority and attention with consistent security standards across all physical assets. This includes active monitoring, controlled access to all facilities via an approved access list, and secure environmental elements such as power, cooling, and fire suppression.
Every security measure should be applied logically across every layer of technical configurations and software to create a secure and stable foundation. Logical security approaches should be applied at the network, storage, and hypervisor layers; and you or your CSP should provide as much security as possible throughout each layer.
Check with your CSP to ensure they can properly manage your logical security. This also means making sure you have trained and experienced people protecting your data who understand how to work within the established controls to secure the various systems. Request employee background checks, security and compliance training, regular access reviews, annual penetration testing against your infrastructure, as well as regular patching schedules for all systems.
You can also confirm those resources through third-party validations. Even the most secure organizations can benefit from an additional review. You or your CSP should consider adhering to some of the following frameworks and standards: HIPAA, HITRUST, SSAE16, ITIL, GDPR, CSA STAR, CJIS, and more.
2020 and beyond
The IT industry puts a lot of time and energy into prognostication each New Year. In that spirit, let’s try this prediction on for size — cybercrime will only continue to increase in number, impact, and sophistication in 2020. Sure, that’s not exactly going out on a limb, but acknowledging it is the first step toward being prepared.
From the huge risk associated with external security threats (ransomware, malware, etc.) to the countless examples of malicious insiders taking advantage of valid credentials to do damage within companies, you can see why customers are pursuing Zero Trust strategies.
Learning to be a little less trusting with a Zero Trust strategy can eliminate many of the vulnerabilities that are left behind by technology implementations alone. So, when disaster does strike in the form of a cyberattack, we aren’t helpless.