As hybrid working models continue to grow in popularity, organisations are having to pivot rapidly to maintain a healthy security posture. Despite the flexibility and other benefits this model provides, it has unfortunately brought some unintended consequences. New and developing cyber threats, such as social engineering, phishing attacks, and ransomware, are becoming increasingly prevalent among employees working in this way.
In the world of work-from-anywhere, businesses must question even the most established security practices to remain vigilant. Over the last few years, the ‘Zero Trust’ methodology has emerged as the desired approach to protect businesses and their operations. Zero Trust principles mean initially treating every user and device as hostile, until verification and authentication prove otherwise (and continuously) – thereby establishing trust.
In practice, Zero Trust can feel like a ‘one-size-fits-all’ approach and become a source of friction when it is not implemented with the workforce in mind. This raises the question: have security practices really moved on over the last few years to enable greater worker freedom, or have they reverted to the old ‘lock down everything’ approach under a new name, ‘Zero Trust’?
Why does Zero Trust need a glow-up?
The Zero Trust model itself is not an issue. Instead, it is how many organisations have approached the model. Zero Trust was meant to help organisations adopt a granular, risk-based approach to security, and thus provide increased flexibility for the workforce, whilst balancing the security posture needs.
In reality, organisations often adopt Zero Trust in a way that imposes the same rigid rules on all employees – whether they’re regularly accessing sensitive corporate data or not. Many don’t take individual job functions into account when mapping the risk and, therefore, don’t trust anyone. This can limit productivity for those performing considerably “safer or less risky” roles. For instance, does it make sense to hold the person delivering your parcels to exactly the same corporate security standards as an office-based VP of the business, especially if the process for gaining access is time consuming?
Zero Trust shouldn’t mean putting security above all other aspects of the business, including individual job functions and the organisation’s overall need to focus on user experience, agility and innovation.
On a day-to-day level, the more draconian organisations are with Zero Trust, the more backlash they could face from employees. Understandably, if an employee’s job functions are being disrupted by tight security controls, they’re probably going to find ways around it – which can create a whole host of new security issues.
The term ‘Zero Trust’ itself also presents challenges. Stepping into the shoes of an employee who isn’t clued up on specific ‘IT language’, it could easily be perceived with negative connotations about how they are ‘trusted’ (or not trusted) to do their job.
Introducing ‘Tailored Trust’
With this in mind, what can be done to embrace the principles of Zero Trust whilst balancing the needs of your employees?
Organisations should look to adopt a bespoke or tailored approach to Zero Trust. This means leveraging Zero Trust principles but combining them with risk profiling, treating users and devices with the appropriate scrutiny reflective of their job function. It’s a ‘persona-driven’ approach which places the individual – rather than just the organisation – at the heart of the process, to provide a more flexible experience, without compromising security.
There are several key elements to consider with this approach. The first step is understanding the job function and then the associated risk, in relation to the apps and data that person needs to access as part of their working day. These risks might relate to location, data sensitivity, or the device being used, among other factors.
The second element is the concept of verification, as it can hugely impact the experience. Imagine going to a restaurant where you’ve booked under your name and being asked for your I.D. at the front desk on arrival – which sounds reasonable. Now imagine that every five minutes the waiting staff ask you to show your I.D. again. Sounds less acceptable?
Putting this into the context of the workplace, we need to consider how constant authentication requests might impact employees. There must be a balance: an appropriate level of verification applied based on risk and, importantly, adjusted if that risk changes. Back to our restaurant example, Tailored Trust would be when the staff only ask someone to show ID again if they notice that person looks completely different from the one who came in. In other words, look for changes and things out of place. Verification needs to happen, but not at the expense of the end user.
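One way to express the “re-verify only when something changes” idea from the restaurant analogy in policy code, as an added illustration that is not from the original article or any vendor product: each persona declares which context signals (device, location, network) should trigger step-up authentication when they change, plus a hard ceiling on time between checks. The persona names, field names and intervals are constructed assumptions for the example.

```python
from dataclasses import dataclass

# A persona's risk profile: which context changes should force re-verification,
# and the longest a session may go without any check at all.
# Values are constructed for illustration, not taken from any real policy.
@dataclass(frozen=True)
class Persona:
    name: str
    data_sensitivity: str             # "low" | "medium" | "high"
    reverify_on: frozenset            # context fields whose change triggers step-up
    max_minutes_between_checks: int   # ceiling applied even when nothing changed

# Snapshot of the signals observed for a session at a point in time.
@dataclass(frozen=True)
class SessionContext:
    user: str
    device_id: str
    location: str
    network: str                      # "corp" | "home" | "public"

# The parcel courier only needs to prove it is still the same device; the
# finance VP handling sensitive data is re-checked on any material change.
PERSONAS = {
    "courier": Persona("courier", "low", frozenset({"device_id"}), 8 * 60),
    "finance_vp": Persona("finance_vp", "high",
                          frozenset({"device_id", "location", "network"}), 60),
}

def needs_reverification(persona: Persona, verified: SessionContext,
                         current: SessionContext,
                         minutes_since_check: int) -> tuple:
    """Decide whether to prompt for step-up auth, returning (decision, reasons).

    `verified` is the context captured at the last successful check; `current`
    is what is observed now. Only the fields this persona cares about are
    compared, so a low-risk role is not interrupted by irrelevant changes.
    """
    reasons = []
    for field_name in sorted(persona.reverify_on):
        if getattr(verified, field_name) != getattr(current, field_name):
            reasons.append(f"{field_name} changed")
    if minutes_since_check >= persona.max_minutes_between_checks:
        reasons.append("max interval exceeded")
    return (bool(reasons), reasons)

if __name__ == "__main__":
    base = SessionContext("alice", "laptop-01", "London", "home")
    moved = SessionContext("alice", "laptop-01", "Leeds", "home")
    for name, persona in PERSONAS.items():
        print(name, needs_reverification(persona, base, moved, 30))
```

A courier who moves between delivery locations is left alone, while the same location change on a high-sensitivity persona prompts a fresh check; the fixed ceiling ensures even a quiet session is eventually re-verified.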
A great example of a customer using this Zero Trust approach is Rentokil Initial – a leading pest control and commercial hygiene service provider. Their security teams use an intelligence platform to help identify risks based on user behaviour, which can help with profiling.
As an extension of Tailored Trust, a business’s approach to security training should reflect its overall security posture. Just as with any other form of training, security training should ideally be personalised to a specific job function or level. Employees will likely switch off after hours of security training that isn’t relevant to them, which creates further problems for IT teams down the line.
It’s hardly surprising that many organisations seem to be adopting a rigid approach to Zero Trust security. The growing number of cyberattacks is putting increasing pressure on IT teams to tighten security measures and put the necessary provisions in place to secure their infrastructure. Data from our Digital Floorplan report found that anywhere work led to a higher number of data breaches in 2022 than in the previous year across EMEA. However, we need to find a middle ground.
In the wake of The Great Resignation, cybersecurity cannot be prioritised above all else – especially when it jeopardises the employee experience and the ability to get their jobs done. Employing Zero Trust, as a rule, isn’t a bad decision, but it needs to be applied in a considered and realistic manner.