
Zero Trust: The New Cybersecurity Paradigm

Oct 4, 2021

By: Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

Cybersecurity technologies and methods used to protect a company’s data have significantly evolved over the last two decades. Unfortunately, so have the cyber criminals (hackers) who relentlessly pursue the riches to be made from stealing personal information and other sensitive data. As a result, gone are the days when a standard “Castle and Moat” cybersecurity approach could provide a reliable security tool.

Companies using this strategy would typically put up a series of firewalls and switches to keep anyone outside the network out, while everyone inside could access everything because they were considered safe and verified. With the proliferation of the cloud and the blurred network boundaries it creates, today’s cybersecurity requires a hybrid approach based on “never trust, always verify.” Continual authentication and authorization of every device and user in your organization must become an integral part of such a strategy.

Companies can no longer afford the mindset that everything inside their networks is trusted and verified. Instead, they must shift the old-school paradigm from trying to shield the “attack surface” to safeguarding their “protect surfaces.” The attack surface consists of the points where an attacker can try to enter a system to extract data or compromise the environment. Protect surfaces include the data, applications, assets, and other surfaces that can actually be stolen or compromised in a cyber-attack. Protect surfaces are typically smaller than the attack surface, and therefore easier to protect.

This “Zero Trust” approach does not involve throwing out all the firewalls and standard technologies you currently have in place around your network security infrastructure. Instead, those in charge of cybersecurity need to implement a hybrid approach of old and new. Continue to layer your security approach, but understand that “Zero Trust” mechanisms like Multi-Factor Authentication (MFA) need to be a focus in your evolving asset protection strategies.

Zero Trust: The New Cybersecurity Moat

The old cybersecurity paradigm made stopping or preventing attacks the primary goal. Now the focus needs to be on protect surfaces – any specific data, application or asset hackers will go after. Instead of focusing on stopping attacks, Zero Trust focuses on identifying your protect surfaces, which are typically defined by at least one of four criteria:

  • What are your most sensitive assets?
  • Which data do you need to protect?
  • Which applications use sensitive information?
  • Which services, such as DNS – the system that automatically translates internet addresses to the numeric machine addresses computers use – can hackers exploit to disrupt normal IT operations?

When organizations fail to define their attack surface (as many do), hackers can get inside. Zero Trust allows you to identify and define your company’s protect surfaces so you can establish micro-perimeters to keep the bad guys out.

Three Cybersecurity Mistakes Hackers Love

Approximately 90 percent of all cyber breaches fall into three categories:

1. Lack of security awareness by the user
2. Poor or nonexistent system security patching processes
3. System misconfigurations

Cybercriminals always choose the path of least resistance when infiltrating a company to steal data. Allowing these three mistakes to occur in your company is like leaving the door wide open and inviting hackers into your environment. No company can guarantee 100 percent protection from a breach, but plugging these three holes can go a long way toward protecting your company and its physical and electronic assets.
Here’s how to eliminate these invitations to outside intruders:

Patching Processes:

Start by maintaining a complete, up-to-date list of all your physical assets, including laptops, workstations, servers (virtual and physical), firewalls, switches, wireless access points, etc. If you don’t have a complete list of all your assets, you will miss something. Also, create a checklist to guide monthly reviews of firmware updates and the like, and develop processes for commissioning every new device. For example, if you install a new switch into an environment, a smart move would be to reset the default admin password and make sure you have installed the latest firmware. At the very least, you should conduct monthly patch updates to all operating systems.


Breaches often occur due to system misconfigurations. For example, the CapitalOne breach via Amazon Web Services in 2019 resulted from a misconfigured open-source Web Application Firewall. A former Amazon employee used an “insider” attack to steal more than 100 million consumer credit applications from Capital One when her access was not deleted after ending her employment with Amazon. Fortunately, misconfigurations can be prevented with a regular process that scans or tests for them.
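The monthly review described in the two sections above (asset inventory, patch age, firmware currency, default admin passwords, and access that was never removed when someone left) can be expressed as a small policy check that runs over the inventory. The following is an added example, not code from the article or from PenChecks Trust; the inventory records, the 31-day patch window, the field names and every device and account in it are constructed for illustration and are not any real product's schema.

```python
"""Monthly asset-hygiene review over a constructed inventory.

For each device: flag patches older than the monthly window, firmware
behind the vendor's latest release, and a factory admin password that was
never reset. For each account: flag access still enabled after the
person's employment ended. All records and field names are constructed
for this example (assumptions, not a real product's schema).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 31  # "at the very least, monthly patch updates" (assumed window)

Finding = Tuple[str, str, str]  # (asset or user, category, detail)


@dataclass
class Device:
    name: str
    kind: str
    firmware: str
    latest_firmware: str
    last_patched: date
    default_admin_password: bool  # True if the factory password is still set


@dataclass
class Account:
    user: str
    system: str
    enabled: bool
    employment_ended: Optional[date]  # None while the person is still employed


def review_devices(devices: List[Device], today: date) -> List[Finding]:
    """Apply the patching, firmware and default-credential checks."""
    findings: List[Finding] = []
    for d in devices:
        age = (today - d.last_patched).days
        if age > PATCH_WINDOW_DAYS:
            findings.append((d.name, "patching", f"last patched {age} days ago"))
        # Exact-match comparison against the vendor's current release (assumed
        # to be recorded in the inventory by the monthly firmware review).
        if d.firmware != d.latest_firmware:
            findings.append((d.name, "firmware",
                             f"{d.firmware} installed, {d.latest_firmware} available"))
        if d.default_admin_password:
            findings.append((d.name, "misconfiguration", "default admin password still set"))
    return findings


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Flag access that outlived the person's employment."""
    findings: List[Finding] = []
    for a in accounts:
        if a.enabled and a.employment_ended is not None and a.employment_ended <= today:
            findings.append((a.user, "stale-access",
                             f"still enabled on {a.system}, employment ended "
                             f"{a.employment_ended.isoformat()}"))
    return findings


# Constructed sample inventory; "today" is the article's publication date.
TODAY = date(2021, 10, 4)
DEVICES = [
    Device("core-sw-01", "switch", "9.3.4", "9.3.4", date(2021, 9, 20), default_admin_password=False),
    Device("edge-fw-01", "firewall", "7.0.1", "7.0.3", date(2021, 7, 1), default_admin_password=False),
    Device("wap-lobby", "wireless-ap", "2.1.0", "2.1.0", date(2021, 9, 28), default_admin_password=True),
]
ACCOUNTS = [
    Account("jdoe", "vpn", enabled=True, employment_ended=None),
    Account("contractor7", "waf-admin", enabled=True, employment_ended=date(2021, 8, 31)),
    Account("old-admin", "vpn", enabled=False, employment_ended=date(2020, 1, 15)),
]


def run_review(devices=DEVICES, accounts=ACCOUNTS, today=TODAY) -> List[Finding]:
    """Run both reviews and return every finding for the monthly checklist."""
    return review_devices(devices, today) + review_accounts(accounts, today)


if __name__ == "__main__":
    for asset, category, detail in run_review():
        print(f"{category:16} {asset:14} {detail}")
```

On the constructed inventory the review reports four findings: the edge firewall is 95 days behind on patching and one firmware release behind, the lobby access point still has its factory admin password, and the contractor's WAF admin account is still enabled a month after the engagement ended. The value of the check is less in the logic than in the discipline it forces: it can only flag what is in the inventory, which is why the article insists on a complete asset list first.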

Security Awareness Training:

The unaware user is a company’s weakest cybersecurity link. Many companies have an audit checklist and conduct annual security awareness training, but it often falls short for most multitasking users. Security awareness needs to be ingrained in every user’s psyche to prevent random and distracting link clicking that can lead to a devastating data breach. To ingrain a sense of security awareness akin to muscle memory, make weekly, monthly and random reminders a part of your awareness training.

Data backups and redundancy also play a crucial role in your company’s longevity and survival in an ever-changing, globally accessible environment. In addition to backing up daily, weekly, and monthly, make sure your backups work by restoring and testing them at least monthly. Back up to multiple locations in different geographic locations, and “air gap” backup copies of your sensitive data offline so they will be disconnected and inaccessible from the internet.
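The paragraph above says to prove backups work by restoring and testing them, not just by taking them. The following added example (not code from the article or from PenChecks Trust) shows what a minimal restore test looks like: it backs up a constructed directory tree to a compressed archive, restores it into a separate location, and compares a SHA-256 digest of every file against the original, reporting anything missing or altered. The sample files, paths and archive name are constructed for the example.

```python
"""Restore-test a backup: archive a directory tree, restore it elsewhere,
and verify every file's SHA-256 digest matches the original.

Added example; the sample files are constructed in a temporary directory
and the archive name is an assumption, not a real backup product's layout.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def tree_hashes(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> Path:
    """Write a gzip-compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract the archive into target, using the safe 'data' filter where supported."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects paths escaping target
        except TypeError:  # Python before the 'filter' argument existed
            tar.extractall(target)
    return target


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree against the source, file by file."""
    expected = tree_hashes(source)
    actual = tree_hashes(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "ok": not missing and not corrupted,
        "files": len(expected),
        "missing": missing,
        "corrupted": corrupted,
    }


def restore_test(corrupt: bool = False) -> dict:
    """Run the full backup -> restore -> verify cycle on constructed data.

    With corrupt=True one restored file is overwritten before verification,
    to show that the check actually detects a bad restore.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        source = tmp_path / "data"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "plan-a.csv").write_text("participant,balance\n1001,2500.00\n")
        (source / "notes.txt").write_text("constructed sample data\n")

        archive = make_backup(source, tmp_path / "backup.tar.gz")
        restored = restore_backup(archive, tmp_path / "restore")
        if corrupt:
            (restored / "notes.txt").write_text("bit rot\n")
        return verify_restore(source, restored)


if __name__ == "__main__":
    print(restore_test())               # expected: ok, 2 files, nothing missing or corrupted
    print(restore_test(corrupt=True))   # expected: not ok, notes.txt reported as corrupted
```

In a real environment the restore target would be a separate host or an isolated environment rather than a temporary directory next to the source, and the digest list would be recorded at backup time so that an air-gapped copy can be verified later without access to the original system. The point the example makes is the same as the article's: a backup that has never been restored is an assumption, not a control.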

Do Your Part. #BeCyberSmart!

Cybersecurity Awareness Month is a collaborative effort between government and industry that offers a treasure trove of ideas and techniques for improving cybersecurity in your business. Led by the National Cyber Security Alliance (NCSA) and Cybersecurity and Infrastructure Security Agency (CISA), the goal is to raise awareness about the importance of cybersecurity and ensure everyone has the information and tools they need to be safer online.

Throughout the month of October, NCSA and CISA will conduct outreach on a variety of cybersecurity topics. Keep in mind that cybersecurity is an individual as well as a shared responsibility. If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences, and training employees – we will be able to leverage the wonders of interconnected technology and cloud resources in a world that will be safer and more secure for everyone.

Get involved with Cybersecurity Awareness Month!


About the Author

Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology, as a consultant and in-house manager for many companies. A well-rounded Security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.
