Security

Why Zero-Trust Security Is the Best Defense for Small Businesses

Cybercriminals focus on identity-based attack strategies because they work. Here’s how to foil them.

Norm Lillis is vice president of small business at CDW.

As the battle between businesses and professional cybercriminals rages on, it’s clear that identity has become the front line. That’s certainly the conclusion that X-Force — a team of hackers, researchers and security responders employed by IBM — came to in its recently released X-Force Threat Intelligence Index 2024.

In the past year alone, “a pronounced surge in cyberthreats targeting identities” represents the “biggest shift,” the report notes.

“In this era, the focus has shifted toward logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns,” the group says.

If that doesn’t persuade you to embrace a zero-trust security architecture, then I don’t know what will.

Click the banner to gain expert advice on improving your zero-trust security model.

More Organizations Are Undertaking Zero-Trust Initiatives

The good news is that most organizations do seem convinced. In fact, 61 percent of organizations had a defined zero-trust security initiative in place last year, up from just 24 percent in 2021, according to a survey by Okta. Organizations are investing more in their security as well, with 89 percent of North American businesses reporting budget increases, and more than a third claiming increases of 25 percent or more.

That’s good progress. But it still leaves nearly 4 in 10 organizations -without a real strategy to defend against cyberattackers’ favorite and most -successful tactics. Smaller businesses are the least secure: Less than half of organizations with fewer than 1,000 employees report having a zero-trust initiative in place. That scares me.

AI Will Enable More Custom-Built Cyberattacks

Zero trust is a “never trust, always verify” approach to security management. It’s not a solution or even a set of solutions, but rather a security mindset that includes solutions, policies, tactics and training. It requires all users to verify their identities whenever they seek access to network resources, regardless of the devices they’re using or the networks they’re logging in from.

Attackers love identity-oriented attack strategies because they work. It’s easier to fool people into giving up their credentials or to click on a corrupt link than it is to hack into networks.

One reason for that is the scalability of sending mass phishing emails. Another is that social engineering exploits people’s natural inclinations to be trustful and helpful: Click rates on phishing emails are nearly 18 percent.

And in the age of generative artificial intelligence, the problem is only going to get worse.

AI systems can easily be trained to communicate in real time, fooling people into thinking they’re texting or emailing another human. They can also quickly scan social media to gather personal details, which can then be leveraged to create attacks -custom-built for individual targets.

“It’s going to get a lot harder in the future as you have attacks that get much more bespoke and far more personalized,” Jeetu Patel, executive vice-president and general manager of security and collaboration for Cisco, told BizTech last year. “Instead of an email from a fake prince offering you $10 million, it’s going to say, ‘Hey, Bob. Nice to see you last night at the game. Here’s a link to some pictures you might want to download.’”

As I said, it’s scary. A zero-trust approach to security, while not foolproof, is any organization’s best chance to avoid and mitigate attacks and to recover quickly from the few that do happen.

To start the process of deploying a zero-trust security model, reach out to a trusted partner.

Getty Images/Nimito