Cybersecurity: why Zero Trust is best
Matthew Evetts explains why taking a ‘Zero Trust’ approach to cybersecurity could keep New Zealand businesses more secure.
According to the government’s Computer Emergency Response Team (CERT), $20 million was taken from New Zealanders by scammers in 2022, as cybercriminals continue to adopt new and more sophisticated scams. That loss was 19 percent higher than in 2021, at a time when living costs are rising and people really can’t afford to be giving money away to scammers.
If you live any of your life online, you’re almost certain to have been targeted, and cybercriminals are getting better at it. Gone are the days of badly worded appeals for money from a random prince. Now you’ll get short, believable texts and emails which appear to come from friends, relatives or organisations you already deal with.
Cybercriminals often rely on human behaviour, such as clicking on links or downloading and opening or running files. Reports show that 82% of all breaches involve a human element, which is why CERT has just introduced a new critical security control focused on getting businesses to provide adequate security awareness and training to their people.
How can we deal with these threats – at home and at work – without shutting down entirely? The answer is Zero Trust, the gold standard in cybersecurity you’ve probably never heard of.
When you first hear the words Zero Trust, you might think it’s not really the Kiwi way. We’re a friendly bunch who are generally trusting of others. Our society wouldn’t function so well – or at all – if we didn’t trust each other. So how do we keep the valuable part of living in a trusting society, while dealing with the vulnerability that this inevitably creates?
We don’t have to put up the shutters, we just need to take a different, more disciplined approach. In a workplace context, Zero Trust means the default position for an organisation’s IT security is that every person and device must be verified and authorised before getting access to information, devices or networks.
This means having the right processes, policies (guardrails) and technology in place to help prevent employees from ‘tripping up’ and generally make it harder for the bad guys. This could be as simple as not giving access to files that an individual doesn’t need to do their job. It’s about enforcing minimum standards like multi-factor authentication on every account. It’s also about educating employees so they know what to look for, what is expected of them, and that they understand they have a role to play in the security of their workplace. It’s a two-way street.
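What that default position looks like when written down as a rule is easier to see in code than in prose. The following is an added example, not code from the article or from Datacom: a deny-by-default access decision that checks, for every request, a known identity, a second factor, a registered and compliant device, and a least-privilege role grant, and explains which check failed. The users, devices, roles and resources are constructed for the demonstration.

```python
"""Deny-by-default Zero Trust access decision (illustrative, constructed data)."""
from dataclasses import dataclass, field

# Constructed directory: who exists, their role, and whether MFA is enrolled.
USERS = {
    "ana": {"role": "accounts", "mfa_enrolled": True},
    "ben": {"role": "sales", "mfa_enrolled": False},
}

# Constructed device inventory: only managed, encrypted, patched devices count as compliant.
DEVICES = {
    "laptop-ana-01": {"managed": True, "disk_encrypted": True, "patched": True},
    "byod-phone-ben": {"managed": False, "disk_encrypted": True, "patched": True},
    "laptop-ben-02": {"managed": True, "disk_encrypted": False, "patched": True},
}

# Least privilege: each role is granted only the (resource, action) pairs its job needs.
ROLE_GRANTS = {
    "accounts": {("payroll", "read"), ("payroll", "write"), ("crm", "read")},
    "sales": {("crm", "read"), ("crm", "write")},
}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    action: str
    mfa_verified: bool = False  # second factor completed for this session


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def device_is_compliant(device_id):
    """A device must be in the inventory and meet every baseline control."""
    d = DEVICES.get(device_id)
    return bool(d and d["managed"] and d["disk_encrypted"] and d["patched"])


def evaluate(req):
    """Nothing is allowed unless every check passes; collect every failure."""
    reasons = []

    user = USERS.get(req.user)
    if user is None:
        reasons.append("unknown identity")
    elif not user["mfa_enrolled"]:
        reasons.append("account has no second factor enrolled")  # MFA on every account
    elif not req.mfa_verified:
        reasons.append("second factor not completed for this session")

    if req.device not in DEVICES:
        reasons.append("device not registered")
    elif not device_is_compliant(req.device):
        reasons.append("device not compliant")

    if user is not None:
        grants = ROLE_GRANTS.get(user["role"], set())
        if (req.resource, req.action) not in grants:
            reasons.append(f"role {user['role']} has no {req.action} grant on {req.resource}")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    for r in (
        Request("ana", "laptop-ana-01", "payroll", "write", mfa_verified=True),
        Request("ana", "laptop-ana-01", "payroll", "write"),
        Request("ben", "laptop-ben-02", "crm", "read", mfa_verified=True),
        Request("mallory", "laptop-ana-01", "payroll", "read", mfa_verified=True),
    ):
        print(r.user, r.device, r.resource, r.action, "->", evaluate(r))
```

The point of returning every failed reason rather than the first one is that a stolen password on its own is not enough: a valid account used from an unmanaged device, or one that skipped the second factor, is still turned away, and the reasons tell the help desk what the person needs to fix.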
For people at home, I would describe Zero Trust as continually asking in your online interactions “who are you and do I trust what you’re doing?” Until I’m comfortable with the answer I’m not going to let you go any further.
For example, you might get an email that seems to be from your partner, or a workmate. Someone who if they showed up at your desk or home, you’d immediately trust. But online, you don’t have that physical recognition factor, so you have to be more cautious. Before you click a link or open an attachment, look closer. Is the email address real? Is the link weird? Would my partner/workmate send me something like this or talk that way?
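The three questions above can be turned into checks a mail filter or a careful reader can run. What follows is an added example, not part of the original article: it takes a constructed phishing-style email and flags a Reply-To that goes somewhere other than the From domain, links whose visible text shows one address while the real target is another, and domains that are lookalikes (a character or two off a domain you already deal with, or an internationalised "xn--" domain that can mimic one). The trusted domain list and the sample message are made up for the demonstration.

```python
"""Red-flag checks for a suspicious email (illustrative, constructed sample)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this reader already deals with (constructed for the demo).
TRUSTED_DOMAINS = {"example.co.nz"}

# Constructed sample: a short, believable "workmate" email with the tells discussed above.
SAMPLE_EMAIL = """\
From: "Sam (Accounts)" <sam@example.co.nz>
Reply-To: sam.accounts@examp1e.co.nz
Subject: Quick one - can you approve this invoice?
Content-Type: text/html

<html><body>
<p>Hey, need this paid today, can you check it?</p>
<p><a href="https://xn--exmple-cua.co.nz/login">https://example.co.nz/invoices/4471</a></p>
<p><a href="https://example.co.nz/help">Help centre</a></p>
</body></html>
"""

KIND_TEXT = {
    "punycode": "is an internationalised (xn--) domain that can mimic one you know",
    "lookalike": "is one or two characters off a domain you know",
}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of_address(header):
    """'Name <user@host>' -> 'host' (lower-cased; '' if absent or unparseable)."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()


def host_of_url(url):
    """Hostname of a URL, lower-cased, without port ('' if it is not a URL)."""
    return (urlparse(url).hostname or "").lower()


def levenshtein(a, b):
    """Edit distance, used to catch near misses such as examp1e.co.nz."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """'trusted' | 'punycode' | 'lookalike' | 'unknown' for one hostname."""
    if not domain:
        return "unknown"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "punycode"
    if any(levenshtein(domain, t) <= 2 for t in trusted):  # crude; tune for short domains
        return "lookalike"
    return "unknown"


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in one raw email."""
    msg = message_from_string(raw)
    findings = []

    from_domain = domain_of_address(msg.get("From"))
    reply_domain = domain_of_address(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not the From domain {from_domain}")
    for label, domain in (("From", from_domain), ("Reply-To", reply_domain)):
        kind = classify_domain(domain, trusted)
        if kind in KIND_TEXT:
            findings.append(f"{label} domain {domain} {KIND_TEXT[kind]}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        real_host = host_of_url(href)
        shown_host = host_of_url(text) if "://" in text else ""  # only when the text is itself a URL
        if shown_host and shown_host != real_host:
            findings.append(f"link shows {shown_host} but really goes to {real_host}")
        kind = classify_domain(real_host, trusted)
        if kind in KIND_TEXT:
            findings.append(f"link target {real_host} {KIND_TEXT[kind]}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks proves an email is safe; a message that raises no flag can still be a scam sent from a genuinely compromised account. They do reliably catch the cheap tricks, and each finding is phrased so a non-technical reader can see why the message should be treated with suspicion.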
Zero Trust matters so much because of the shift to targeting people rather than systems. These days only a few scams are the equivalent of a bank robbery; most are more like smooth talking the bank teller into cleaning out your account. Even worse, once an attacker finds a way in, they quickly move to other parts of your life: your friends, relatives or your workplace. A Zero Trust model stops them getting into your world and makes this movement hard.
In a 2022 Datacom-commissioned study by Forrester Consulting, which surveyed over 200 cybersecurity leaders in Australia and New Zealand[1], 83% agreed that Zero Trust is the future of their firms’ security, yet 59% felt their existing security approach was antiquated and that they needed to accelerate their shift to a Zero Trust framework.
It’s difficult to overstate the size of the risk that this represents and how urgent the work is to reduce it. Cybercrime is on the rise, and organisations need to act now to improve their security to avoid exposing their organisation to risk.
Another reason to adopt Zero Trust is that, if implemented well, it has a positive impact on the employee experience, particularly in the hybrid or work-from-home environment. It makes it easier for staff to access the information and tools they need, while keeping them safe. Zero Trust gives the right people access to the right data and applications at the right time, while significantly reducing the risk of successful cyber-attacks.
There’s a wider, societal benefit to this too. Introducing Zero Trust and improving security awareness and training for staff as CERT recommends, will protect your business and your employees at home. The more businesses that adopt it and the more widely Kiwis understand and act on the concept, the better protected we’ll all be as a society. A herd-immunity from cybercrime.
So it might seem weird for a country as open and friendly as Aotearoa New Zealand, but Zero Trust is the future.
Matthew Evetts is Director for Cybersecurity at Datacom, and has over 20 years’ experience in business and IT.
Sources: CERT’s latest critical control relating to people: https://www.cert.govt.nz/it-specialists/critical-controls/security-awareness-building/
CERT media release on their most recent annual summary: https://www.cert.govt.nz/it-specialists/news-and-events/record-losses-to-cybercrime-a-concern-even-as-reports-decline/
[1] A commissioned study conducted by Forrester Consulting on behalf of Datacom over the period March-May 2022. Survey included 204 decision-makers responsible for cybersecurity in Australia (60%) and New Zealand (40%). Company size ranged from 200 – 499 employees to 20,000 or more employees. See full report here: https://www.datacom.com/zerotrust