How Cybersecurity Is Evolving and What Boards Should Know

Nicholas J Price
For some time now, the motto for cybersecurity has been "trust but verify." With hacks continuing to be prevalent, companies are finding that they need to take their approach to cybersecurity a step further. For instance, a stubborn computer virus at Lexmark International Inc. led to a new philosophy: true cybersecurity means we should trust nothing and no one. Such a big change in strategy means that companies need to invest a bit more time and money in systems, as well as in getting everyone in the company on board with the philosophy. While the philosophy seems emphatically restrictive, the reality is that it gives users even more freedom because it limits their access to only the computer systems that they need to do their jobs successfully.

How Lexmark Created a Barrier to Trust in Cybersecurity

Four years ago, the IT team at Lexmark was forced to face one of its worst nightmares. They arrived at their office only to find that a serious virus had infected the company's entire computer system. The malware had infected over 8,500 users in multiple offices. As it turned out, there was no easy fix for the Kwampirs malware, which plagued the company for months. The IT team worked diligently to understand how the malware did its dirty work so they could start controlling it and get the appropriate software patches in place. The virus was severe enough that the FBI even became involved at one point.

Lexmark's IT team realized how vulnerable their system was, in part because many of their employees worked at various locations. Some employees even worked at home or in public spaces. Without much forethought, the company had allowed its employees to use its software without ensuring that those employees had a low risk of introducing malware into the company's system. In addition, the company had begun to allow its employees to use their own electronic devices in the interest of lowering costs for the company and increasing convenience for the users. The company didn't always know which people were being added, and it failed to ask which electronic devices those people planned to use. In retrospect, a simple lack of oversight led to a time-consuming and expensive cybersecurity incident.

The easy solution would have been to tighten up the system and to require all employees to work in one of its offices. However, the company considered its current infrastructure to be in keeping with today's business demands. The IT team committed to finding a solution that allowed the company to operate according to modern business principles while bolstering its cybersecurity efforts even more. The concept that they ultimately produced is "zero trust."

The Concept of Zero Trust

In a drastic move, the IT team at Lexmark put all their efforts into developing an entirely different approach to cybersecurity and perfected it over the course of two years. They developed the philosophy that no user and no device could be trusted. They developed a system that allowed them to check every file request, every database inquiry and every print command to ensure that the request was coming from someone who had the proper privileges. The team assumed that every user who attempted to log in to its system was hostile until proven otherwise. They refused to allow for exceptions and assumptions. They also required users to register their devices and validate them before they could use their devices on the company network.

The zero-trust concept isn't entirely new. Forrester Research Inc. toyed with the idea about 10 years ago. Those attempts were a little before their time. The maturation of cybersecurity protocols makes the zero-trust philosophy a practical one. Today's corporations have less to lose by giving it a try, as 2019 was potentially one of the worst years on record for the number of files being exposed by a single data breach. Google LLC has also made a public statement supporting zero-trust principles. One of the major benefits of the zero-trust philosophy is that, in addition to bolstering the trust of systems and devices, it also requires the trust of users.

What Are the Components of the Zero-Trust Strategy?

Zero trust leans more heavily on the philosophy side than on the technology side. Most organizations are already using many of the necessary tools and processes, including multi-factor authentication, identity management, network segmentation and IT asset management. The most time-consuming part of the process is cataloging all of a company's information assets and rating them according to sensitivity. In addition, it's useful to enlist the help of automation and identity controls to protect users. IT teams still have to deal with exceptions to the rule in a timely manner.

In addition to software and hardware processes, there is a human component to the zero-trust strategy as well. Companies that want to apply the zero-trust concept have to get their users on board with the notion that security is everyone's responsibility. The payoff for a little short-term inconvenience is that the company will have improved resilience overall and individual users will have a better experience. It's equally critical to get buy-in and trust from the board and senior executives right from the beginning. It's best to avoid any appearance that IT is clamping down on them. Those who have taken on the zero-trust philosophy state that the technology expenses involved aren't unreasonable and that, although the labor costs to implement it are higher, there is a payoff overall.

The End Justifies the Means with a Zero-Trust Approach to Cybersecurity

The proof of the success of the zero-trust approach to cybersecurity lies with the early adopters of the philosophy. They admit that the switch to zero trust has drastically improved their defenses. Their sentiments support the idea that the end goal justifies the means. Users also admit that they appreciate the benefits of zero trust, as it frees them from many of the traditional restrictions they've had to deal with in the past. Overall, zero trust appears to be a win-win for everyone.