
The Zero Trust imperative for SMBs

Tarun Desikan at SonicWall explains the critical extra value of implementing Zero Trust

 

There’s no way around the fact that SMBs are now squarely in the crosshairs of cyber-criminals, partly because they make the easiest targets. That’s due to a combination of factors, including but not limited to SMBs holding sensitive customer information, having traditionally weaker “one man band” security infrastructure, and often being unprepared for modern cyber-threats. 

 

It’s not a matter of if, but when these organisations are attacked. And so companies must have robust security measures built on the assumption that they will be targeted. This is where Zero Trust comes in. 

 

What is Zero Trust?

At its core, it’s a security framework that by default assumes no user or device is trustworthy. Think of it as a reversal of the traditional “castle-and-moat” security model: it continuously calls for verification not just of identity, but also of device posture and context.

 

While this may sound like an excessive response better suited to large enterprises, SMBs are actually the best beneficiaries of Zero Trust architecture. Because SMBs are smaller, less reliant on legacy infrastructure, more agile and increasingly cloud-native, Zero Trust is both easier for them to implement and provides more immediate benefits.

 

This is compounded by the work environment’s move toward remote and hybrid models. Users are accessing systems from home, the office, and on the move more than ever. Employing Zero Trust protocols can dramatically reduce the attack surface for threat actors. Now, this sounds like an awful lot of work to implement. In reality, decision-makers need to appreciate that the shift to Zero Trust doesn’t call for a disruptive rip-and-replace approach. 

 

In fact, it starts by modernising just the most basic part of your setup: remote access. Zero Trust policies are incredibly quick to implement and set up, and they are priced per user. This makes them scalable along with the growth of your SMB.

 

If organisations buy into the myths of cost and difficulty, and keep relying on legacy VPNs, their networks will remain forever flat and too implicitly trusting. A single compromised user could quickly put a whole system at serious risk of major disruption.

 

Is Zero Trust relevant when businesses have MFA?

While multi-factor authentication is critical, it’s not bulletproof. Attackers now bypass MFA with phishing kits, hijacking, and more recently AI-generated deepfakes. Integrating MFA with Zero Trust shifts security to the assumption that attackers will get in, and places guardrails that limit damage and exposure when they inevitably do.

 

Attack vectors are constantly evolving and cyber-criminals are relentless in developing new tactics, techniques, and procedures. This necessitates a proactive and flexible approach to cyber-security, which includes adopting protocols and security architectures like Zero Trust. 

 

We only need to look at the recent spate of highly disruptive credential theft attacks to see the need for Zero Trust. Take the debilitating ransomware attack on M&S in April, resulting in an estimated £300 million loss for the company. This attack can be attributed to one single entry point through a third-party provider as a direct result of a SIM swap, in which SMS codes are intercepted to hoodwink MFA procedures.

 

Zero Trust, though, goes beyond just basic MFA, looking at device posture and contextual signals. This kind of entry point would trigger alerts if the security procedures were correctly established in a Zero Trust system. Zero Trust goes further still, compartmentalising and segmenting systems and networks, blocking lateral movement and limiting cyber-attacker access.

 

A mindset shift

Zero Trust is not just a technical solution but a mindset shift for SMBs. It’s not a magic shield, but by focusing on continuous verification, segmentation, and breach assumption, SMBs can contain threats before they escalate. Ultimately, Zero Trust empowers SMBs to build resilience, protect customer trust, and support growth in a threat-filled digital landscape.

 

The mandate is clear: assume your network will be penetrated, adopt Zero Trust, and work to minimise the disruption when it is.

 


 

Tarun Desikan is VP of Product Strategy at SonicWall

 

Main image courtesy of iStockPhoto.com and Supatman



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543