A snapshot of security: How a top business priority has evolved

Security has rapidly become one of the most critical priorities of business leaders today. The business landscape has evolved, driven predominantly by the need to adapt to change and digitally transform. The many benefits businesses are seeing include greater levels of collaboration and data sharing between employees, and more democratised learning driven by digital capabilities. 

Though these changes have been underpinned by a widespread move to the cloud and the shift to remote and hybrid work brought on by the pandemic, the benefits they have produced mean there is no going back for modern businesses.

In this new era of working, the traditional perimeter-based approach to security — which was fronted by firewalls, antivirus and other technology, and defined by static permissions to company resources — is no longer sufficient. 

Now, the dynamics have changed and employees need to access data, documents, databases and networks from external connections and various geographies. This increasingly distributed, off-premise computing landscape has the user at its centre, with the crown jewels — data — largely being stored in the cloud, and a growing number of security risks and cyberattacks.  

A recent IDC Cybersecurity survey, commissioned by Microsoft, showed 50% of SA business leaders are concerned with the consequences of security breaches — and that cloud security is the number one priority for investment, with 28% of leaders stating they will move to the cloud to help address security priorities.

This research also found that organisations are putting the user at the centre of this new paradigm: confirming users’ identities, together with an additional layer of security, emerged as the most important security priority for 49% of business leaders in SA in the next six to 18 months. 

The need to confirm identity is a central feature of the Zero Trust principle, which has emerged as a guiding security strategy for businesses in the last few years. This model means trusting no individual or system, needing to explicitly verify their identity, using least privilege access to give them access only to what they need, for as long as they need it, and always assuming breach.

Protecting businesses where they’re vulnerable: using least privilege access and Zero Trust

Identity remains the number one place where people are vulnerable because many users simply do not know what security is required for accessing data, networks and confidential data and information — or do not realise their identity is being compromised. 

Popular identity attacks involve credential theft through broad and spear-phishing emails and credential-stealing malware — with research indicating that phishing attacks can successfully compromise employees from even well-trained organisations. Other attacks include using sophisticated automated tools for credential stuffing attacks and password spraying, because of people’s propensity to reuse credentials such as usernames and passwords.

Many users — and even businesses — have traditionally only considered security when they have been breached. But because the Zero Trust mindset means now considering it a case of when rather than if a breach or attack will happen, and security architecture and strategies are built with this in mind, it is also ever more important to prioritise and protect a user’s identity to ensure that identity exploits are minimised.

Access control and management — as one of the main drivers of the Zero Trust principle — is important in this new paradigm and world of work. Organisational data, systems and networks can no longer come with static permissions because this will leave a gaping hole that bad actors will be able to exploit. 

More businesses are using least privilege access, which essentially means granting users access only to what they need, for as long as they need it, before revoking permission. This ensures that users are still able to perform their role with the minimum level of access required to plug as many holes as possible in their security environment, while ensuring minimal disruption to productivity.

Least privilege access is a core element of Zero Trust, which then needs to be matched by additional layers of security, such as multi-factor authentication and facial recognition or encryption. It also requires strengthening the people and culture side of the equation to ensure employees understand the value of security to the business rather than assume it’s someone else’s responsibility. 

The good news is that security, and cloud security in particular, is becoming a boardroom discussion and priority for investment. 

The technical and cultural side of security need to merge: the people, processes and technology that underpin the security of modern businesses have to be in harmony. The IDC research showed that business leaders are recognising this, with 49% saying they are investing in building a security culture and increasing understanding of security’s value to the business.

Part of this culture change will also mean making security pre-emptive, rather than its traditionally reactive approach. In this changing world, it needs to move to being proactive and underpinned by end-to-end automated and intelligent security — using intelligent solutions and tools such as artificial intelligence — to continuously monitor the organisation’s computing environment, and then pick up, triage and act on incidents before they happen.

About the author: Colin Erasmus is modern workplace and security business group lead at Microsoft SA.

This article was paid for by Microsoft.