Latest News

Why cybersecurity training is important for your business

July 11, 2019

Experts recognise that a team trained in cybersecurity could be the strongest weapon in a business’s arsenal when it comes to resilience and protection

Your business cannot simply “buy in” security technology in the same way that a consumer purchases an antivirus package for a PC. Cybercrime is not just about software; with more and more cybercriminals targeting workers, through phishing emails and other ploys, making sure you have a security-savvy team in place is more important than ever.

“Worldwide spending on cyberdefence products and services is forecast to exceed $1trn until 2021,” says Oyku Isik, professor of information systems management at Vlerick Business School in Belgium. “Yet every year we hear a cyber-incident that is significantly worse than one in the previous year. This is a clear sign that all the investment in technology is necessary, but not enough. It is now time to invest in people.”

Always learning

Prof Isik says that companies should not only have specialist security employees but also provide on-the-job training for other staff: “A simple cybersecurity awareness session that you do once is not going to cut it anymore. We need not only cybersecurity expertise in our organisations, but also employees in all units who are well rounded in the basics of cybersecurity.”

Ensuring that all employees receive training can pay real dividends for companies, says Adenike Cosgrove, cybersecurity strategist at security company Proofpoint. She says: “Email phishing is consistently the top weapon of choice for cybercriminals. As an example, the Royal Bank of Scotland took what some might consider an unusual approach by launching simulated phishing attacks on its own employees.”

The bank’s security team launched fake phishing attacks on workers, based on actual fraudulent messages. “Through an ongoing programme of ethical phishing simulations, RBS determined their employees’ susceptibility to real-world attacks,” says Ms Cosgrove. “Users falling victim to these fake phishing messages on multiple occasions received comprehensive training, which led to a 78pc reduction in the likelihood of users clicking on nefarious campaigns.”

Inspiring leaders

Making sure you have trained experts in cybersecurity is still important too – and now, more than ever, these experts also need to be strong communicators. Ted Wagner, vice-president and chief information security officer at SAP National Security Services, says: “People working in the cyber field often need to communicate findings and results to the company board, so they need to both communicate and manage up to a group of people who don’t speak ‘cyber’ but instead speak ‘business’. They need to be able to effectively communicate cyber-risk into business risk and what it entails in a simplified manner.”

But recruiting talent for cybersecurity roles is increasingly difficult, with Britain facing a digital skills gap that could leave up to three million jobs unfilled by 2030. In cybersecurity, the problem is particularly intense, with a report from the UK Parliament’s Joint Committee on the National Security Strategy suggesting that even government departments struggle to recruit talent. Research by KPMG this year found that more than half of chief information security officers (52pc) said they struggled to recruit talent.

Prioritising skills

To address the skills gap, businesses need to rethink how they recruit and train cybersecurity professionals, says Ruth Davis, head of commercial strategy and public policy for BT Security. “The idea that people need to be qualified in a STEM [science, technology, engineering and mathematics] subject, have five years of experience and security qualifications is outdated,” she says. “One of BT’s best graduate cryptographers studied music.”

Instead, businesses should look for people with roughly similar skill sets and the right aptitude, and train them up, Ms Davis says. “The focus to date has been on building a future pipeline of talent via schools and universities. This was the right priority at the time, but we now need to broaden our focus to help those with transferable skills or aptitude move into the industry.

“We need to focus on mid-career transfer, getting people with similar skill sets and the right aptitude to come and work in our sector; because we need people now.”

More than half of British firms 'report cyber-attacks in 2019'

July 11, 2019

The proportion of UK firms reporting a cyber-attack has jumped, despite most businesses admitting they are under-prepared for breaches, according to research from Hiscox.

The insurer found 55% had faced an attack in 2019, up from 40% last year.

But almost three quarters of firms were ranked as "novices" in terms of cyber readiness.

Hiscox said a lot of businesses "incorrectly felt that they weren't at risk".

The firm surveyed more than 5,400 small, medium and large businesses across seven countries, including the UK, Germany, the US, Belgium, France, the Netherlands and Spain.

It said there had been a "sharp increase" in the number of cyber-attacks this year, with more than 60% of firms having reported one or more attacks - up from 45% in 2018.

Average losses from breaches also soared from $229,000 (£176,000) to $369,000, an increase of 61%.

Despite this, the insurer said the percentage of firms scoring top marks on cyber security had fallen, with UK organisations doing particularly badly.

British firms had the lowest cyber security budgets, it said, spending less than $900,000 on average compared with $1.46m across the group.

They were also joint-least likely with US firms to have a "defined role for cyber security" on their staff. In France the proportion was closer to one in ten.

Gareth Wharton, head of Cyber at Hiscox, said the low UK spending could be driven by the large number of small businesses in Britain.

"They may feel like they won't be targeted, as we tend to only read about large breaches in the press. If they incorrectly feel that they won't be targeted, they may be less likely to spend on cyber security."

However, Hiscox also found the average cost of an attack in the UK was lower than average at $243,000, compared with $906,000 in Germany and $486,000 in Belgium.

New regulation has also prompted action, with eight in ten UK firms saying they had made changes since the introduction of tough new EU data protection rules last year.

