ZTNA Is Possible for Small Businesses

When you see the letters ZTNA, you may not immediately think cybersecurity, but you should, as those letters stand for zero-trust network access. This article explains what ZTNA is and why it is advisable for securing remote access.

Globally, work environments are re-opening to employees. Yet remote work is here to stay. The consulting firm McKinsey suggests that “the virus has broken through cultural and technological barriers that prevented remote work in the past, setting in motion a structural shift in where work takes place.”

That probably means a shift at your business, too. One obvious change is the need to provide remote access to systems and software. You may have provided employees with business laptops for use away from the office. Perhaps you added a virtual private network (VPN) to secure application access. Many businesses turned to cloud-based solutions as another answer.

Yet all this digital business transformation increases business cybersecurity risk. Remote workers want access from anywhere, anytime, from any device. While this supports convenient connections and collaborations online, the attack surface also grows.

Traditional methods verify users relying on IP addresses and network location, but security and risk-management leaders suggest this approach involves “excessive implicit trust.” That’s why ZTNA’s identity- and context-based verification is the latest trend for businesses.

What Is ZTNA?

ZTNA is an adaptive, context-based way to offer remote-worker access. Developed in 2010, zero trust security sees trust as a vulnerability. Trust undermines vigilance, according to ZTNA’s creator. Instead ZTNA has three key ideas:

Act as if you’ve been breached already.

Verify explicitly.

Limit user access to just enough access and just-in-time access.

If you assume everything is a potential threat, you will verify each access attempt. ZTNA doesn’t have to replace VPN completely, but it often will, especially as ZTNA addresses hardware and bandwidth limitations of traditional VPN access.

Some businesses add multifactor authentication (MFA), too. The old model that establishes a safety perimeter based on device location is broken. Mobile and remote work have rendered it unreliable.

Why ZTNA for Remote Work?

Remote workers connect via unsecured public networks or inadequately protected home networks. They use personal devices. So, ZTNA makes sense.

ZTNA grants access based on the identity of the humans and their devices, but that’s not all. It adaptively considers contextual clues (such as time/date, geolocation, and device posture).

Adding MFA moves the verification of trust beyond single factor. For example, a hacker with stolen access credentials might get past a single-factor check, but with MFA, the hacker would also need to have access to the individual’s physical device.

A strong zero-trust strategy verifies identities across all devices and users. No individual or device earns trust simply because it is within the network. The ZTNA approach gains visibility of all devices trying to access the network. This wariness also helps the business discover malicious applications or inappropriate user actions.

ZTNA uses the least-privilege-access principle. That means people access only what they need to do their work, no more. Plus, communications are encrypted, too.

All this makes the business system more resilient. Remote workers and partners enjoy a more flexible, responsive way of gaining access. Meanwhile, the business reduces its surface attack area. Only what is needed at that moment by that particular person is exposed to the internet, and the underlying network remains protected. Hackers are prevented from being able to move through the systems and wreak more havoc.

Everyone Plays a Role in Cybersecurity

Hollywood would have us believe that cyberattacks are elaborately planned and use expensive, sophisticated tools developed by James Bond’s tech guru, Q. Yet in real life, most hacks are nothing like that. The cybercriminals often simply fool a human to gain access.

Phishing remains a primary way to attack. A scammer sends an email that looks legitimate, and an unsuspecting victim clicks on a malicious link. They might download malware or end up on a webpage that looks credible but is set up to gather their personal data.

Social engineering targets the human desire to help. A hacker might drop an infected thumb drive in the office parking lot of the target business – they need only one well-intentioned person to pick it up and plug it into the office system – or they call, saying they represent a contractor and urgently need important credentials.

Your cybersecurity is only as strong as its weakest link. In many cases, your employees are that weakest link. They are busy working hard, so they don’t stop to question things, or they can be too trusting. A supply-chain attack compromises your vendor. The hackers change the details on the vendor’s invoice so that the money ends up in their bank account. Your people don’t notice, because they usually trust the vendor.

Educate Employees about Their Cybersecurity Role

Every business needs to educate employees about the part they play in cybersecurity. They need to care, but they may feel that it’s not their concern. They’ll expect IT or someone else at work to handle malware and prevent cyberattacks, but each individual has a role.

It can help to put the potential threat in personal terms. Help them to understand that they are not only protecting work data on the network, and it’s not just client personal details: it’s their names, addresses, and tax numbers, too. Plus, it’s how much they get paid, healthcare records, resumes, and more, which is exactly the kind of information hackers exploit in identity theft. That one hack can have a huge ripple effect.

There’s also the argument that if your business suffers a breach or downtime, everyone could be out of the job. Particularly bad data breaches or hacks can destroy a business. Of course, the individual didn’t mean to do anything wrong, but their ill-advised action costs your company, which can mean downtime, lost productivity, damaged brand reputation, compliance issues, and more. Recovery is difficult.

Cybersecurity Is an Ongoing Concern

It’s also important that you don’t treat cybersecurity training as a one-off. Running through a list of “do nots” in employee onboarding and then moving on is not going to work. Build cybersecurity literacy into your workplace culture.

Remind employees about strong passwords and thinking twice before sharing any sensitive data. Require them to use protected networks for remote access and to encrypt files.

Your business can also show the importance of employees taking responsibility by:

  • discussing cybersecurity in hiring processes;
  • outlining policies and procedures in the handbook;
  • reminding employees to regularly update and upgrade technology;
  • monitoring applications downloaded onto work devices;
  • having a clear policy for people bringing in their own devices;
  • adding multi-factor authentication to remote access.

