The massive Australian data breach in late September inspires me to share a personal twist on Zero Trust Security.
What makes this incident colossal? BBC News Australia reports, “Australian telecommunications giant Optus revealed about 10 million customers – about 40% of the population – had personal data stolen in what it calls a cyberattack.”
I have empathy for the victims and the company. Kelly Bayer Rosmarin, Optus Chief Executive, called it a “sophisticated attack,” saying the company has robust cybersecurity.
I’m not sure if Optus follows Zero Trust Security, a next-level framework for corporate security and compliance.
Zscaler defines Zero Trust Security as “…a framework for securing organizations in the cloud and mobile world that asserts that no user or application receives trust by default. Following a key zero trust principle, least-privileged access, trust is established based on context (e.g., user identity and location, the endpoint’s security posture, the app or service requests) with policy checks at each step.”
My little twist is a variation from the standard corporate definition. In honor of this October’s International Cyber Security Awareness Month, we’ll illuminate Zero Trust Security for individuals.
Here’s your three-part personal cybersecurity manifesto.
#1 – Zero Trust Security: Don’t extend trust to any organization.
Adopting Zero Trust Security means you don’t extend trust to any organization. Put everyone who contacts you via phone, social media, the front door of your house, or email through the paces.
This approach sounds extreme, but some healthy paranoia goes a long way.
A few weeks ago, my cellphone rang, and the caller ID indicated it was my HVAC company. I picked up the call, and the rep mentioned it was time to renew my annual service and maintenance agreement.
He offered to take my credit card number over the phone, and I almost complied. I rattled off the first digits, and then it hit me. I wonder if this is a spoofed cellphone number.
A little openness comes in handy.
I quickly and humbly stopped and said, “I apologize for pausing. I work for a managed IT services provider and spend most of my time researching and sharing cybersecurity best practices. And I’d feel like a total idiot if I got scammed with a spoofed number. Do you mind if I call you right back? I promise I’ll renew. And I want you to get credit for the sale, but I need to take one more step.”
The rep was very gracious and cracked up at my honesty. Five minutes later, we completed the transaction after I double-checked the number on their website and my iPhone contacts.
Learn More: Never Trust, Always Verify
#2 – Zero Trust Security: Assume big companies make mistakes on a bigger scale.
Embracing Zero Trust Security means you’re realistic about the scale of big company mistakes.
Although I am no longer a young man, I still fight naïve and idealistic notions that the monolithic brand names I grew up with are immune to data leaks and breaches. A few of the big names include:
- Capital One
- Home Depot
- Neiman Marcus
- Saks Fifth Avenue
Brand awareness goes a long way. Unfortunately, this halo effect sometimes leads to a false sense of security.
Large enterprises have larger security budgets than small and midsized businesses. However, a 10,000-person enterprise and a company with 100 people face the same threats and make the same mistakes, including but not limited to:
- Failing to implement and enforce Multi-Factor Authentication (internally and externally)
- Waiting to update critical security patches
- Postponing the replacement of aging IT infrastructure
- Neglecting to encrypt sensitive customer data
- Overlooking routine backup and disaster recovery weaknesses
Learn More: The 67 Biggest Data Breaches
Changing your address should be simple.
I tried changing my address with a large bank before closing the account. It was the opposite of simple.
First, a few embarrassing confessions. I should have closed my line of credit account when I paid off the auto loan four years ago. Second, waiting four years to move my private mailbox from the UPS store near my old condo to the UPS store near my new townhouse was a little slack.
I finally got motivated and submitted a change of address form. I also sent the bank an official cancellation letter. However, it took a few hours to make these changes.
I visited their branch (and suffered Atlanta traffic) because I couldn’t get anyone on the phone. Plus, I didn’t want to create an online account with a company I was planning to leave. So I handled it in person.
How did they reward me?
The bank sent the address change confirmation to my old mailbox instead of the new one. On a positive note, they successfully canceled the credit card because it no longer appears on my credit report.
I am glad it worked out because I would flip if my line of credit statement landed in the wrong mailbox (and hands), along with $10,000 in fraudulent charges.
What happens to millions of people who don’t take extra steps and follow up with well-known American institutions? They become victims of simple and avoidable clerical mistakes.
I’ve received credit card statements and portfolio reports for the past four years from the two previous owners of my townhouse. I also received three 2020 mail-in ballots addressed to one of the previous owners. Good thing I’m not a crook or a voting fraudster!
Sadly, these errors have a cascading effect that opens doors for malicious incursions into IT systems, bank accounts, and user identities.
#3 – Zero Trust Security: Take personal responsibility to protect your private information and financial assets.
Zero Trust Security means exercising personal initiative because you can’t count on anyone else to protect your assets.
I recommend you adopt some or all of my Zero Trust Security policies.
My Integris work routine
- Log into Windows every morning at 7 AM
- Open my password manager on my browser and enter my corporate email address
- The MFA platform pop-up appears, and I enter my corporate email again
- MFA prompts me to enter my password
- The MFA app pops up on my cellphone with a red or green button to verify I am the one requesting access to M365
- Another pop-up asks me, “Do you trust this browser?”
- Then the Microsoft Online Login appears and inquires, “Stay signed in?”
- After clicking ‘yes,’ I go to my password manager to access various apps
These steps take less than a minute. And I practically follow them in my sleep – mainly because I’ve only had one cup of coffee by 7 AM, so I am still asleep.
My personal account routine
- Maintain Identity Theft Protection and Recovery Coverage
- Use my personal password manager
- Keep credit frozen and only unfreeze it for special situations
- Check credit scores monthly through my credit card provider and Identity Theft Protection and Recovery provider
- Conduct monthly Dark Web scans through my Identity Theft Protection and Recovery provider
- Set withdrawal alerts for every dollar amount on my checking account
I maintain rigid security controls in my personal and business life to lower financial risk, save time, and prevent a personal breach from becoming a corporate breach and vice versa.
Learn More: Identity Theft Protection & Recovery
Your Zero Trust Security Journey
The Aussie Telco breach will quickly fade from memory as new cyberattacks flood the news cycle.
The world faces an endless supply of cyber risk because threat actors continuously refine their infiltration techniques.
I believe Optus when they claim to have sophisticated cyber security tools. But “sophisticated” only goes so far. Cyber gangs consistently invent new methods to evade the radar.
It’s time to take power back. Each of us should take small steps to change things we can control.
Although the exchange with my HVAC provider could have been awkward, I enjoyed building community, evangelizing cybersecurity best practices, and promoting my company’s philosophy.
Schedule a free consultation if you have questions about Zero Trust Security.