Cybersecurity for SMEs: seven steps to a Zero Trust approach

Written by Denis Dorval, VP of EMEA, JumpCloud

Never trust, verify everything! This is the premise on which the “Zero Trust” approach was founded. This model of cybersecurity involves implementing controls designed to ensure that only verified users can access company resources, and only from similarly approved devices.

This strategy is increasingly being adopted in response to the challenges faced by small and medium-sized enterprises (SMEs), such as the continued evolution of hybrid working, the use of Bring Your Own Device (BYOD) and the increasing number and sophistication of cyber-attacks. Whereas SMEs previously thought they weren’t a target, they are now seen as the weaker link from a hacker’s perspective and are increasingly falling victim to cyber-attacks.

Today, businesses operate in a complex digital environment, which poses increasing IT security challenges for companies of all sizes. For smaller businesses, without large IT resources or big security budgets, the risks can be even more daunting. Threats are constantly changing, and trying to identify and prevent them all can leave SMEs struggling to keep pace.

However, adopting a new paradigm can also seem insurmountable, especially when a single mistake can bring productivity to a screeching halt. Here JumpCloud offers seven key tips to help SMEs navigate the path to adopting a Zero Trust approach to security.

1. Draw up a digital inventory

It is important to list your digital assets: networks, data, devices, workflows and identities. Likewise, it is vital to understand where sensitive data is located, how it flows through the organisation, the users who access it and the devices they use to access it. This information will enable you to prioritise points of protection.

2. Establish identity and access management (IAM) based on the principle of least privilege

SMEs must guarantee that every employee has controlled access to the digital resources they need, while excluding those they don’t. Identity and access management (IAM) has become ever more important, especially in a hybrid working environment. When properly implemented, it prevents sensitive resources from falling into the wrong hands. For example, contracted administrative staff could gain access to company financial data if least privilege rights are not in place.

3. Adopt multi-factor authentication

Multi-factor authentication (MFA) is an essential element of identity and access management. This security solution requires additional verification factors beyond a basic username and password, and forces users to provide multiple verification methods before accessing any resources. According to Google, this process can stop all automated attacks, 96% of mass phishing attacks and 75% of targeted attacks.

4. Reinforce credentials

Passwords that are too simple, used systematically and changed too infrequently are a godsend for malicious individuals and hackers. It is therefore imperative to ensure that employees use strong passwords; the more difficult they are to decipher, the more effective they are at preventing breaches.

5. Implement mobile device management

With the popularity of hybrid working, managing the multitude of mobile devices is more complicated than ever before. For example, 70% of breaches originate on the endpoint, making it the number one target for attacks. Even more concerning, according to a recent study, 60% of breaches were linked to a vulnerability where a patch was available, but not applied.

Mobile Device Management (MDM) is a set of tools that enable organisations to secure, monitor, manage and enforce policies on employees’ mobile devices. It reinforces cybersecurity by allowing only conditional access and it protects against lost or stolen devices, while ensuring that devices are regularly updated and patched.

6. Reduce your attack surface

The attack surface is the total area of a system, device or network that is vulnerable to hacking. In other words, it is the entire external-facing part of your system, such as company websites, employee portals, expired security certificates and stolen employee credentials. It consists of all the points of access that an unauthorised person could use to enter the system. The attack surface of an organisation can vary depending on use and configuration, but the smaller the attack surface, the easier it is to protect.

7. Prioritise the installation of security patches

IT administrators constantly monitor devices, applications, and systems to identify and correct security flaws. That’s why patch management is an integral part of the Zero Trust model.

While this may seem daunting, it is important to remember that Rome wasn’t built in a day, and neither was the Zero Trust model. There is not a simple switch that can be turned on and off. On the contrary, it’s a combination of best practices, working together to strengthen network security, which can take years to fully implement. For example, it took Google around six years to move from its VPN and privileged network access model to its own Zero Trust network.

However, the threat landscape is continuously evolving, and your security measures should, too. The financial impact and disruption of a breach are undeniable, with cybercrime costs projected to reach an astonishing $10.5 trillion annually by 2025. The old ways of doing cybersecurity are outdated and ineffective, as evidenced by the alarming rate of data breaches and compromised credentials. While implementing Zero Trust comes with its own challenges, the benefits far outweigh the risks. Zero Trust is an ongoing strategy that requires regular updates and adaptations. It demands a culture of continuous improvement and vigilance, making it not just a security model but a long-term commitment to safeguarding your organisation’s most valuable assets.