In the fight to safeguard the world's most critical digital assets across industries, even a casual observer can tally the catastrophic breaches and ransomware attacks over the past several years and glean the truth of the situation: the good guys are losing.
SolarWinds, Colonial Pipeline and Kaseya are just some of the best-known security breaches, but a multitude of lesser-known attacks continue to cripple operations for organizations and businesses — even hospitals and schools — leading to damaged reputations, enormous financial losses and halted services.
Now the attackers have sunk to new lows: threatening educational systems. The Los Angeles Unified School District, one of the U.S.’s largest school districts, suffered a ransomware attack in September that district officials said caused “significant disruption” to computer systems. Immediately following the attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that cybercriminals may soon launch a wave of attacks against schools, just as many of the country’s children return to class.
Organizations must assume breach
An Illumio and ESG survey conducted earlier this year found that nearly half (47%) of security leaders do not believe that they will suffer a breach. They believe this in the face of near-constant breaches and attacks, where organizations continue to hemorrhage millions in losses to ransomware — despite having legacy and perimeter security defenses in place.
The time has come for everyone working in cybersecurity to stop telling themselves bedtime stories. History has proven that if sophisticated hackers put a network in their sights, they can eventually get in. That's the reality of the world today: breaches are bound to happen. Today's hyperconnected infrastructure has opened new doors for attackers, providing them not only with more opportunities to gain access, but also the ability to move across environments with ease. What organizations need now is clear-eyed pragmatism. The community an organization serves won’t care if they've invested large sums and countless working hours into creating an “ironclad” perimeter defense if they’re still getting breached.
Today, if there’s one fundamental truth to emerge from this long, dark period for the security profession, it is this: legacy paradigms and traditional prevention-at-the-perimeter approaches alone are no longer enough. Modern organizations across industries — particularly in sectors like education, where resources are often limited — must turn to an “assume breach” approach to cybersecurity: a zero trust approach. This strategy reduces the risk from inevitable cyberattacks by proactively limiting the reach of a breach.
Trust in zero trust
Zero trust is not one product or platform. It is a security framework built around the concepts of “never trust, always verify” and “assume breach.”
A critical component of zero trust is segmentation. This describes how network areas, workloads and devices are isolated to prevent intruders from moving across networks, therefore limiting their impact even after an initial breach. In a segmented environment, intruders are immediately confined to where they entered the data center, endpoint or network — making their initial entry point their only point of access. It’s the equivalent of a burglar entering a hotel and discovering that they’re trapped in a single room — stuck and isolated with nowhere to go. Although there may be some initial losses, the rest of the IT estate remains secure.
For example, imagine that one student or teacher clicks on a phishing link and their laptop gets infected with ransomware. Without zero trust segmentation, that ransomware infection could spread to every school laptop and/or to the school district’s cloud and data center environments. But with zero trust segmentation in place, the ransomware has nowhere to go. It reduces risk for the school district at large.
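To make the school-laptop scenario concrete, here is a small added simulation (not code from the original article or from Illumio) that measures the blast radius of a worm-style infection under a flat network versus a default-deny, label-based segmentation policy. The host inventory, role labels and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical school district estate): host -> role label.
HOSTS = {
    "laptop-1": "student-laptop",
    "laptop-2": "student-laptop",
    "teacher-1": "teacher-laptop",
    "file-srv": "file-server",   # data center
    "sis-db": "database",        # data center
    "lms-web": "web",            # cloud
}

# Ports worm-style ransomware commonly uses to hop between hosts (SMB, RDP).
LATERAL_PORTS = {445, 3389}

# Label-based allow list: (source role, destination role, port). Anything not
# listed is denied, which is the "default deny" at the heart of segmentation.
ALLOWED_FLOWS = {
    ("student-laptop", "web", 443),
    ("teacher-laptop", "web", 443),
    ("teacher-laptop", "file-server", 445),
    ("web", "database", 5432),
}

def flat_policy(src, dst, port):
    """Unsegmented network: every host can reach every other host on any port."""
    return src != dst

def segmented_policy(src, dst, port):
    """Zero trust segmentation: allow only flows explicitly listed by role."""
    return src != dst and (HOSTS[src], HOSTS[dst], port) in ALLOWED_FLOWS

def blast_radius(start, policy, ports=LATERAL_PORTS):
    """Set of hosts an infection starting at `start` can reach by hopping over
    `ports` under `policy`: a breadth-first search over the allowed-flow graph."""
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in reached and any(policy(cur, nxt, p) for p in ports):
                reached.add(nxt)
                queue.append(nxt)
    return reached

if __name__ == "__main__":
    for name, pol in (("flat", flat_policy), ("segmented", segmented_policy)):
        print(f"{name:9} laptop-1 -> {sorted(blast_radius('laptop-1', pol))}")
```

Note that even the one permitted SMB flow (teacher laptop to file server) only extends the blast radius by a single hop; the database and cloud workloads stay out of reach.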
Zero trust’s success isn’t a secret — many security leaders are seeking it out. According to ESG, an overwhelming majority (90%) of business leaders said that advancing zero trust strategies is one of their top three security priorities this year. According to those surveyed, they’re turning to zero trust to improve cyber resilience and reduce the risk of cyberattacks snowballing into calamities. The survey showed that more decision makers plan to increase investments into zero trust, with 39% of all security spending over the next year earmarked to advance zero trust initiatives.
Act to build resilience across communities
Too much is at stake and there’s too much vulnerability in the era of hyperconnectivity, hybrid work and remote schooling to wait and cling to the status quo. It’s helpful to have a solid plan on paper, but organizations and the communities they serve won’t be any more secure until they start implementing that strategy.
We know that schools and other entities with limited resources are often vulnerable to cyberattacks, “but even well-defended school systems can be at risk to opportunistic hackers,” CNN writes.
As more organizations find themselves in the throes of the next ransomware wave, it’s imperative that security and organizational leaders prioritize shoring up high-value assets (personally identifiable information and other sensitive data) first — since that’s what bad actors are most often after. Make sure to have a comprehensive understanding of the entire infrastructure (end-to-end visibility is key here) to inform how leadership should prioritize reducing risk, and leverage that visibility to inform the security approach.
Regardless of which security controls an organization implements first, zero trust should be at the forefront of its cyber resilience strategy. In fact, the U.S. government continues to strongly endorse a shift to zero trust, making it a cyber resilience best practice. Assume breach. Minimize impact. Increase resilience. That’s the end goal, and that’s where we need to get to in order to ensure safer digital environments for all our communities.