Thales Blog

Organizations Need a New NetSec Approach, Reveals Verizon’s 2021 Mobile Security Index

April 20, 2021

Ashvin Kamaraju | Vice President of Engineering, Strategy & Innovation

Organizations suffered an unprecedented number of cyberattacks in 2020. The FBI’s Cyber Division received as many as 4,000 complaints of digital attacks a day in H1 2020, as reported by The Hill. That’s a 400% increase compared to what investigators saw prior to the pandemic.

Many of those security events bore fruit for attackers. In the 2020 Data Threat Report – Global Edition, more than a quarter (26%) of senior security executives from around the world with responsibility for their organizations’ IT and data security told Thales that their employers had experienced a data breach in the past year.

Contributing Factors to These Attacks

In its Mobile Security Index (MSI) 2021, Verizon explained that COVID-19 might have had something to do with this rise in digital attacks and data breaches:

One factor contributing to these results is the pressure put on companies to relax security policies due to the measures needed to cope with and adapt to COVID-19…. Companies were also likely to have been distracted. This could mean that they have not spotted compromises, or if they did spot them, they were not diligent in tracing them back to identify all involved sources.

It’s possible these sacrifices and distractions affected organizations’ digital security efforts beyond just incident response. Take the task of restricting public Wi-Fi use, as an example. In the MSI 2021, more than half of respondents told Verizon that their organizations allowed employees to access corporate IT assets over public Wi-Fi. Nearly one in five survey participants said that their organizations did not even have a security policy for such access. With that said, it’s not surprising that 71% of respondents admitted to using public Wi-Fi for work-related tasks in spite of the fact that over a quarter of them (26%) said that doing so was prohibited.

Verizon’s MSI 2021, page 72

Verizon uncovered additional risks in employees’ use of home Wi-Fi networks and VPNs. The MSI 2021 found that home networks were 70% more risky than corporate networks. This could be due to the fact that fewer than a third (31%) of respondents to Proofpoint’s 2020 State of the Phish admitted to having changed the default password on their Wi-Fi router. Even fewer (19%) told Proofpoint that they had updated their Wi-Fi router’s firmware.

Meanwhile, Verizon found in its MSI 2021 that fewer than half (47%) of respondents with a VPN installed on their devices activated it. A fifth of survey participants said that they never used it or activated it only when there was no other option.

Verizon’s MSI 2021, page 73.

What This Means for Organizations Going Forward

The findings above highlight the need for organizations to strengthen and evolve their approach to security using Zero Trust principles. These are foundational principles for designing next-generation security architectures.

According to the U.S. National Institute of Standards and Technology’s (NIST) “Zero Trust Architecture” publication, SP 800-207, “Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Zero trust is not a single set of technologies an organization can purchase. Instead, it is a guiding principle that organizations must commit to and adopt gradually as they shift resources from on-premises to the cloud and allow employees to connect from home to these resources, whether on-premises or in the cloud. The zero trust paradigm shifts emphasis toward concepts such as least privilege, continuous authentication, and micro-segmentation as a means to change the posture of security to reflect the new realities of an evolving IT environment.

To help them embrace a Zero Trust mindset, Verizon recommends that organizations take these steps: First, they must authenticate users with multi-factor authentication (MFA), biometrics and one-time passwords (OTPs). Next, they must limit access to assets and resources and implement the principle of least privilege by segmenting the network and deploying an identity-centric approach to security.

For more information about the network security challenges facing organizations today, download your copy of Verizon’s MSI 2021 here.