Cybercrime has been growing rapidly for years, and the sudden pandemic-fueled shift to work from home (WFH) only accelerated the threat, forcing businesses to start putting a real focus on establishing solid security protocols and building a strong relationship with their cybersecurity vendors.
In such a landscape, we can expect to see an influx of even more cybersecurity startups cropping up to join the many that already exist. We see especially great potential in cybersecurity startups coming from Israel, where there is strong private/public collaboration in the field of cyber and a lot of good cyber talent.
It’s time to rethink security standards
The WFH and hybrid work models dramatically expanded potential attack avenues for cybercriminals seeking access to corporate resources and assets. The need to tighten security standards for businesses across all sectors is both severe and urgent.
Unfortunately, too many companies remain slow to update their security protocols and even slower to implement changes with an upfront cost. Still, there’s no question that how and where employees work has permanently shifted, and security practices must shift too.
VPNs and VDI aren’t enough
Most businesses today use VPNs and virtual desktop infrastructure (VDI) to connect remote workers, but these are insufficient solutions with gaping security holes, as several high-profile breaches have revealed.
It’s also important to note that most VPNs are configured to provide all-or-nothing access. Although administrators can restrict sensitive applications or assets for certain users, this requires a level of management that is simply not practical for most administrators. Consequently, remote workers tend to be given full access to the corporate network. This combination of too little control and too much access creates a recipe for disaster, especially when VPN privileges must be given to third-party vendors or contractors.
Even U.S. President Joe Biden’s cybersecurity executive order recognizes the shortcomings of VPN and VDI and advises shifting toward a zero-trust policy for the federal government.
Security solutions must mitigate human error
An additional point that can’t be overlooked is the plain and simple fact that humans, including the very best employees, make mistakes. Security solutions that do not account for human error will simply not succeed.
For instance, it’s common for developers and IT staff to have to address urgent production issues like bug fixes immediately. If they’re out of the office, they may have to log into the system from whichever network is accessible, whether it’s a hotel network or the public Starbucks Wi-Fi. Inevitably, someone will forget to log out of the system and inadvertently allow attackers, who are always on the lookout for this type of scenario, an easy in.
Zero trust is the future of secure remote work
The adoption of zero trust network access (ZTNA) is the most effective way to improve security for all work environments, whether remote, hybrid or on-site.
In the zero-trust access model, no device, user or identity is inherently trusted. Instead, access is granted based on strong authentication and continuous authorization. In addition, features like supervised access and session monitoring provide an important extra layer of control and verification.
So, how can companies begin to shift from their current security approach (likely the castle-and-moat model) to a zero-trust framework founded on strong authentication and continuous authorization? While it’s true that there is no simple zero-trust switch to flip, the migration need not be as difficult or time-consuming as many fear. If companies choose a vendor that supports them throughout the process, they’ll see a faster ROI with far fewer growing pains than they likely expect.
Segmented access to minimize security breach
It is of vital importance for companies to identify their most vulnerable access points and o secure those first. For instance, instead of granting full VPN access to third-party vendors, these potentially risky users can be given micro-segmented access to only the parts of the corporate network that are essential to their tasks. Since WFH is here to stay, this tactic will keep the risk of an accidental user-error security breach to a minimum.
A zero-trust future is brighter for everyone
There are many real-world examples that show the clear benefits of the zero-trust approach. For instance, zero trust access could have saved Colonial Pipeline millions of dollars and prevented the infamous shutdown. Even if the attackers reached Colonial’s core systems, the ongoing authentication and verification processes that characterize zero trust access would have prevented them from doing lasting damage. As an even more current example, the zero-trust model denies unauthorized users access to critical apps and therefore prevents the exploitation of the newly identified Log4j vulnerability.
Overall, an increase in the implementation of zero trust access solutions will almost certainly lead to a decrease in news headlines about major security breaches. We also believe that integrating AI into these new systems can help identify and close security gaps with no manual input needed.
Contributing author: Sergey Gribov, Partner, Flint Capital