CYBERSECURITY: THE FIVE BASIC PRINCIPLES OF A ZERO TRUST STRATEGY
“Breach prevention is no longer enough. Today, cyber-attacks have become a matter of when and not if”.
To put it simply, breaches are inevitable which means that cybersecurity is no place to cut corners. While a surprising amount of businesses rely on conventional approaches to security, in today’s world, that is no longer enough. Businesses that fail to look after their cyber hygiene, may not see tomorrow. On our latest episode of Commerce Talk, we discussed all things cybersecurity with our well-respected guest, Jay Hira.
Jay Hira has spent the last 17 years working with global giants such as IBM, KPMG, Salesforce, EY, and many more. Helping them get close to customers and grow by protecting their data and enhancing their cyber resilience. He is now the Founder and Executive Director of MakeCyberSimple. A non-profit that aims to support small and medium businesses in their efforts to get the basics right when it comes to cyber hygiene. Both online shopping and navigating the world of cyber demand finding the right balance between risks and rewards.
In a bid to make the conversation around cyber security more accessible for all, we take a look at some of the basic principles that all retailers and business can build their awareness around in order to stay protected and continue to maintain and grow relationships with customers. We’ll tell you all about the benefits of using Zero Trust Strategies and how this can take you beyond perimeter security.
Aziza (Pembawa Acara):: I’m interested in what could be described as an opportunity intersection in retail between risk and reward. With the retail sector being a prime target for security attacks and customers having zero tolerance for breaches, how can organizations leverage cybersecurity practices to gain a competitive edge in the market?
Jay Hira (Guest): Yes! Let’s delve into the intriguing intersection of risks and rewards in the world of eCommerce. The COVID-19 pandemic threw us all off course, dramatically impacting consumer behaviors. This led retailers to pivot from the brick-and-mortar business model to online sales. As retailers hurried to establish their digital storefronts, two distinct approaches emerged.
Some meticulously crafted their online presence like master architects, integrating strong cybersecurity and privacy practices right from the foundation. Similar to building houses with reinforced steel beams, they made sure that everything was solid and secure right from the beginning. On the flip side, due to immense economic pressures, some treated cybersecurity and privacy practices as an afterthought. They added seasoning and spices to a cooked dish, sprinkling them on top. And if you know anything about Indian cooking, you’d understand how important it is to infuse the seasoning and spices throughout the preparation stage, rather than just sprinkling them on top. Because it doesn’t really work that way.
The point I’m trying to make is that we as consumers have become much savvier about the cybersecurity, privacy, and consent management practices of online businesses. We are well aware of the value of the data we hold, and we want to know if the businesses we’re dealing with value our data as much as we do. We want to see that they’re putting the right controls in place to safeguard our data. So, in the competitive retail landscape, transparency, authenticity, and trust are everything. The question is, how do you build that trust? How do you ensure that customers feel their data is being appropriately protected and not being misused or sold online?
Aziza: And when you talk about trust, then this leads us to a really interesting framework – The Zero Trust Framework. Can you talk to us a bit about zero trust policies, what it is, and how might businesses adopt or start adopting it?
Jay: Absolutely. So, most businesses, including retail businesses, rely on conventional approaches to security that are still heavily reliant on perimeter defense. The approach was reasonable at the time when it was created, as the idea was to build big walls around the castle to keep the bad guys out. But in today’s day and age, the old-school perimeter defense is like guarding the front door and leaving all of the windows wide open. Not exactly the wise or best strategy when your critical systems and applications are spread across on-prem private data centers and in the cloud. Now, courtesy of the rapid cloud adoption and the shift to a remote workforce, fueled by the COVID-19 pandemic, the perimeter is starting to fade and completely disappear. So, zero trust as a strategy focuses more on securing not just the perimeter but what needs greater protection. And it removes any implicit trust in users or devices just because these users and devices are appearing on your corporate network.
Now, let’s address the question of where organizations begin their zero-trust journey. And the first step is very basic. You’ve got to start with educating your key stakeholders, your boards, and your leadership teams on the core principles of the Zero Trust Strategy, which include five basic principles: focus on authentication and authorization at every single step, removal of any implicit trust just because someone seems to be on the corporate network doesn’t mean that they can be trusted. Aligning security initiatives with the business value that they deliver. The moment we start aligning the business value and why are we enabling this security feature tool or process, it connects the dots for the business. They can see where they’re getting the value. Adopting an “assumed breach” approach which we discussed, there needs to be greater focus and emphasis on capabilities to detect, respond, and recover as opposed to just protect. And lastly, think of zero trust as a journey and not a sprint. You can’t really just think of it as a destination that you need to get to. You’ve got to constantly keep working towards zero trust. You may never be able to achieve zero trust, but at least you’re working or shifting away from unreserved trust to zero trust. That’s the ideal first step to start the journey with.
Aziza: If we’re to look outside of the zero-trust framework, what other solutions can retailers adopt to cope with cyber attacks?
Jay: I think we could just keep things very basic. We talked about the importance of prioritizing cyber hygiene. Then there is this art of identifying assets that are most crucial to the business and ensuring that there is a combination of preventive, detective, responsive, as well as recovery controls designed and operating effectively around these high-value assets that are critical to your business. Segmenting the network is another technique that would limit movement of lateral movement of threat factors if they’ve already got access to a system in your network. They wouldn’t be able to hop and move laterally onto other systems. Enforcing Multi-factor authentication capabilities on all of your web-based platforms and applications. Those are really sensible approaches. Leveraging contextual information that the user brings, such as device fingerprint, location, the identity of the user, role assigned to the user, and enforcing conditional access controls. These are all important steps as well. Educating the entire workforce is very critical, but remember it’s not just our crew or just the employees. It’s about our allies too, a supply chain, just like forming alliances in the game. We’ve got to check the armor of our allies. One weak link in the chain can lead to a domino effect, which is where I think a lot of organizations continue to focus on strengthening controls that are limited to themselves without really witnessing or noticing what are these supply chain repercussions. What are these suppliers that we’re relying on that are delivering material services to us, and how are we even making sure that they’ve got the appropriate level of security capability or maturity or risk capabilities? I think it’s, you know, one like I was saying, one weak link in the chain has a domino effect, could affect you, and which is where I think that is another sort of space that organizations can focus on.