Trust no one and nothing. Always verify. That is the overarching theme of the Zero Trust model. More and more organisations are adopting a Zero Trust approach across their infrastructure, including email security, with policies that require verification for everyone and everything, regardless of who they are. With phishing attacks and email-based threats growing in number and sophistication, we want to look at why you should be considering a Zero Trust model for your security infrastructure if you have not done so already.
Cybercriminals have used the pandemic to target our emails, impersonating people we trust with great success. Attackers can now craft highly sophisticated emails that look legitimate, with the end goal of convincing the recipient to click a malicious link or send sensitive information and files. HMRC last year reported a 73% rise in email phishing attacks in the first six months of the COVID-19 pandemic in the UK.
With Zero Trust Security, every access request is fully authenticated, authorised and encrypted before any access is granted. Every request is handled on the assumption that a breach has already occurred, with the aforementioned ‘Trust no one and nothing’ theme at its heart. Applying a Zero Trust approach to employee email, with a primary focus on authentication, gives organisations an extra layer of protection and helps ensure that the emails reaching our inboxes are legitimate.
The three main things to remember are:
One of the most common and effective authentication methods used by businesses today is Multi-Factor Authentication (MFA), whether in the form of a code sent to your phone, an authenticator app, or even a fingerprint scan. Microsoft has previously reported that MFA can block over 99% of account compromise attacks, and it is relatively simple to implement throughout an organisation.
Despite all of this, the time and money invested in the Zero Trust model will be ineffective if employees do not adopt a Zero Trust mentality in everything they do, both in the office and, most importantly, when working remotely. There has been a considerable increase in the number of remote workers clicking links in suspicious emails that reach their inboxes, causing significant breaches and data losses.
Therefore, ongoing cybersecurity awareness training and reminders are vital to ensure there are no cracks in your armour and that employees are aware of the latest threats. Education on the signs of a suspicious email, and on how to report one, is needed in conjunction with a Zero Trust strategy.
As long as the rewards are worth it, cybercriminals will continue to target organisations’ data in order to force a ransom payment. Effective authentication and employee cybersecurity awareness training, working hand in hand, are the most secure way to protect your organisation from the ever-changing threat landscape, especially as devices move outside the usual security perimeters.
eacs offers a comprehensive suite of security products and services to help keep your organisation safe. Our Cyber & Security Practice provides advice and services that will ensure you are protected against the ever-changing threat landscape and is modelled against the predict, prevent, detect and respond methodology.