Why organisations should be implementing a Zero Trust framework

The mass shift to remote working over the last two years has pushed the first line of cyber defence to employees’ own devices and the cloud. It is therefore more important than ever for enterprises to consider implementing a Zero Trust framework. But what exactly is Zero Trust and why should organisations prioritise this security-first approach?

The importance of Zero Trust

A recent study reported that 49% of employees have admitted to adopting risky behaviour as they felt they weren’t being watched by IT teams, and 56% of employers believe their staff have picked up bad security practices whilst working from home. Moreover, companies are weakening their cyber security posture by allowing their distributed workforce complete freedom within the internal network.

Zero Trust, however, believes every asset, device or user is a potential threat. It is defined by the National Cyber Security Centre (NCSC) as an approach to system design where inherent trust in the network is removed. Instead, the network is ‘assumed hostile and each access request is verified, based on an access policy’. This framework removes implicit trust, ensuring malicious actors cannot access a network through hacking a privileged user’s account, ultimately reducing vulnerabilities and creating a stronger security posture across the company.

Zero Trust is also increasingly important due to the continuing cyber skills shortage, which is putting existing security teams under significant pressure. Given news that the skills crisis continues ‘on a downward, multi-year trend of bad to worse’ and has impacted 57% of organisations worldwide, a Zero Trust framework should be embraced by employers struggling to find SecOps professionals that can take ownership of network trust and access. If the workforce is lacking security experts, and the cybersecurity posture of that enterprise suffers as a result, Zero Trust can be invaluable as a first-line of defence against threat actors.

Tips for Zero Trust implementation

Beyond personnel shortages, culture also remains a barrier for implementing Zero Trust. The approach is often perceived as a strategy that goes against company values, with the fear that employees will feel untrusted. To overcome this negative connotation and create a smoother transition to Zero Trust, it is important to integrate a security-first mindset across the company and this must be implemented from the top down. With clear boardroom investment (both in time and financial support), employees will be more open to embrace Zero Trust and cyber security will become part of the DNA of the organisation.

Uncertainty about where the responsibility for this initiative sits is also challenging Zero Trust adoption. Ultimately, every member of an organisation has responsibility for cyber security – whether that is understanding the correct response to receiving a phishing email, or being comfortable with embracing a multi-factor authentication process on logging into the company server each morning.

With the ever-evolving threat of cybercrime, a Zero Trust framework should be part and parcel of an enterprise’s holistic approach to cyber defence – from awareness training to 24/7 threat detection managed services. This enables an organisation to have full control of every aspect of security operations including their data, IT infrastructure and workforce protection.