If you visualize cybercriminals as archers, their gallery of targets became much more crowded at the beginning of the pandemic and is showing no signs of thinning. With the proliferation of remote work, the sheer volume of a small business’s endpoints has grown drastically. And with the dramatic increase in cyberattack targets, many of them poorly protected, cybercriminals are having a field day.
Small and midsize business (SMB) IT professionals and managed service providers (MSPs) are scrambling to avoid a near-constant barrage of cyberattack attempts. According to recent research, small businesses (fewer than 100 employees) experience 350% more social engineering attacks than an enterprise. That same research revealed that one in five companies had at least one compromised account in 2021.
Why are SMBs so vulnerable? And how can MSPs employ a zero-trust solution to help protect them?
Why SMBs Are Particularly Vulnerable
SMBs are oftentimes more vulnerable to cyberattacks than their larger counterparts because they lack the resources to protect themselves from every angle. IT teams at SMBs—and in some cases, just a single IT person or an MSP—are tasked with implementing the best technology to cover as many vulnerabilities as possible. However, cybercriminals are launching more sophisticated attacks beyond malware and spam. Their new phishing lures often sidestep email filtering systems, and as an SMB attack surface expands through new work devices and accounts, there are simply too many openings left in their armor.
Additionally, phishing attempts often zero in on high-value accounts, such as those belonging to CEOs, CFOs, and executive assistants. Unlike large corporations that often shield their C-suite from unsolicited emails, small business leaders are more visible in their community and may distribute their business email addresses more freely.
Understanding Zero Trust as the Solution
Zero trust is an excellent solution for SMBs that are bogged down by cyberthreats and have limited resources to allocate to company cybersecurity. Zero trust upsets the traditional “castle and moat” model of cybersecurity, wherein all you need is a password to cross the moat and gain entry to the castle full of valuable company secrets. The castle-and-moat approach is easily breached, as credential stuffing and phishing attempts are common and low-effort cyberattacks.
A better metaphor is to think of zero-trust architecture as a type of internal law enforcement agency, representing many different validation points, barriers around sensitive content, and strict controls even on verified users. An individual user may be a citizen in good standing in her virtual city with valid credentials. However, according to zero trust, that still doesn’t give her free rein around the city or allow her to access any information she wants without showing an ID or proof she belongs there.