Northeast IS, a leading managed technology services provider (MTSP), announced today that they are helping small to mid-sized businesses (SMBs) implement a “Zero Trust” security framework in order to keep pace with the shifting strategies of today’s cybercriminals. As cybercriminals continue to outpace enforcement agencies, many small businesses have sought to fortify their own defenses so they can resist the widely-popularized ransomware attacks and minimize downtime in the event of an attack. However, as cybersecurity continues to grow in popularity and many businesses have invested into various IT tools, apps and procedures to create a “secure cyberperimeter” around their IT network, Northeast IS implores business owners to question that underlying IT security model. In fact, they are urging businesses to understand why that model may be antiquated and is no longer is sufficient as the world shifts more permanently to a remote workforce.
In years past, most businesses could simply hire a Managed IT services firm to secure their IT network. Those firms would craft a customized “technology stack” to essentially build a strong exterior IT “wall” to repel attacks and would integrate it. However, in the event of a breach, hackers who were sophisticated enough to bypass the “secure perimeter” would gain unparalleled lateral access to damage other critical systems, by which they could inflict more unnecessary damage, costly downtime and recovery costs. In the past, many Managed IT services providers responded to this by protecting their clients’ networks much like how a king would protect his castle. Essentially, they would rely heavily on having tall, impenetrable IT “walls” protecting the kingdom. As long as nobody could penetrate the walls, everyone would remain safe. However, as COVID-19 and the huge shift to a remote workplace became commonplace, this fragmented IT networks, so it became difficult even identify what the perimeter of the IT network was. For example, if your employee occasionally works from alocal coffee shop, do you need to also secure that IT network? What if they constantly shift between different devices, like their smartphone and computer? What if their battery is dead and they borrow their wife’s phone to remotely access the network?
As hybrid cloud has become the predominant model for most businesses, this method of IT security quickly found its obsolescence because it allowed cybercriminals to take advantage of the vulnerabilities that a remote workforce has exposed. The central problem is that once a hacker penetrated the “walls,” they would have carte blanche to inflict maximum damage on the rest of the organization because they could move horizontally to access other critical systems with relative ease.
The solution for this problem lies in the “Zero Trust” model which differs because it turns your IT network defense system into a model more similar to how a airport security works. For example, if you wanted to access your seat on the airplane, first you must purchase a ticket, then you must confirm your identity at check-in, then you must disclose personal information, then you must pass a security checkpoint with strict regulations that’s being actively monitored, then you’re conditionally given access to the gate until your identity is verified one last time to ensure you are reaching the precise seat on the plane that was reserved for you. The entire process is surveilled, controlled and has multiple opportunities to prevent a breach. The entire process requires you to verify your identity, the purpose of your travel and forces you to adhere to strict regulations, repeatedly. When a businesses blindly trusts random apps or third parties to access their infrastructure, it would be like giving someone unlimited access to the entire airport, as long as they verified their identity on their smartphone on the drive to the airport. It’s a ridiculous visual, but is alarmingly fitting to how many businesses are running their IT departments. C.G. Frink, President of Northeast IS, stated, “We firmly believe that every cybersecurity defense plan should include a layered approach to security. We endorse the ‘Zero Trust’ model because it closes so many of the loopholes which cybercriminals rely on.”
While most business owners typically delegate this type of IT responsibility to an in-house expert or an external IT firm that’s hard to manage (unless the CEO is also an IT expert), there are three main identifiers which business owners can check for to verify that their network presently adheres to the “Zero Trust” model. The three primary differentiators are that their network should 1) require extensive identity authentication, 2) offer minimal “as-necessary” access to employees and 3) assume that breaches are occurring on a regular basis. This approach is necessary in order for businesses to remain secure while the future of work inevitably progresses into a direction where businesses must be able to handle the technological demands to support flexible, remote, distributed teams.
“While we’ve operated with this type of philosophy for a very long time, it’s important that the mainstream understands what’s shifting in cybersecurity,” stated C.G. Frink, President of Northeast IS. “Just because cybercriminals have grown sophistication, does not mean that a business needs to recede into simply hoping they don’t get attacked. Our job is to educate, prepare and secure our clients’ assets so they can remain focused on higher priorities than IT. It’s challenging enough to build a business without becoming an IT expert in the process and if we can create the peace of mind for our clients that allows them to get back to growing their organizations to new heights, everyone wins.”