by: Meghan Behse
In 2014, an iCloud breach, later coined “Celebgate” by some, took the world by storm as A-list celebrities’ most compromising personal photos were leaked on the web after their cloud-storage accounts were hacked. Just about everyone with a smartphone was talking about security and privacy. And changing their passwords.
But as individual consumers we can only do so much to protect ourselves from cyber criminals. In many cases, we rely on the businesses we interact with to protect us – our information, our money, even our identity.
The Increase in Cyber Attacks
Those working in the cybersecurity world have been fighting a war against cyber criminals for as long as the Internet’s been around. And attacks on businesses and online services continue to become more frequent and more ingenious. In fact, 2016 studies by cybersecurity professionals say that cyber attacks are no longer just a potential threat to businesses and organizations; they are inevitable. The question is no longer “Will they happen?” but “When will they happen?” and “How bad will the damage be?”
In the 2016 survey report “The State of Cybersecurity,” published by ISACA, 75 percent of the 461 cybersecurity professionals surveyed around the globe responded that they expect their organization will be attacked within the next year. These respondents indicated that the businesses they work for have fallen prey to such attacks as online identity theft, hacking, malicious code, loss of intellectual property, damage to computer systems, phishing, and denial of service – some reporting these attacks can occur daily.
But these startling statistics do not mean companies are defenceless. As attacks get more advanced, so do defence strategies. There are now internationally accepted protocols and a plethora of software that businesses can implement to protect themselves. The trouble is that these policies and programs are not always being used.
For instance, Home Depot hit the news the same year as Celebgate. Its point-of-sale systems throughout Canada and the United States were breached, and over the course of four months (April to September 2014), 56 million customer credit and debit cards were compromised, affecting more people and costing the company more money – $62 million and counting – than the infamous Target breach the year before.
Home Depot’s cyber thieves used malware disguised as antivirus software to infiltrate the POS systems. And while Home Depot is certainly a victim, according to Reuters some security professionals argue this attack could have been prevented had Home Depot been more focused on security. Home Depot, at the time, was defending itself against existing malware. If its security personnel and software had been looking for malware behaviour using more advanced software, they may have detected the custom malware and avoided the breach.
The Current State of Cybersecurity
The good news coming out of the ISACA survey report is that businesses are now, finally, realizing the impact cyber attacks can have on their enterprises, including financial and customer confidence loss. Eighty-two percent of the survey’s respondents stated that the top executives of the business they are employed by are now “concerned” or “very concerned” about cybersecurity. As a result, they are allocating more resources and budget to address the threat – historically the best way to bolster the success of cybersecurity efforts. Cybersecurity Ventures’s 2016 market report projects $1 trillion will be spent globally on cybersecurity between 2017 and 2020.
However, throwing money at the issue of cybersecurity is not a turnkey solution. In most businesses, cybersecurity is still seen as a technical issue and not part of an overall strategic plan, leading to a lack of understanding and accountability.
“What we are seeing is the lack of skillset. When we walk into any public sector organization, we see that there is no strategy,” reports Markham-based Cybersecurity Umbrella’s expert panel. “They don’t even know what to monitor. They have so many threats in the organization.”
A good cyber defence involves far more than just antivirus software and malware protection. The 2016 report by (ISC)², “The State of Cybersecurity from the Federal Cyber Executive Perspective,” states that people (employees) are actually the greatest threat to a business’s security. They often bring threats into the office with them through their own laptops and phones, and they are susceptible to phishing (such as fraudulent emails designed to get the recipient to disclose personal information, usually passwords or financial details) because they don’t know how to detect and identify fraud.
Strong cybersecurity therefore must begin with top executives incorporating it into the business’s main objectives and then stream down to employees through robust policies.
The Lack of Workforce
Clearly, cybersecurity is not just the job of a business’s IT specialist anymore. Skilled security experts are now required on the executive level as well as on the ground floor. This need for technical expertise coupled with the urgency being generated from the rising volume of attacks has resulted in an exponential increase in cybersecurity jobs across the globe. The problem is that there isn’t currently a qualified workforce to fill all of these positions. And therein lies the greatest threat to cybersecurity in today’s climate.
ISACA’s survey reported that 54% of respondents estimate that it takes three to six months to fill a cybersecurity position at their business, and 10% said they can’t fill the positions at all. Perhaps even more concerning is that 60% believe that less than half of their applicants are qualified for these positions upon hire.
In the three years since its inception as a security service firm, Markham’s Cybersecurity Umbrella has adapted its company’s focus to include security training in order to address this growing concern.
Cybersecurity Umbrella has partnered with EC-Council, the largest cybersecurity technical certification body in the world. As EC-Council’s Canadian partner, they’ve begun working with universities to revise and design curriculum for students based on EC-Council’s certificates, including the Certified Ethical Hacker (CEH), the Computer Hacking Forensics Investigator (C|HFI), and the Certified Security Analyst (ECSA).
Cybersecurity Umbrella is also scheduled to begin its own training sessions for EC-Council’s certifications. “We have trained six or seven people in the last few months and they have already gotten six-figure salaries,” says Mohammed Ahmed, Cybersecurity Umbrella’s program manager.
EC-Council’s highest certification is the Certified Chief Information Security Officer (CCISO). The CCISO program combines strategic planning and financial expertise with information security and governance skills, and its degree of difficulty is such that educational waivers for the certification include a PhD in information security and an MBA, a CPA or a Master’s in Finance.
This certification is often required in order to lead the security operations of large enterprises and public sectors. The extensive knowledge required for CCISO certification only adds to the difficulty of filling these positions. Many security budgets now allocate for salary increases and skills development training as incentives.
But Cybersecurity Umbrella is not only focused on training cybersecurity leaders. When asked who their sessions will target, Ahmed responds, “It’s for everybody!”
“What we are trying to do includes three major divisions,” he continues, “the technical part, the governance part, and the solutions part – so, how everything integrates. And they can work at any position – at the director level or the team-lead level, even the implemental level. The objective is to create a combined skillset.”
While cyber threats may never be eradicated, by equipping employees at all levels of an organization with cybersecurity skills and awareness, businesses can tip the scale in their favour and do their best to keep their employees, their customers, and their bottom lines safe.