Cyber security in a Zero Trust world: the importance of educating users

The same study from IBM found that the average cost of a data breach in the United States was $3.86 million — the root causes of which were destructive malware and ransomware — and without an incident response team, that amount almost doubled.

With the stakes for cyber security higher than ever before, companies are adopting zero-trust policies to ensure safety.

"Zero trust has gained a lot of traction lately. It's actually been around for a while, but it's essentially an approach to the design and implementation of technology systems in that every device on your network — your computers, your phones, your firewalls, your servers, all your network infrastructure — should be treated and approached as if they are not trusted, secure devices," said Brian Baker, senior cloud solutions consultant at RapidScale, a managed cloud services provider.

Through tools like Geocenter, companies like RapidScale are able to identify login locations in order to verify authenticity. They also encourage companies they work with to use multifactor authentication.

As more people work from home or use their cell phones to access work accounts, the number of devices on a network — and therefore potential entry points for hackers — increases.

"Many people have had to transition to working from home in the last year and a half. Now, I'm not using my corporate network, I'm using my home network cable connection or a fiber connection. That's an additional security point that we've got to address," said Baker. "We've got another point of risk there if I'm traveling or if I'm at the coffee shop and on WiFi. We've got so many different access points that could potentially infect the business network from a user perspective, that they have to be treated as zero trust. If you implement this policy, it mitigates a lot of that risk."

While many people may assume only large companies are the targets of cyber attacks, small companies are just as much, if not more, at risk — especially since they don't typically have the same caliber of IT as their larger counterparts.

In order to protect their data and users, enlisting the help of a managed cloud services provider can help.

"An awful lot of what we do is asking companies about their business — what their risk tolerance is, what their infrastructure looks like, etc. From there, we take on a consultative role and help them build a roadmap to get from point A to point B," said Johnson Cauthen, director of solutions engineering at RapidScale. "One of my coworkers put it this way: these companies are flying a biplane, and they're trying to jump right into a learjet. We take them from the biplane to the learjet, but we do it a bit more gracefully than just throwing in a bunch of dials and controls that they don't understand."

According to Cauthen, this approach is key for applying the proper amount of cyber security. In fact, some businesses can overdo their cyber security measures, spending more money and more time on measures that may not even be helping. Cauthen recommends simple strategies like single sign-on and multi-factor authentication to get started.

Additionally, employee education and awareness training is another cost-effective method to help increase your security.

"One of the things that we recommend to our customers — and it's really inexpensive per user — is to put user awareness training in place,'" said Cauthen. "That's huge not just for practice, but also for our customers that have a compliance requirement. Those that need to have a framework in place can meet this requirement using our awareness training."

"We are by default a zero-trust service provider, meaning that everything we deploy meets a protocol and a procedure for a zero-trust environment across every device that comes under our management," said Baker. "The biggest thing is having those conversations around best practices, how you should back up your data, and how you should be using mobile multi-factor authentication — your leadership team needs to get educated, having these conversations and trying to react and protect the company."