With several vaccines now approved for use across the world, signs are that we’re beginning to turn the corner in the fight against the deadly novel coronavirus.
But during the past year, we’ve had to face another epidemic as cyberattacks on public and private organizations surged.
“Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit,” Interpol said in August. “Criminals are taking advantage of the increased security vulnerabilities arising from remote working to steal data, generate profits and cause disruption.” [1]
A cyber intrusion against SolarWinds in December compromised 100 companies such as Microsoft and Intel, along with a dozen US government agencies including the Treasury and the departments of Defense, Justice and Energy, according to the Texas-based company’s Chief Executive Officer Sudhakar Ramakrishna.
Embarrassingly, the hackers also breached Cybersecurity and Infrastructure Security Agency systems, the Department of Homeland Security branch charged with protecting federal computer networks from such attacks.
The same group is suspected of being behind another infiltration of Microsoft customers and US government agencies, while a ransomware attack that shut down a major US fuel pipeline led to panic buying in east-coast states by consumers worried that gasoline supplies would dry up. And as I write this, news is breaking of an attack that shuttered several plants operated by JBS, the world’s biggest meat processor.
Like Interpol, Microsoft believes the rise in hybrid working may be partly to blame and is taking steps to protect itself and its customers.
“In Asia, adopting multi-factor authentication together with a zero trust approach are the foundations to safer work from home or hybrid work scenarios,” Mary Jo Schrade, Assistant General Counsel for Microsoft Digital Crimes Unit Asia, said in a May news release. [2]
The biggest enterprise software provider will introduce products and verification processes aimed at securing home offices, keeping devices virus free and moving toward a zero-trust security framework across its networks.
Microsoft’s announcement came six days after US President Joe Biden signed an executive order stating that the federal government must “advance toward Zero Trust Architecture,” [3] which the US National Security Agency in February said “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.” [4]
President Biden’s order also said the US must “accelerate movement to secure cloud services,” while Microsoft’s release said “there will be a rapid migration to the cloud over the next six to 12 months,” as companies gain a better appreciation of the tools and products needed for the provision of multifactor identification and authentication.
The executive order “was like reading the Cloudflare product catalog,” Matthew Prince, CEO of the platform that makes the Internet run faster and more securely, told the 49th JP Morgan Global Technology, Media and Communications Conference.
Okta CEO Todd McKinnon said on the identity management software company’s first-quarter earnings call on May 26 that what he was told in an “urgent meeting” with the chief security officer of a government agency that was a victim of the SolarWinds attack sounded like “literally a marketing script that Okta would say.”
By assuming that bad actors will breach network defenses, zero trust shifts focus by using smarter identity tools and endpoint security to limit the ability of criminals to move around and wreak havoc. Since Microsoft lacks the products needed to do this, it may have to find acquisition targets or partners. Companies including Cloudflare and Okta are already cooperating, and such associations may become more common as the uptake of cloud-based solutions accelerates.
Since zero trust requires multiple layers of security, each with independent verification, cloud solutions are better placed to perform the tasks than on-premises systems that weren’t designed for the purpose. Even if on-premises networks can be upgraded, the cost may be prohibitive, while multifactor authentication may be more difficult without using the cloud if more peer-to-peer devices are communicating directly in a hybrid working world.
One reason public and private organizations are focusing on zero trust is the rising cost of indemnity against ransomware attacks, which quadrupled in 2020 to $348 million, enabled by cryptocurrencies, according to the Wall Street Journal.
One technique used by attackers is to look for a document detailing how much ransomware insurance a company has, which allows them to set their demands at the policy limit so as to avoid hurting the victim’s bottom line.
AXA was hit with a ransomware attack shortly after saying it would no longer underwrite ransomware insurance in France, while cyber insurance provider CNA paid $40 million to get its data back from pirates looking to obtain a list of companies with ransomware coverage.
Such insurance premiums might be better spent on cloud-based protections, which may in turn also allow some of the $150 billion to $200 billion spent on enterprise IT security annually to be redirected to better effect.
With public and private institutions increasingly adopting zero trust, the indications are that cybersecurity modernization is gathering momentum. A zero-trust architecture that leverages API-enabled partnerships between access (Okta), governance (SailPoint), privileged access (CyberArk), endpoint security (CrowdStrike), email security (Proofpoint), and Cloudflare would prove much more resilient than outdated firewalls or other “moats” around servers whose vulnerabilities are now clear.
With no sign that attacks will abate, organizations must assume that their data isn’t secure and prioritize building a multi-factor authentication architecture that presumes that threats are real, that attacks will happen and that they can originate both inside and outside traditional network boundaries.
Brad Slingerlend is co-founder and an investor at Denver-based NZS Capital, which manages more than $1 billion in assets and focuses on innovative companies that create more value for all their constituents – including investors, employees, vendors, the communities they operate in and the planet as a whole – than they take for themselves. NZS Capital has a strategic partnership with Jupiter Asset Management.
[1] Source: Interpol, INTERPOL report shows alarming rate of cyberattacks during COVID-19
[3] Source: WhiteHouse.gov, Executive Order on Improving the Nation’s Cybersecurity
[4] Source: NSA.gov, NSA Issues Guidance on Zero Trust Security Model
Issued in the UK by Jupiter Asset Management Limited, registered address: The Zig Zag Building, 70 Victoria Street, London, SW1E 6SQ is authorised and regulated by the Financial Conduct Authority. Issued in the EU by Jupiter Asset Management International S.A. (JAMI, the Management Company), registered address: 5, Rue Heienhaff, Senningerberg L-1736, Luxembourg which is authorised and regulated by the Commission de Surveillance du Secteur Financier. 27660