Their latest global cybersecurity outlook 2024 insight report delivers insights into the growing gaps in cyber inequity, cyber insurance, the cyber-skills shortage, achieving cyber-resilience, and building a better cyber ecosystem. Being prescriptive about how to close those gaps with zero trust would make the WEF’s cybersecurity vision report complete.
Accenture and WEF collaborated on the study based on interviews with senior executives from 49 countries. Key findings include:
- Geopolitics and its ongoing instability are the top cybersecurity drivers at a global level. A total of 70% of leaders say this factor influences their organization’s cybersecurity strategy.
- Attackers will have the upper hand when it comes to gen AI. Approximately half believe gen AI will be the most influential technology in cybersecurity in the next two years. Just over the majority, 55.9%, believe that gen AI will provide an overall cyber advantage to attackers, while 35.1% believe it will remain balanced to defenders. 27% of surveyed chief information security officers (CISOs) will use generative AI in their SOCs to provide data enrichment of alerts and incidents. Most cybersecurity leaders see enterprises losing the AI war.
- Leaders are concerned about LLMs becoming more weaponized, along with Gen AI being used to create attack tools and apps. Venturebeat continues to see this trend accelerating, validating the fact that the age of weaponized LLMs is here. Leaders are also concerned about how gen AI and LLMs are being used to create attack products and services, including ransomware-as-a-service and FraudGPT. Attackers are using ChatGPT to fine-tune social engineering attacks at scale and mining the data to launch whale phishing attacks. Ivanti’s State of Security Preparedness 2023 Report found that nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on the same link or sending money.
- Nearly every senior leader knows of an industry colleague whose company has been breached. The vast majority of organizations, 98%, have a relationship with at least one-third party that have experienced a breach in the last two years.
- A large majority of leaders, 73%, say they are stressing cybersecurity fundamentals to close security gaps. A small percentage, 13%, think human error will be the primary reason a breach occurs in their organizations in the next twelve months.
Closing the trust deficit needs to start with zero trust
Not paying attention to zero trust and cybersecurity is the single greatest threat to how trusted any business will be over the long term. Dozens of companies never report ransomware attacks, especially in manufacturing, because they want to retain the trust of their suppliers, investors, and customers. In the meantime, ransomware sweeps through entire industries and decimates smaller companies that don’t spend on cybersecurity.
Ransomware attacks soared last year, as did new social engineering attacks that took advantage of the inherent trust help desks had in hackers who called up and impersonated their colleagues to get login credentials. Nation-state attackers are fine-tuning their tradecraft to launch lucrative ransomware attacks aimed at stealing billions in bitcoin to finance their missile programs and create vast underground networks to launder cryptocurrency.
“Ransomware defense isn’t something you do when you are under attack. Ransomware defense looks a lot like doing security right, throughout your environment, every day–from identity and secrets management to provisioning infrastructure, to managing data protection and backups,’ advised Merritt Baer, Field CISO, Lacework, during a VentureBeat interview late last year.
Going all-in on zero trust starts with the assumption that networks and infrastructure have already been breached and the intrusion needs to be contained. Assuming a wide variety of breach attempts and ransomware attacks are inevitable is one of the cornerstones of zero trust.
By assuming all devices, endpoints, identities, systems, and users are untrusted by default and require authentication and continuous validation, trust in each user, session, and resource request is achieved. The NIST 800-207 standard provides a useful framework for organizations looking to adopt the framework.
John Kindervag, who created the zero trust framework while at Forrester, told VentureBeat in a series of interviews last year that “you start with a protect surface. I have, and if you haven’t seen it, it’s called the zero trust learning curve. You don’t start at a technology, and that’s the misunderstanding of this. Of course, the vendors want to sell the technology, so [they say] you need to start with our technology. None of that is true. You start with a protect surface and then you figure out [the technology].”
Making the WEF vision complete with zero trust
Taking Accenture’s and WEF’s insightful research a step further to help close the gaps that drain trust out of organizations, industries, and customer relationships, VentureBeat has completed an analysis of the survey data using zero trust principles.
The following is how and where the WEF vision for cybersecurity needs to be strengthened with zero trust:
Securing software supply chains with a zero trust framework needs to be a higher priority – “When it comes to the supply chain, which is one of the areas that demands the most collaboration, 54% of organizations fail to understand cyber vulnerability in their supply chain sufficiently – and it shows,” writes WEF. “The cyber maturity gap between large corporations and medium/ small companies is constantly widening, creating a systemic supply-chain security risk. Global companies must have a larger play in raising the bar for their smaller partners to prevent them from becoming threat vectors,” said Christophe Blassiau, Senior Vice-President, Cybersecurity and Product Security, Global CISO and CPSO, of Schneider Electric.
Least Privilege Access. A core element of the zero trust standard, WEF reports the growing importance of cyber resilience. Taking action to gain greater resilience starts by granting the least privileged access needed for each session.
Microsegmentation. Table stakes for getting a zero-trust framework right it’s considered to be one of the most difficult aspects of any zero-trust initiative to get in place at scale. “You won’t really be able to credibly tell people that you did a Zero Trust journey if you don’t do the micro-segmentation,” Holmes said during an Illumio webinar titled The time for Microsegmentation, is now. “If you have a physical network somewhere, and I recently was talking to somebody, they had this great quote, they said, ‘The global 2000 will always have a physical network forever.’ And I was like, “You know what? They’re probably right. At some point, you’re going to need to microsegment that. Otherwise, you’re not zero trust.”
Multi-factor Authentication (MFA). Getting MFA right needs to start by designing it into workflows and minimizing the impact on user experiences. VentureBeat has learned that CIOs and CISOs are driving identity-based security awareness while considering how passwordless technologies can alleviate the need for long-term MFA. Leading passwordless authentication providers include Ivanti’s Zero Sign-On (ZSO), Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access, and Windows Hello for Business. Enforcing identity management on mobile devices has become a core requirement as more workforces will stay virtual.
Continuous Monitoring and Evaluation. The report underscores the need for pursuing continuous monitoring and evaluation, finding that 29% of organizations reported being materially affected by a cyber incident in the past 12 months. As Jeetu Patel, EVP and General Manager, Security & Collaboration, Cisco writes in his recent WEF article, “AI can learn from vast volumes of data to understand indicators of malicious behaviour. AI can then analyze encrypted traffic to infer anomalous behaviour in near real-time and automatically take the appropriate actions.” Having that level of visibility is essential for getting zero trust right.
Zero trust can trust into a business accelerator. Ultimately, cybersecurity is a business decision. In 2024, it’s going to be evaluated more than ever in terms of its risk reduction potential and ability to contribute to revenue growth. Cybersecurity budgets face new scrutiny in 2024 that’s having reverberating effects across the industry.
Security leaders need to strive to create a unified framework that can adapt and flex as their security and governance needs change. Zero trust has been effective in accomplishing both of those goals.
Pursuing zero trust and making sure each endpoint, device, network, and identity can be trusted are table stakes for accelerating a business’ growth. It’s time to think of cybersecurity investments as essential to customer experiences and preserving revenue. Trust is the catalyst of growth, and getting it right is key to any business growing in 2024.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.