Protecting small and medium-sized enterprises (SMEs) from cyber threats goes beyond traditional firewalls. A zero-trust approach is now essential, offering enhanced security against insider threats and risks associated with remote work. Despite the initial investment, transitioning to zero trust is highly recommended for SMEs, writes Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa.
The traditional approach to cybersecurity resembled a castle’s defences. Threats were assumed to come from outside, with firewalls and other tools protecting the organisation’s perimeter. This model presumed that users and systems within the network could be trusted.
However, this approach no longer works. Why? Because, in many cases, the danger lurks from within. A perimeter-based model doesn’t account for threats from within the organisation, such as employees with malicious intent or compromised accounts. Secondly, the shift towards remote work, accelerated by the Covid-19 pandemic, has led to employees working from various locations using personal devices and unsecured networks. This makes maintaining a secure perimeter increasingly challenging. Thirdly, many businesses now depend on cloud services, blurring the boundaries of the traditional network perimeter. Lastly, cybercriminals have honed their skills, particularly in phishing attacks. They can now bypass traditional defences and exploit weak credentials and vulnerabilities within the network.
What is zero trust?
In cybersecurity, the zero-trust approach means not trusting anything by default and, instead, verifying everything. This means that all users, inside or outside the organisation’s network, must be authenticated, authorised, and validated before accessing applications and data.
Unlike the traditional model that assumes trust once inside the network, zero trust continuously verifies and monitors all access attempts and network activities. This fundamental shift in approach addresses the limitations of perimeter-based security by treating every access request as if it originates from an untrusted network.
Zero-trust architecture prioritises secure access to resources, independent of network location, user, or device, by implementing strict access controls and continually inspecting, monitoring and logging network activity. This approach demands data-level protection, a robust identity framework and careful micro-segmentation to establish granular trust zones around an organisation’s digital assets. The core principle is “never trust, always verify”.
Although zero trust usually refers to IT architecture, I love taking this principle further to the human domain. I call it the zero-trust mindset. When applied to individuals consuming information online, it calls for a healthy dose of scepticism and constant verification.
Benefits and how to implement zero trust
For SMEs, there are myriad advantages to having a robust zero-trust approach in place:
- Protection against insider threats: Zero trust minimises the potential damage that an insider can cause both intentionally or unintentionally, by limiting access based on user identity, role, and behaviour.
- Enhanced security for remote workers: Employees can securely access resources regardless of location, ensuring secure collaboration without compromising security.
- Least-privilege access: This approach enables businesses to apply least-privilege access, which means users only have access to the data and resources they need.
- Reduced impact of breaches: In the event of a breach, zero trust minimises the attacker’s ability to move laterally within the network, reducing the scope and impact of the attack.
SMEs are notoriously cash-strapped. How can they afford to implement zero trust? My response would be: It is risk based and companies need to weigh up investments versus potential impacts. The damage caused by a data breach extends beyond the material to reputational damage. Also, a zero-trust approach can be phased in. It doesn’t have to happen all at once. Businesses can choose which elements to incorporate first. I suggest leveraging cloud solutions, as many cloud providers offer built-in zero-trust tools, which can simplify the process for businesses that already use cloud services. Secondly, by implementing phishing-resistant multi-factor authentication (MFA), you can ensure that users are who they claim to be. This adds an extra layer of security, especially for remote access.
Lastly, remember your employees. If not implemented carefully, zero trust can impact their productivity by adding too many authentication steps or access restrictions. Business owners must lead a cultural shift when adapting to a security model that assumes no trust. Employees need to be trained on the benefits of zero trust and how to work with the new model to reduce resistance and improve overall adoption.
By gradually implementing these measures and focusing on employee education, SMEs can significantly enhance their security posture without overwhelming resources or disrupting operations.