5 Internal Policies You Need to Maintain a Zero Trust Security Framework
As cybersecurity incidents continue to rise, more businesses are moving to a Zero Trust framework.
13:22 30 June 2021
Zero Trust is a strict approach to cybersecurity that works on the principle of verification at every turn.
For example, regardless of how many times a user accesses a network on a specific device, Zero Trust requires verifying the user every time they access the network.
Zero Trust is a powerful way to thwart cybercrime, but it won’t work unless a company’s internal security policies align with Zero Trust and are strictly enforced. If you’re moving to a Zero Trust model for cybersecurity, make sure to implement the following five internal policies to make it work.
- Require multi-factor authentication (MFA) connected to a cell phone
Multi-factor authentication is central to Zero Trust architecture. MFA is like an insurance policy that kicks in when someone steals login credentials. Someone can try to log in with valid credentials, but unless they have access to that user’s registered cell phone, they won’t be granted access.
Multi-factor authentication requires users to enter a one-time code to log into an account in addition to a valid username and password. Most MFA systems give users the option of receiving their one-time code via email or cell phone. However, codes should only be sent to cell phones.
Why emailing MFA codes is a bad idea
It’s not uncommon for employees to email login credentials to other employees. If that email account gets hacked, those login credentials can end up in the wrong hands. If your MFA allows the user to retrieve a code via email, the hacker can just snag the code from the hacked email account.
- Require remote workers to use a VPN
Virtual Private Networks have a reputation for being the ultimate privacy tool, but that’s not entirely accurate. However, they do provide important features remote employees can leverage to protect your business. For example, a VPN encrypts traffic, making it impossible for someone monitoring the network to obtain your company’s login credentials.
Using a VPN on unsecured, public Wi-Fi is crucial, but remote employees should also use a VPN at home. A VPN is essential for remote workers whose home Wi-Fi network isn’t password-protected, or if other people know the network password. You can’t trust anyone, even your employees’ family members.
- Prohibit password sharing
Your employees probably mean well when they loan out their login credentials to a co-worker who’s having trouble logging into their account. However, they might not know that the employee just got fired, had their account terminated, and wants to sabotage the company.
You need a policy against sharing account credentials regardless of the situation, even if it means falling behind on work. There will be times when an employee genuinely can’t access their account. However, they need to contact management for an alternative solution and not their co-workers.
Sometimes, ex-employees hack for revenge, but if they can obtain valid credentials, it’s easier for them to destroy a company.
- Keep track of all accounts and passwords
Track all login credentials for company accounts, including network access and third-party software applications. This will give you a quick list of accounts to terminate when you have to fire someone. If you don’t keep a list, you might miss some accounts and end up being sabotaged.
Set the following requirements to keep tight security around employee accounts:
- Require all accounts to be associated with a company email address that you control with master controls. If an employee adds a personal email to a company account, they could easily hijack the account after their company email is terminated.
- Require all password changes to be updated with management to keep an accurate record.
- If you suspect an employee might be sketchy, test their login credentials periodically to make sure they’re following your policy. Also, check their account settings to ensure they haven’t inserted a personal email address into the account. If they have, it might indicate a plan for sabotage.
- Require all business-related communications to take place via company email
When an employee leaves the company, you don’t want them to have a stash of company-related emails in their personal email account. Even if the former employee has integrity, their email account might get hacked.
Don’t allow employees to discuss business matters over personal email, even with other co-workers.
Zero Trust architecture is no longer optional
If your business hasn’t implemented a Zero Trust security architecture, your data security is at risk. To protect your business from preventable cyberattacks, connect with an IT specialist to integrate Zero Trust into your business environment.