Why your employees should adopt a Zero Trust way of thinking.


Cybercrime is now so advanced that we need to distrust everything by default

For many years businesses have approached IT security from a “trust but verify” standpoint. This means that communications like emails are trusted initially, with follow-up checks carried out afterwards.

But as cyber attacks become more sophisticated, this method is no longer reliable. Instead, we need to start talking about day to day operations in terms of “Zero Trust”.

What is Zero Trust?

shutterstock_367219643.jpg

As the name suggests, under the Zero Trust model all interactions are treated as being untrustworthy, both in the digital and physical world. This approach turns the old method on its head to become “verify but never trust”.

Why? Technology changes at a ridiculous pace which means that what you thought was trustworthy yesterday may be compromised today. 

Why your employees should trust nothing

Technology plays an important role in protecting your business, but people are usually your last line of defence – and your greatest security weakness too. So your people will need to change their mindsets if they are to properly understand the Zero Trust model.

Here’s an example:

Every month, your accounts department receives a statement of account from Julie at So & So Limited by email. Because Julie sends the same spreadsheet every month without a problem, you would assume that it must be safe, and would not think twice about opening it. 

But this trust is misplaced for several reasons:

  • You don’t know if Julie has checked the file is virus-free before she sent it.
  • You don’t know if Julie’s PC has anti-malware tools installed.
  • You don't know if Julie’s emails are scanned for security problems.
  • You don't know if Julie is sending the email, or someone else is sending the message.

At the most fundamental level, you just don't know. Which is why you must not trust anything received from the outside world – not just Julie’s monthly statement of account.

The machines are getting better at tricking you

Artificial intelligence and machine learning technologies are usually associated with efforts to improve our lives. Things like speeding up the process of designing drugs to cure cancer, or just making routine tasks easier.

But these same technologies can also be turned against us. Imagine a well-engineered virus is installed on Julie’s PC. By monitoring her behaviour the virus could learn to behave like Julie – making fake communications look even more realistic.

But when you receive her monthly report, you have no idea whether Julie really sent it or not.

Which is why your team needs to distrust everything that originates outside your company.

Stop tolerating bad habits

People are still the weakest link in your security provisions, especially if you have not trained them on using “Zero Trust” to identify fake emails. For years we have used technology to relieve end users of their security responsibilities – with limited success. 

The first step towards greater responsibility is to adopt the Zero Trust mindset. If your employees routinely distrust everything, they are far less likely to fall for a social engineering attack, keeping your systems and data safe from cybercriminals.

To learn more about the Zero Trust approach, and how to implement it in your business, please get in contact.
 

Cyber SecurityJames Kimbleysecurity, policies