'Trust No One' Should Be Our New Security Motto

To protect against cybersecurity breaches, every company should rethink who it considers a trusted partner.


Last year's cyberattack involving the IT company SolarWinds illustrated with painful clarity how security breaches can trigger a domino effect: a single company gets hacked, putting thousands of others at risk. Given the increasing frequency and scope of these incidents, it's time for a rethink. We need to start taking a "zero trust" approach to cybersecurity.

Traditionally, cybersecurity protocols are implemented on a company-by-company basis. Although some organizations harden their networks against attack, many lack the proper defenses to protect their systems and their customers' data.

What's more, it's hard to know how robust a company's cybersecurity armor really is. Companies generally don't like to talk about the measures they've taken, for fear that doing so might invite an attack or give away information that helps their potential adversaries.

For those reasons, you can't simply assume that a Fortune 500 company will have proper security measures in place. Likewise, judging a company's trustworthiness based on its country of origin is likely to induce a false sense of security.

For example, there's a misconception that U.S. companies make secure products while Chinese companies don't. Yet SolarWinds, once a trusted supplier, is headquartered in Texas, about as trustworthy a home as an American company can have.

On the other hand, DJI, the world's largest maker of commercial drone aircraft, is headquartered in China. That was enough to get the company blacklisted by the U.S. government for fear of security issues. But DJI was later vindicated when a Pentagon audit said two of its drones were "recommended for use by government entities and forces working with US services."

Consumers and businesses need to know if they can trust the companies they do business with to keep their information safe. President Biden's recent Executive Order on cybersecurity is designed to help make that possible.

The Order states that the federal government must put in place a zero trust model "based on an acknowledgment that threats exist both inside and outside traditional network boundaries." This means government agencies must protect themselves from the inside out. They must guard against external threats, while at the same time minimizing the potential damage that could be done by insiders — either by accident, such as when an employee carelessly clicks on a phishing email, or on purpose and with malicious intent.

The Executive Order further explains that this approach "eliminates implicit trust in any one element, node, or service and instead requires continuous verification" from multiple sources. Too many organizations perform significant due diligence on new suppliers, products or software, but then get complacent about verification and auditing, even when new versions are released. They develop a "set it and forget it" mentality — for example, allowing someone to enter a password once and then remain logged in indefinitely. That little "Your session has timed out" message may be annoying, but from a security standpoint, it's good practice.

The zero-trust approach mandates organization-level policies for continuous supplier and product verification, as well as application-level mechanisms, such as application timeout and multi-factor authentication. It continuously checks for red flags, such as whether information is being accessed from an unknown IP address.
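What "continuous verification" looks like at the application level, as an added example written for this piece rather than code from the article or from any product it mentions: a session is re-checked on every request against an idle timeout, an absolute lifetime, and the client address it was issued to, and a change of address forces a fresh multi-factor step before access continues instead of letting the original login stand indefinitely. The timeouts, the user names and the addresses are constructed for illustration.

```python
"""Added example (not from the article): continuous verification of a session.

Assumptions, all illustrative:
- A session is issued only after password plus MFA and is bound to the IP
  address the client used at login.
- Two clocks apply: an idle timeout and an absolute lifetime, so a user is
  never "logged in indefinitely".
- A request from a different IP than the bound one is the "red flag" from the
  text: it is not refused outright, but it yields no access until a fresh MFA
  proof rebinds the session.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-login (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed)


@dataclass
class Session:
    user: str
    ip: str
    created: float          # time the session was issued
    last_seen: float        # time of the last accepted request
    mfa_verified_at: float  # time of the last MFA proof
    needs_step_up: bool = False


def issue_session(user: str, ip: str, now: float) -> Session:
    """Called only after a successful password + MFA login (not shown)."""
    return Session(user=user, ip=ip, created=now, last_seen=now, mfa_verified_at=now)


def verify_request(session: Session, ip: str, now: float) -> str:
    """Re-evaluate the session on every request.

    Returns "ok", "expired" (user must log in again) or "step_up" (user must
    complete a fresh MFA proof before this or any further request is served).
    """
    if now - session.created > ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired"
    if ip != session.ip:
        # Address changed since login: flag the session and withhold access.
        session.needs_step_up = True
        return "step_up"
    if session.needs_step_up:
        # Flag stays set until an MFA proof clears it, even from the old IP.
        return "step_up"
    session.last_seen = now
    return "ok"


def complete_step_up(session: Session, ip: str, now: float, mfa_ok: bool) -> bool:
    """Rebind the session to the new address only after a fresh MFA proof."""
    if not mfa_ok:
        return False
    session.ip = ip
    session.needs_step_up = False
    session.mfa_verified_at = now
    session.last_seen = now
    return True


def demo() -> list:
    """Constructed timeline: login, normal use, IP change, failed then
    successful step-up, then an idle expiry. Returns the decisions in order."""
    results = []
    s = issue_session("alice", "10.0.0.5", now=1000.0)
    results.append(verify_request(s, "10.0.0.5", 1010.0))      # ok
    results.append(verify_request(s, "203.0.113.9", 1020.0))   # step_up
    results.append(complete_step_up(s, "203.0.113.9", 1030.0, mfa_ok=False))  # False
    results.append(verify_request(s, "203.0.113.9", 1031.0))   # still step_up
    results.append(complete_step_up(s, "203.0.113.9", 1035.0, mfa_ok=True))   # True
    results.append(verify_request(s, "203.0.113.9", 1040.0))   # ok
    results.append(verify_request(s, "203.0.113.9", 1040.0 + IDLE_TIMEOUT + 1))  # expired
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

Two design points worth noting. The absolute lifetime is checked first, so an attacker who keeps a stolen session "alive" with periodic requests still loses it after the cap; and once a session is flagged for step-up, even a request from the original address is held until MFA clears it, since the safer assumption is that the session token, not just the network path, may have moved.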

Although, outside a few regulated sectors, no laws or regulations force private companies to adopt such measures (except for companies that do business with the federal government), every organization should rethink who it considers a trusted partner. And given what's at stake, companies should be required to prove that they are worthy of trust. They can do so by meeting certain globally recognized cybersecurity standards, just as many companies use the ISO family of standards to evaluate organizational systems such as quality management.

To make this happen, governments and the private sector should collaboratively decide which standards companies need to meet. Fortunately, several good standards already exist, including the ISO/IEC 27000 series of standards on information security management and the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce.

There also needs to be a verification system to ensure that once companies put security procedures in place, they follow them strictly. Independent organizations will need to continuously audit the compliance of companies, products and services according to those agreed-upon requirements. Just as health inspectors make sure that restaurants are sanitary and store their food properly, these third-party organizations will verify that companies have done everything they can to protect their systems and their data.

With a zero-trust approach, we won't have to wonder if a company is actually taking the proper precautions to secure its systems. Greater transparency and common standards will make this crystal clear.

We need better protection for the digital society we have built. Assuming that a company's products are safe or trustworthy won't cut it anymore — we need to understand and manage risk better. "Trust no one" has to be our new cybersecurity motto.

The Newsweek Expert Forum is an invitation-only network of influential leaders, experts, executives, and entrepreneurs who share their insights with our audience.
Content labeled as the Expert Forum is produced and managed by Newsweek Expert Forum, a fee based, invitation only membership community. The opinions expressed in this content do not necessarily reflect the opinion of Newsweek or the Newsweek Expert Forum.