If you visualize cybercriminals as archers, their gallery of targets became much more crowded at the beginning of the pandemic and is showing no signs of thinning. With the proliferation of remote work, the sheer volume of a small business’s endpoints has grown drastically. And with the dramatic increase in cyberattack targets, many of them poorly protected, cybercriminals are having a field day.
Small and midsize business (SMB) IT professionals and managed service providers (MSPs) are scrambling to avoid a near-constant barrage of cyberattack attempts. According to recent research, small businesses (fewer than 100 employees) experience 350% more social engineering attacks than an enterprise. That same research revealed that one in five companies had at least one compromised account in 2021.
Why are SMBs so vulnerable? And how can MSPs employ a zero-trust solution to help protect them?
Why SMBs Are Particularly Vulnerable
SMBs are oftentimes more vulnerable to cyberattacks than their larger counterparts because they lack the resources to protect themselves from every angle. IT teams at SMBs—and in some cases, just a single IT person or an MSP—are tasked with implementing the best technology to cover as many vulnerabilities as possible. However, cybercriminals are launching more sophisticated attacks beyond malware and spam. Their new phishing lures often sidestep email filtering systems, and as an SMB attack surface expands through new work devices and accounts, there are simply too many openings left in their armor.
Additionally, phishing attempts often zero in on high-value accounts, such as those belonging to CEOs, CFOs, and executive assistants. Unlike large corporations that often shield their C-suite from unsolicited emails, small business leaders are more visible in their community and may distribute their business email addresses more freely.
Understanding Zero Trust as the Solution
Zero trust is an excellent solution for SMBs that are bogged down by cyberthreats and have limited resources to allocate to company cybersecurity. Zero trust upsets the traditional “castle and moat” model of cybersecurity, wherein all you need is a password to cross the moat and gain entry to the castle full of valuable company secrets. The castle-and-moat approach is easily breached, as credential stuffing and phishing attempts are common and low-effort cyberattacks.
A better metaphor is to think of zero-trust architecture as a type of internal law enforcement agency, representing many different validation points, barriers around sensitive content, and strict controls even on verified users. An individual user may be a citizen in good standing in her virtual city with valid credentials. However, according to zero trust, that still doesn’t give her free rein around the city or allow her to access any information she wants without showing an ID or proof she belongs there.
Thus, a zero-trust architecture is much more secure because it assumes that every internal system is either breached or at risk of breach. Business accounts are fiercely guarded by IT and credentials are only distributed to team members who absolutely need them. Through this approach, if a user’s account is hacked, the damage is isolated to as few sensitive accounts as possible.
Technology Is Here to Help
While SMBs could mandate security training for end users every day, cyber arrows are still bound to strike. Employees are often too busy and laser-focused on business tasks to catch every potential threat. SMBs must go beyond user education and acquire the right tools, including secure remote support technology, with a built-in zero-trust architecture and security features that don’t impede usability. It’s critical that businesses understand the delicate balance they must achieve to provide convenient, scalable, and secure technology solutions that minimize cyberattack risks.
PADDY SRINIVASAN serves as chief product and technology officer for GoTo (formerly known as LogMeIn) and has previously held the role of senior vice president and general manager for the company’s customer engagement and support business and vice president of products and engineering for Xively (acquired by Google).
