Jaime Galviz, General Manager of Microsoft Colombia, explains the benefits of the Zero Trust approach. “While cyberattacks are dynamic and growing in sophistication, the best defense is to be suspicious,” he says.
Protecting health has kept the world in suspense for a year. We have designed the strictest protocols, permanent verification systems and risk mitigation plans. However, as we move into remote operations to protect the health and that of our communities, we are creating vulnerabilities for our organizations.
Accelerated virtuality and an unprecedented amount of Digital Transformation have increased cyberattacks, threatening the operational continuity and stability of organizations. Globally, it is estimated that these attacks cost companies about US$1 trillion a year and that it takes them, on average, seven months to detect them. Too late for the digital age, where data is the greatest asset. In Colombia, figures from the most recent CCIT report show that reports of cyberattacks between March and December 2020 increased 98%.
And it is in this time of the ‘virtual everything’ that organizations are much more exposed. Remote work, from any device and any network, with access to insecure applications in unprotected environments have become the achilles heels of cybersecurity in the remote world. As it has become clear, social distancing measures are not close to ending so we will have to change our behavior.
The solution to protecting information is called Zero Trust. With this model, the implicit trust that everything within a corporate network is safe disappears, and we start from the principle – apparently paradoxical – that to trust we must distrust.
Companies that operate with a Zero Trust mindset are more resistant to cyberattacks. The first line of defense is in access to the organization’s platforms. Any access request must be evaluated and verified as a potential risk, because, in reality, it is: More than 90% of attacks are caused by human error, and the gateway to the system must be the most monitored. Multi-factor authentication (MFA) for all users at all times is a critical factor.
Zero Trust and strategy
But verifying identity secures only the point of entry to the network. Establishing minimum privileges for access to information is also essential: access permissions to information are only granted to meet specific objectives, from the appropriate environment and on secure devices to compartmentalize risks, limiting the amount of data to a potential attacker who has managed to overcome the entry barriers.
As a complement to access, it is necessary to secure the devices of collaborators. Old operating systems or vulnerable applications on personal computers are a window for malicious actors to infiltrate. Solutions that limit or block access to unknown devices, or that do not comply with your security policies are critical at this stage. Additionally, it is useless if an authorized and validated user in suitable equipment is exposed by entering unsafe applications.
Implementing an application security agent in the cloud allows you to evaluate the risk profile and decide to allow access, block them or incorporate them into your cloud environment.
So when it comes to cybersecurity, there is no better defense strategy than always considering yourself under attack. The effective protection of information becomes essential in a world where the daily lives of companies and people occur in digital environments. Today’s risks cannot be fought with tools of the past, as threats and cyberattacks are increasingly dynamic and growing in sophistication, so the best defense is to be suspicious.
People will only use technology that they can trust, which in addition to being designed with clear ethical principles respects the privacy of the information as a fundamental right of its owner. We need to know that the information about our company, our clients, our personal life or our academic activity belongs to us and is safe. And while cyberattacks are dynamic and growing in sophistication, the best defense is to be suspicious.