What Australia’s getting wrong about zero trust

However, for cyber security professionals, this new world of work has led to complex environments, increased cloud adoption and a surge in new types of endpoints like kiosks and robots. It’s a dangerous mix that opens up a host of new threat vectors for attackers, and it’s in part responsible for the surge in global ransomware attacks that has plagued organisations since the start of the pandemic.

In the face of this evolving security landscape, organisations are increasingly turning to zero trust to prevent breaches from turning into disasters. Zero trust is predicated on an “assume breach” philosophy – which encourages cyber security professionals to assume that they have or will be breached. This mindset shifts security thinking from being passive to active and drives continuous activity to protect and detect attacks.

By doing this, security teams are armed with a different approach to security. Instead of asking if a breach can occur (and a breach will inevitably happen), it requires security teams to ask themselves: how prepared are we to deal with a breach when it does occur? How severe will the impact be and what can we do to curtail the resulting business implications proactively?

This change in focus leads to examining your organisation’s security approach, from the inside out, in greater detail – ultimately enabling your enterprise to build greater cyber resilience, as the threat landscape widens.

Building trust in zero trust

While 90 per cent of organisations report zero trust is one of their top three cyber security priorities for the year, Australia is falling behind the curve when it comes to zero trust adoption – specifically the adoption of zero trust segmentation, a key component of zero trust.

Zero trust segmentation is a modern security approach that stops the spread of breaches, like ransomware, by ring fencing applications and services then only allowing communication based on least privilege principles. According to recent research from ESG, zero trust segmentation users are 2.7 times more likely to have highly effective attack response processes, have averted five cyber disasters annually, and save over AU$28.9 million in annual downtime costs.

In Australia, only 9 per cent of respondents feel their organisation is fully prepared to handle a breach, with 61 per cent believing a breach is likely to become a disaster. For an international point of comparison, 26 per cent of respondents in the United States feel they’re prepared to handle a breach. Additionally, 72 per cent of Australian organisations are still at the nascent stage of zero trust segmentation adoption.

VIEW ALL

In short, the time to accelerate your zero-trust journey – or make up for lost time – is now.

How to get started

For organisations unsure of where to get started or how to accelerate their zero trust journeys, start small and focus on protecting your highest value and most at risk assets first. First, identify the highest risk assets by mapping systems that are most likely to be targets against the impact of an attack on those systems. Secondly, map all of the data flows to determine what should and should not be allowed. This should include applications, endpoints, cloud and OT devices in a single view. Finally, add vulnerability data to determine any areas of immediate risk.

From there, implement security controls that help you meet your unique cyber resilience needs. Zero trust tools like zero trust segmentation helps reduce business and operational fallout in the event of a breach by isolating attacks to a single point of entry.

Keep in mind that zero trust is a journey and a mindset. It’s better to make small progress today than it is to spend months or years building a perfect plan on paper.

Staying ahead of the curve

Cyber criminals are always looking for the path of least resistance. They are continually refining their tactics and techniques to optimise, accelerate and extend the breach. The challenge is with a combination of low zero trust segmentation adoption and businesses transforming, Australia risks becoming a prime target for attacks – especially when those attacks are already profitable for perpetrators.

According to the recent ESG research, the average ransom paid in Australia amounts to AU$344,000. Nearly 9 out of 10 organisations that have had data and systems held hostage by a ransomware attack reported that they were ultimately forced to pay the ransom. The ultimate cost of a breach is much higher due to lost production, loss of reputation and the difficulty of restoring lost data.

Successful breaches are becoming increasingly harmful and frequent. Zero trust is a trusted, proven strategy designed to strengthen business resilience in the face of ongoing ransomware attacks. Australia’s cyber security leaders must impress the urgency and desperate need for zero trust to the rest of their organisation. There’s no time to waste – the time to make progress on your zero-trust journey is now.

Trevor Dearing is the director of critical infrastructure at Illumio.