Building Cyber Resilience: The Strategic Imperative Of Zero Trust

ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.

In the fast-evolving landscape of cyber threats, South African companies face a growing challenge to secure their digital assets. As businesses become more interconnected and data-dependent, the need for a robust cyber security strategy becomes paramount. One approach gaining traction globally is the concept of Zero Trust.

But what is Zero Trust?

At its core, Zero Trust challenges the traditional notion that entities within a network should be implicitly trusted. Instead, it advocates for a continuous verification process, ensuring that trust is never assumed, and security is upheld at every interaction. In simple terms, Zero Trust is based on the premise that everyone and everything requesting anything in your IT environment must be verified before it can be trusted.

Understanding the Landscape

South African companies operate in an environment where cyber threats are not only increasing but also becoming more sophisticated. Traditional security models, built on the assumption of a secure perimeter, are proving inadequate in today's dynamic threat landscape. This realisation underscores the need for a strategic shift – one that aligns with the realities of modern cyber security challenges: Zero Trust.

Zero Trust is undoubtedly gaining strong interest, with industry research indicating that 60% of organisations are planning or actively implementing a Zero Trust strategy. However, according to Gartner research, although many organisations have a Zero Trust strategy and are working to implement Zero Trust technologies, few are mature. A lack of integration across security products makes it hard to achieve end-to-end Zero Trust deployment, and organisations that have adopted Zero Trust struggle to verify an improvement in their security posture because there are no effective methods to measure the impact.

  • Through 2025, over 90% of enterprise networking products will still not meet the main requirements of Zero Trust networking.
  • By 2026, 75% of organisations will include only managed devices and modern applications in their Zero Trust strategy to reduce complexity and costs.
  • By 2027, 25% of organisations using Zero Trust Network Access (ZTNA) will shift from static, one-time access rules to continuous, dynamic risk-based controls.

Despite the complexities, cyber security professionals unanimously advocate for a Zero Trust approach, or at least a journey towards it.

Tailoring Zero Trust for South African SMEs

What makes Zero Trust appealing is that implementing it doesn't mean you have to overhaul your existing systems. Instead, it involves a strategic, phased approach that aligns with the unique needs and constraints of your business.

  1. User-Centric Security: Zero Trust revolves around the principle of "never trust, always verify." This places a strong emphasis on user authentication and authorisation. This can be achieved by implementing multi-factor authentication, role-based access controls, and regular user access reviews. By starting with static policies based on user and device signals, organisations begin a journey toward Zero Trust maturity.
  2. Identifying Critical Assets: Organisations should identify and prioritise their most critical assets. This could be customer data, financial records, or proprietary information. By pinpointing these assets, businesses can tailor their Zero Trust implementation to protect what matters most. As part of this process, organisations should identify resources that would benefit from dynamic access policies versus those that can be adequately protected by static role-based policies.
  3. Establish Governance: To overcome the challenge of immeasurability, organisations should establish governance around their Zero Trust programmes to ensure the benefits realised are measurable and quantifiable.
  4. Continuous Monitoring: Unlike traditional security models that focus on the perimeter, Zero Trust requires continuous monitoring of all network activities. This proactive approach allows businesses to detect and respond to potential threats in real-time, minimising the impact of a potential security incident.
  5. Vendor and Supply Chain Security: Many South African organisations collaborate with external partners and vendors. Zero Trust extends its principles beyond the organisation's borders, emphasising the need for secure connections and continuous verification throughout the supply chain.

Legal Perspectives

Cyber resilience and Zero Trust are not just technological imperatives; they are also critical legal considerations. From a legal standpoint, companies must ensure that their cyber resilience strategies align with regulatory requirements and industry standards. This involves not only implementing robust security measures but also documenting these efforts to demonstrate compliance with data protection laws such as the Protection of Personal Information Act, 2013 (POPIA) (South Africa's prevailing law on privacy protection) and any other privacy laws around the world that could apply to a company's use of personal information (e.g., GDPR, UK Data Protection Act, the CCPA, and others). Failure to do so can result in severe legal consequences, including fines, penalties, and reputational damage.

Zero Trust architecture requires a meticulous approach to access control and data management (see "User-Centric Security" above). From a legal standpoint, this approach is invaluable as it minimises the risk of unauthorised access and data breaches, which are central concerns under many data protection regulations. Organisations must establish clear policies and procedures for identity verification, continuous monitoring, and incident response. These policies should be regularly reviewed and updated to keep pace with evolving cyber threats and legal requirements.

Additionally, the risk flagged above on "Vendor and Supply Chain Security" raises the legal consideration that contracts with third-party vendors must reflect a commitment to cyber resilience and Zero Trust principles. This includes incorporating specific clauses that mandate adherence to stringent cyber security standards, regular security audits, and immediate notification about security incidents. Such provisions help mitigate legal risks and ensure all parties are equally committed to maintaining robust cyber security postures.

It's important to remember that Zero Trust, like all cyber security approaches, is not a silver bullet and it alone cannot eliminate all cyber threats. Cyber security is multi-layered and any good cyber security practice will advocate overlapping layers designed to work together to detect and stop intrusion. Zero Trust must, therefore, be complemented or supported by a holistic cyber security strategy to be fully effective.

Embracing Cyber Resilience

In a digital landscape fraught with uncertainties, applying at least the basics of a Zero Trust strategy is a step towards a resilient cyber security posture for South African organisations. It's not just about preventing breaches but building the ability to adapt, respond, and recover swiftly from any security incident. Resist the temptation to chase the latest cyber security trends and stick to the basics.

Integrating legal perspectives into cyber resilience and Zero Trust strategies is crucial. By aligning security measures with legal requirements and ensuring contracts with third parties include stringent cyber security obligations, organisations can better protect themselves from cyber threats and legal liabilities.

When embarking on a Zero Trust journey, organisations should adopt a pragmatic approach aligned with their unique, evolving threat landscape. To fully understand the nuances and design a journey tailored to your organisation's needs and goals, partnering with an expert can help you navigate this shifting digital terrain with confidence.

About Cyberlogic

Cyberlogic is a trusted Managed Solutions Provider specialising in IT leadership, cyber security, business intelligence, and cloud solutions. For almost three decades, we've delivered transparent, open guidance to help our clients improve their technology processes, grow their businesses, and secure their data. To find out more about our comprehensive cyber security solutions, reach out to the ENS Team below.

About the TMT team at ENS

The Technology, Media, and Telecommunications (TMT) team at ENS has a diverse combination of specialist international skills, experiences, and backgrounds, which allows each of our lawyers to view your situation from a different vantage point. This means we can provide you with a multi-faceted, comprehensive offering. Our key differentiator is our understanding and knowledge of business challenges and intricacies in the TMT industry. This enables us to provide practical advice to TMT service providers and customers as we shape our services to meet your precise needs. For more information, visit ensafrica.com.

Reviewed by Ridwaan Boda, an Executive in ENS' TMT practice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
