This summer, my to-do list was full of stories about cybersecurity issues related to hybrid work. I was hopeful that the path to the end of the pandemic was ahead of us. Many companies announced their plans for keeping fully remote or hybrid workforce models with as much certainty as possible during a global pandemic. Approaches like zero trust can make those plans smoother.
And now, the virus is surging once again. We can’t build a good cybersecurity strategy around a single problem that we are responding to in a panic, be it a specific attack or a global pandemic.
Even the best responses we put together on the fly are not likely to be as effective as a well-thought-out approach. Businesses that stay in reactionary mode are failing at risk management. That ultimately puts their business continuity at risk to the point that they could even go out of business. And in some industries, like healthcare and finance, organizations risk compliance issues.
Building a Flexible Approach
Instead of reacting, change the focus to building a flexible and complete approach.
People often focus on a specific product or solution as the answer. But the answer is bigger than that. We need to totally change our mindset and build a framework that allows us to protect our data before problems happen. We also need the agility to make changes instead of trying something brand new when a new threat or pivot appears.
That requires a solution that will solve most (if not all) of cybersecurity challenges regardless of what happens in terms of where their employees physically do their work. And the longer companies stay in remote work mode, the more likely they will be to consider a long-term hybrid or remote model, making flexibility even more important going forward.
Problems feel urgent right now, with the future of the work model uncertain and digital attacks continuing to increase. But the right answer is to stop and pause instead of just reacting.
A long-term, complete zero trust approach covers remote, hybrid and fully on-site work — and probably even some other setup we haven’t even thought about yet. But zero trust can’t be a piecemeal solution that considers only one department or network. You have to dive in headfirst and make a total shift, in tech, mindset and strategy.
Zero Trust Is the Answer
The zero trust model means shifting all cybersecurity processes to start from the position that every person or device that requests access is not automatically authorized. Every request must be verified before the zero trust architecture grants access.
This same approach applies to data access as well. Only people, devices and apps that need access to the specific piece of data are allowed access. By using micro-segmentation, organizations can allow access to only the data, apps or network someone needs to do their job.
Using a zero trust approach, employees can securely access data and apps residing on multiple environments from wherever they’re located, using any device. With a zero trust approach, all security information is consolidated across all security domains. That makes it possible to use a least-privileged access model. When put in place correctly, users can easily access what they need, without needless barriers, while sensitive data remains safe from unwanted access.
Explore zero trust
As part of zero trust, you combine multiple tools and solutions. MFA, adaptive access, endpoint protection and unified endpoint management all go into it. These take charge of screening both in-office and remote workers requesting access. There are some other techniques to authorize apps and web browser requests for access to the corporate internet, too. Consider zero trust network access, data loss prevention, sandboxing, secure web gateway, cloud access security brokers and remote browser isolation.
All of these techniques can work together as part of an integrated framework using the same zero trust approach. And once they do, organizations can phase out VPNs for remote access and reduce network access risks.
Zero trust also helps protect employees from phishing attacks. That in turn reduces the likelihood of unauthorized access and breaches. In addition, zero trust helps identify and reduce risky internet behavior by employees.
Determining Zero Trust Success
One of the challenges with zero trust for remote work is knowing when your approach is successful. By using the following key metrics, you can identify where your organization is on the path to zero trust:
- What percentage of employees adopt more than one form of authentication across all channels?
- How many devices and access points do you monitor and manage for security?
- What percentage of applications have you migrated from VPN-based remote access to ZTNA-based access?
Zero trust isn’t a short-term project. Nor is it something that you implement and are done with. Instead, it’s a shift in approach, technology and processes that encompasses every aspect of the organization. It’s tempting to try to do it all at once. But that’s a recipe for stress and failure. By creating an overall and encompassing plan, then beginning with a small and defined project that moves you toward zero trust, your organization can achieve the long-term fix. That will keep your data safe and save hundreds, if not thousands, of hours reacting to each threat or change.