Business cyberattacks have surged 47% since 2024, primarily exploiting a single flaw: trust.
Statistics like this are mentioned so often in the news that they’re no longer staggering. But looking at the following chart, you can better visualize the impact. Every login, every device, and every file within the business sector far exceeds those in other areas like education, government, and healthcare.
These threats underscore a major change in cybersecurity protection, and zero-trust security emerges as the modern answer. The principle of zero-trust emphasizes “least-privilege” access and assumes nothing (and no one) is safe. It reduces breaches by constantly verifying users and devices and rechecking them throughout the session.
The First Rule of Zero-Trust
I think most people, at some point, have used the cultural analogy from the 1999 film Fight Club to express some critical and unbreakable rule—“The first rule of Fight Club is: you do not talk about Fight Club!”
The way I see it, this is the same key principle of zero-trust (and my opportunity to incorporate a great movie line):
The first rule of zero-trust is: you do not forget to verify!
The second rule of zero-trust is: you DO NOT forget to verify!
This zero-trust architecture, developed in 2010 by cybersecurity expert John Kindervag, is a proven way for organizations to protect themselves by assuming no one inside or outside the company network is trustworthy. It sounds harsh, I know, but everyone (and everything) must constantly prove they’re allowed access to sensitive information.
Traditional security models generally trust people and devices once they’re inside a company’s network. However, with remote work, cloud computing, and more devices connecting from everywhere in the world, these old models need a good knockout punch.
The Mother of Invention
The entire zero-trust concept was built on the premise that breaches are assumed and that attackers can compromise assets from both inside and outside an organization.
A recent 2025 study by NIST (National Institute of Standards and Technology) examined what top cybersecurity leaders are doing to bring zero-trust architecture from buzzword to business-as-usual. These experts prioritize a handful of controls that work in concert to protect resources across in-house and cloud environments. This means closing the gaps, reducing the noise, and letting people work securely from anywhere—while keeping tabs on everyone.
Identity serves as the new security perimeter, with multi-factor authentication as the new normal. It’s the practice of demanding proof—most often explained as “something you know, and something you have”. It’s not just a password anymore; it’s a second screen tap, a biometric scan, or a PIN. Every device that connects, whether it belongs to the company or is someone’s personal phone, is a potential front door for an attack. Devices must be enrolled, checked, and managed.
Access is not automatic; a device’s health is verified again and again, with threats detected early, and responses triggered quickly.
In addition, applications within a network are often treated with a healthy suspicion. Even after a person logs in, what they’re able to do is often limited, and any unusual activity—like a late-night data export—raises a flag for immediate review. Several research links for this article were blocked until I verified their source. For me, that’s the way I like it. I’d rather be covered by several blankets of protection than be left out in the cold.
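To make the checks described above concrete, here is an added example (not from the original article or from any vendor's product): a per-request access decision that re-verifies MFA, device enrollment and health, and least-privilege permissions, and flags an off-hours data export for review. The role names, action names, and time thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example; tune to your environment.
MAX_MFA_AGE = timedelta(hours=8)         # second factor must be this recent
MAX_POSTURE_AGE = timedelta(minutes=15)  # device health re-verified this often
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59
ROLE_ACTIONS = {                         # least privilege: explicit allow-list
    "analyst": {"report:read"},
    "finance": {"report:read", "data:export"},
}

@dataclass
class Request:
    role: str
    action: str
    at: datetime                   # time of this request
    mfa_at: Optional[datetime]     # last successful MFA, None if password only
    device_enrolled: bool
    device_healthy: bool
    posture_at: datetime           # last device health check

def decide(r: Request) -> tuple:
    """Run on every request in the session, not only at login."""
    if r.mfa_at is None or r.at - r.mfa_at > MAX_MFA_AGE:
        return ("step_up", "MFA missing or stale")
    if not r.device_enrolled:
        return ("deny", "device not enrolled")
    if not r.device_healthy or r.at - r.posture_at > MAX_POSTURE_AGE:
        return ("deny", "device health failed or check is stale")
    if r.action not in ROLE_ACTIONS.get(r.role, set()):
        return ("deny", "action not granted to role")
    if r.action == "data:export" and r.at.hour not in BUSINESS_HOURS:
        return ("flag", "off-hours export sent for review")
    return ("allow", "all checks passed")

def demo():
    """Constructed requests from one day; returns the decision for each."""
    d = lambda h, m=0: datetime(2025, 1, 6, h, m)
    reqs = [
        Request("analyst", "report:read", d(9, 5), d(9), True, True, d(9)),
        Request("analyst", "report:read", d(9, 30), d(9), True, True, d(9)),
        Request("analyst", "data:export", d(10), d(9), True, True, d(9, 55)),
        Request("finance", "data:export", d(23, 30), d(22), True, True, d(23, 25)),
        Request("finance", "report:read", d(11), None, False, True, d(11)),
    ]
    return [decide(r)[0] for r in reqs]
```

The second request is denied even though the same user and device were allowed 25 minutes earlier, because the device health check has aged past the threshold; that is the "verified again and again" behavior in practice.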
The New Rules of Access
There is a well-known “castle-and-moat” security analogy where everything inside the castle walls (the network) is trusted, meaning once you make it across the moat and are allowed inside, you’re free to roam. Network security is no longer about one big murky moat surrounding a castle, but more about dividing up the castle into secure rooms. This makes it harder for an attacker to move through your environment (and do as they please with the Lords and Ladies). Even if someone finds a way in, access continues to be strictly limited.
Zero-trust, with all of its automation, intelligence, and real-time analytics, is now the name of the game, and adopting this security model isn’t a matter of opening a box and flipping a switch. In the end, it is common sense, not paranoia or foolishness. It is being realistic about how risk has changed, even within the past year. This is an approach that recognizes what’s at stake and puts continuous, thoughtful verification at the center of the ring. In a time when trust is highly fragile, the critical, unbreakable rule is: do not forget to verify.
Additional reading:
The Challenge of VPN Security: (Atlantic Data Security) Learn why VPNs have become critical for modern business, some of their inherent risks, and upcoming trends and developments that will impact the role of VPNs.
Beyond Passwords: The Revolution of Passkeys: (Atlantic Data Security) Passkeys offer a more secure and user-friendly alternative to passwords for accessing online accounts.
The Three Tenets of Zero-Trust Security: With the Zero Trust model, authentication and authorization are functions that cybersecurity teams perform before allowing access to network environments, and other uncertain sources.
NIST 2020 Report: An introductory guide (NIST Special Publication 800-207) to zero-trust for enterprise security teams. It is a roadmap for bringing zero-trust principles into real-world IT environments. This 2020 report is referenced in the 2025 study by NIST mentioned in the above article.
Graphic: (Mooney, R. 2025) Ransomware Roundup: H1 2025 Stats on Attacks, Ransoms, and Active Gangs.
Michael Civisca is a freelance contributor for Atlantic Data Security. ADS has established itself as a pioneer in the cybersecurity industry with customized solutions for its clients for over thirty years.