Despite everyone’s best intentions, too often, cyber incidents originate from what’s known as insider threat: action from an internal source that compromises the security of an organization’s data. By one estimate, insider threat incidents cost organizations an average of $4.58 million per year.
One way to reduce the risk of insider threat is by implementing a zero-trust approach to security. This method requires all internal and external users in the company’s network to continuously authenticate and validate their credentials to access company tools and data. Here’s how it works.
What is zero trust?
Traditional network security relied on the principle, “trust but verify.” Think of traditional network security as a locked house. If you have the key to the front door, you can walk around the interior of the house freely. The same is true digitally: Once a user is authorized on your company’s network (e.g., by logging into their employee account), they can access files and apps with minimal additional authentication steps.
[Read more: CO— Roadmap for Rebuilding: Protecting Business Data and Assets]
The zero-trust approach assumes that every connection and endpoint is a threat. In this approach, the front door is locked — and so is every room inside the house. Users need different keys to open each room, and not every user has the same set of keys.
Zero trust uses the principle of least privilege (PoLP). Essentially, a user or program should have the minimum privileges (or, to follow the metaphor, house keys) necessary to perform their job. For instance, only an employee whose job it is to transfer payment to your vendors should have access to the vendor’s bank account details.
[Read more: Protecting Your Business Data in a Hybrid World]
How does zero trust work?
At first, the zero-trust approach seems like an employee may spend their whole day logging into different programs just to access the information they need to work. And while there is a fair amount of oversight and set up required on behalf of your IT team, there are tools that make zero trust more accessible to small businesses.
Limiting the access of each user means a hacker can only infiltrate so far.
“Zero-trust security can work on various levels of a computer system (networking, program execution, storage, and more) to block unknown activity,” wrote The Fool. “The administrator specifies a set of rules to enumerate permitted activities, and the software will evaluate every activity against that set of rules to determine whether it's on the allowed list. If it’s not, the activity is blocked.”
In practice, zero trust security requires identity and access management practices such as:
- Requiring employees to set strong passwords that are updated regularly (and consider using a password manager).
- Implementing multifactor or two-factor authentication.
- Creating a policy for who can access company data on Google Workspace, Slack channels, cloud storage, and other shared platforms.
- Adding endpoint security tools that can protect the devices of those working remotely or in shared coworking spaces.
Zero-trust security can get quite technical. You may want to consider bringing in a consultant who can train your staff on the strategy underpinning a zero-trust approach. Since many threats originate from mistakes and poor security practices from within the organization, a zero-trust approach needs to be coupled with training and education.
[Read more: Protecting Your Business Data in a Hybrid World]
Why should you implement a zero-trust approach?
A zero-trust approach can help protect your company data from cyberattacks. Limiting the access of each user means a hacker can only infiltrate so far; if one account is compromised, you may still be able to lock down other systems.
Furthermore, a zero-trust approach provides a way to constantly monitor for insider threats. “It provides organizations with adaptive and continuous protection for users, data and assets, plus the ability to manage threats proactively,” wrote IBM. “In other words, this practice of never trust and always verify aims to wrap security around every user, device and connection for every single transaction.”
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.
CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.