Business leaders are doing more to reduce the widespread impact of cyberattacks on their organisations and this involves revising their cybersecurity strategies, particularly as we enter into a new year and potentially face new threats. Richard Meeus, Director of Security Technology and Strategy EMEA at Akamai, offers expert insight into how taking an ‘assume-breach’ approach and investing in cybersecurity measures such as Zero Trust will help businesses tackle the threats that lie ahead.
This year we have seen a real turning point in cyberattacks, in particular the rise of RaaS (Ransomware-as-a-Service) and DDoS attacks. Criminal enterprises have been able to turn cyberattacks into profitable and scalable businesses and 2022 saw some of the most sophisticated cyberattacks in recent years, such as the breach against Nvidia from ransomware group, Lapsus$, and unfortunately this trend is showing no signs of abating.
What’s more, recent research by IBM revealed the average cost of a data breach worldwide rose almost 13% over the past two years, hitting an all-time high of US$4.35 million in 2022. Amid rising inflation and the corresponding costs of running a business, rethinking cybersecurity strategies can help businesses be prepared against increasing cyberthreats.
For consumer-facing businesses like retailers and high street banks, the downside of a poor security strategy is even greater, as 59% of UK consumers say they would stop shopping at a retailer if it was a victim of a cyberattack. What’s more, our research showed that more than half (58%) of British people reported receiving a scam attempt at least once per week in 2021, with 51% saying they would switch banks if they were not reimbursed after falling victim to fraud.
Against the backdrop of macroeconomic turbulence and evolving cyberthreats coupled with consumer demand for robust security, it’s clear business leaders must prioritise cybersecurity or risk losing credibility and consumer trust, as well as facing hefty recovery costs. Looking to the year ahead, businesses must therefore take a risk-based approach to ensure their systems and customer data is protected.
Here I will outline how taking an ‘assume-breach’ approach and investing in cybersecurity measures such as Zero Trust will help businesses weather the storm as we face more uncertainty in 2023.
Never trust, always verify
Though the concept of Zero Trust has been popularised across many sectors, numerous organisations are yet to reap the benefits of this approach. In fact, according to IBM, almost 80% of organisations don’t adopt Zero Trust strategies, resulting in average breach costs of US$5.4 million, US$1.17 million more compared to those that do.
Zero Trust means what it sounds like: no one person or device on a network is trusted. Users are given only the access that they require for their task and the network is segmented to make it difficult for would-be attackers to move through the network in search of valuable data to steal. As such, businesses must leverage Zero Trust capabilities in order to protect sensitive data and enforce ‘authorised only’ access to information that is critical for security and compliance.
Such Zero Trust technologies mitigate the widespread impact cyberthreats can have within an organisation. This approach can also reduce a lot of the potential regulatory and network security headaches simply by removing implicit trust within an IT ecosystem and replacing it with a risk-based approach to accessing organisational resources.
Strengthening security with an assume-breach model
Assume-breach approach takes Zero Trust one step further, ensuring the focus of any organisation remains on prevention and protection from unwanted cyberattacks and removing implicit trust from any device or user. This approach can help guide decision-makers when discussing investments in security technologies and operational best practices as it aims to limit the trust placed in networks, applications, services and devices (both IT and IoT) by treating them as though they are already compromised.
According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involve human error, such as employees exposing information directly or by making a mistake that allows cybercriminals to gain access to the organisation’s systems. As such, instilling an assume-breach approach by assuming a network is compromised and putting the necessary tools in place can help prevent breaches from expanding and penetrating further into the network.
What’s more, testing systems regularly to detect vulnerabilities is another crucial aspect of the assume-breach approach. Using simulations to test your incident response strategy can better equip businesses in the case of a cyberattack attack and help identify weaknesses in your security infrastructure.
Great security equals better protection
It comes as no surprise that better protection comes with better security planning. Security leaders must ensure they bring security to the forefront of any organisation. Prevention also comes with dedicating budget and resources for backup generation and network segmentation. Looking ahead to 2023, organisations must create response plans in advance of a ransomware attack or breach — after all, being organised and prepared means quicker and efficient reaction times.
The evolving threat landscape means businesses must adapt their security solutions to ensure their systems and data are fully protected. Traditional techniques that rely on only detecting known threats or require employees to make the right judgement call leave organisations vulnerable to attacks that could compromise customer data — putting their reputation on the line.
By implementing established Zero Trust technologies, businesses can be assured that their systems are protected. Businesses can also go one step further and take an ‘assume-breach’ approach, which builds on the concept of Zero Trust and treats every device or user on a network as hostile, ensuring that no one is trusted – this in turn helps mitigate the widespread impact cyberthreats can have within an organisation.