Zero Trust security standard for most organizations, report shows

Financial services take the lead with most widespread implementation of Zero Trust security initiatives.

The Zero Trust model is growing stronger as a majority of all organizations (61%) surveyed have already implemented it, and 35% are planning to start in the next 18 months, Okta’s 2023 State of Zero Trust report shows. That’s a big increase over previous years – only 24% of organizations had adopted the initiative in 2021, and 55% last year.

The Zero Trust security initiative is a strategy to ‘never trust, always verify’, which requires all users from both inside and outside a network to use various types of verification to gain access to resources on a network.

The report surveyed 860 information security decision-makers from North America (United States, Canada); EMEA (Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden, United Kingdom); and APJ (Japan, Australia), and focused on the software industry (45%), retail (14%), financial services (12%), healthcare (10%), public sector (10%), education (7%) and others (15%).

Financial services

Financial services, followed by the software industry, are the sectors with the strongest Zero Trust security initiative today. About 71% of financial organizations have already implemented an initiative, 22% are said to be planning to start within the next 6-12 months, and 8% after that. The software industry follows closely, with 69% implementation, 21% planning to start within 6-12 months, and 6% after.

In 2021, only one-third of the financial service respondents and fewer than one in 10 had a defined Zero Trust initiative.


Graphic: Martina Lindberg

The trend is seen across all regions and organization sizes. Companies with 5,000-9,999 employees had the highest implementation rate – 75% had set an initiative and 23% were planning to. In companies with 500-999 employees, only 49% had implemented a Zero Trust security initiative – although 44% were planning to do so.

“In light of the continued explosive growth of breaches and data theft, as well as prescriptive guidance by NIST (National Institute of Standards and Technology) and CISA (Cybersecurity and Infrastructure Security Agency), none of this should be terribly surprising,” Okta says.

Security higher priority than usability

With rising threat factors and actors on the market, most surveyed – across all regions – said that security is a priority compared to usability. More than two in three companies either have set security as a top priority or opted for a mix of 75% security – 25% usability.

That is a major change from 2021, when usability was the priority in the middle of the pandemic and remote working. Then, organizations in EMEA were the least likely to put security as the top priority (21%), compared to 37% of North Americans.

Another critical factor is identity – which has empowered the Zero Trust initiative. Last year, 27% of all respondents said that identity was extremely important to their overall Zero Trust security strategy. This year, the identity factor has increased to 51%. And nearly two-thirds of North American organizations rated identity as extremely important. Only a small number of respondents called identity neither important nor unimportant, or somewhat or extremely unimportant.

Looking at the actual safety measures, passwords remain the standard for authentication, and are used by more than half of all respondents.

North American organizations mostly use security questions (a similarly low-assurance factor), an option which is the second most common globally and in EMEA and APJ.

Even though low-assurance factors can be easily compromised by hackers, many of the respondents are still using hardware OTP and SMS/Voice/Email OTPs, the report shows.

Medium-assurance factors (MFA), like physical token OTPs and push authenticators, are used less (36% and 29%, respectively), and only 19% are using high-assurance factors like platform-based authenticators and biometrics.

“We expect to see MFA continue its march to the mainstream, while increasing regulations will likely push industries like financial services and the public sector toward passwordless and other high-assurance phishing-resistant authentication factors,” Okta says.

Increasing budgets

The report also shows that organizations are spending more money on Zero Trust. A fifth of all respondents said they had a budget increase of 25% or more in the last 12-18 months, and 60% had an increase of between 1%-24%. NAM countries reported spending even more – 37% said that their budgets increased 25% or more, and more than one in seven between 1%-24%. Only 1% globally said that their budget decreased.

The highest increase was seen in the software industry, where 28% said that the budget had increased 25% or more, and more than half (56%) reported an increase of between 1%-24%. Almost one in five (19%) of organizations in both the financial services and healthcare sectors had their budget increased by 25% or more, and 60% vs 61% said between 1%-24%. Only 1% of healthcare, financial, and software organizations had their budgets decreased.

“To get to true Zero Trust, organizations need to address data security and privacy concerns (including regulatory guidelines) while keeping their workforces humming along productively,” Okta says. “Companies need solutions that integrate easily and quickly into their existing tech stacks and ecosystems to extract the greatest possible value from their investments.”