Why are we still losing the ransomware battle in the age of zero trust?

Jul 06, 2023

Before ransomware began generating billions of dollars for cybercriminals, we had “simple” computer worms, with similar self-replicating capabilities, focused mostly on mischief and wanton destruction.

Did you know that the first major cybersecurity worm event happened in 1988? At the time, anywhere from 2-10% of all computers attached to the internet were infected by the “Morris Worm,” which took advantage of system vulnerabilities and “transitive network trust” to spread. Though the creator suggests he did not intend the worm to be actively destructive, it highlighted a major weakness in computer networks at the time.

Here are a few other famous worms you might have heard about: Melissa, ILOVEYOU, Code Red, Nimda, SQL Slammer, Blaster. All of these were unleashed over 20 years ago.

Fast forward to names like WannaCry, Petya, NotPetya. I bet you have heard of the Maersk incident. That was six years ago.

Zero trust architecture principles were first discussed by the Jericho Forum in 2003, in recognition of the risk created by the inherent trust placed in computer systems on the same network, the very trust that all of the above worms took advantage of to do their damage.

Why, then, are so many IT shops still not taking any action 35 years after we saw the first worm events? We all have the tools, knowledge, and resources required at our fingertips. There are no excuses left.

Part of my role at Zscaler is acting as an evangelist, not just for the products we produce, but also for the base concepts of “zero trust” – the sexy marketing phrase that describes the changes in network architecture design principles needed to combat the cybersecurity threats posed today.

I talk to enterprises of all sizes, from multinational conglomerates to small-and-medium to not-quite-mom-and-pop-sized businesses. While everyone recognizes the need to change from the network perimeter security model we’ve leaned on for the past 20-30 years, I’m dismayed sometimes at the lack of action from businesses outside of the large enterprise space. Just as dismayed that there are many companies out there that still have not implemented blanket MFA policies across their application suites. 🙄

I’d go as far as to say that any IT leader who has not gone beyond talking about zero trust has failed in their responsibilities. They are derelict in their duties and negligent in their role, just as much as any IT leader who has not enforced MFA across the board.

This isn’t a vendor telling you to change in order to generate sales, this is the entire IT industry along with government bodies across the globe telling you that we are doomed without change.

Last week I hosted an executive roundtable discussion at Milwaukee’s Summerfest Tech on the topic of zero trust, and of the roughly 15 participants quizzed on “Where are you on your zero trust journey,” only one CISO said they were seriously talking about it. Everyone else just shrugged their shoulders and admitted to having taken no action or not having any plans in place. This experience wasn’t unique to this event. As I said, it’s something I’ve witnessed across all industries across the globe over my last two years in this role, but as time marches on, these responses are getting harder to comprehend.

The following day I presented a session at NLIT 2023, a DOE-affiliated cybersecurity conference, and I asked the same question. There were many more hands up, with different labs and agencies taking positive action towards zero trust architecture principles.

What? Government agencies evolving faster than their commercial counterparts? Has the world turned upside down? How could that be?

The 2008 remake of the movie “The Day the Earth Stood Still” includes a relevant quote that I’ll paraphrase here: Only at the brink of destruction do humans find the will to change, only at the precipice do we evolve.

How true this is in the cybersecurity world.

The U.S. government is forcing agencies to adopt zero trust through Executive Order 14028. People’s jobs are at stake if they don’t change.

On the commercial side, though? Some enterprises have that rare IT leader unicorn pushing their organizations towards zero trust. Others? Well, it seems they are waiting for that precipice to approach, most likely in the form of a ransomware incident that threatens to bring the entire company down, or their cyber-insurance premiums skyrocketing or coverage outright denied due to the inherent cyber risks in their antiquated infrastructure.     

What is needed outside of an actual ransomware incident to initiate a zero trust journey?

Two things:

  1. Strong IT leadership that can clearly articulate the need for change to the business
  2. Business leaders that empower their IT organizations to evolve

Nothing else. Have these elements in place? Go do it.

How do you get started?

  • Read the NIST Zero Trust Special Publication (It’s only 57 pages. You can do it!)
  • Start implementing a policy enforcement point (PEP) between your users and your applications (yes, even your cloud apps):
    • Start with your remote users
    • Continue with your on-premises users
  • In parallel, figure out your priorities, link them to business outcomes, and plan out the rest of your journey
  • Profit!
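To make the PEP step concrete, here is an added example of the decision a policy enforcement point makes on every request, placed beside the perimeter decision it replaces. It is illustrative code written for this post, not Zscaler product code and not the NIST reference design; the LAN range, application policy table, group memberships and sample requests are all constructed. The point it shows is the one the worm history above makes: under the perimeter model, a compromised host on the internal network reaches neighbouring applications with no identity at all (the “transitive network trust” the Morris worm rode), whereas the PEP checks identity, MFA, device posture and per-application authorization and never consults network location.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed "corporate LAN" range that the perimeter model treats as trusted.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed per-application policy: which groups may reach the app and
# whether a managed, patched device is required to do so.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True},
    "wiki": {"groups": {"finance", "engineering"}, "require_managed": False},
    "db-admin": {"groups": {"dba"}, "require_managed": True},
}

# Constructed identity-provider group memberships.
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "dave": {"dba"}}


@dataclass(frozen=True)
class Request:
    """One access attempt as seen by the enforcement point."""
    user: Optional[str]   # authenticated identity, None if none was presented
    mfa: bool             # session completed multi-factor authentication
    device_managed: bool  # device is enrolled in management
    device_patched: bool  # device passes the posture (patch level) check
    src_ip: str           # where the request came from
    app: str              # the specific application being requested


def perimeter_decision(req: Request) -> bool:
    """Legacy model: a source on the LAN (or VPN) is trusted and reaches everything.
    Identity, MFA and device state play no part, which is the transitive trust
    that a worm or ransomware strain exploits once a single host is compromised."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """PEP logic: identity, MFA, device posture and per-app authorization are
    checked on every request. Network location is deliberately not an input."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if req.user is None:
        return False, "no authenticated identity"
    if not req.mfa:
        return False, "MFA not completed"
    if policy["require_managed"] and not (req.device_managed and req.device_patched):
        return False, "device posture does not meet the app's requirement"
    if not (USER_GROUPS.get(req.user, set()) & policy["groups"]):
        return False, f"{req.user} is not authorized for {req.app}"
    return True, "allow"


# Constructed sample traffic. The first entry models a compromised internal host
# reaching for a neighbouring application with no identity at all.
SAMPLE_REQUESTS = {
    "compromised_internal_host": Request(None, False, False, False, "10.4.7.22", "payroll"),
    "alice_remote_mfa_managed": Request("alice", True, True, True, "203.0.113.7", "payroll"),
    "alice_internal_no_mfa": Request("alice", False, True, True, "10.4.7.23", "payroll"),
    "bob_internal_mfa_wrong_app": Request("bob", True, True, True, "10.4.7.24", "payroll"),
    "bob_remote_unmanaged_wiki": Request("bob", True, False, False, "198.51.100.9", "wiki"),
}


def compare(requests=SAMPLE_REQUESTS):
    """Return {name: (perimeter_allows, zero_trust_allows, reason)} per request."""
    out = {}
    for name, req in requests.items():
        allowed, reason = zero_trust_decision(req)
        out[name] = (perimeter_decision(req), allowed, reason)
    return out


if __name__ == "__main__":
    for name, (perim, zt, reason) in compare().items():
        print(f"{name:28s} perimeter={'ALLOW' if perim else 'DENY':5s} "
              f"zero_trust={'ALLOW' if zt else 'DENY'} ({reason})")
```

Running it prints one line per sample request. The two rows worth staring at are the compromised internal host (perimeter ALLOW, zero trust DENY) and the remote finance user with MFA on a managed device (perimeter DENY, zero trust ALLOW): the PEP is both stricter where the old model was blind and more permissive where the old model forced a VPN detour, which is why the post suggests starting with remote users.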

It really is that simple to start off down the path we know we’ve had to tread for at least two decades. I did it myself.

Without doing so, too many will end up being the next ransomware headline or losing billions in market cap after reporting a breach. 
