woman winning business service agreement and shaking hands

Zero Trust Security 101

Data security conscious companies are on the rise.

More then ever before we are seeing companies require their potential partners and vendors to pass Information Security Questionnaires before doing business together. Lucrative contracts are going to SME's who can demonstrate IT security systems that meet or exceed best practices outlined in these screenings.

These Information Security Screenings are based on foundations for IT security and risk management. One of these frameworks is known as Zero Trust Security.

Here at TUCU Managed IT Services in Toronto, we help small business build strong security foundations. This is a simple primer on Zero Trust Security.

Skip primer and book a consult call with us. →

How well are you controlling access to your company data, email and accounts?

SMB's today need secure cloud solutions, secure methods to onboard and offboard staff, centralized, standard methods to manage permissions, information protection policies, visibility into IT systems and more in addition to the basics like antivirus and EDR.

Without the right support, it's easy to fall behind and be vulnerable to unmitigated risk.

Let's take a look at our Zero Trust Security 101 primer below. It can help you understand what type of experienced IT administrator you will need to hire in house, or as is common with SMB's, the type of Managed IT Services Provider you will outsource to.

new employee computer setup and orientation

Why Adopt Zero Trust Security?

Today's IT Security best practices begin by assuming breach, and being prepared for that scenario. This is known as Zero Trust Security.

The Zero Trust Security framework outlines best practices for controlling access to data and reducing risk of breach and data loss.

If your technology is compromised, your business goes in to a tailspin trying to recover and do damage control.

That's why it's important to assess your IT security, and implement good practices to protect your company.

Hire an IT administrator or company who will configure and manage your IT security posture based on proven modern frameworks.

We are leaders in SMB IT Security and will help you level up your IT.

Book A Consultation

The first tenet of Zero Trust Security - user & device security.

The first tenet of Zero Trust Security is to authenticate and authorize users connecting to your company data (and deny all others). This includes email accounts, user accounts and devices.

Azure Active Directory, Microsoft Conditional Access, and Microsoft Mobile Device Management tools are leaders in IAM and MDM for small and medium business.

The second tenet of Zero Trust Security - control access to data.

The second tenet of Zero Trust Security is to apply least privilege access.

Your IT security services providers can use Azure Active Directory and InTune with conditional access policies and permissions to help you establish User Groups that make sense for your business.

Each employee will have access to folders and files you determine to be suitable, and nothing more than is needed for them to perform their job roles.

These are best practices to protect your business.

The final tenet of Zero Trust Security - assume the worst.

The final tenet of Zero Trust Security is to assume a breach and preemptively minimize the damage radius and loss by having the right controls and recovery processes in place.

One effective method includes removing administrative controls from your staff computers and granting it only to your IT team. This limits accidental installations of malware from bad clicks, accidental deletion of system software, installation of readily available but insecure software that seems safe - but isn't - and other common user created problems that can bring your business to a standstill.

You can't stop what you can't see. IT visibility in most small businesses is non existent. Make it a priority to add threat detection tools that can flag suspicious behaviour such as mass file deletions or encryption.  Implementing a full Security Incident & Event Management solution can be a bit costly for your first IT security budget, however there are many Endpoint Management tools that you can get started with.

5% of a small business budget should go to IT security. As you grow, that figure should rise to 7%-10%. 

Finally, having disaster recovery in place is a smart investment. Aside from cyber threats, a fire, flood or theft can negatively impact your operations. With a disaster recovery plan in place, you can be up and running again with minimal downtime.

3 tenets = hundreds of tools & settings to manage

Below is a list of the types of tools you should be looking to add to your IT plan.

Patch Management - to automate the patching of all your operating systems and the common third party applications you use. Research consistently shows that end users ignore prompts to update their computers, which leaves your company at risk. Research also shows automating patches reduces risk.

Endpoint Protection – to monitor for and detect fileless threats which can easily bypass antivirus before they can gain a foothold in your systems.

Mobile Device Management – to limit data sprawl on staff personal devices. Email and document access should be limited and easy to revoke should the staff member leave the organization or lose the device.

Network Security – for physical networks, explore a network firewall, WiFi security, hardening and monitoring of any servers, and server based tools to authenticate users signing in to access email or data.

Cloud Security & Access Management – where no firewall or server exists, the security functions must be replaced with their modern cloud based counterparts. This might include Azure Active Directory, InTune, and data loss prevention policies to authenticate who is logging in and controlling what data they can access or share.

Document Storage – where are your files? Who can access them? How are they protected from unauthorized access? Where are they backed up? Cloud storage and cloud backup are two separate services. To cover all contingencies, we recommend you have both.

Security Awareness Training – to help your staff understand risky behaviour, common phishing tactics and common psychological truths hackers will attempt to exploit. Refreshing awareness on an annual basis (or more frequently) is strongly recommended, and is required by some IT Compliance frameworks.

The above tools will help you get started on creating holistic IT security solutions. These layers of tools work interdependently to keep your company safe. Where one layer may fail, another will hold the line. No single layer is effective on its own against modern cyber threats.

Remember the three tenets of Zero Trust Security when creating your strategic IT plan and be sure to review everything annually. Technology is constantly changing and requires continuous management.

Outsourcing Option

Outsourcing IT security management is common for small business because it is cost effective and more effective than managing in house.  For outsourced IT management and support in Toronto, TUCU will help you understand your needs, make necessary changes, and support your team, business success and growth.  Let's talk.

Transform your business with TUCU.

Schedule your Discovery Call with us today.