- “Zero trust” refers to a new type of security architecture focused on users, assets, and resources, as opposed to static network perimeter defense.
- Zero-trust architecture (ZTA) was created as a response to changes in working conditions, such as an increase in remote work and use of cloud environments.
- ZTA can limit the impact and severity of cyberattacks, as well as mitigate some of the most concerning cybersecurity challenges, like ransomware.
- This article is for business owners and IT employees who want to learn about ZTA and how to implement it to increase cybersecurity.
Even as businesses and individuals seek a return to something like normalcy following the COVID-19 pandemic, ripple effects of the pandemic are here to stay. One major trend has been the accelerated pace of technology adoption by businesses. In fact, a McKinsey & Co. report found the pandemic has caused businesses to bring their digital transformations forward by seven years or more.
Changes like the normalization of hybrid workforces and work-from-anywhere arrangements have drastically shifted office culture and security practices. Simultaneously, technologies that further these practices, such as workplace virtualization and cloud computing, have expanded in popularity. These shifts have enabled greater flexibility for employees and a wider talent pool for companies, but they have also increased security concerns.
IBM’s most recent report on the topic found the average cost of a data breach for a small or midsize business in 2021 was $2.98 million, a 26.8% increase from 2020. However, IBM also found that one of the most effective methods for mitigating a breach, or at least reducing the impact and cost of one, was a zero-trust security model.
With that in mind, we’ve put together this guide to explain exactly what zero trust is, the benefits of using it, and why SMBs need to focus more on their security.
What is zero trust?
The U.S. National Institute of Standards and Technology (NIST) defines zero-trust architecture as a security practice focused on users, assets, and resources as opposed to a more static practice of network-based perimeter defense. Essentially, ZTA assumes that any network is already breached and that administrators should focus on authenticating and validating users.
ZTA focuses less on defending a network through older cybersecurity tools like firewalls (although this is still good practice) than on encouraging business owners and IT administrators to find ways to protect data within a network. It achieves this by continuously authenticating, authorizing, and validating user identity before granting access to any data, resources, or networks.
This shift in thinking is largely due to the way working conditions have changed. ZTA allows a business to craft more effective security policies and procedures for remote users, cloud-based systems not within a business’s own network, BYOD (bring your own device) policies, and employees or third parties potentially using other devices to access workplace resources.
Key takeaway: ZTA is an updated security framework focusing on user authentication, authorization, and validation, whether or not that user is within the business’s network. Unlike earlier security concepts, it does not assume a traditional network edge; networks can now extend into the cloud, so cybersecurity systems must as well.
What are the basics of zero trust?
As ZTA assumes any user account within a network – or the network itself – is already breached, the security model requires some changes in thinking from past security models. Per IBM’s Cost of a Data Breach Report 2021, ZTA requires rigorous use of analytics and AI systems to continuously authorize and validate user connections. This authorization and validation relies on established behavioral and environmental baselines, against which security tools can compare any dubious activity.
For example, a network following a ZTA system establishes baselines for when an employee typically tries to access work data (behavioral) and from what locations they work (environmental). Knowing this information, a network using ZTA would be able to flag and potentially deny access attempts outside of the employee’s normal work hours or from a different state or country. This sort of continuous authorization and validation, even for resources an employee routinely has access to, can help prevent data breaches and other cyberattacks.
While setting baselines is one of the key principles of ZTA, you’ll need to follow other critical tenets:
- Secure all communication and resources. For instance, encrypt all your network data, and require measures like multifactor authentication.
- Grant only the minimum permissions. All employees should have the least number of privileges necessary to carry out their work responsibilities.
- Employ real-time monitoring. Constantly collect information such as when your employees are active on the network and where connections are coming from and going.
- Set defaults to “deny” for access controls. The majority of tech hacks are due to poor access management. All users and devices should automatically be blocked from your business’s network and data unless otherwise specified.
- Constantly measure the security of all devices. You can measure your business’s security with tools like a Continuous Diagnostics & Mitigation system. CDM tools constantly check for known malware infections and determine if approved devices on the network are up to date on security patches. They may also block access to data or network resources for devices that aren’t in their most secure states.
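The baselines described above and the tenets in this list (mandatory multifactor authentication, least privilege, device posture checks, and default deny) can be combined into a single access decision. The following Python is an added example written for this article, not code from the article, NIST, IBM or any vendor: the role table, the Baseline, DevicePosture and Request types, and the evaluate_request function are all constructed names. The design choice here is that hard failures (no MFA, a resource the role was never granted, a device that fails its posture check) are denied outright, while a deviation from the user's behavioral or environmental baseline returns "challenge", so the attempt can be flagged or sent to step-up authentication rather than silently allowed.

```python
"""Toy zero-trust policy decision point.

Added example, not from the article or any vendor: ROLE_PERMISSIONS, Baseline,
DevicePosture, Request and evaluate_request are constructed for illustration.
"""
from dataclasses import dataclass

# Least privilege: each role lists only the resources it needs (constructed sample).
ROLE_PERMISSIONS = {
    "accounting": {"ledger", "payroll"},
    "sales": {"crm"},
}


@dataclass(frozen=True)
class Baseline:
    """Behavioral and environmental baseline for one user (constructed)."""
    work_hours: tuple      # (start_hour, end_hour), local 24h clock, end exclusive
    countries: frozenset   # countries the user normally connects from


@dataclass(frozen=True)
class DevicePosture:
    """What a CDM-style agent reports about the connecting device (constructed)."""
    managed: bool
    patched: bool
    malware_free: bool


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    country: str
    hour: int          # local hour of the attempt, 0-23
    mfa_passed: bool


def evaluate_request(req, baseline, device):
    """Return (decision, reasons); the default is deny, and every check must pass."""
    hard_failures = []
    # Secure all communication and resources: MFA is mandatory on every request.
    if not req.mfa_passed:
        hard_failures.append("mfa-required")
    # Least privilege: the role must explicitly grant the resource.
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        hard_failures.append("not-authorized-for-resource")
    # Measure device security: unmanaged, unpatched or infected devices are blocked.
    if not (device.managed and device.patched and device.malware_free):
        hard_failures.append("device-posture-failed")
    if hard_failures:
        return "deny", hard_failures

    deviations = []
    # Environmental baseline: connection from an unexpected country.
    if req.country not in baseline.countries:
        deviations.append("outside-usual-location")
    # Behavioral baseline: attempt outside the user's usual working hours.
    start, end = baseline.work_hours
    if not start <= req.hour < end:
        deviations.append("outside-usual-hours")
    if deviations:
        return "challenge", deviations
    return "allow", []


def run_samples():
    """Evaluate four constructed requests and return their decisions by name."""
    alice = Baseline(work_hours=(8, 18), countries=frozenset({"US"}))
    healthy = DevicePosture(managed=True, patched=True, malware_free=True)
    unpatched = DevicePosture(managed=True, patched=False, malware_free=True)
    samples = {
        "normal": Request("alice", "accounting", "ledger", "US", 10, True),
        "wrong-resource": Request("alice", "accounting", "crm", "US", 10, True),
        "odd-hour-abroad": Request("alice", "accounting", "ledger", "DE", 3, True),
    }
    results = {name: evaluate_request(r, alice, healthy) for name, r in samples.items()}
    results["unpatched-device"] = evaluate_request(samples["normal"], alice, unpatched)
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:18} -> {decision} {reasons}")
```

Running the block prints one decision per sample: the normal request is allowed, the request for a resource outside the role is denied, the unpatched device is denied, and the 3 a.m. attempt from an unexpected country is challenged with both baseline deviations listed, which is the "flag and potentially deny" behaviour the article describes.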
Why SMBs should use a zero-trust model
A zero-trust model is one of the easiest and most efficient ways to improve your business’s overall security.
Benefits of a zero-trust model
According to cloud security company Zscaler, one of the largest benefits of adopting zero trust is limiting the impact and severity of cyberattacks. It mitigates your business’s overall risk of various cyberattacks and incidents, like supply chain attacks, ransomware attacks, and insider threats.
If a cyberattack still happens, ZTA reduces the associated cost to your business. IBM’s report found that businesses with mature ZTA paid 42.3% less per breach on average than businesses that hadn’t started employing ZTA.
Besides reducing your business’s potential attack surface, ZTA can help you closely adhere to compliance initiatives. Zscaler noted that ZTA supports initiatives like PCI DSS for businesses that accept credit cards and NIST’s SP 800-207, which makes it easier to prove your business’s compliance during security audits.
Cybersecurity company CrowdStrike also noted that ZTA can improve visibility on a network for administrators while helping to contain potential breaches. Both of these benefits come from ZTA only allowing access to approved users after proper authentication and validation. By implementing ZTA, you can see exactly who is on your network and why, and limit them to certain resources or segments of the network.
Did you know?: Business data encryption is a key component of ZTA. According to IBM’s Cost of a Data Breach Report, strong encryption (at least AES-256) was the third most efficient means of lowering the cost of a breach in 2021. Businesses that encrypted their data had 29.4% lower data breach costs than businesses that used low-standard or no encryption.
Additional security for SMBs
ZTA is a critical tool for small businesses’ security, as SMBs face an overall worsening cybersecurity environment. According to the Cyber Readiness Report 2022 compiled by the insurance company Hiscox, SMBs with annual revenues of just $100,000 to $500,000 can now expect as many cyberattacks per year as businesses earning $1 million to $9 million.
These cyberattacks can have long-term implications for business. In Hiscox’s survey of IT professionals, 21% said their company’s solvency was threatened after an attack. Additionally, 22% of these businesses recorded a loss of customers, as well as greater difficulty attracting new customers. Approximately 27% of respondents also noted a negative impact on their brand and company reputation following a cyberattack.
Unfortunately, SMBs are likely to be targeted repeatedly. In Fortinet’s survey for The State of Small Business Security 2022, 71% of businesses with fewer than 500 employees confirmed or believed they’d been a victim of a cyberattack in the past year. Among companies with fewer than 25 employees, almost a quarter experienced at least four cyberattacks throughout 2021.
All sizes of SMBs reported social engineering as their top security concern, as well as the top reason they believed a security incident affected them in 2021. Fortunately, as Fortinet noted, implementation of ZTA limits the chances of success and the ultimate impact of a social engineering attack. Tools like multifactor authentication – a pillar of ZTA – can also mitigate credential theft and potential attacks.
Key takeaway: According to Hiscox, the most common point of entry for a cyberattack in 2021 was a cloud server. ZTA can help prevent this sort of attack.
How to implement zero trust for your SMB
Whole-cloth implementation of ZTA can be difficult if your business lacks technical expertise or dedicated IT staff. In this case, it may be easiest to outsource the work to a managed service provider (MSP). A qualified MSP should be able to install the necessary tools and configurations for ZTA within your business.
If you do have a dedicated IT team capable of establishing ZTA, the best method is to break down the transition to zero trust into small action items. Different security vendors and cybersecurity companies break down the ZTA journey into different numbers of steps. RSI Security, a leader in cybersecurity compliance, lays out seven steps businesses can take to establish ZTA, while network security company Palo Alto Networks breaks down the creation of ZTA into a five-step method.
Whichever methodology your SMB follows, you need to take a few fundamental steps for ZTA to work:
- Establish a system that lets you know exactly who is on your network, why they are there, and what they are accessing at any given time.
- Decide what security tools you need, such as intrusion detection systems or next-generation firewalls.
- Build out an in-depth policy of who should be able to access what resources, and from where and when.
- Implement network monitoring software that logs all internal and external traffic. Review these logs regularly against your established baselines to identify any suspicious activity.
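The last step, reviewing collected logs against established baselines, is the part of the procedure that is easiest to show in code. The following Python is an added example written for this article, not code from the article or from any monitoring product: the key=value log format, the sample log lines (including IP addresses from the 203.0.113.0/24 documentation range) and the function names parse_line, build_baselines, review and run_review are all constructed. It learns a per-user baseline (working-hour window, countries seen, resources used) from a history of successful accesses, then reports every recent event that falls outside that baseline, as well as accounts with no history at all.

```python
"""Review access logs against per-user baselines.

Added example, not from the article or any vendor. The log format, the sample
lines and the function names are constructed for illustration; a real deployment
would parse whatever format its own monitoring software emits.
"""
import re
from collections import defaultdict

# Constructed key=value access-log format with an ISO-8601 UTC timestamp.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Constructed history used to learn what "normal" looks like for each user.
HISTORY = """\
2022-04-25T09:02:11Z user=alice src=10.0.4.21 geo=US resource=crm result=success
2022-04-25T13:40:52Z user=alice src=10.0.4.21 geo=US resource=crm result=success
2022-04-26T17:15:09Z user=alice src=10.0.4.21 geo=US resource=ledger result=success
2022-04-26T22:10:00Z user=alice src=203.0.113.9 geo=DE resource=crm result=failure
2022-04-25T08:30:00Z user=bob src=10.0.7.3 geo=US resource=wiki result=success
2022-04-27T16:05:44Z user=bob src=10.0.7.3 geo=US resource=wiki result=success
"""

# Constructed recent lines to review against those baselines.
RECENT = """\
2022-05-02T10:12:30Z user=alice src=10.0.4.21 geo=US resource=crm result=success
2022-05-02T03:47:19Z user=alice src=203.0.113.9 geo=DE resource=ledger result=success
2022-05-02T11:00:02Z user=bob src=10.0.7.3 geo=US resource=ledger result=success
2022-05-02T12:00:00Z user=carol src=10.0.9.9 geo=US resource=crm result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for a line that does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["hour"])
    return event


def parse_log(text):
    """Parse every well-formed line of a log, silently skipping unparseable ones."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def build_baselines(events):
    """Per-user baseline: observed working-hour window, countries and resources.

    Only successful accesses count: a failed attempt from an unusual place must
    not teach the baseline that the place is normal.
    """
    base = defaultdict(lambda: {"hours": [], "geos": set(), "resources": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["hours"].append(e["hour"])
        b["geos"].add(e["geo"])
        b["resources"].add(e["resource"])
    return {
        user: {"hour_range": (min(b["hours"]), max(b["hours"])),
               "geos": b["geos"], "resources": b["resources"]}
        for user, b in base.items()
    }


def review(events, baselines):
    """Return (timestamp, user, reason) for every event that deviates from its baseline."""
    findings = []
    for e in events:
        b = baselines.get(e["user"])
        if b is None:
            # An account with no history is itself worth a look under default deny.
            findings.append((e["ts"], e["user"], "no-baseline-for-user"))
            continue
        deviations = []
        if e["geo"] not in b["geos"]:
            deviations.append("new-geo")
        lo, hi = b["hour_range"]
        if not lo <= e["hour"] <= hi:
            deviations.append("unusual-hour")
        if e["resource"] not in b["resources"]:
            deviations.append("new-resource")
        if deviations:
            findings.append((e["ts"], e["user"], ",".join(deviations)))
    return findings


def run_review():
    """Learn baselines from HISTORY and review RECENT against them."""
    return review(parse_log(RECENT), build_baselines(parse_log(HISTORY)))


if __name__ == "__main__":
    for ts, user, reason in run_review():
        print(f"{ts} {user:6} {reason}")
```

On the sample data the review flags alice's 03:47 access from a new country, bob's first access to a resource he has never used, and carol, who has no baseline at all; alice's earlier failed attempt from that same country is deliberately excluded from her baseline, so it does not make the later success look normal. In practice the baseline window would be learned from weeks of data rather than a handful of lines, and the findings would feed the same flag-or-deny decision the article describes.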
What else SMBs can do to protect against attacks
While ZTA can mitigate various security incidents, it is not foolproof and should be just one measure in your defense-in-depth strategy. Fortunately, ZTA works well with other security best practices that are easy to implement at a low cost:
- Educate your employees on common attack types and their warning signs. Training should focus on specifics, such as not clicking on links or opening attachments from unknown or untrusted senders.
- Require employees to use unique, strong passwords whenever possible. Also consider storing passwords securely with password managers.
- Follow our guide on how to improve your SMB’s cybersecurity in an hour via simple security changes and updates.