President and CEO of Ericom Software. Cybersecurity expert with more than 20 years of high-technology experience.
Over the first half of 2020, organizations worldwide implemented the business equivalent of the Marshall Plan. What that effort produced in the course of the three years following WWII’s end (with massive government support) — enabling a war-torn and traumatized Europe to survive and thrive — businesses (also with massive government support) accomplished in one-sixth of the time. Though not all organizations weathered the Covid-19 storm, the surprise is that many who did have emerged better prepared for what lies ahead.
A recent article by McKinsey noted the dramatic transformation that business operations underwent as a result of the Covid-19 pandemic. Their global survey of business executives indicated that “companies have accelerated the digitization of their customer and supply-chain interactions and of their internal operations by three to four years.” Unfortunately, in the course of this lightning-fast transformation, many organizations did not keep security top of mind, as the many headlines covering the spike in successful ransomware and data theft incidents have made clear. It is no surprise that 51% of IT decision-makers attributed greater vulnerability to increased work from home.
Security Plays Catch-Up — And Zero Trust Is The Goal
For organizations that left security behind in their rush to digitize, the time to set things right has arrived. Security vulnerabilities that were exposed must be addressed without further delay, and at the same four-year-in-one pace, albeit at a six- to 12-month lag.
Before pandemic disruptions, over two-thirds — 72% — of CISOs and CIOs planned to implement zero trust security in 2020. Zero trust, a strategic security approach most recently advanced by Dr. Chase Cunningham, posits that implicitly trusting anyone or anything when it comes to IT resource access constitutes a vulnerability, and organizations’ security strategies must be designed to “never trust, always verify.”
And while starting a zero trust journey can seem overwhelming, a look at the key threat vectors and performance of current defenses can help organizations prioritize where to start. As the CEO of Ericom Software, a company that provides cybersecurity solutions that help organizations adopt zero trust, I have been involved in many “where do we start?” discussions. For many, the answer, not surprisingly, has been with improving email security.
During Covid-19, phishing attacks went through the roof, increasing by 350% in just the first month of closures. Google alone detected over two million phishing sites in just the first 10 months of 2020 — an average of 46,000 newly detected sites every week and a 20% increase over the same period of the previous year. These phishing sites included spoofed sites designed for stealing credentials, as well as sites delivering ransomware, malware injectors, worms or other malware.
The bulk of these millions of malicious sites are not only “newly detected” — they are also new. Once identified as a phishing and/or malicious site by Google Safe Browsing or similar blocklists, they are entirely blocked or, at the very least, trigger red flags that warn users to beware. And as a result, they are rendered useless to phishers.
In largely successful attempts to outrun blocklists, savvy phishers have developed techniques for rapidly and automatically creating tens of thousands of URLs populated with malicious and spoofed content. Millions of phishing emails are instantly sent out, luring users to click before the blocklist crawlers find the sites and tag them as “bad.”
User training is often cited as the last, best defense against phishing — a “human firewall,” so to speak. But when it comes to sophisticated social engineering attacks, user training gets you only so far. In recent simulations, click rates were reduced by 40% following training, which sounds terrific, until you discover that initial rates for the most compelling emails hit 40%, leaving a worrisome 24% post-training click rate.
The Covid-19 pandemic played into phishers’ hands in a number of ways. First, it gave them compelling new themes to manipulate people into opening their emails. Second, users working from home generally browse the internet directly from their devices, without the benefit of enterprise-grade secure web or email gateways that might block malicious sites. And finally, stressed and distracted users are less likely to notice small variations in lookalike URLs or spoofed sites. And during the pandemic, many workers were both stressed and distracted.
Given the rapid growth in phishing, the exposure of users working from home and the fact that phishing is the top delivery vector for ransomware, phishing is one of the most vital issues for organizations to address at the start of their zero trust journey.
Zero trust browsing, using remote browser isolation (RBI), is a fully secure way to protect users from phishing attacks. Since no content from the internet, including content found at URLs embedded in emails, can be verified as safe, RBI assumes it is not. When a user clicks on a link to a phishing site, the site is opened and rendered in an isolated browser container in the cloud; site content never reaches the user’s endpoint. Only safe rendering data is sent to the user’s regular browser on their devices, enabling full, natural interaction with site functions. Flexible policies can be applied to ensure that new, as-yet-uncategorized sites and known phishing sites are opened in read-only mode to prevent users from entering credentials. When the user stops browsing, all content in the isolated browser container in the cloud is safely destroyed, including malware.
Zero Trust Journey
As mentioned earlier, zero trust is a strategy — not a product — requiring organizations to implement controls across their environments to enforce “never trust, always verify” access and use policies. While email is an important part of the equation, it is just a part. Throughout 2021, I’ll share additional zero trust projects that I am seeing customers prioritize on their zero trust journeys.