Ransomware threats are on the rise globally, cybercrime gangs are targeting any weakness, regardless of business size or industry. Enlist your employees in the ongoing fight against hackers.

Beware These Social Media Scams

Huntington Volvo? Rowe Subaru? What will your hilarious quiz results be when you enter your fourth-grade teacher’s name and first model of car? You may think it’s silly entertainment … until it isn’t. Many fun social media questionnaires are set up by hackers to steal your identity.

It seems like a harmless collection of random facts from your past. These quizzes might ask for details such as:

  • What was your first job?
  • What was the name of your first-grade teacher?
  • What car did you learn to drive in?
  • What was your first concert?

These popular quizzes promise to tell your “rock star” name or your “silent film villain” name. You know it’s as reliable as the Magic Eight ball, but you play along anyway. We all need a laugh, right?

Except that the people really laughing are hackers. Many of the questions posed are also security prompts used to verify your identity online.

Cybersecurity experts agree: don’t take these quizzes. It’s not as if there is any real value in filling out the social questionnaire. You’re simply taking the bait and risking having your personal data stolen.

Avoiding Social Media Scams

Here are some tips to help keep you safe from social media hackers:

  • Don’t get hooked by clicking on that post that seems too good to be true, especially shocking, or scandalous.
  • Be wary of any quiz that asks for information that could be relevant to your online password.
  • If you must quiz, fill out questionnaires on reputable websites only.
  • Avoid quizzes that ask you to provide your email address.
  • Contact companies through trusted channels only.
  • Make sure that you are dealing with the proper entity’s real website and not a look-alike site created by a scammer.

Also, think twice about apps that change your face into a cartoon character or a painting. Facial recognition is a more common security tool. Be cautious about letting unknown apps collect your photos and facial details.

What to Do If Your Online Accounts Are Hacked

Cry. Curse. Panic. Any of these may seem like a reasonable response in the moment. Still, there are better things to do for long-term recovery.

#1 Have your devices inspected by trusted IT experts. This is one more area to be wary. Scam artists will set up sites that appear to be affiliated to the manufacturer or phone numbers that appear to go to technical support specialists. It’s best to take your devices to a physical repair shop with a real human doing the work.

#2 Change your passwords. When your account is hacked, you’ll want to change that password immediately. Plus, as annoying as it is, change passwords for all accounts accessed on the compromised device. The hackers may have installed a malware that tracked all data transmitted on the device.

#3 Set up credit monitoring. Notify any financial institutions or credit card companies if those accounts are hacked. You’ll likely need to have them issue you new cards with fresh account numbers. You can also ask them to monitor your accounts for fraudulent transactions. You might also set up credit monitoring with your region’s credit reporting agencies.

Keep in mind that criminals can be patient and may not use your information right away. So, don’t think you’re in the clear because nothing happens in the first month.

What You Need to Know about Web App Security

There’s an app for that! Even for business purposes, you can bet this is the case. Yet a small business may be using online applications without understanding the risks. Here’s help.

Most businesses no longer have all their technology and software solutions on-site. The old cybersecurity perimeter around the IT premises is no longer going to be enough, not with so many applications available to you online and in the cloud.

Think of it this way: a firewall perimeter is like a moat around your business castle. No one could get in without crossing the drawbridge. That worked well before to secure your locally hosted server and desktop computers. Now, though, companies are relying more on cloud vendors and Software as a Service (SaaS), which means hackers could get in without using the drawbridge or crossing the moat. It’s like an alien invasion: cybercriminals teleport in without you even knowing it.

This is a big challenge for cybersecurity. Web apps are different from what you host in your secure company environment. Information is transmitted online. The solution itself is often hosted in the public cloud.

The big breaches so far of 2021 are examples of this threat:

In Ubiquiti’s cloud service for networking equipment and IoT device vendors, a data breach risked untold numbers of usernames, emails, phone numbers, and passwords.

A Microsoft Exchange server breach left more than 30,000 American companies scrambling. The computer giant had to hurry to patch an exploit believed to have originated in China.

An exploit of SolarWinds’s network management platform, Orion, is attributed to Russia. The breach targeted the U.S. Secretary of State and the government departments of Homeland Security and Commerce, plus the Treasury. Microsoft, Intel, Cisco, and Deloitte were also affected.

How to Amp Up Your Web App Security

Step 1: Inventory Your Web Apps

You need to know what you are using to fortify your defenses. This can also mean surveying employees about their use of unauthorized apps (known as Shadow IT). They likely mean no harm, but by downloading third-party apps IT doesn’t know about, they put your protection at risk.

The size or type of Web app doesn’t matter. IT needs to know every application the company and its employees are using.

Step 2: Enhance Security Measures

Turn on multi-factor authentication (MFA). Two-factor authentication (2FA) or similar provides an added barrier for the bad actor. Done right, you can cut the user experience friction and stymy the cybercriminal.

Step 3: Backup Your Data

If the worst does happen, you want immediate access to a backup of your important systems, as it can reduce your downtime. A current backup can also reduce the risk of your having to give in to a ransomware demand.

With cloud-based apps, business owners forget to backup data that was generated in the cloud. You will either want a third-party service to back up the data on your cloud services or to download a copy to a local computer.

Step 4: Track Third-Party Vendor and Cybersecurity News

With the inventory you completed in step 1, you’ll know what apps to follow. You might set an alert for announcements about those brands and “breach.” Also, make sure that your contact information with the third-party vendor is current. That way, you are sure to get any notifications they might make. Plus, immediately install any patches and security updates they provide.

Working with an IT company can help you beef up your security measures. Consider us the brave knights on the barricades helping to keep an eye out for attackers. A managed service provider can inventory your apps and make sure you are working safely.