Employees are now accessing ‘the office’ from different locations and from a range of devices and that has left traditional domain-based security exposed. Especially when you consider the mix of private and public clouds and servers they are using, leaving the door open for cyberattacks. And cybercriminals have happily made the most of the opportunity - last year in the UK, 39% of small businesses reported having a cyber security breach and 65% of medium-sized businesses identified breaches, which was significantly higher than the year before (46%).
Using a Zero Trust approach means you can support your people to work from anywhere, on any device, securely, while still protecting them and your business against threats.
What is Zero Trust?
Brought to the fore by then-Forrester analyst John Kindervag, Zero Trust is based on the old Russian proverb “never trust, always verify”. It is important to note early on here that it does not mean businesses stop trusting their employees. But Zero Trust does lessen the burden on them.
In a basic sense, Zero Trust means everything is considered suspicious until proven otherwise via authentication processes placed across a business’ IT portfolio. For example, one of your people usually uses their laptop in the office but today they are out visiting a potential customer and need to access the company SharePoint off-site. With a Zero Trust policy, a Multi-Factor Authentication (MFA) will kick in automatically when they try to access SharePoint, asking them to verify their identity and sign in securely mitigating the risk of malicious domains and unauthorised sites.
Alongside device usage policies and the encouragement of regular cyber hygiene, there is still a responsibility on the employee but with additional policies and extra layers of security provided by MFA, they are considerably supported in making the right choices.
So how can you implement it?
Thankfully, taking the steps to introduce a Zero Trust framework is straightforward. Here are the steps to take:
Know your data and assets: What devices are your people using? What software do they use? Talking to them and listening to what they use, what data they store where and what they need is vital and allows you to identify weaknesses.
Identify your users and partners: Once you have accessed your assets, it’s time to find out who uses them. A user directory allows businesses to uniquely identify each individual and device to assess if they should be given access.
Write the rules: Your people control whether they install the latest updates, know what a secure password looks like or remain knowledgeable about the plethora of risks out there. Help them and encourage an environment where they can be honest about what they use without recrimination.
When looking at partners and suppliers, you are also perfectly within your right to audit your supply chain and understand their own security capabilities. Don’t be afraid to set the standards you expect.
Put identity and access controls in place: It’s here where you can introduce Multi-Factor Authentication (MFA), adding a layer of security on top of passwords like biometrics or fingerprint recognition to combat human error or credential abuse.
Zero Trust is not about becoming suspicious of everyone including your people. It’s about accepting that an attack is imminent and planning accordingly, alongside making it easier for your workforce to play their part.
Learn more about Zero Trust and how we can help you with your cybersecurity.
