This article was originally featured on Intelligent CISO.
The insider threat is one of the most harmful threats to an organisation and business leaders are becoming heavily reliant on operating with a Zero Trust approach to security. Renaud Perrier, SVP International, Virtru, discusses the importance of a Zero Trust model for transforming the way you monitor, prevent and mitigate risks associated with insider threats.
According to Verizon’s recent Data Breach Investigation report, 85% of data breaches involve a human element — whether that be a phishing attack, human error, intentional misuse of privileges, or data misuse. While this might seem a pretty alarming statistic, it represents an opportunity for security leaders to fundamentally shift how they approach securing their data and their organisation.
As many organisations still continue to focus outward — on the perimeter — to prevent malicious cyberattacks, they may overlook internal security behaviours that could put their organisation at even greater risk. But we all know that perimeters get breached and people make mistakes; why not switch things up and manage security from the inside out?
Most of the time, insider threats aren’t malicious or even intentional. It can be as simple as selecting Sarah from your stationery supplier rather than Sarah from finance and in the blink of an eye your sensitive customer data is out in the ether.
More unusual — but still an area of concern — is the disgruntled employee who chooses to exfiltrate company data. This presents a risk to organisations where data access is not carefully governed, granting employees with more access to sensitive data than they realistically need to do their jobs. Unfettered access to sensitive customer data is a significant risk that needs to be mitigated to reduce the likelihood of a malicious insider threat.
Regardless of the intent, data is the common denominator across these insider threat scenarios — and protecting the data itself has to be a key priority. But businesses still need to collaborate and share information. In a world where speed and innovation are essential, locking down the data can’t be the answer.
Instead, imagine this: rather than stopping the flow of data as a means of securing it, you can provide your workforce with a way to easily share and innovate across applications and ecosystems, knowing you have full control over where it goes and who can access it.
Zero Trust is gaining momentum, with ResearchAndMarkets.com estimating it to be a £44 billion market by 2028. But there are a wide range of definitions of what Zero Trust actually means. Put simply, Zero-Trust security is a policy of maintaining Zero Trust towards all users, providers and network traffic — even those inside the network.
Zero Trust operates under the guiding principle, ‘never trust, always verify’. All users, platform providers and network traffic are treated as potential threats, so additional measures are needed to mitigate risk.
So, what does strong Zero Trust security look like in action? This approach can transform the way you monitor, prevent and mitigate the risks associated with insider threats. When you stop treating the network as an automatically safe space and, instead, put processes in place to monitor and verify traffic, data access and the flow of data sharing, you gain more control over where the data goes and who is authorised to access it.
Because, at the end of the day, the perimeter is bound to be breached in some way. Insider threats are a powerful example of this: even a well-intentioned employee can, without malice, exfiltrate sensitive data and cause a breach. As cyberattacks like ransomware and phishing continue to escalate and become even more sophisticated, it’s essential to stop granting unearned trust to entities within the bounds of the corporate network.
The Zero Trust policy control plane is layered and has several facets: identities and people; devices and endpoints; network transport; apps and services; and — most critically — the data itself.
Why focus on protecting the data itself? Because it is the lifeblood of modern businesses and the core pillar of how organisations operate today. John Kindervag, the father of modern Zero Trust, is known for saying ‘The first principle of cybersecurity is to protect data and prevent breaches’. Across all security efforts, data is the common denominator.
Zero Trust is certainly a multi-layered endeavour. You can’t have strong security without considering how you authenticate the people, devices and systems that access your data. But, should the other areas of Zero Trust protection fail, if you are protecting the data itself with a layer of encryption as a data-centric protection, it still remains secure.
Ultimately, Zero Trust will always come back to the data.
So, how can security leaders take steps to make sure their data is protected in support of a Zero Trust strategy?
It’s essential to put processes and tools in place that automate security and mitigate risk, but ultimately, security is a human problem: you also need to bring your employees along with you, equipping them to make the right decisions when it comes to data.
This starts with implementing user-friendly tools that enable employees to protect the data they’re sharing. For too long, security and encryption products have neglected ease of use, which is a critical error. If you want employees to prioritise data security, you have to make it simple and you have to ensure it doesn’t introduce hurdles into their daily workflow. Efficiency, speed and innovation are table stakes for businesses today, so security should support those business objectives, not detract from them.
Finally, leadership is key to cultivating engagement around security. To get individuals invested in protecting data, it’s important to help them understand why they should care and that their actions truly have power. Educating employees about breaches in the news, for example, and their impact on businesses and their own teams, can help them gain perspective on how a breach could impact their own lives. If you make it personal, you will start to see a shift in awareness and behaviour, ultimately mitigating the likelihood of those hard-to-detect, inadvertent insider threats.
Security has to be a collaborative and cross-functional process. By making security conversations compelling, informative and engaging, organisations can better prepare their people to handle the sensitive data they’re entrusted to protect. This kind of a company culture, underpinned by strong Zero Trust practices, can equip your business to confidently navigate an increasingly complex digital world.