By François Amigorena, CEO, IS Decisions
Analysts everywhere are fretting about the lack of cybersecurity professionals across the world. The Cybersecurity Jobs Report believes the global shortfall of cybersecurity workers will reach 1.5 million by 2019. (ISC)2 believes the shortfall will reach 1.8 million in five years.
These figures are having an intense effect on businesses, who are very much starting to feel the pinch. A recent report by the Intel Security and the Centre for Strategic and International Studies (CSIS) found that 15% of cybersecurity positions in companies will go unfilled by 2020 — with most businesses saying the skills shortage is worse than talent deficits in other IT professions.
The reason, according to many of the respondents in the CSIS study, is the education system within each country, which doesn’t prepare students for the industry. As with any ‘security’ role, education is key, but why does the emphasis lie on cybersecurity professionals alone?
The weakest point in any organization’s cyber defenses is the people, ergo, education should be a part of everybody’s working life — not just the lives of the experts. In fact, education is arguably more important when it comes to the average employee than an IT-savvy administrator because the average employee is the one who needs it the most. In the same way that those who need to go to the doctor for help are the sick, not the healthy.
Every employee, from the intern to the CEO, needs to be aware of the cybersecurity risk they pose to their own company. If they’re not, the consequences can be disastrous. Just look at the recent cyberattacks on companies like Anthem, Sony, eBay, Dropbox and Sage. With Anthem, 78.8 million customers’ details were leaked. With Sony, 100 terabytes of sensitive data were stolen. Dropbox suffered to the tune of 68 million customer account details being stolen. 233 million customer account details were hacked with eBay, and 280 UK clients were compromised in the Sage attack. What was the common factor underpinning each of these attacks? A compromised login from an average-level employee that fell into the wrong hands.
Hackers love exploiting the naivety of employees because it’s so easy. All it takes is one successful phishing email to persuade just one employee to hand over their corporate login details. Then a hacker effectively has a company key into a safe house of valuable information. And once that hacker gains entry to your systems, you’re not going to find out until it’s too late — your anti-virus and perimeter systems aren’t programmed to pick up on access using legitimate login details, giving snoopers all the time in the world to, well, snoop.
The key to protecting against these types of security breaches is a mix of education and technology.
In terms of education, companies must do more to formalize the security training they give employees from the day they join the company, right through to when they leave. It doesn’t matter what job level someone joins at. Everyone’s a risk, so everyone needs training.
And while training is hugely effective, humans are always human and will be prone to making mistakes. Technology, therefore, is essential in mopping up any errors that happen and can provide protection in two parts — restricting access (prevention) and networking monitoring (cure).
And as prevention is always better than cure, companies need to do more to protect their networks from hackers using compromised credentials. By restricting access to certain workstations, geographies, times of day, or IT-approved employee-owned devices, a hacker can’t gain entry using a legitimate login because they’d be logging in from the wrong device, the wrong location or at the wrong time of day. Restricting access in this way narrows the window of opportunity for hackers.
But for those attackers who do end up logging in to a corporate network — perhaps they stole an employee’s device or broke into your office — effective network monitoring and file monitoring can mitigate any damage. Autonomous monitoring can pick up on suspicious network activity quickly, and alert an administrator before a hacker has a chance to steal any information or snoop around. To use an analogy, it’s akin to catching a burglar mid-act and tying them up before the police arrive.
Crucially, both of these kinds of technologies would’ve prevented the high-profile attacks on Anthem, Sony, eBay, Dropbox and Sage — and both would help small businesses to keep their sensitive data safe. And in a world where cybersecurity skills are lacking, it’s the least companies can do to get through troubled times.
About the Author
François Amigorena is the founder and CEO of IS Decisions and an expert commentator on insider threat issues.
IS Decision is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.
Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which rely on IS Decisions to prevent security breaches; ensure compliance with major regulations; such as SOX and FISMA; quickly respond to IT emergencies, and save time and money for the IT department.