Aug 10, 2022

Lagging Zero Trust Adoption Places Critical Infrastructure at Risk

The recent publication of the annual Cost of a Data Breach report from IBM and Ponemon Institute offers valuable insights into the impacts of security solutions on corporate cybersecurity risk. Among the findings of the 2022 report is that the lack of zero trust adoption in critical infrastructure has a significant influence on both the risk and the cost of a data breach in this sector.

The Importance of Zero Trust for Operational Technology

Until recently, corporate security strategies were largely, if not exclusively, perimeter-based. Security solutions deployed on the network perimeter are designed to keep external threats out while allowing trusted insiders unrestricted access to corporate IT assets and resources.

This security model has several significant weaknesses, including its vulnerability to insider threats or attackers who manage to breach the secure perimeter. The fact that many traditional remote access solutions — such as virtual private networks (VPNs) and the Remote Desktop Protocol (RDP) — operate under this model is a major reason why they are a common target of attack by cyber threat actors.

The zero trust security framework was created to address the limitations of the perimeter-focused strategy. Instead of trusting insiders by default, access in the zero trust model is granted by continuous verification of identities. Moreover, all access decisions are informed by least privilege access controls supported by strong authentication.

The 2021 hack of a water treatment facility in Oldsmar, Florida, and similar incidents underscore the importance of implementing zero trust security controls for operational technology (OT) as well as information technology (IT). Cyberattacks against OT systems and environments can have real-world impacts and can significantly disrupt critical processes.

How Zero Trust Impacts a Data Breach

The latest Cost of a Data Breach report reveals how various security solutions can impact the cost of a breach. While the average breach costs $4.35 million, this amount can vary dramatically by industry and by which security tools are in place at the affected organization. Data breaches in the industrial and energy sectors typically fall slightly above the average, with average breach costs of $4.47 million and $4.72 million, respectively.

For the last two years, the Cost of a Data Breach report has examined the impact of a zero trust security policy on the cost of a breach. This year, companies with a zero trust security architecture in place paid an average of $950,000 less for a data breach than those relying on a more traditional security framework. Even more significantly, companies with a mature zero trust program had data breach costs $1.51 million lower than those just starting their zero trust journey.

The report also calls out critical infrastructure for lagging far behind other sectors when it comes to zero trust adoption. While 41% of organizations overall have implemented some degree of zero trust access, only 21% of critical infrastructure organizations have done so. As a result, the 79% that lack a zero trust deployment experienced an average data breach cost of $5.40 million, compared to an average of $4.82 million for the sector as a whole.

Reducing OT Security Risks with Cyolo

Remote access is especially vital for critical infrastructure, as operators regularly manage geographically distributed OT systems. Third-party vendors, who are at the root of many data breaches, also frequently need access to critical infrastructure systems in order to perform health checks, carry out maintenance procedures, and complete other crucial tasks. By replacing legacy remote access solutions — such as VPNs and RDP — with zero trust network access (ZTNA), organizations can secure remote and third-party users and dramatically reduce both the risk and the potential cost of a data breach.

Cyolo offers the only identity-centric remote access solution designed to meet the unique needs of critical infrastructure and OT systems. Learn more about overcoming the security challenges of OT by signing up for a free 1:1 demo.

Jennifer Tullman-Botzer


Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
