Nation-state hackers and cyberattacks on Fortune 500 companies might dominate the news cycle, but risk managers shouldn’t be overwhelmed at the prospect of patching all of their company’s potential cybersecurity gaps to protect against sophisticated threats. Instead, one expert recommends they focus on the basics.
“Risk managers need to think about the core fundamentals of what keeps an environment secure. It’s not always the latest-and-greatest attacks, it’s not always the most sophisticated attacks, or the most unusual attacks. A lot of the damage done to companies is in basic control failures,” said Tim Ryan, Americas Cyber Response Leader of EY Forensic & Integrity Services.
Cloud-hosted email, for instance, is standard for many businesses, and an inbox that requires only one password can be an easy target for a hacker. However, as cybersecurity evolves, the measures for accessing any part of a company’s network will go beyond just multi-factor authentication.
“We’re going to see this emergence of something called zero trust environments or zero trust networks, where corporations are starting to re-architect or rethink how they protect their environment,” explained Ryan. “A zero trust network looks at everybody the same. We don’t care if you’re inside the network or outside the network. We’re looking at who you are, we’re looking at how we authenticate who you are personally, the device you’re using and how do we know that’s really a trusted device. We marry those two up and based on these two things together, it gets a trust score.”
If one person’s credentials are being used on another individual’s laptop, that combination would get a low trust score, and the database being accessed would recognize the activity as suspicious. The user would then either need to go through a second form of authentication or be locked out of the network completely, in which case they’d need to contact their help desk for access.
Google has led the way in designing and implementing zero trust networks in-house, though it took the tech giant five years to do so, demonstrating the overhaul that’s required when a company makes this move.
“It’s going to be, number one, a different way of thinking about things, a different way of authenticating devices, so it’s more than just a certain piece of software,” said Ryan. “You have to have an asset inventory, you have to have a user inventory, you have to know what assets they can access, where they belong, and where they don’t belong.”
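The trust-score decision described above, combined with the user and asset inventories Ryan lists, sketched as an added Python example (not code from EY, Google or the article). The inventory entries, score weights and thresholds are constructed assumptions chosen only to show the three outcomes: allow, second factor, lockout.

```python
# Constructed inventories. Assumption: a real deployment would read these
# from an asset-management system and an identity provider.
DEVICE_INVENTORY = {            # device id -> assigned user, managed state
    "LT-1001": {"owner": "alice", "managed": True},
    "LT-1002": {"owner": "bob", "managed": True},
}
USER_ENTITLEMENTS = {           # user -> resources that user may access
    "alice": {"hr-db", "mail"},
    "bob": {"mail"},
}

# Hypothetical thresholds on a 0-100 scale.
ALLOW_AT = 80      # at or above: access granted
STEP_UP_AT = 40    # at or above: second form of authentication required


def trust_score(user, device_id, user_authenticated):
    """Combine who the user is with which device they are on."""
    if not user_authenticated:
        return 0
    score = 30                              # identity verified
    device = DEVICE_INVENTORY.get(device_id)
    if device is None:
        return score                        # device not in the asset inventory
    if device["managed"]:
        score += 20                         # known, managed device
    if device["owner"] == user:
        score += 50                         # device is assigned to this user
    return score


def decide(user, device_id, resource, user_authenticated, second_factor_ok=False):
    """Return 'allow', 'step_up' or 'deny'. Network location is never an input."""
    # Entitlement check first: a high score never grants an unassigned resource.
    if resource not in USER_ENTITLEMENTS.get(user, set()):
        return "deny"
    score = trust_score(user, device_id, user_authenticated)
    if score >= ALLOW_AT:
        return "allow"
    if score >= STEP_UP_AT:
        return "allow" if second_factor_ok else "step_up"
    return "deny"                           # locked out; help desk must restore access


if __name__ == "__main__":
    print(decide("alice", "LT-1001", "hr-db", True))  # own laptop
    print(decide("bob", "LT-1001", "mail", True))     # bob's credentials on alice's laptop
    print(decide("alice", "BYOD-77", "mail", True))   # device missing from inventory
```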
Because of the shift that’s required to transition to a zero trust network, it’s not a change that will happen overnight, according to Ryan. Nonetheless, it will be the new norm that risk managers should be prepared to meet.
“It’ll probably come to fruition in the next three years, and I think it’s going to be standard in the next five years,” he said.