US federal agencies appear to be moving on zero trust but where are small businesses?
The U.S. federal government is not always the last to get a memo. That is certainly true when it comes to creating zero trust architectures.
A brief article in GovernmentCIO notes that federal agencies have until fall 2024 to put in place prescribed zero trust components (a cornerstone of which is two-factor authentication).
The deadline was only set in January, so it is impossible right now to say if the bureaucracy is meeting expectations or lagging but it is ahead of small to midsize companies worldwide.
The Cyber Readiness Institute has published a survey indicating that owners of smaller businesses are ill-prepared for the growing risk of digital theft and fraud.
The five-year-old institute, comprised of multinational businesses, government officials and cybersecurity leaders, says 46 percent of small business owners have deployed recommended multi-factor authentication products, much less architectures. Only 13 percent of small to midsize firms require employees to use MFA, according to the institute.
More than half of those surveyed reported being more or less unaware of multi-factor authentication. The same share does not use MFA in their businesses.
Half of respondents (again) who have adopted multi-factor authentication to whatever degree are only “encouraging the use of MFA.”
By definition, these organizations are diminutive, but by economic weight they are enormous: Small businesses in 2019 were responsible for 44 percent of economic activity in the United States, for example.
That is a lot of cybersecurity exposure.
The U.S. federal government, on the other hand, has access to “really strong two-factor” ID authentication tools, according to Dan Chandler, information systems security officer with the Office of Management and Budget, the agency charged with herding the government cats toward their deadline.
Chandler was speaking during an online panel earlier this month sponsored by the Advanced Technology Academic Research Center.
Also on the panel, Brian Hermann, director of cybersecurity and analytics for the Defense Information Systems Agency, said they are deploying secure access service edge to consolidate and understand data about users.
Hermann said his organization has learned that it is not enough to moving from basing security assumptions by location, for example. Systems have to free to consider any data relevant to securely granting access.
That may not be a novel insight for security-cautious multinationals, but it is years ahead of small to midsize businesses, one of the world’s biggest economic drivers.