Zero trust is not a standalone solution but rather a comprehensive strategy that combines people, processes, and technologies to enhance the security of small and medium-sized businesses (SMBs). This approach involves a proactive mindset towards security, emphasizing continuous verification and least-privilege access to mitigate risks effectively.
Zero Trust Is a Strategy, Not a Solution
There is no such thing as zero trust in a box. Rather, zero trust is a strategy achieved through the right combination of people, processes and technologies. They’re all related and work together to make SMBs more secure.
People
“When a request looks plausible enough, staff may default to trust rather than protocol, and that’s when things can go wrong,” writes Eric Marchewitz, a field solution architect at CDW. “This constitutes the opposite of zero trust.”
Regardless of how many safeguards a company institutes, there will always be the risk of a person unwittingly trusting a bad actor. The best way to avoid this, Marchewitz writes, is with user awareness training.
“Everyone from the finance department to marketing should know the red flags to watch out for and what steps to take if something feels off,” he writes. “Combine that with regular training, and you create not just cybersecurity awareness, but true cyber resilience.”
Particularly in very small businesses, it’s not unusual for new zero-trust initiatives to be met with some resistance. As part of the training, it’s important to educate users on the benefit of zero trust.
EXPLORE: SMBs are in nation-state hackers’ crosshairs.
Process and Policy
Process ultimately refers to how people go about their business, and policy is key in governing that activity.
“It’s not unusual for a 100-person company to have just a few folks in the finance office who receive and process most, if not all, invoices,” Marchewitz writes. “If those people are targeted with a convincing fake invoice or a spoofed email from a vendor or customer, the odds of an error are high, especially if there’s no policy requiring a second verification step.”
Defining the attack surface is a key first step in architecting policies, according to Fortinet. It will help you identify the systems that are most important to your business operations. You will also walk away with a clearer understanding of the risks to those systems. Zero-trust principles such as least-privilege access, user verification, continuous monitoring and assuming you’ve been branched can all be baked into the process. Policies can be created around defining zero-trust within processes.
Technology
For all of this to work, an SMB will need to implement technologies that enforce zero-trust principles across an IT environment. The list of tools can add up quickly, leading to what Jeremy Weiss, an executive security strategist at CDW, calls “zero-trust tool fatigue.” The key is to make sure the tools are in service to your people and your processes.
“It’s important to ensure that your zero-trust strategy is aligned to your company goals, priorities, risks and culture before selecting or installing additional zero-trust tools,” Weiss writes. The exact tools will therefore vary somewhat based on your ability to define your goals and identify your risks.
For the vast majority of SMBs, some combination of the following resources will suffice:
- Identity and access management: IAM is key to provisioning user identities, granting access and enforcing the principle of least privilege.
- Multifactor authentication: MFA, which is offered as a feature in popular IAM tools including Okta’s, verifies user identities through multiple independent factors. This is critical to helping foil phishing attacks and other attempts to falsify trustworthiness.
- Zero-Trust Networking Architecture: ZTNA, or alternatively, secure access security edge (SASE), help enforce conditional access. In other words, they enable network access based on predefined policies and continuous verification.
- Endpoint detection and response: EDR, which is sometimes a feature of mobile device management offerings, monitors actual endpoints for suspicious or anomalous activity.
- Managed detection and response: MDR or a similar service can analyze data in more advanced ways to detect even subtle anomalies.
Click the banner below to keep reading stories from our new publication, BizTech: Small Business.
