Zero Trust for MSEs

Author Avatar


Posted on June 9, 2021

Want to interview Chase?


Legend has it that the famous bank robber Willie Sutton was once asked why he robbed banks. “Because that’s where the money is,” he replied.

While banks are where the money is, liquor stores and convenience stores are held up much more frequently than banks for the simple reason that they’re easier targets.

Unfortunately, midsize enterprises (MSEs) and small businesses have become the cyber-target equivalent of liquor stores and convenience stores. They may not be the big payday targets that large enterprises represent, but because their security infrastructure is typically not as robust, they are much easier targets to attack.

Security Threats Facing MSEs

Many MSE execs underestimate both the likelihood of their organizations’ being a victim of cyber-crime, and the costs to the business if they are successfully attacked.

IT managers at MSEs may assume that their organizations are too small to be of interest to cybercriminals. But that’s a mistake: It’s the cyber equivalent of a convenience store owner assuming that all robbers are interested only in banks.

In fact, a 2020 report indicated that 51% of MSEs surveyed had been hit by ransomware attacks in the previous year. Of the companies attacked, 27% paid the ransom. But that does not mean that the other 74% got off easy.

Shockingly, 60% of midsize enterprises and small businesses that are successfully attacked go out of business within six months. Most simply lack the financial strength to survive a large, unexpected hit. And for most MSEs, the average cost of a ransomware attack—ranging from $732,500 for organizations that don’t pay ransom to $1,448,000 for those that do–is a mighty big hit.

Are MSEs Cybersecurity Ready?

For the vast majority, the short answer is, “No” and MSE managers know it. According to a Cyber Readiness Institute survey, only 18% of leaders in small and midsize organizations are confident that their organization is prepared for a cyber incident.

Even more troubling from a security standpoint is that only 22% are confident that they have a designated employee or group of employees with clear responsibility for cybersecurity. If no one has clear responsibility for cybersecurity you can be pretty sure there will be gaps in the company’s cyber defenses.

The Need for a Zero Trust Approach to Cybersecurity

The conventional approach to cybersecurity involved establishing very strong perimeter defenses around a company’s network and servers and allowing free access for users within. In truth, this was always a flawed approach: there have always been “trusted insiders” who proved not to be trustworthy. It also allowed hackers who did manage to breach the defenses to have a field day ransacking corporate IT resources once they get through the gates.

In today’s world, of course, the concept of a perimeter no longer holds. Most businesses, including MSEs, are operating in an increasingly perimeterless world. Companies are rapidly adopting cloud computing as well as SaaS applications, so many important resources and apps no longer reside on internal networks. More workers are working remotely and are expected to continue to do so, to a significant extent, even after pandemic restrictions no longer hold. As a result, regardless of where they are located, fewer employees will be working primarily on the company’s physical network.

The past few months have seen some alarming cyberattacks: SolarWinds, which compromised many government websites; multiple zero-day exploits leveraged to simultaneously attack on-premises versions of Microsoft Exchange; and the Colonial Pipeline attack, which shut down a pipeline supplying much of the gasoline to the northeast of the United States for days. The White House recently issued an executive order mandating a move to a Zero Trust architecture for federal government networks. The White House fact sheet on the executive order mentioned the Colonial Pipeline attack as an example of why it’s not enough for the federal government to take action – they encourage the private sector to follow the same recommendations.

Zero Trust for MSEs

But even if MSE execs are convinced that they need to take action, few can afford the cutting edge Zero Trust solutions now on the market, and even fewer have a deep enough bench of IT resources to implement and manage these solutions, along with their many other responsibilities. If you think your organization is too small to be able to overhaul its cyber defenses to start on a Zero Trust path, think again.

John Kindervag, one of the world’s leading cybersecurity experts, the man who first characterized and promoted the Zero Trust approach, said he often hears similar objections.

“This [I’m too small for Zero Trust] is something I hear quite often,” Kindervag said. “But it’s not true. Zero Trust is a cybersecurity strategy that can be adopted by any organization, big or small. Your company has data and assets that need to be protected. Zero Trust focuses on that truth. It defines a strategy and framework that you can adopt to protect your sensitive data and assets from malicious actors. Another comment I frequently hear is ‘I live in a small (town, country, etc), no one wants to attack me.’ Again–not true! Everyone is directly connected to the world’s worst malicious actors via the internet. There are no suburbs on the internet. We all live in the same bad neighborhood. But luckily, Zero Trust will work for you, and you can find companies with the technology and expertise designed to fit the unique parameters of your organization.”

ZTEdge was founded specifically to provide a comprehensive Zero Trust cloud security solution for midsize enterprises. As cybersecurity specialists who have been helping midsize enterprises start on their Zero Trust journey for years, we came to see that what stopped many of these organizations from fully adopting Zero Trust was the cost and complexity of making the switch.

The ZTEdge Platform is our response. It delivers a comprehensive, integrated Zero Trust cloud security solution, yet its modular approach enables MSEs to choose among the various capabilities if they are not ready to fully switch.

To minimize the burden on already-stretched IT resources, the solution is delivered by MSSPs as a service. And to make it affordable, it is priced at half the cost of competitive solutions. Check out the demo now to see just how simple Zero Trust can be.

Share this on:

Author Avatar

About Dr. Chase Cunningham

Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.