Experts recognise that a team trained in cybersecurity could be the strongest weapon in a business’s arsenal when it comes to resilience and protection.
Your business cannot simply “buy in” security technology in the same way that a consumer purchases an antivirus package for a PC. Cybercrime is not just about software; with more and more cybercriminals targeting workers, through phishing emails and other ploys, making sure you have a security-savvy team in place is more important than ever.
“Worldwide spending on cyberdefence products and services is forecast to exceed $1trn until 2021,” says Oyku Isik, professor of information systems management at Vlerick Business School in Belgium. “Yet every year we hear of a cyber-incident that is significantly worse than one in the previous year. This is a clear sign that all the investment in technology is necessary, but not enough. It is now time to invest in people.”
Prof Isik says that companies should not only have specialist security employees but also provide on-the-job training for other staff: “A simple cybersecurity awareness session that you do once is not going to cut it anymore. We need not only cybersecurity expertise in our organisations, but also employees in all units who are well rounded in the basics of cybersecurity.”
Ensuring that all employees receive training can pay real dividends for companies, says Adenike Cosgrove, cybersecurity strategist at security company Proofpoint. She says: “Email phishing is consistently the top weapon of choice for cybercriminals. As an example, the Royal Bank of Scotland took what some might consider an unusual approach by launching simulated phishing attacks on its own employees.”
The bank’s security team launched fake phishing attacks on workers, based on actual fraudulent messages. “Through an ongoing programme of ethical phishing simulations, RBS determined their employees’ susceptibility to real-world attacks,” says Ms Cosgrove. “Users falling victim to these fake phishing messages on multiple occasions received comprehensive training, which led to a 78pc reduction in the likelihood of users clicking on nefarious campaigns.”
Making sure you have trained experts in cybersecurity is still important too – and now, more than ever, these experts also need to be strong communicators. Ted Wagner, vice-president and chief information security officer at SAP National Security Services, says: “People working in the cyber field often need to communicate findings and results to the company board, so they need to both communicate and manage up to a group of people who don’t speak ‘cyber’ but instead speak ‘business’. They need to be able to effectively communicate cyber-risk into business risk and what it entails in a simplified manner.”
But recruiting talent for cybersecurity roles is increasingly difficult, with Britain facing a digital skills gap that could leave up to three million jobs unfilled by 2030. In cybersecurity, the problem is particularly intense, with a report from the UK Parliament’s Joint Committee on the National Security Strategy suggesting that even government departments struggle to recruit talent. Research by KPMG this year found that more than half of chief information security officers (52pc) said they struggled to recruit talent.
To address the skills gap, businesses need to rethink how they recruit and train cybersecurity professionals, says Ruth Davis, head of commercial strategy and public policy for BT Security. “The idea that people need to be qualified in a STEM [science, technology, engineering and mathematics] subject, have five years of experience and security qualifications is outdated,” she says. “One of BT’s best graduate cryptographers studied music.”
Instead, businesses should look for people with roughly similar skill sets and the right aptitude, and train them up, Ms Davis says. “The focus to date has been on building a future pipeline of talent via schools and universities. This was the right priority at the time, but we now need to broaden our focus to help those with transferable skills or aptitude move into the industry.
“We need to focus on mid-career transfer, getting people with similar skill sets and the right aptitude to come and work in our sector; because we need people now.”