Cyber crime is big and growing

Five steps to beginning the 'zero trust' journey

Brad Raiford

Brad Raiford

Director Advisory, Cyber Security Services, KPMG US

+1 832-527-5624

Opportunities for cyber breaches have expanded exponentially over the past several years.

By 2025, global cybercrime damage is expected to reach S10.5 trillion annually. And in the U.S. in 2020, the average data breach cost organizations SB.64 million.

For oil and gas companies, the stakes can be even higher. Considering the essential role they play, both nationally and globally, and depending on the nature and severity of a breach, a company's ability to survive as an ongoing entity can be called Into question.

That's why more companies are taking a zero trust approach to shore up its cyber defenses. Even the U.S government has strongly endorsed the zero trust concept. The Biden Administration recently rolled out a zero trust mandate for federal agencies and the fall out is expected to ultimately filter down to private industry.

Zero trust basics: The perimeter-less border/Trust no one

With zero trust, you establish what is often referred to as a “perimeter-less" defense system based on the principal of never trusting and always verifying individuals and devices, regardless of whether they are inside or outside of the organization. Before access to a system or app is granted, the person or device seeking access must be identified, assessed verified and authorized. And this authentication process takes place each and every step of the way.

With zero trust, whomever (or whatever) attempts to access your systems - along with the device they're using - is identified, assessed, authenticated and authorized in light of the system they are trying to access, and that session is continuously monitored. And when they seek to access another system, the process is done all over again.

This stands in marked contrast to the traditional “castle and moat” cyber security defense, where once a person (or device) manages to cross the moat and enter or breach the front door or wall of the castle, there's relatively easy access to the “crown jewels." That approach is no longer enough in this new world environment where cyber criminals are more cunning then ever and more employees - as well vendors, contractors, suppliers and even business partners - need Immediate access to data from enterprise apps and systems located anywhere in the world and from any device via the internet.

Key potential benefits of zero trust

Key potential benefits of a zero trust approach are that (1) it prevents bad actors from getting authorized and then accessing your system and (2) in the event of an initial breach. Your company would be able to detect and isolate the Intruding person, device or "bug" and tum off its access to the system, not allowing it to pivot or escalate the attack. For example, one of the world's leading shipping companies, was brought to a standstill by cybercriminals who installed ransomware on a local office server in the Ukraine. The virus then spread throughout the company's entire global network, causing an estimated $250- S300 million in damages. But a zero trust approach, with Its multiple reauthentication security and continuous session monitoring process, could have limited the damage to the Ukraine and not caused a company-wide shut down.

"If done correctly, a zero trust approach doesn't just block cyber criminals and bad actors from doing things they shouldn't be able to do; it enables people to do their jobs better - with less friction and a higher degree of security"

Brad Raiford
Director, Cyber Security Services,

Similarly, in 2021, a state-owned oil company was the victim of a cyber attack. The perpetrator accessed confidential data through the system of a third-party contractor with whom Aramco did business. Although its business operations weren't interrupted, the cybercriminal demanded $50 million from Aramco or threatened to sell the information to any other party for $5 million. Had been operating a zero trust strategy, it’s unlikely its systems would have been breached.

There are a host of other potential benefits to be gained by a zero trust approach. For example, it can:

  • Improve network visibility, breach detection, and risk vulnerability management
  • Break down interdepartmental siloes as IT, HR, marketing, operations compliance, and others need to work together to get it right
  • Reduces both capital and operational costs in the long-term
  • Enables and supports digital business transformation and improved business agility


"Perimeter-less" design — Connecting from a particular network must not determine which services you can access


Context-aware Access to services is granted based on what we know about you and your device


Dynamic access controls — All access to services must be authenticated, authorized, and encrypted


Continuous assessment — Shifts away from one-time binary decisions


Fine-grained segmentation — Uses granular policies and controls to segment network and access


Active risk analysis — Discovers, monitors, assesses and prioritizes risk, both reactively and proactively


Establish and review trust — Performs risk and trust assessments early and often


Real-time monitoring — Continuous feedback and anomaly detection

How KPMG can help

KPMG can help organizations implement zero trust models starting with strategic business case orientation, helping create roadmaps leading all the way up to technology integrations and implementations.

Our professionals understand oil and gas systems, processes, and complete cyber challenges. Our first-hand experience with industry operations and cultures can help determine the best method and technology options to solve the most complex and urgent cyber security challenges while strengthening your organization's ability to handle emerging and evolving threats.

Cyber security regulation, malicious actors, acts of nature, and accidents will not slow down while organization's leaders are thinking about their next cyber security steps.

Start planning or continuing your zero trust model implementation now so your organization is more prepared for what might happen next.

Do please get in touch if it stimulates any thoughts or questions that you would like to discuss.

Please reach out to Brad Raiford with questions or to discuss how KPMG can help your business.