Founder & CEO of ERP Maestro. Jody is a trusted advisor and security thought leader who is a CISSP, a CISA, and former director of KPMG. Follow him on Twitter @JodyCPaterson.
Why You Should Place Your Trust in a Zero Trust Environment
Adopting a zero trust environment can seem scary when thinking about the workplace, especially when we know that trust is a foundation for productive teams, work collaboration and healthy cultures. Additionally, companies like to believe that employees are loyal and can be trusted. The notion of zero trust can be off-putting.
However, zero trust doesn’t mean operating without trust between colleagues. It is the term we use when referring to system security. It simply means that you can’t assume everyone in your organization will act with ethics and morality when it comes to respecting and protecting company assets.
There is solid evidence to support embracing a zero trust policy. Technology, bricks and mortar, products and services don’t make a business. People do. Employees are human and even the best of employees can go off the rails and steal company funds, data or assets for any number of reasons. Personal debt can be a strong motivator for an otherwise A-player employee to dip hands in the proverbial till. Greed, entitlement and retaliation are also powerful influencers on employee theft and fraudulent behavior.
Recent 2019 research in the UK found that 45 percent of employees would sell data to outsiders and that insiders are complicit in 28 percent of data breaches. Moreover, research from Santander Business found that half of UK firms are vulnerable to invoice fraud. Fraud is not limited to mega enterprises. UK SMBs have estimated losses of £18.9 billion due to fraud, and based on a global study by the Association of Certified Fraud Examiners (ACFE), it is estimated that worldwide losses due to fraud reach $4 trillion.
The financial services industry has long operated with zero trust. Bank employees, for example, touch money and process financial transactions all day long. The risk for fraud and embezzlement is tangibly real. The threat is just as likely, though, in any organization that doesn’t monitor employee access to critical information in business systems, such as enterprise resource planning (ERP) systems through which the majority of business transactions are processed. Seventy-seven percent of the world’s transaction revenue, for instance, touches an SAP system.
Even with all of the research and evidence on the prevalence of fraud, companies tend to not take the risk seriously – or not until they have experienced the damaging consequences of employee fraud or a security breach and realize their protective measure against insider threats need to be as strong as those for external attacks.
Zero trust requires strict rules and governance of who has access to what – without exception and regardless of the rank and authority of employees. It assumes everyone could be a risk, even unintentionally. Segregation of duties (SoD) and automated internal controls are a must. The risk is too great to monitor and manage access manually. Manual control processes don’t make good business sense either when you consider the required time, resources and potential for error.
The notion of zero trust also means that for every system you put in place, you also ensure that you have both external and internal security solutions and safeguards in place – before you go live. Choosing to operate in such an environment also entails making sure employees understand the severity of system security and fraudulent activities by way of training during onboarding and periodically thereafter to keep these dangers top of mind. In doing so, you are protecting your company, and as such protecting the livelihood of every employee who makes up your business.
You also need to create safe ways for employees to report suspected fraud amongst coworkers in the event that it should occur. Your reporting channel should protect the person who reports suspected fraud, without damage to reputation, harm from retaliation or threat to job security.
Zero trust in respect to system security and access control should be understood easily by employees and should not impact workplace trust, which is based on honesty, credibility, respect, teamwork and the confidence you have in employees to work with high integrity to get the job done. In fact, employees who know a company is doing everything to keep its systems and people safe should feel greater workplace security and trust.