Jul 11 2025
Security

Tech Tips: 4 Ways SMBs Can Achieve Cyber Resilience

As the security perimeters of businesses become more vulnerable to cyberattacks, adopting a zero-trust policy is the best way to prevent breaches.

A recent report issued by Microsoft, in conjunction with the research firm Bredin, found that 1 in 3 small-to-medium businesses experienced a cyberattack in the past year; 94% of respondents said that cybersecurity was critical to their business.

With a sharp increase in devices accessing SMB networks, it's become nearly impossible for IT administrators to keep track of where an attack starts. So far, methods like multifactor authentication and end-user training have been only partially effective.  

However, experts say that establishing zero-trust policies, which require devices and apps on a network to continually verify themselves before getting access, is the best protection. Here are a few ways IT leaders at small businesses can establish a zero-trust framework:


1. Implement Network Segmentation and Microsegmentation

Network segmentation is exactly what it sounds like: partitioning a network so that only certain users and devices can access a particular segment. Administrators can also use segmentation to restrict the flow of data. The idea, according to Deloitte, is to "limit the blast radius of potential attacks."

For best results, implement segmentation in phases. First, segment traffic at a coarse level; for example, separating production from nonproduction traffic. Then, administrators can perform microsegmentation, which segments traffic using more fine-grained criteria, such as application-layer information.

2. Enforce Privilege Policies for All Accounts, Including Employees

Under the principle of least privilege, network administrators give users (employees, service accounts, third-party accounts and customer accounts) only the access needed to get their jobs done. Deloitte recommends challenging each user through continuous modeling and detection of anomalous activity.

Another useful method is dynamic access control, in which administrators authorize access based on rules that are well established and defined. Criteria may range from the data’s sensitivity to its location on the network or the user’s role. For instance, a user may get different access to the network when logging in on a device at home rather than a trusted device inside the network.
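A minimal sketch of the dynamic access control described above, added here as an illustration and not taken from the article or any vendor product. The role names, segment names, sensitivity levels and the `decide` function are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):          # constructed classification levels
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

@dataclass(frozen=True)
class Request:
    role: str                        # the user's role
    device_trusted: bool             # managed device vs. personal device
    on_network: bool                 # inside the network vs. logging in from home
    sensitivity: Sensitivity         # label on the data being requested
    segment: str                     # network segment where the data lives

# Constructed policy tables: highest label and reachable segments per role.
ROLE_CEILING = {"finance": Sensitivity.CONFIDENTIAL,
                "staff": Sensitivity.INTERNAL,
                "contractor": Sensitivity.PUBLIC}
ROLE_SEGMENTS = {"finance": {"corp", "prod-finance"},
                 "staff": {"corp"},
                 "contractor": {"corp"}}

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); anything not explicitly permitted is denied."""
    ceiling = ROLE_CEILING.get(req.role)
    if ceiling is None:
        return "deny", "unknown role"
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        return "deny", "segment not permitted for role"
    # Context lowers the ceiling: one level per missing trust signal.
    penalty = (not req.device_trusted) + (not req.on_network)
    effective = max(int(ceiling) - penalty, 0)
    if req.sensitivity <= effective:
        return "allow", "within effective ceiling"
    if req.device_trusted and req.sensitivity <= ceiling:
        return "step_up", "trusted device off-network: re-verify before access"
    return "deny", "context too weak for this data label"

if __name__ == "__main__":
    home = Request("finance", True, False, Sensitivity.CONFIDENTIAL, "prod-finance")
    print(decide(home))
```

The same finance user gets `allow` from a trusted device inside the network, `step_up` from that device at home, and `deny` from a personal device at home, which is the behavior the paragraph describes.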


3. Enhance Data Classification and Governance Capabilities

It’s important to understand where data resides, how critical it is to the business, who (or what) has access to it and how it should be protected.

Classifying data starts with figuring out what data categories a company has, then defining classification levels. Next, the data is tagged and labeled, then access to that data can be assigned. This will also put businesses in a better position to handle data according to any regulatory and compliance requirements the company may have.

4. Increase Regulatory Oversight

Ideally, security controls for data, including guardrails that determine how the data is used, should be in place before migrating workloads to a cloud environment. Guardrails are more enforceable than guidelines, and include checking on documentation, enforcing data protection methods and making sure compliance checks are being performed.
