A ‘zero-trust’ checklist for SMBs

Home
What we do

Technology
Powering the future of wealth with enterprise platform solutions that address complex business challenges.

Operations
Achieving operational excellence with business process outsourcing and data management that help clients improve efficiency and performance.

Asset management
Connecting investors to what matters most, so they can achieve their goals and make confident decisions.

Featured
Who we serve

RIAs and financial advisors

Wealth and asset managers

Banks and broker-dealer advisors

Institutional investors

Families and individuals

Featured
Insights

Insights
Perspectives and happenings from our leaders and experts

Newsroom
The latest news and announcements

Featured
Investor relations

Overview
The latest financial information for shareholders

Events and webcasts
Timely shareholder announcements and event information

Governance

Reports and filings

Stock information

Board diversity matrix

Featured
About us

Our story
Who we are, what we do, and how we do it.

Our commitment
Building brave futures through the power of connection.

Our leadership team

Newsroom

Locations

Careers

March 19, 2024

3 MIN READ

Zero trust may be daunting for SMBs, but it isn’t impossible. Learn the recommended steps to building a zero-trust network and what to prioritize for maximum efficacy.

The uphill battle for SMBs

Most companies see the value in moving to a zero-trust model, and many large organizations and government agencies have either already begun the process or are well-practiced in enforcing the approach.

For smaller companies, however, there are significant barriers to moving to a zero-trust model, including cost, infrastructure, and skilled staff who can implement and enforce a feasible zero-trust plan. As a result, SMBs have been slower to get on board despite the cybersecurity benefits.

Daunting, but doable

These barriers might make building a zero-trust architecture more daunting, but it isn’t impossible. A number of the tools and processes needed to begin building a zero-trust foundation may already be in place as a result of compliance with data regulations and other fundamental cybersecurity best practices.

John Kindervag, the founder of Zero Trust, offers five steps¹ to building a zero-trust network, recognizing that the framework will be a long journey for some:

Define your protect surface. Start with building microperimeters around the smallest and least sensitive units (a single asset or application, for example) to learn and practice; then, move to larger, more critical assets.
Map the transaction flows. A map can be a powerful weapon in cyber warfare—you’d rather be wrong than lost.
Architect a zero-trust network.
Create a zero-trust policy.
Monitor and maintain the network.

The White House released a memo² with guidelines for a zero-trust strategy, which uses CISA’s Zero Trust Maturity Model.³Although the strategy is designed for government agencies, it still offers a North Star for SMBs to see what types of tools they’ll need to begin their zero-trust implementation. For example:

Identity. Identity is at the center of zero trust. Whether human or nonhuman, identity is how data is accessed and controlled. Verifying identities and restricting access through authentication is key to successful zero trust. Therefore, multi-factor authentication (MFA) should be at the top of your zero-trust action plan.
Devices. You can’t protect what you can’t see. As a final state, your action plan should include inventory and monitoring of every device that touches your company’s network and data.
Networks. As a goal, your organization’s best practices should include:
- Encrypting all traffic across your environment
- Setting up microperimeters around sensitive data
- Isolating the most sensitive information

Detection and response capabilities are still crucial

In an ideal world, an airtight zero-trust strategy would have no need for detection and response. But in the real world, zero trust cannot and should not replace the need for detection and response controls. In fact, detection and response should be factored into the zero-trust methodology for maximum effectiveness. Your zero-trust strategy should also include:

Regular testing across applications and workloads to check for vulnerabilities
Constant traffic monitoring of sensitive data through logging

SMBs may not have the in-house staffing for these tasks. Working with managed service providers can fill in the missing parts of cybersecurity hygiene that are needed to implement zero trust.

Prioritize hygiene and the right partner

Let’s be clear: Zero trust is tough to implement—even in large enterprise environments with bigger security budgets and security teams. But simplicity remains at the heart of this framework; overhauling the management of what’s trusted versus untrusted can be freeing in the long run. As a starting point, SMBs should keep the scope small. Have policies and security tools in place to practice good cybersecurity hygiene, especially MFA and data encryption. Then, find the right partners to help build and maintain your zero-trust architecture.

Looking for help implementing your zero-trust strategy?

As a managed service provider, SEI Sphere® partners with leading technologies for IAM, network monitoring, and endpoint protection.

¹Charlie Bedell, “John Kindervag’s Five Steps for Zero Trust,” illumio, February 2, 2024.

²Shalanda D. Young, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” Memorandum for the Heads of Executive Departments and Agencies, January 26, 2022.

³ Cybersecurity and Infrastructure Security Agency, “Zero Trust Maturity Model,” April 2023.