Florida town pays $600,000 virus ransom

July 11, 2019

A Florida town has decided to pay malicious hackers $600,000 (£475,000) to get its computers working again.

Municipal computers for Riviera Beach, a suburb of Palm Beach, were rendered unusable by the ransomware attack.

The virus disabled email, hit emergency response systems and forced staff to use paper-based admin systems.

The local council for the community of 35,000 people voted to pay off the hackers after employing cyber-security consultants to investigate.

"We're relying on their advice," Rose Anne Brown, a spokeswoman for the council, told the AP news wire.

Ms Brown said there was no guarantee that the hackers would restore the town's computers to working order once they had been paid.

The ransom is being paid in the bitcoin crypto-currency and the payment is being covered by the town's insurance policy.

The computers were struck by the ransomware in late May after an employee clicked on a booby-trapped attachment in an email. The crippling attack also led to water pump stations being turned off and required pay cheques to be signed and issued by hand.

"Cyber-criminals always try to get maximum profit doing the least effort, that's why targeting city technology is a good business opportunity to them," said Cesar Cerrudo, chief technology officer at security firm IOActive.

Larger organisations had become much harder to catch out, he said, as many had tightened up their digital defences. By contrast, said Mr Cerrudo, local government networks were much easier to penetrate.

The FBI, which is believed to be investigating the incident, had no comment on the Riviera Beach attack or the decision to pay. It told AP that it had seen 1,493 ransomware attacks in 2018 netting an estimated $3.6m for attackers.

Source - BBC News available here

The Cybersecurity Skills Gap Won't Be Solved in a Classroom

July 11, 2019

Unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20% from 1.5 million in 2015, according to the Center for Cyber Safety and Education. The cybersecurity skills gap isn’t going anywhere.

Yet, lack of formal education isn’t slowing down new recruits to the cybersecurity talent pool. There is an army of ethical hackers all over the world that won’t be hired into traditional full-time roles. In the years to come, I predict there will be over 1,000,000 ethical hackers.

A global study from ESG and ISSA confirmed “that the cybersecurity skills shortage is exacerbating the number of data breaches,” with the top two contributing factors to security incidents being “a lack of adequate training of non-technical employees” (31%) first and “a lack of adequate cybersecurity staff (22%)” second.

Cybersecurity can be a thankless job. Security professionals are on the front lines protecting our digital society, yet they rarely get called out for effectively defending and always get called out when something goes wrong. We need security teams and they need resources. Thus, the skills gap is widening, education is lagging, and society is paying the price with data breach after data breach.

Computer science programs struggle to offer adequate cybersecurity courses for the next generation of technologists. Of the top 50 computer science programs in the U.S., only 42% offer three or more information security-specific courses for undergraduates. Yet, we must acknowledge that this is progress. I’m sure this is far more than what was available five or 10 years ago. Today, the University of Maryland College Park, among the top computer science programs in the U.S., offers a cybersecurity concentration for computer science majors. University of California Berkeley also offered a Cyberwar class in 2017 teaching 80 students how to hack for good. Northeastern University offers 11 courses that cover some aspect of security, including a class covering laws, ethics and policy related to digital technologies.

Fortunately for us, a formal cybersecurity education is not stunting the talent pool. Today we know that more than 80% of ethical hackers are self-taught. Despite 33.3% of hackers having studied computer science at the undergraduate level, and 23.3% having studied computer science in high school or before, less than 6% have actually learned hacking skills in a classroom.  

Security must permeate everything we do in the digital realm. It's not the responsibility of the few but rather the responsibility of the entire connected society. Considering how rapidly the technology and cybersecurity landscapes are evolving, it is impossible for one person, one team and even one organization to keep up with every change.

The lack of information security-focused courses available is just one piece of a much larger puzzle. Security cannot be solved alone and therefore education should not be confined to computer science programs and graduates. The broader connected society must prioritize security because the cybersecurity skills gap will never be solved in a classroom.

There are new education tools cropping up outside of the traditional classroom, offering free coursework designed by ethical hackers for the growing cybersecurity talent pool: Cyber Aces, Hacker101, Google Gruyere, Cybrary, and more. Capture the Flag exercises (CTFs) are also a popular way to hone one’s cybersecurity skills beyond the classroom. To illustrate, approximately 26,300 hackers on the HackerOne platform have learned how to hack using Hacker101’s CTFs.

These tools all encourage collaboration within the cybersecurity community. Collaboration and transparency are the only way education will be able to keep up with the rapidly evolving threat landscape. When we can learn from each other, we can progress faster. The cybersecurity community has been working unilaterally for decades. We must shift the culture of the industry to change that. Companies ranging from industry giants like Google, General Motors, Starbucks, and Nintendo, to startups like Mapbox, Coinbase, and NextCloud are leading by example by collaborating with the hacker community to supplement the work their security teams are already doing.

As an industry, we need to rally together to embrace the emerging cybersecurity talent, creativity, and curiosity that isn’t necessarily hireable or doesn’t necessarily come with a college degree. The culture of resume-based cybersecurity industry hiring needs to change, for the sake of the protection of our data. Vulnerability reports are the new resume.

Source - Forbes available here
