How bad is the human security weakness problem? Verizon’s 2022 Data Breaches Investigations Report says 82 percent of data breaches have human involvement. This involvement can mean misconfigurations, poor security policy implementation, negligence, and falling prey to social engineering schemes. Essentially, a vast majority of data breaches have penetrated cyber defenses because of human carelessness, inconsistencies, and gullibility.

However, with the rise of the zero trust security principle, some say that human security weaknesses are about to drop significantly or even be eliminated. By taking away all forms of trust or presumptions of regularity, the chances of bad actors exploiting undesirable human traits (when it comes to cybersecurity) can be significantly reduced. But will this actually be the case?

Adopting zero trust

The concept of zero trust is relatively new, introduced in 2010 by Forrester researcher John Kindervag. Since its introduction, it has gained traction and is now one of the aspirations of modern cybersecurity. A 2022 survey by a security firm shows that 100 percent of organizations believe that zero trust architecture is important in addressing cyber risks. However, the same survey also shows that only 21 percent of enterprises implement the zero trust architecture.

This sounds self-contradicting to some extent, which is quite reflective of the state of modern cybersecurity. Almost everyone has a sense of what works and what they should do to protect their IT assets and infrastructure. Unfortunately, only a few invest in the most effective solutions. This is not to say that not many are interested in implementing the best security strategies. After all, there are serious challenges in adopting the zero trust principle full-on.

Still, it has been more than a decade since zero trust was introduced, so expecting significant progress is not asking for too much. Even the current United States federal government is explicitly advocating for it (through a 2021 executive order), highlighting the zero trust model as the top strategy to improve cybersecurity in the country.

Zero trust security is certainly not an impossible goal. There are many ways to implement it, like building zero trust networks and ensuring zero trust in the handling of workloads, data, access permissions, and devices. Organizations can adopt most or even all of these implementations. Given the rapid evolution and increasing aggressiveness of cyber threats at present, aiming for zero trust security cannot be considered an ideal but a necessity.

Challenges of implementing zero trust security

To address the difficulties of adopting zero trust, it is important to know and understand the challenges facing it. As mentioned, organizations understand the benefits of this security model. However, they have to contend with inescapable realities.

Prevalence of legacy systems and devices – One of the biggest challenges in embracing zero trust is the prominence of legacy systems. Around 80 percent of enterprises continue using legacy IT tools. An overwhelming majority of businesses still use old, non-digital, and even obsolete devices and systems for IT monitoring and other related purposes. This does not bode well for zero trust, since most legacy systems are not compatible with zero trust mechanisms such as device certification, multi-factor authentication, next-gen endpoint security, encryption, and identity protection tools.

Complexity and resource requirement – Expect organizations that still use legacy systems to find newer technologies to be too complex for them. There is an unsurprising aversion to using new hardware, software, and other resources. It is also difficult to iterate zero trust methods and mechanisms with legacy systems and processes.

Data handling and classification – Organizations nowadays generate a deluge of data, which needs to be properly classified to ensure effective zero trust security implementation. There is a need for comprehensive data discovery and sorting, which is not going to be an easy task because of the complexity and multi-location operations of most organizations.

User experience changes and cultural resistance – Embracing zero trust means significant changes in the usual ways of doing things. This entails a considerable impact on user experiences not only among employees but also the customers of a business. Access to resources or user accounts would have to require additional authentication or verification procedures. Many hesitate to take on this challenge, so they prefer to defer attempts to adopt zero trust security.

Ultimately, adopting zero trust has major requirements, including capital outlay for new hardware and software, training for employees, and the pain points of changing experiences. These entail significant costs, which is something not many organizations have, especially with the current state of the global economy.

Can zero trust end human weaknesses in cybersecurity?

The challenges listed above are not meant to paint a grim picture of zero trust’s impact on human weaknesses in cybersecurity. On the contrary, they show that the difficulties are not without solutions. Legacy systems can be replaced. Processes can be changed. Workplace culture and user experiences are not unchangeable. However, it is important for organizations to have the solid determination to undertake all of these to achieve better security.

Zero trust does not promise to annihilate the inherent human weaknesses in cybersecurity. However, it takes away most of the exploitable opportunities associated with people that have plagued IT systems and networks for a long time.

For example, the institution of strict identity and access management for everyone, regardless of their position in the organization, prevents someone with administrative or high-level access to IT resources from spreading malware they have unwittingly obtained from a social engineering attack. It prevents anyone from mistakenly changing configurations to open loopholes for threat actors to exploit.

Additionally, zero trust security usually comes with the principle of least privilege, which dictates that users are granted only the minimum privilege or level of access they need to perform a specific task. This access may also be time-limited or subjected to a session timeout policy to make sure that users do not unknowingly create vulnerabilities or opportunities for attacks.

Zero trust may also employ multi-factor authentication, which creates layers of challenges for hackers. Cybercriminals may be able to obtain the username and password of a user, but they also have to obtain a session or transaction password before they can log in to an account. This additional password is usually sent via SMS or email, which can be quite difficult for hackers to get. In some cases, biometric data or answers to secret questions may also be required.

Moreover, zero trust security can also take advantage of micro-segmentation to isolate parts of a network into smaller, more manageable segments. These segments can then be subjected to specific security controls and policies depending on the nature of the processes and data they are handling. Continuous monitoring can also be implemented to ensure that vulnerabilities are remedied promptly, and threat actors find no opportunity to exploit them.

Zero trust is not seen to completely end human weaknesses in cybersecurity because security systems now and in the foreseeable future are still under human control overall. It may only do this once everything is AI-managed, which is quite a long shot. The prospect of AI having autonomy over cybersecurity does not appear too reassuring. It can pose new and unknown challenges, which can be more dangerous than the current cyber threat landscape.

The future of zero trust

Despite the challenges, the good news is that the forecasts for zero trust are trending upwards. A 2023 report shows that the global zero trust industry is set to reach a $142.6 billion market value by 2030, growing at a CAGR of 22.1 percent. This growth is among the highest in the tech sector, which includes cloud computing, which has an estimated CAGR of 23.4 percent.

Zero trust security is seen to be gaining ground. It may not promise to eliminate human cybersecurity weaknesses, but it can create significant barriers not possible with standard security approaches. This alone is a promising enough premise for anyone to consider zero trust as a formidable solution to the perennial problem of human vulnerability in cybersecurity.