Record levels of ransomware, supply chain attacks, and breaches of various types are motivating organizations to prioritize “zero trust” security in 2021.
Zero trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Zero trust is not about making a system trusted; it is about eliminating trust entirely.
The unrelenting pace of breach attempts and cyberattacks continues to accelerate, making zero trust adoption increasingly urgent for enterprises, according to a recent survey of cybersecurity professionals. Eighty percent of organizations say they are planning to implement zero trust security in less than 12 months; 83% agree that zero trust is strategically necessary for their ongoing business. Additionally, the Department of Defense is now mandated to move to a zero trust approach, marking the first time a global cyber strategy requirement has been defined for a major government agency.
Ericom’s first Zero Trust Market Dynamics Survey assesses the market’s perception of the zero trust security framework, explores organizations’ plans for adoption and implementation, and identifies key issues that inhibit their moves to zero trust. Approximately 1,300 security and risk professionals participated in Ericom’s July 2021 survey.
Ericom intends to issue the survey annually to gain insights into annual trends. “Security vendors that can help organizations address their pain points around budget, complexity, and flexibility will be in a strong position to partner with businesses as they implement their zero trust programs,” said Dr. Chase Cunningham, Ericom’s chief strategy officer and a former Forrester Research analyst focused on zero trust security.
What’s driving the state of zero trust
In 2021, cybersecurity decisions carry the same weight as business decisions. Organizations realize they need a more proactive, at-parity approach to all threats, especially those that are advanced persistent threat (APT)-based and state-sponsored. Ericom’s survey results suggest that organizations are prioritizing zero trust security to protect current and planned digital business initiatives at scale across all endpoints.
Ransomware damage costs are projected to reach $20 billion this year, according to Cybersecurity Ventures. The Cybersecurity and Infrastructure Security Agency (CISA) has issued two alerts on ransomware so far this year, with a total of 17 published to date. CISA Alert (AA21-243A), Ransomware Awareness for Holidays and Weekends, reports that from January to July 31, 2021, the FBI’s Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints associated with more than $16.8 million in losses, representing a 62% increase in reporting and a 20% increase in reported losses compared to the same period in 2020. Homeland Security secretary Alejandro Mayorkas recently said that $350 million was paid out for ransomware attacks in 2020, with 2021 seeing nearly 300% more.
Zero trust security frameworks are now a regular topic at the board and C-suite levels. Executives are demanding more visibility and control across their networks to the endpoint. With those market dynamics in mind, key insights from Ericom’s Zero Trust Market Dynamics Survey include:
- Eighty-two percent of security and risk (S&R) professionals say zero trust is an essential strategy for their organizations, and 56% plan to move to zero trust in six months or less. Consistent with discussions and interviews VentureBeat has had with board members and C-level executives of distribution, logistics, financial services, health care, and manufacturing companies, most S&R professionals say zero trust is now a core cybersecurity and operations strategy they are actively pursuing. The goal is to provide least-privileged access while enforcing identity and access management (IAM) to the privileged credential level. The most popular initial focus area for respondents’ zero trust security programs is IAM, followed by network security and web security.
- C-level executives say their budgets reflect an increased emphasis on multi-cloud and hybrid cloud infrastructure as their organizations strive to become entirely virtual. Another priority is digitally transforming customer experiences online and across all channels to make them more consistent, contactless, and real time. Executives say protecting the many new digital platforms and infrastructure is another factor accelerating zero trust security adoption.
- Fifty-two percent of S&R professionals adopt zero trust security to achieve a more proactive approach to securing their core business operations. Ericom’s finding that just over half of S&R professionals want a more proactive approach to cybersecurity further underscores how organizations view such investments in zero trust security as a business decision. Traditional approaches that rely on inter-domain trust relationships can’t enforce policies at the level of individual identities, access credentials, or endpoints the way least-privileged access can. Zero trust has proven effective in overcoming the challenges of legacy systems, which further shows its effectiveness in combating sophisticated attacks. Twenty-eight percent of S&R professionals say legacy technologies drive their business, which makes changing to a new cybersecurity infrastructure difficult. While respondents are bullish on the necessity of adopting a zero trust security approach, they are less confident in their abilities to implement solutions successfully. More than 70% believe that having a partner to help implement zero trust would speed the process.
Cybersecurity investments need to scale
Ericom’s survey shows that in 2021, cybersecurity investments are as much a business decision as an operational one. Organizations’ choice to start their zero trust security journeys with IAM, network security, and web security is consistent with a business case-driven approach to funding a new cybersecurity framework. These three areas are crucial for securing IT infrastructure and operations-based systems and for protecting customer and channel identities and data.