The road to zero trust

Digital transformation and distributed workforces are two of the defining features of modern work. Both have benefited employers and employees alike, but they present a significant security risk. In response, many organisations are adopting a zero-trust strategy. This is a security model, based on least-privilege access and repeated ID verification, that assumes by default that anyone seeking to access a network is hostile until they can prove otherwise. How do IT professionals envision the development of this model and what challenges do they face in implementing it?

At Davos this year, Sadie Creese, a professor of cybersecurity at the University of Oxford, warned of “a gathering cyber storm”. The rise in cyber attacks over the past few years and the increased frequency of attacks on core services like air transport, health and energy supply, have been well publicised. But this remark highlighted how perfect the current conditions are for a major cyber attack - and just how severe the consequences could be. Indeed, research from the World Economic Forum found that 91% of respondents believed a catastrophic cyber event was likely to happen within the next two years.

The high level of risk has motivated many tech leaders and security chiefs to embrace a zero-trust model. These decision makers expect zero trust to support strategic business goals like digital transformation and cloud adoption, but the main benefits are thought to be a modernised cybersecurity programme (51%) and a reduction in the number of cybersecurity incidents (43%).

As of 2022, 30% of organisations had implemented a zero-trust strategy. Fifty percent were either actively planning a zero-trust strategy, or were at least considering its use. Only 20% of firms had no plans to utilise zero trust. Gartner, a management consulting company, predicts that by 2025 60% of organisations will use zero trust as a starting point.

For those not sure where to begin, the most important tools for zero trust are single sign-on for employees, multi-factor authentication and an employee directory connected to cloud apps, according to respondents that have already adopted those tools. Throughout 2023, security leaders will be prioritising secure access to APIs and privileged access management to cloud infrastructure.

Of course, businesses face a number of hurdles in implementing zero trust. Funding is unsurprisingly a significant barrier, but the number-one problem for nearly a quarter of respondents is lack of qualified vendors with a complete zero-trust solution.

Firms are also encountering several problems with their current zero-trust strategies. Three in five businesses (59%) struggle to authenticate users and devices on an ongoing basis - a fundamental component of zero trust if it is to be accessible - and another 54% have trouble monitoring users after they’re authenticated.

With “a gathering storm” on the horizon, ensuring robust cybersecurity will continue to be a priority among business decision-makers. Zero trust may be the answer for many organisations, but there’s work to be done before zero-trust adoption becomes widespread and the benefits are fully realised.