Most people believe that when your company is a small business, then it would be having scarcity of productive capacity, resources and budgets, even if it desires to tighten its information security. My opinion is that it does not have to be...
I think that if such businesses adopt the right Zero Trust approach, they still can protect their data, avoid data breaches.
Idea is simple that your databases, IoT devices, and other network devices ask for a correct security implementation.
All successful small businesses usually move and grow rapidly. If your company is one of them, the you would be seeing that they’re bringing on new contractors and employees, experimenting with new technologies and ideas, expanding to new locations, and doing this all in a matter of days.
You also might be seeing that such company is frequently engaging with experts in cutting edge technologies like app development, AI, ML, etc. These companies keep doing all such things in order to give the company its competitive edge. Smart companies are in pursuit of growth, and bring new employees and contractors on the board at a frenetic rate. It is quite common to see that they also granted access to their cloud to get involved with the work, but in doing so, the security vulnerabilities begin to get their foothold in the information systems.
-
The speed that successful startups and small businesses experience can be addictive, but such companies tend to believe that putting more work into information security will cause them to slow down. It is something they don't want and perhaps cannot afford too.
Yet, such companies are witnessing that their sensitive information/data will find themselves in hacker's crosshairs more and more frequently.
I would like to suggest that they MUST adopt ZERO TRUST approach without any delay. It would allow them not to sacrifice their speed. Instead, it would ensure that their security will be in right shape... All small businesses can secure their systems, time, and intellectual property by reducing their risk of falling prey to a massive data breach.
-
HOW SMALL COMPANIES CAN IMPLEMENT ZERO TRUST?
Step 1: Management of Privileged Accounts
You should start tracking, monitoring and auditing all your privileged account access in real-time, including metadata. If you do that, it will ensure that you have a full picture of each user's intentions and actions within privileged accounts. You would know that-- who is using your company’s network.
You will have a full chronology of the user's actions within accounts and it is highly invaluable when it comes to cybersecurity. It gives you a much stronger chance of preventing malicious use of such accounts as and when it happens. It will also help you to discover how these incidents happen in the first place.
Furthermore, it allows you to meet the many regulatory requirements - such as HIPAA, SOX, and PCI-DSS, etc.
Step 2: Intelligent Use a Password Manager
A good password manager is worth its weight in gold when it comes to cybersecurity. If you have accounts that have access to valuable intellectual property or customer data, then securing them behind a solid password is essential. A password vault is also highly recommended, making sure that access is only granted to users who are thoroughly identified before any login credentials are released. Smart usage of password manager will also allow you to regularly update the passwords of your users on a predefined time periods.
Step 3: Mandatory Use of Multi-Factor Authentication
Individually, we all understand the importance of MFA in security of our accounts over the internet. But when it comes to using the same for all and every employee, contractor, partner, or admin account. There has been numerous incidents when the admins themselves lost access to their accounts just before the breach or data-exfiltration. MFA would have warned them before them that something sinister is about to happen.
That's why you must ensure that multi-factor authentication is used compulsorily. It is one of the most important cybersecurity precautions you can take. It significantly reduces the chances that a bad agent will gain access to privileged accounts.
In fact, one recent study found that over 70% of all breaches involved access to a privileged account. The study also found that over 50% of companies had not implemented multi-factor authentication, leaving their most valuable accounts inadequately protected.
Step 4: Securing The Credentials Of Network Devices
It is having the same importance as the Step-1. You must diligently manage and monitor the privileged access credentials of your ALL network devices as part of your Zero Trust approach. Small businesses are continually pressed for time, and in their effort to achieve many of their goals, they often forget basic security best practices.
For example, any manufacturer preset passwords or login credentials need to be changed immediately. As these are often easy to crack and/or well known to bad agents, they are often the cause of data breaches or malware infections. All devices and accounts must be documented and their passwords must be noted in your password vault. Small business are no exception!
Step 5: Remote Access Management
You should make sure that every time when your employees, vendors, contractors are accessing your information systems REMOTELY, all remote access is 100% secure across all the platforms you have allowed them to use.
In fact, it is more important that the remote access you grant them is only limited to the job critical resources. Remote access is a minefield for cybersecurity issues.
Remember that unsecured Wi-Fi can become gateways for bad agents to access your systems. So it is important that such remote access is given using a prescribed VPN channel...
-
Likewise, if you have open IoT networks, securing them behind SSL certificates is a must. For everything, though, businesses must take a Zero Trust approach of always verifying accounts, never taking anything on trust alone, and always making sure privileges are double-checked.
By implementing these five Zero Trust factors, you can ensure that you are building a secure, scalable business that is capable of tackling the most common causes of data breaches.
-
Palo Alto recommends that you must begin all of your Zero Trust efforts by mapping your 'Protect Surface' instead of mapping the attack surface. The protect surface encompasses the critical data, application, assets and services——most valuable for your company to protect.
You must be willing to identify the followings in your protect surface:
• Data: Credit card information (PCI), protected health information (PHI), personally identifiable information (PII) and intellectual property (IP)
• Applications: Off-the-shelf or custom software
• Assets: SCADA controls, point-of-sale terminals, medical equipment, manufacturing assets and IoT devices
• Services: DNS, DHCP and Active Directory
Once you do that properly, all of your subsequent decisions and implementation would be well orchestrated...
-
Please let me know of what do you think about this in the comment section. You can also share with all if the information shared here helps you in some manner.
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM