Zero Trust now the norm for most companies

Globally 62% of organisations (61% in EMEA) have a Zero Trust strategy in place, up from 24% in 2021.

Wednesday, 18th October 2023. Posted by Phil Alsop

Zero Trust (ZT) has become the default cybersecurity strategy for global business, according to the 2023 State of Zero Trust Report, released today by identity leader Okta. For the first time since Okta started issuing the State of Zero Trust Report in 2019, the number of organisations that already have a defined Zero Trust strategy in place far exceeds the number still in the planning stages (or without such a strategy).

“We now live in a Zero Trust world,” said Stephen McDermid, EMEA CSO for Okta. “The global figures suggest that within 18 months, nine in every 10 businesses will ‘be ZT’. And businesses are putting their cybersecurity money where their Zero Trust mouth is. Despite widespread cost-cutting, 60% of organisations have seen an increase of up to 24% in their ZT budgets since last year.”

In 2021, fewer than one in four of the organisations surveyed had a ZT strategy in place. By 2023, this number has grown to 61%. In addition, a further 28% plan to implement Zero Trust within the next year and a half.

The report suggests that leaders recognise the primary importance of Zero Trust in enabling today’s digital business. The research shows 93% of the global C-Suite now believe that Identity is important to their business strategy.

The strategy in practice: are passwordless technologies set to explode?

The report demonstrates that, despite growing knowledge of their low assurance value, passwords remain the standard for authentication and are in use at more than half (55%) of the respondents’ organisations, across all regions.

Security questions were the second most commonly used practice, with just 19% of businesses (less than 1 in 5) using high-assurance factors like platform-based authenticators and biometrics.

“In a world where businesses must never trust and always verify, the method of verification is critical,” continued McDermid. “The uncomfortable truth behind recent attacks is that verification based on passwords and simple questions is not enough. Social engineering has evolved dramatically and as such, so should the front line of identity verification. In practice, this will mean passwordless technologies.”

The “People” Factor: security trumps usability – for now

As an insight into the drivers behind this need to address social engineering, respondents to the research cited “People” as the biggest security concern for businesses, with “Network” and “Data” coming in a distant second and third, respectively. While the user has always been rated a top priority, this year it’s an unusual outlier, reflecting an increasing understanding of the critical function of identity in Zero Trust security initiatives.

In the face of this perception that the user remains the weakest link, more than two in three companies either say security is the unquestioned top priority or that their current priority balance is three-quarters security, one-quarter usability.

However, the research also reveals that holes still remain. Only 1 in 5 (20%) of respondents have automated provisioning/deprovisioning for external users such as partners and contractors. This suggests that companies remain especially vulnerable to attacks from within the supply chain.

McDermid added: “Companies have long since recognised that either through malice or simple poor practice, their people represent the single biggest security threat, but these figures suggest that businesses may have been too narrow in the definition of ‘their people’. Suppliers and partners are – from a security perspective – just as risky as an employee. But there seems to be a lag in addressing this.”

Is regulation creating early innovators?

Within this incredibly active global market, there are some clear leaders when it comes to embracing ZT. Companies in financial services and software are more likely to have an initiative in place today (at 71% and 68%, respectively).

58% of public sector organisations have a ZT strategy, with almost another third planning to implement one in the next 12 months.

“It is easy to see the impact of regulation on these figures,” concluded McDermid. “Some industries will face tighter demands that necessitate Zero Trust and drive the market in the short term. We welcome this catalyst for innovation and look forward to seeing what early adopters can show the wider industry.

“The past two years have seen a huge jump in the number of businesses that say identity is a critical part of their Zero Trust strategy. Now that Zero Trust is set to define how business is done, it follows that getting identity right will be a major factor in making that business easier, faster, and better.”