Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, according to new research from CompTIA.
While a majority of respondents in each of seven geographic regions feels that their company’s cybersecurity is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.
“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, VP of industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cybersecurity. Risk mitigation is the key, the filter through which everything should be viewed.”
Two of the top three issues driving cybersecurity considerations are the growing volume of cybercriminals, cited by 48% of respondents, and the growing variety of cyberattacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.
“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cybersecurity, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cybersecurity.”
As cybersecurity is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognizing a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy.
Multifactor authentication is in place at 46% of companies and cloud workload governance at 41%. Among other changes in organizations’ approach to cybersecurity:
- 43% of companies have placed a higher priority on incident response
- 39% are deploying a more diverse set of technology tools, with SaaS monitoring and management tools making a substantial jump in adoption
- 38% are increasing their focus on process improvements
- 37% are shifting to more proactive measures
- 36% are expanding employee education.
Adopting a total zero-trust philosophy, including setting specific, strategic objectives will address many problems companies face. But there are substantial hurdles to overcome, such as closing the communications gap that exists between the technology and business sides of organizations.
The overall rate of business staff participation is too low for a business-critical function. 47% of small businesses have the CEO or owner as part of the cybersecurity chain compared to 37% of mid-sized firms and 27% of large enterprises. In addition, companies are struggling to address technical skill needs, such as threat knowledge, network security and data analysis.