Jo Riches, journalist

Shoring up digital defences is a relentless reality for organisations facing a rising tide of cyber-attacks putting vital financial information at risk.

As data flows seamlessly across platforms, workspaces and devices, many find themselves at a crossroads. Should they double down on existing IT defences? Or embrace a vision that challenges existing assumptions about cybersecurity?

Cybersecurity strategies must address the regulatory landscape

Companies and customers are benefitting from the convenience and functionality of cloud computing, phone-friendly apps and software as a service (SaaS). However, these powerful innovations have multiplied the number of routes hackers can use to attack networks. Grant Thornton research estimates that cybercrime cost Irish businesses €9.6bn in 2021/22, with one in three small to medium businesses in the state falling victim between May 2021 and April 2022.

Mike Harris, cybersecurity lead at Grant Thornton Ireland, says the firm’s most recent International Business Report reflects ‘the increased cybersecurity challenges facing Irish businesses’, with 48% of respondents saying they intended to increase investment over the coming 12 months and 52% having upgraded controls and testing in the previous 12 months.

Compliance brings additional challenges, since cybersecurity strategies must address the regulatory landscape. The EU’s enhanced network and information security directive (NIS 2), for example, has expanded the list of sectors subject to cybersecurity regulations and boosted enforcement measures.

‘It’s no longer about building the walls higher’

All these pressures are exacerbated by recruitment challenges for IT departments, an acute pain point in Ireland where skilled professionals are in short supply.

Never trust, always verify

A fresh approach is now being hailed as the cybersecurity shield of choice for embattled businesses. Zero-trust security assumes that traditional network perimeter defences will be breached, so solutions focus instead on strict access and authorisation controls. Zero-trust solutions may also include containment and isolation procedures, as well as continuous monitoring and analytics, and endpoint security that protects desktops, laptops and mobile devices.

Nick Seaver is cyber-risk partner at Deloitte, which recently announced it will add 300 jobs in a new technology and analytics hub at its Cork office. ‘It’s no longer about building the walls higher,’ he explains. ‘Zero-trust is redefining the rulebook, moving away from the concept of simply protecting organisational boundaries and assuming things inside those boundaries are trusted, to validating every access request and transaction every time.’

‘Verify every access, protect every data point, and never ever take security for granted’

While some may view this as too radical or complex a change, Seaver says the zero-trust approach is, in fact, straightforward. Its ethos, he says, is this: ‘Verify every access, protect every data point, and never ever take security for granted.’

He does warn, though, that the transition process can be convoluted and may require significant changes to existing infrastructure, policies and practices. ‘Careful planning, pilot testing and phased implementation is critical to help mitigate potential disadvantages.’

He adds: ‘Zero-trust is part of a good security strategy, and most effective when combined with other security practices and tools, such as endpoint protection, threat intelligence, intrusion detection systems and security awareness.’

Clear case

As former global security solutions lead at Gartner, Phil James gained extensive insight into the evolution of digital defences. He agrees that zero-trust adoption requires preparation. Currently security partner at Cio-Office, he advises companies to devise a clear business case before shopping for products.

‘You can insist on all staff jumping through every security hoop at every level, but the business case depends on the type of organisation you are, what level of threat you’re facing, and how much inconvenience you’re prepared to absorb to be more secure. Only ever invest when there is a clear requirement, and that will determine the type of solution.

Artificial intelligence can be used to check for viruses or undertake behavioural analysis

‘If the granularity of access an organisation wishes to give – and the level of surety they wish to ascertain prior to giving it – is beyond their current tooling to deliver, then that is the point they might want to consider zero-trust solutions. You’ll also need a senior cybersecurity leader. If you can’t afford one, get an independent consultant. It’s more cost-effective than buying a bells and whistles system you don’t know how to use.’

Zero-trust combined with artificial intelligence (AI) and machine learning (ML) offers the compute power to evaluate user requests in real time, assess security contexts such as network, device, location and user, and calculate a risk score. AI/ML can also be deployed to check for viruses or undertake behavioural analysis to identify suspicious actions. Downsides could include overzealous policy enforcement, blocking of legitimate requests for access and the consequent interruption of work or revenue streams.

Best fit

The most appropriate access controls will always be those tailored to the type and sensitivity of relevant data, as well as the relevant regulatory context. After this, factors including cost, user convenience and scalability come into play.

With Gartner already listing more than 50 zero-trust products in its review section, it is likely that this new approach to a perennial problem will appear on the shortlist of many organisations seeking to fortify their defences within an increasingly complex cybersecurity landscape.

More information

Take a look at the resources on ACCA’s cybersecurity hub