Zero Trust (ZT) has become the default cybersecurity strategy for global business: In 2021, fewer than one in four of the organisations surveyed had a ZT strategy in place, but by 2023, this number has grown to 61%. In addition, a further 28% plan to implement Zero Trust within the next year and a half.
That’s according to the 2023 State of Zero Trust Report released by Okta. For the first time since the firm started issuing the State of Zero Trust Report in 2019, the number of organisations that already have a defined Zero Trust strategy in place, far exceeds those still in planning stages (or without such a strategy).
In partnership with Qualtrics, in April 2023, Okta conducted a global study including 860 information security decision makers from North America (US, Canada); EMEA (Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden, UK); and APJ (Japan, Australia).
“We now live in a Zero Trust world,” said Stephen McDermid, EMEA CSO for Okta. “The global figures suggest that within 18 months, nine in every 10 businesses will ‘be ZT’. And businesses are putting their cybersecurity money where their Zero Trust mouth is. Despite widespread cost-cutting, 60% of organisations have seen an increase of up to 24% in their ZT budgets since last year.”
The report suggests that leaders recognise the primary importance of Zero Trust in enabling today’s digital business. The research shows 93% of the global C-Suite now believe that Identity is important to their business strategy.
The report demonstrates that, despite growing knowledge of the low assurance value, passwords remain the standard for authentication – and are in use at more than half (55%) of our respondent’s organisations, across all regions.
Security questions were the second most commonly used practice, with just 19% (less than 1 in 5) of businesses) using high-assurance factors like platform-based authenticators and biometrics.
“In a world where businesses must never trust and always verify, the method of verification is critical,” continued McDermid. “The uncomfortable truth behind recent attacks is that verification based on passwords and simple questions is not enough. Social engineering has evolved dramatically and as such, so should the front line of identity verification. In practice, this will mean passwordless technologies.”
As an insight into the drivers behind this need to address social engineering, respondents to the research cited “People” as the biggest security concern for businesses with “Network” and “Data” coming in a distant second and third, respectively. While the user has always been rated a top priority, this year it’s an unusual outlier, reflecting an increasing understanding of the critical function of identity, in Zero Trust security initiatives.
In the face of this perception that the user remains the weakest link, more than two in three companies either say security is the unquestioned top priority or that their current priority balance is three-quarters security, one-quarter usability.
However, the research also reveals that holes still remain. Only 1 in 5 (20%) of respondents have automated provisioning/deprovisioning for external users such as partners and contractors. This suggests that companies remain especially vulnerable to attacks from within the supply chain.
McDermid added: “Companies have long since recognised that either through malice or simple poor practice, their people represent the single biggest security threat, but these figures suggest that businesses may have been too narrow in the definition of ‘their people’. Suppliers and partners are – from a security perspective – just as risky as an employee. But there seems to be a lag in addressing this.”
Within this incredibly active global market, there are some clear leaders when it comes to embracing ZT. Companies in financial services and software are more likely to have an initiative in place today (at 71% and 68%, respectively).
58% of public sector organisations have a ZT strategy, with almost another third planning to implement one in the next 12 months.
“It is easy to see the impact of regulation on these figures,” concluded McDermid. “Some industries will face tighter demands that necessitate Zero Trust and drive the market in the short term. We welcome this catalyst for innovation and look forward to seeing what early adopters can show the wider industry.
“The past two years have seen a huge jump in the number of businesses that say identity is a critical part of their Zero Trust strategy. Now that Zero Trust is set to define how business is done, it follows that getting identity right will be a major factor in making that business easier, faster, and better.”
Photo by Towfiqu barbhuiya on Unsplash
