It may sound illogical to not trust people in order to gain their trust, but then, uncompromising cybersecurity works as such.
In the worldwide telecommuting experiment last year, we witnessed first-hand how much of our technology and remote working practices have been built on unstable foundations, and how much of it continues to be a work-in-progress.
As economies reopen, many organizations plan to combine remote-working with time in the office to get the best mix of productivity and collaboration. With employees routinely switching between devices onsite and at multiple remote work locations, this hybrid environment presents even more challenges for organizations to maintain data and network security for the increasingly distributed, mobile workforce.
Security in this hybrid world is a top concern as employees access and communicate data beyond the periphery of the usual security firewall.
Greater DX, higher attack surfaces
The digital environment has become more complex, exploding with billions of sensors, connected cars, traffic lights, smart watches, drones and countless other IoT devices. Telecommuting, which depends on many of these connected devices, has therefore expanded the attack vectors by several orders of magnitude.
According to the World Economic Forum’s recent survey of the world’s top risk experts, half of the 350 respondents were particularly worried about an increase in cyberattacks against their companies. The pandemic has created a perfect storm for cybercriminals to exploit the security vulnerabilities of many organizations for their own gain.
According to our own 2021 Annual Threat Report, remote workers were cited as the cause of breaches for 20% of organizations since the start of the pandemic. A 2020 survey by Harvey Nash/KPMG also found that four in 10 companies around the world had experienced a surge in cyberattacks. In response, IT leaders collectively spent around US$15bn extra per week on technology, with security and privacy the top investment, to enable their employees to work from home safely and securely.
It is clear that the expanding threat surface and increasing sophistication of attacks, compounded by the sudden influx of remote devices coming onto enterprise networks, have put considerable strain on security teams.
Building trust with Zero Trust
With our homes becoming the ‘new enterprise’, the need for maximum security is at an all-time high, as is the need to maintain business resilience. However, part of the problem is that many people view cybersecurity through too narrow a lens. Fending off these evolving threats will need to begin with a deep cultural shift among business leaders towards more sustainable IT practices. This means managing security and privacy in a way that builds trust across the system, rather than through business practices that deplete trust.
In order to create connectivity that a remote-working world can truly trust, organizations must move to a Zero Trust security environment. This may sound counter-intuitive, but it is the exact approach needed when it is no longer enough to confine security considerations to the physical network or selected endpoints.
A Zero Trust model centers on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything: apps, devices, networks and people.
The model approaches verification of user identities as a constant process of authentication, not just at login. It not only considers traditional login credentials, but also biometric authentication, contextual factors such as location and device, and even behavioural profiling such as hand-eye coordination, individual scrolling patterns and other user norms.
With Zero Trust, the default action is to always verify.
Balancing security with productivity
The big challenge, of course, is to reduce the friction with the availability of resources and the ability to do work. As users, devices and data continuously increase, businesses need to ensure that this continuous verification process does not increase the burden on the users.
Our own approach to Zero Trust is through secured platforms that remove friction in the work environment, enabling the ‘Zero Touch’ experience that users demand. For instance, our employees, contractors and partners can use their own devices to gain secure access to any application or file, and have access to many of the same capabilities they would have with a traditional corporate-owned and managed computer—all without compromising the security of our networks and assets.
Another way we are ensuring that security and productivity go hand-in-hand is our use of AI-driven technology to detect and prevent cyber threats from executing when users open malicious URLs or visit spoofing websites designed to mimic legitimate pages. This kind of Zero Trust mitigation addresses the very real fact that to err is human, and mitigates against users falling prey to the kinds of pandemic-linked phishing and spoofing attempts, we are seeing today.
Securing today’s distributed workforce
Another important aspect of Zero Trust that is highly relevant in our global crisis is the area of secured communications. The American Red Cross, for example, uses BlackBerry AtHoc to communicate and make sure information is protected, managed, and delivered from a trusted source to any connected device and via any medium to their organization.
As traditional workplaces continue to evolve in the post-pandemic era, secured communications between the world’s distributed workforces is more important than ever. Organizations need the ability to gain real-time visibility into personnel safety, enhanced communication and collaboration, and improved situational awareness for rapid mobilisation and response. This is especially critical for the safety of people in the field, including health workers, first responders and others, who continue to rely on timely and secure information that reaches them even when there are spikes in network usage or when there is limited connectivity in emergency zones.
In these fraught times, a Zero Trust approach to security can provide the stability and assurance that organizations and governments need. From how they communicate, access their mission-critical assets, and mitigate cyber threats, a rethink in embracing this long-term, dynamic security model needs to begin at the top.