By DR. MARK SAM

If you feel like your business is struggling to keep pace with cybersecurity, you’re not alone. In its recent “State of Cybersecurity” annual report, global tech trade association CompTIA reported that when the issue is cybersecurity, the business world’s “capacity for innovation exceeds the capacity for adaptation.” And yet, there’s no other option but to adapt to the rapidly changing threat environment. The report underscored just how critical cybersecurity is today.

“Cybersecurity has become a business imperative, something as important to the long-term success of an organization as finances or legal practices,” according to the report. “Given this high priority, a quick response seems appropriate, but instead, companies appear to be stuck.” Especially the small to medium-size market. CompTIA analysts offered two pieces of data as evidence of this impasse in cybersecurity evolution:

•  In 2020, 80 percent of individuals surveyed reported feeling as though the state of cybersecurity was improving. In 2021, just 69 percent reported this feeling.
• In 2020, 82 percent of employees polled felt satisfied with their company’s approach to cybersecurity. Last year, that number fell to 70 percent.

 “Prolonged pandemic uncertainty, ransomware attacks on critical infrastructure, and supply chain attacks rippling through the business landscape were all likely contributors to a more pessimistic sentiment,” researchers explained. “Given everything happening on the world stage, practices that were previously considered good enough, might not be cutting it anymore.” A survey reported on by ITProPortal found that more than half (51 percent) of tech leaders polled lack confidence in their organization’s ability to defend itself against cyberattacks. Analysts cite three major trends for this waning certainty:

• The rigors of continuing digital transformation for businesses of all kinds
• The challenges of securing networks for an expanding remote workforce
• A general shortage of technicians with cybersecurity skills

Moreover, “One of the biggest complications is that modern security requires a completely different mindset,” the report noted.  Critical to a mindset change is one in which we stop thinking of technology as “a necessary evil” and instead start thinking of technology as a critical element of our success thus not only deserving but requiring the same level of attention as finances or regulatory requirements.  The challenge rises above IT departments, said MJ Shoer, who directs CompTIA’s Information Sharing and Analysis Organization (ISAO): “Cybersecurity is a threat to our global economy. It’s a threat to our global societies.” In fact, Shoer goes so far as to call cybersecurity “a moral imperative.”

Confronted by such a sweeping, intimidating challenge, how can individual leaders make a significant difference? I suggest by building a cyber-resilient business culture atop these three pillars:

1. Education: Persistent programming that teaches users not just the latest threats, but vigilance, self- sufficiency and, most importantly, diligence.
2. Transparency: Every employee at every level should be comfortable reporting attacks and incursions. Otherwise, your team cannot learn how to recover from current breaches and deflect the next.
3. Collaboration: Threats at global scale require cooperation across traditional boundaries. Users must work together. Departments must work cross- functionally to defend against threats, and businesses must work with one another and with regulatory agencies to mount a better collective defense.

A more prescriptive approach is the “Zero Trust” concept.  The “Zero Trust” cybersecurity concept has been gathering speed for nearly a decade, but core elements of the framework are not always clear to business leaders. That’s why the National Institute for Standards and Technology (NIST) published new guidance last year on Zero Trust architecture.

Seven key points from NIST to keep top of mind are:

1. Consider everything a computing resource, from mobile phones/tablets to servers on premises
2. Secure all communications regardless of network location, on-premises, or off-premises
3. Grant access on a need-to-know and per-session basis only
   4. Make access policy dynamic, taking behavioral and environmental factors into account
4. Monitor and measure the integrity and security posture of all connected assets
5. Strictly enforce authentication and authorization before allowing access
6. Collect as much information as possible for continual security improvements

Additionally, these seven basic principles can be built on by taking additional measure such as:

• Emulating external standards—Follow guidance from authorities like NIST, HIPAA, or PCI-DSS but seek the wisdom of leading industry peers too. How are they developing and implementing cybersecurity policies and practices such as Zero Trust?
• Extending principles to your supply and/or service chains—Ask partners, vendors and suppliers tough questions about their cybersecurity posture. How are they securing data and networks? Enforcing access? Complying with disclosure regulations?

Predictions and market trends all point to the same theme – the increase in digital transformation and remote/hybrid work has changed the attack landscape and the way businesses can reduce their attack surface. Businesses that continue to take the same cybersecurity approaches and tools will likely struggle to stay operational.  By proactively moving to a model such as Zero Trust, businesses can build a cyber resilience strategy that works for whatever 2022 and the future holds.

Dr. Mark Sam is Chief Technical Officer for TeamLogic IT, Maitland. Visit www.TeamLogicIT.com/MaitlandFL  or email Support1115@teamlogicit.com