With several vaccines now approved for use across the world, signs are that we’re beginning to turn the corner in the fight against the deadly novel coronavirus.
But during the past year, we’ve had to face another epidemic as cyberattacks on public and private organizations surged.
“Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit,” Interpol said in August. “Criminals are taking advantage of the increased security vulnerabilities arising from remote working to steal data, generate profits and cause disruption.” 1
A cyber intrusion against SolarWinds in December compromised 100 companies such as Microsoft and Intel, along with a dozen US government agencies including the Treasury and the departments of Defense, Justice and Energy, according to the Texas-based company’s Chief Executive Officer Sudhakar Ramakrishna.
Embarrassingly, the hackers also breached Cybersecurity and Infrastructure Security Agency systems, the Department of Homeland Security branch charged with protecting federal computer networks from such attacks.
The same group is suspected of being behind another infiltration of Microsoft customers and US government agencies, while a ransomware attack that shut down a major US fuel pipeline led to panic buying in east-coast states by consumers worried that gasoline supplies would dry up. And as I write this, news is breaking of an attack that shuttered several plants operated by JBS, the world’s biggest meat processor.
Like Interpol, Microsoft believes the rise in hybrid working may be partly to blame and is taking steps to protect itself and its customers.
“In Asia, adopting multi-factor authentication together with a zero trust approach are the foundations to safer work from home or hybrid work scenarios,” Mary Jo Schrade, Assistant General Counsel for Microsoft Digital Crimes Unit Asia, said in a May news release.2
The biggest enterprise software provider will introduce products and verification processes aimed at securing home offices, keeping devices virus free and moving toward a zero-trust security framework across its networks.
Microsoft’s announcement came six days after US President Joe Biden signed an executive order stating that the federal government must “advance toward Zero Trust Architecture,”3 which the US National Security Agency in February said “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”4
President Biden’s order also said the US must “accelerate movement to secure cloud services,” while Microsoft’s release said “there will be a rapid migration to the cloud over the next six to 12 months,” as companies gain a better appreciation of the tools and products needed for the provision of multifactor identification and authentication.
The executive order “was like reading the Cloudflare product catalog,” Matthew Prince, CEO of the platform that makes the Internet run faster and more securely, told the 49th JP Morgan Global Technology, Media and Communications Conference.
Okta CEO Todd McKinnon said on the identity management software company’s first-quarter earnings call on May 26 that what he was told in an “urgent meeting” with the chief security officer of a government agency that was a victim of the SolarWinds attack sounded like “literally a marketing script that Okta would say.”
By assuming that bad actors will breach network defenses, zero trust shifts focus by using smarter identity tools and endpoint security to limit the ability of criminals to move around and wreak havoc. Since Microsoft lacks the products needed to do this, it may have to find acquisition targets or partners. Companies including Cloudflare and Okta are already cooperating, and such associations may become more common as the uptake of cloud-based solutions accelerates.
Since zero trust requires multiple layers of security, each with independent verification, cloud solutions are better placed to perform the tasks than on-premises systems that weren’t designed for the purpose. Even if on-premises networks can be upgraded, the cost may be prohibitive, while multifactor authentication may be more difficult without using the cloud if more peer-to-peer devices are communicating directly in a hybrid working world.
One reason public and private organizations are focusing on zero trust is the rising cost of indemnity against ransomware attacks, which quadrupled in 2020 to $348 million, enabled by cryptocurrencies, according to the Wall Street Journal.
One technique used by attackers is to look for a document detailing how much ransomware insurance a company has, which allows them to set their demands at the policy limit so as to avoid hurting the victim’s bottom line.
AXA was hit with a ransomware attack shortly after saying it would no longer underwrite ransomware insurance in France, while cyber insurance provider CNA paid $40 million to get its data back from pirates looking to obtain a list of companies with ransomware coverage.
Such insurance premiums might be better spent on cloud-based protections, which may in turn also allow some of the $150 billion to $200 billion spent on enterprise IT security annually to be redirected to better effect.
With public and private institutions increasingly adopting zero trust, the indications are that cybersecurity modernization is gathering momentum. A zero-trust architecture that leverages API-enabled partnerships between access (Okta), governance (SailPoint), privileged access (CyberArk), endpoint security (CrowdStrike), email security (Proofpoint), and Cloudflare, would prove much more resilient than outdated firewalls or other “moats” around servers whose vulnerabilities are now clear.
With no sign that attacks will abate, organizations must assume that their data isn’t secure and prioritize building a multi-factor authentication architecture that presumes threats are real, attacks will happen and that they can originate both inside and outside traditional network boundaries.
Brad Slingerlend is co-founder and an investor at Denver-based NZS Capital, which manages more than $1 billion in assets and focuses on innovative companies that create more value for all their constituents – including investors, employees, vendors, the communities they operate in and the planet as a whole – than they take for themselves. NZS Capital has a strategic partnership with Jupiter Asset Management.
1 Source: Interpol, INTERPOL report shows alarming rate of cyberattacks during COVID-19
3 Source: WhiteHouse.gov, Executive Order on Improving the Nation’s Cybersecurity
4 Source: NSA.gov, NSA Issues Guidance on Zero Trust Security Model
The value of active minds – independent thinking:
A key feature of Jupiter’s investment approach is that we eschew the adoption of a house view, instead preferring to allow specialist fund managers to formulate their own opinions on their asset class. As a result, it should be noted that any views expressed – including on matters relating to environmental, social and governance considerations – are those of the author(s), and may differ from views held by Jupiter investment professionals