This article was inspired by a JumpCloud webinar featuring cybersecurity experts Fred Wilmot and Chris Castaldo. Wilmot is JumpCloud’s CISO and Castaldo is the author of “Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit.”
That’s the average cost small to medium-sized enterprises (SMEs) pay in damages after one data breach.
The worst part? The majority of organizational leaders underestimate how much the setback will cost them… significantly.
As reported within AppRiver’s Q3 Cyberthreat Index for Business Survey, 70 percent of surveyed decision-makers expected to pay nearly 15 times less than the abysmal reality. The good news is organizations can substantially decrease their risk of data breaches by implementing a few simple policies guided by the security framework known as Zero Trust security.
This article will outline some simple tips IT department leaders can implement to safeguard user data, streamline identity and access management (IAM), and enhance stakeholder compliance. After reading, you will know which tasks to focus on first to receive the most bang for your buck.
What Exactly Is “Zero Trust”?
As cybersecurity author Chris Castaldo emphasizes, it’s helpful to recognize that the Zero Trust Security model isn’t actually anything new:
“IT folks have been relying upon the methodology for decades; back when they were managing mainframes—even before cybersecurity existed,” he says. “An easy way to understand Zero Trust today is to think about the verification stages for physical entrance to an office or building.”
Castaldo calls usernames and passwords the “remote badges of identification.” Today’s technology users may not need to swipe a badge on-premise, but they still need to prove they are who they say they are.
Zero Trust is an IT security framework that protects users, devices, and private data in two ways: users must pass additional verification steps before they can reach IT resources, and the privileges they hold inside those resources are reduced to what their role explicitly needs. Essentially, Zero Trust Security establishes trust every time access is requested, not just upon the first transaction.
The assumption behind Zero Trust security is simple: organizations that trust the validity of their users, devices, and networks at face value are prone to security risks.
Why? Because hackers can (and will) take advantage of organizational trust by compromising, mimicking, and falsifying identities. This is why the mantra of Zero Trust states: the only way to successfully mitigate cyber-attacks is to “trust nothing, verify everything.”
Zero Trust security recognizes that users, devices, and services are all vulnerable entry points for cyber attacks. For this reason, unlike legacy methodologies, modern Zero Trust incorporates an additional layer of identity, authorization, and access management via IAM protocols (more on that in a moment).
Zero Trust is Crucial in 2022
Due to the recent global surge of remote work and cloud-based application usage, securing hybrid work environments is now more essential than ever before.
As reported by NPR, Internet traffic spiked to record levels in 2020 as employers encouraged employees to work from home. Many organizations found themselves scrambling to upgrade outdated security models to accommodate the “new normal.”
“People are now working in Starbucks, working in hotel rooms, working in home office spaces,” says JumpCloud CISO Fred Wilmot. “Thus, organizations need standardized methods to validate that people are who they say they are from any location. This is why you want to apply the Zero Trust principle to the device, not the person.”
According to the Verizon 2021 Data Breach Investigations Report (DBIR), data breaches increased 33 percent worldwide from 2020 to 2021. A whopping 86 percent of the 5,258 incidents were financially motivated.
Cybercriminal rings are increasingly using botnets—automated groups of compromised, internet-connected devices—to invade targets via distributed denial of service (DDoS) attacks or enhance the effectiveness of nefarious activities (e.g., sending large volumes of spam, stealing organizational credentials, spying on users).
And 61 percent of data breaches occur via swiped credentials, including passwords. For these reasons, savvy IT managers and startup founders are becoming increasingly vigilant about applying Zero Trust controls to safeguard data.
6 Tips to Implement Zero Trust Policies (for Startups)
Consider the neverending to-do lists of startup leaders: product engineering, MVP pivoting, fundraising, and more. Is it any wonder founders procrastinate when it comes to cybersecurity? Fortunately, it doesn’t have to be complicated.
“I think it is very achievable regardless of the size of the organization, whether you’re the first security hire or the founder,” Castaldo says. “The key is to ask yourself what you can focus your time on to [achieve the biggest return].”
Below is a summary of Castaldo and Wilmot’s top tips for startups wanting to enforce Zero Trust:
Tip 1: Think in Layers
Both experts recommend approaching initial security efforts by first considering your organization’s most important data and working backward.
“When I joined Crosby, I asked myself, ‘Where do I need to apply security first?’” Castaldo says. “I started by asking myself questions about customer data: where does that data live? Is it just in the RBS database? Who has access to that data? And so on.”
Continue drilling down your questions to uncover data layers. Start by safeguarding what data would be most valuable to an attacker and work your way out. Such prioritization will ensure you’re making the best use of limited resources.
When you’re ready, take the process a step further by applying controls to endpoints—your last position of defense.
For instance, is there a cryptographic match or some type of system key you could authenticate? Does the device have your MDM agent installed? Does it have antivirus protection installed?
Ultimately, cybersecurity requires thinking in layers and applying Zero Trust principles to each of those layers. We recommend investing in endpoint protection software such as a cloud access security broker (CASB), which organizes the data needed to detect irregular activity across networks and devices.
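The endpoint questions above (a device key you can authenticate, an MDM agent present, antivirus present) can be folded into one access decision. The following is an added example, not code from the original article or from JumpCloud; it assumes a hypothetical design in which each enrolled device receives a per-device secret at MDM enrollment and proves possession of it by answering a random challenge with an HMAC, and in which the posture fields are reported by the management agent. All names, keys and the `ENROLLED_DEVICE_KEYS` registry are constructed for the example.

```python
"""Device-posture check for a Zero Trust access decision (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

# Constructed registry: device id -> per-device secret provisioned at enrollment.
# (Hypothetical design; a real deployment would keep these in the directory/MDM.)
ENROLLED_DEVICE_KEYS = {
    "laptop-0042": b"constructed-per-device-secret-0042",
}


@dataclass
class DevicePosture:
    """Posture facts as reported by the management agent on the device."""
    device_id: str
    mdm_installed: bool
    antivirus_installed: bool


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce so a captured answer cannot be replayed."""
    return secrets.token_bytes(32)


def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the enrolled key without revealing it."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def evaluate_device(posture: DevicePosture, challenge: bytes,
                    response: bytes) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed layer is reported, not just the first."""
    reasons: List[str] = []
    key = ENROLLED_DEVICE_KEYS.get(posture.device_id)
    if key is None:
        reasons.append("device not enrolled")
    elif not hmac.compare_digest(device_respond(key, challenge), response):
        # Constant-time comparison so the check itself leaks nothing about the key.
        reasons.append("device key mismatch")
    if not posture.mdm_installed:
        reasons.append("MDM agent missing")
    if not posture.antivirus_installed:
        reasons.append("antivirus missing")
    return (not reasons, reasons)


if __name__ == "__main__":
    nonce = issue_challenge()
    answer = device_respond(ENROLLED_DEVICE_KEYS["laptop-0042"], nonce)
    print(evaluate_device(DevicePosture("laptop-0042", True, True), nonce, answer))
    print(evaluate_device(DevicePosture("laptop-0042", False, True), nonce, answer))
```

The key check is the only layer the device cannot simply assert about itself; the two boolean posture fields are only as trustworthy as the agent that reports them, which is why the decision should consume them from the MDM rather than from the client making the request.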
Tip 2: Turn on Multi-Factor Authentication
Your quickest “win” will be turning on Multi-Factor Authentication (MFA). MFA is a software security method that requires users to enter a minimum of two login factors to verify their identities.
“Start with your organization’s authentication system, whatever that directory service might be,” Castaldo says. “If it’s not turned on, turn on MFA. Yes, there are 20-odd MFA apps you can install on your phone. But that’s a really easy, quick step to verify someone is who they say they are.
Think of MFA factors as pieces of evidence drawn from “something users know,” “something they have,” or “something they are.” The most common factor is knowledge verification, which can take the form of passwords, passphrases, PINs, and personal questions.
Other MFA factors include possession, inherence, location, and behavior. Since most engineers are familiar with MFA and its benefits, taking the time to add this additional layer of sign-on security is a no-brainer.
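The “something they have” factor behind most phone MFA apps is a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226). The block below is an added example written for this article, not code from JumpCloud or from the authors; it implements the algorithm with the Python standard library only and uses the RFC test secret `12345678901234567890` as constructed input. The `window` parameter and the replay check are the verifier's design choices, not part of the RFC.

```python
"""Minimal TOTP generation and verification (RFC 6238 / RFC 4226), added example."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP interval, the common default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current 30-second interval."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1):
    """Verify a submitted code, tolerating clock drift of +/- `window` steps.

    Returns (accepted, counter_used). The caller must persist counter_used and pass
    it back as `last_used_counter` so the same code cannot be replayed within its
    validity window.
    """
    now_counter = unix_time // TIME_STEP
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed: reject replay
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC test secret, constructed input
    print(totp(key, 59, digits=8))  # RFC 6238 vector for T=59 is 94287082
```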
Tip 3: Adopt Single Sign-On (SSO)
Another essential safeguard to consider is single sign-on (SSO). Prioritizing security and compliance means enforcing a range of IAM and AWS policies. How will you tie such measures to the responsibilities associated with individual roles?
In addition, the average employee is expected to remember dozens of unique username and password combinations to sign into multiple applications every day. The easiest way to enforce compliance is to use single sign-on technology.
JumpCloud is a cloud directory platform that provides SSO capabilities among many other features which enable remote and traditional work while solving common identity and access management (IAM) problems that IT teams and organizations face. Even more, JumpCloud’s single sign-on capabilities extend beyond traditional web app connections, supporting SSO for devices, networks, on-prem file shares, infrastructure, and more.
Tip 4: Treat External Users Like Employees
One often overlooked aspect of cybersecurity management is onboarding and offboarding third-party contractors. If you’re like most startups, you’re probably working with a handful of contractors to fulfill various marketing, administrative, and technical needs at any given moment.
Wilmot says he treats vendors, contractors, and third parties like employees:
“I’m a bit draconian in my perspective, but they’re going to have a JumpCloud agent installed on their device (whether it’s their own personal device or one we have provided),” he says. “They will have policies on it around whatever device requirements we have mandated, and they will have their firewall turned on.”
Understandably, requiring third parties to navigate a procurement process may not always be possible. Ultimately, startups must balance the inherent risks of running a business with the desire for security.
“It’s our job to help organizations take the right [risks] at the right times [as IT managers],” Castaldo says. “There will always be exceptions where providing a device is too costly or installing something is non-negotiable for an essential third-party.”
Make sure to properly offboard contractors and vendors when the business agreement is over. No one should have access to organizational data longer than absolutely necessary!
Tip 5: Get Executive Leadership On Board
Clearly translate the connection between Zero Trust security measures and organizational goals. Security is what allows the business to operate without undue risk. If startup founders want team members to work remotely, they must prioritize it.
The best way to communicate the value of Zero Trust is to avoid technical jargon and focus on the WHY behind the protocols. Furthermore, put yourself in the shoes of executive leadership. Ask yourself questions like:
- How might these security measures increase deal velocity?
- How might they increase trust with existing customers?
- Will these changes increase prospects in the pipeline?
The more easily you can articulate the connection between cybersecurity and customer growth, the more enthusiastic support you will receive from leadership.
Don’t underestimate the value of “digital curb appeal.” Just as home buyers frown upon lots with overgrown grass, savvy B2B customers hesitate to do business with a company whose SSL rating is poor. The executive team doesn’t need to know how SSL scoring is defined, but they should understand its correlation with trust.
Ultimately, implementing Zero Trust requires a cultural shift of prioritizing cybersecurity. Again, organizational stakeholders don’t need to become IT experts—that’s your job—but they need to be aware of its relevance.
Tip 6: Pay Attention to Details
Velocity is a key indicator of success in the early days of a startup.
For example, sales reps customize demos for important prospects all the time. But what happens if they can’t log into their account the night before a walk-through? How might that lack of customization impact the likelihood of closing the deal?
For these reasons, it’s essential that IT administrators fully understand how various backend settings impact the environment. Just ask our resident expert Chris Castaldo about one of his previous experiences managing a fledgling IT department:
“We were a fast-growing startup, and we unintentionally created a race condition,” he says. “If a newly created account had not already turned on MFA, they couldn’t log in. But they couldn’t set up MFA without logging in!”
In this instance, Castaldo should have set up a grace period for MFA enrollment. Details like these can make or break Zero Trust. Put the right guardrails in place from the beginning and expect smoother sailing as your customer base grows!
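The deadlock Castaldo describes, and the grace-period fix, can be expressed as a login policy that anyone can reason about before deploying it. The following is an added example, not JumpCloud code or the policy from his startup: it assumes a hypothetical `Account` record with a creation timestamp and an enrollment flag, a grace period of three days (a constructed value), and an enrollment-only session scope named `mfa:enroll`. The broken policy is kept deliberately to show why a brand-new account can never enroll under it.

```python
"""MFA enrollment race condition and its grace-period fix (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet

MFA_GRACE_PERIOD = timedelta(days=3)  # constructed value for the example
ENROLLMENT_ONLY_SCOPE: FrozenSet[str] = frozenset({"mfa:enroll"})
FULL_SCOPE: FrozenSet[str] = frozenset({"mfa:enroll", "apps:sso", "profile:read"})


@dataclass
class Account:
    username: str
    created_at: datetime
    mfa_enrolled: bool
    mfa_passed_now: bool = False  # did this login attempt present a valid factor?


@dataclass
class Decision:
    allowed: bool
    scope: FrozenSet[str]
    reason: str


def decide_login_broken(acct: Account, now: datetime) -> Decision:
    """The race condition: MFA is mandatory even before the user could enroll."""
    if not acct.mfa_enrolled:
        return Decision(False, frozenset(), "MFA required but not enrolled")
    if not acct.mfa_passed_now:
        return Decision(False, frozenset(), "MFA challenge failed")
    return Decision(True, FULL_SCOPE, "ok")


def decide_login_fixed(acct: Account, now: datetime) -> Decision:
    """Enrolled users must pass MFA; new users get a short, enrollment-only session."""
    if acct.mfa_enrolled:
        if not acct.mfa_passed_now:
            return Decision(False, frozenset(), "MFA challenge failed")
        return Decision(True, FULL_SCOPE, "ok")
    if now - acct.created_at <= MFA_GRACE_PERIOD:
        # Least privilege during the grace period: the only thing the session may
        # do is finish MFA enrollment, so the window does not become a bypass.
        return Decision(True, ENROLLMENT_ONLY_SCOPE, "grace period: enrollment only")
    return Decision(False, frozenset(), "grace period expired; admin reset required")


def can_enroll(policy: Callable[[Account, datetime], Decision],
               acct: Account, now: datetime) -> bool:
    """Can a not-yet-enrolled account reach the enrollment flow under this policy?"""
    d = policy(acct, now)
    return d.allowed and "mfa:enroll" in d.scope


if __name__ == "__main__":
    t0 = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)
    newbie = Account("new.hire", created_at=t0, mfa_enrolled=False)
    print("broken policy lets new hire enroll:", can_enroll(decide_login_broken, newbie, t0))
    print("fixed policy lets new hire enroll: ", can_enroll(decide_login_fixed, newbie, t0))
```

Checking the policy with a function like `can_enroll` before rollout is the cheap guardrail: it turns “can a new account ever get in?” into a test that fails loudly instead of a support ticket the night before a demo.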
Simplify Zero Trust Security with JumpCloud
Organizations that wish to protect stakeholders from increasingly frequent data breaches owe it to themselves to establish “Zero Trust” security environments. Translation: prioritize verification before trust—no matter what!
JumpCloud provides a centralized cloud platform for identity, access, and device management. Admins can now enjoy a bird’s eye view of IT environments, security controls, and MFA settings from one convenient location.
Ready to take your IT resource security to the next level? Test drive the premium version of our platform for up to 10 users and 10 devices for an unlimited amount of time.