November 2024 Volume 6
OPERATIONS & MANAGEMENT
and applications on a regular basis. Consider implementing strong identity and access controls to ensure only the right people can access the right information.

Limit Access. Misuse of privileged access is a common vulnerability that can be exploited by cybercriminals. Limiting access ensures that staff are granted only the access they need without affecting their day-to-day activities. Common security practices that organizations have adopted to limit access:

• Principle of Least Privilege – Also called Just-Enough-Access (JEA). People, devices, or applications are granted the least access or permissions needed to perform their functions. You may also put limits in place that stop staff from uploading/exporting files to the internet or external storage devices such as USB drives.
• Block by Default – People can only access applications that are explicitly approved (also known as application whitelisting). This helps prevent any malicious access to the network through an unrecognized program, installer, malware, or ransomware.
• Temporary Access – Also called Just-In-Time (JIT). People, devices, or applications are granted access only for a predetermined period. This helps limit the time one has access to critical systems.

Limit Application Interactions. Another option is to control what the applications themselves can do once they’re running, including how they interact with other applications. By limiting what software can do, you can reduce the “blast radius” of an attack - the likelihood of an exploit spreading if it does breach the network.

Communicate, Communicate, Communicate. Implementing verifications and access limits does not mean you don’t trust your people or you’re trying to make it more difficult for them to do their jobs. To avoid misunderstandings, it’s important to communicate with everyone about the value of shifting to zero trust and how the changes will affect them.

Potential Challenges

Complexity. Implementing zero trust cyber security involves every element of your IT environment and will take careful planning. For example, while implementing multi-factor authentication is straightforward, older network infrastructure and important legacy systems may be incompatible with current zero-trust security tools. As legacy systems are replaced, ensure that zero-trust principles are included in planning and implementation.

Ease of Adoption. Change is difficult, and there will be a learning curve across your team when zero trust is implemented. Communication will be important to understand how using new tools, such as allow listing that may require an extra verification step, will reduce the risk of cyberattack. People and technology must successfully work together for zero trust to be effective.

Cost. Implementing and maintaining a zero-trust architecture can be expensive. It requires staff with specialized skills and security tools such as ongoing threat detection and mitigation. Still, these costs are substantially lower than your potential liability in the event of a major cybersecurity incident.

Where to Start

Successfully adopting a zero-trust mindset starts at the top. Create a culture where everyone understands that access to systems needs to be justified based on role and function. We suggest starting small and scaling slowly to ensure both technical reliability and buy-in from the team.

To begin, identify systems with critical data that affect a smaller group of users. Apply zero-trust principles such as multi-factor authentication and access controls as a test while keeping your existing perimeter controls in place for everything else. When the time comes to replace legacy systems, employ zero-trust principles with the new systems.

You can extend the concept from application access to physical access. For example, who has access to the computer at the reception desk? Consider ways to limit physical access if needed. If that isn’t possible, determine who really needs access and consider user ID/password controls to prevent access from unauthorized people. Another example is deciding if users should be permitted to install new software on their own. From our perspective, the answer is no. An application allowlisting solution will allow only approved applications to run, which will help secure your network.

Don’t go at it alone. Evaluate the skills of your current IT team and consider outside help for implementation and ongoing administration (especially if you require 24x7 threat detection and response). Consult with your IT team to help assess your needs and develop a plan for implementation based on your environment and budget.

No cybersecurity approach will keep your business 100% safe from attackers. However, the zero-trust approach will create a robust security posture and help reduce risks.
Jim Kerr is President of CRU Solutions, a leading Cleveland-based managed IT services firm he founded in 1982. CRU Solutions has been serving the team at FIA for over 10 years. www.crusolutions.com Email: jim.kerr@crusolutions.com
FIA MAGAZINE | NOVEMBER 2024 41