Zero trust in NZ, and its rise from fringe approach to industry standard
In the last 18 months, cybersecurity has transformed.
Ever the opportunists, cyber-attackers took advantage of the vulnerable state of the world early last year, preying upon the swathes of workers making the abrupt transition to remote working.
Many had never worked from home before. Their devices were unsecured, they weren't trained in remote working security best practices, they weren't connected to the corporate, on-premises firewall — and cyber-attackers knew it.
VPNs were, historically, a popular solution to this problem. They provided a means to 'tunnel' into the corporate network — but they did not address the fact that perimeters had been weakened with so many devices away from on-premises networks. And when attackers pass through this perimeter, a VPN approach assumes they can be trusted throughout the network.
It soon became clear to many security teams that perimeter-based remote security was not a sustainable approach with half the world's workforce and students working from their living rooms. The zero trust model, while not new, quickly became the industry standard: according to a report from Zscaler earlier this year, 72% of surveyed organisations are adopting or have adopted the approach.
What is zero trust?
The guiding principle of a zero trust security model is that no one in an organisation — from a new recruit to the CISO — is granted intrinsic trust to access the network. Every user and device must be verified and authenticated regardless of role or security clearance.
It changes an organisation's 'default state' to one that assumes the network has experienced a breach, with access denied until a successful authentication is achieved.
The rise of zero trust has coincided with an increase in insider attacks — another risk factor made riskier by the onslaught of remote working. Without adequate protections in place, an organisation with a remote workforce is exceedingly vulnerable to breaches from within the company as well as without.
In the last two years, many organisations have gained new insights into who can constitute a cyber-threat — including trusted insiders. Insider attackers are often thought of as disgruntled employees, or spies with ill intent. But with heightened vulnerabilities as a result of remote working, well-meaning employees are just as likely to be labelled as insider attackers if they open the door to hackers through poor password hygiene, falling victim to phishing attacks, and general lack of cybersecurity know-how.
IT and cybersecurity company A10 Networks' vice president Adrian Taylor says a zero trust approach is an effective way to combat insider threats.
"While awareness and education can reduce the risk of successful phishing and ransomware attacks, a single moment of negligence can be enough to devastate the business," says Taylor.
"In this environment, it is safer to assume that even your most trusted user can pose a security risk — and design your cyber defence strategy accordingly."
The business benefits of zero trust
The rapid onset of remote working has exacerbated not only the volume of cyber-attacks but also the costs related to breaches.
According to the Ponemon Institute's Cost of a Data Breach 2021 report, the average cost of a data breach in 2021 is US$4.24 million — an increase of almost 10% year-over-year. This is the highest ever figure for this metric in the report's 17-year history. When remote working was presumed to be a factor in causing the breach, the average cost increased to $4.96 million.
But, a zero trust approach, the report found, makes a drastic difference in reducing this cost. While the average cost of a breach was $5.04 million for those without a zero trust approach, those that had adopted the approach had an average breach cost of $3.28 million — a huge 42% difference.
Aside from cost reduction, zero trust can also assist in bolstering user experience (UX). On Gartner's podcast channel ThinkCast last week, Gartner analyst and senior director John Watts says if the approach is implemented correctly, businesses can capitalise on better UX.
"Rather than dealing with a problematic VPN that is always prompting for access, some of these solutions could seem much more transparent to the user," says Watts. "There's a lot of value to be gained even just by trying to get to a zero trust architecture over time.
"The value in pursuing this mindset is in how you apply those principles, work to reduce implicit trust, and improve risk posture."
Zero trust in Aotearoa
The last two years have been eventful, to say the least, when it comes to cybersecurity in New Zealand. There were some 350+ cybersecurity incidents recorded in New Zealand over the 2019/2020 period, according to New Zealand's National Cyber Security Centre (NCSC) — an increase from previous figures.
The Reserve Bank of New Zealand suffered a breach in January this year, costing NZ$3.5 million; 100 local email servers were affected by the notorious Microsoft Exchange attack in March. Perhaps most notably, the Waikato DHB's entire network was pushed offline in a ransomware attack in May this year, impacting medical procedures and resulting in a major leak of confidential patient data.
There's no one solution to the cybersecurity woes of an entire nation, but moving closer to widespread adoption of zero trust architectures is a step in the right direction.
In August, it was reported that Kāinga Ora and the Ministry of Housing and Urban Development are leading the charge in adopting zero trust security in the New Zealand government.
According to reporting from Reseller News, Kāinga Ora led a zero trust architecture working group as part of the Government Information Security Forum. The Crown agency told Parliament's social services and community select committee that it had 21 projects planned under its cyber security initiatives programme in its 2022 financial year. One of these projects was the implementation of a zero trust architecture.
This should also be considered for the IT systems of the country's health system, according to Palo Alto Networks New Zealand country manager Misti Landtroop — especially following the Waikato DHB breach, as well as the Government's recent decision to scrap district health boards (DHBs) in favour of a centralised new body, Health NZ.
"Surgeries were delayed, confidential patient information was sent to the media by the hackers and questions were asked about whether the other DHBs had taken the necessary steps to avoid a similar fate," says Landtroop.
"With plans to centralise the country's 20 DHBs into a single health service, we need to be confident that the IT systems undergirding such crucial public services are robust and that sensitive data remains safe — and a Zero Trust network is the best way to do that.