Improving security knowledge, skills and safety

By: Simon Kouttis

First published in http://www.elsevierscitech.com/nl/cfs/home.asp

For a long time, cybercrime wasn’t as serious as it was made out to be on TV and in the cinema. In films like Hackers, computer-savvy children crash entire stock exchanges and people walk around with names like ‘Acid Burn’; in Tron, the main character is able to violate a mainframe by being digitised with lasers; in The Matrix, manipulating code can make you an instant kung-fu master.

It was ridiculous, especially when compared to the reality. No cyber-criminal ever sat in front of a bunch of glowing green CGI numbers before clicking ‘OK’ on an ‘Upload Virus’ prompt; wanted ‘master hackers’ such as Kevin Mitnick typically succeeded because they’d ring people up, pretend to be tech support and ask for a password. On the rare occasions someone did successfully penetrate a network, it would still be reasonably harmless: when Gary McKinnon hacked the Pentagon, for example, he was looking for evidence of UFOs and antigravity technology.

Cybercrime today

Today, little has changed in this respect – shows such as CSI: Cyber routinely feature people saying things like, “I’ll create a GUI interface using Visual Basic to track the killer’s IP address”. But cybercrime is not a laughing matter anymore, as the abilities of hackers gradually catch up to their on-screen counterparts. Among others, we’ve seen organisations as disparate as Ashley Madison, Sony Pictures and Mumsnet fall prey to security breaches in recent months; in many cases, these high-profile attacks have caused millions of pounds’ worth of damage (and led to high-profile resignations as well).

At this point, it’s tempting to ask two crucial questions: ‘Why?’ and ‘Why now?’. Both have essentially the same answer. In the past couple of decades, tech has evolved and expanded at an unprecedented pace: Netflix has replaced home video; electronic stock exchanges have largely replaced old-style trading floors; and if you have a smartphone, there’s a good chance you’re carrying several times the storage capacity and processing power of a 90s-era desktop PC around in your pocket.

Unfortunately, every silver lining has a cloud, and as the Internet and computing have occupied more and more space at the centre of our personal and professional lives, so have opportunities to exploit their vulnerabilities. Cyber protection (never a minor matter, but neither at the forefront of public interest) is suddenly a major issue, and the network security industry appears to have not caught up. For business owners and IT departments alike, this poses a genuine, if not existential, threat: new guidelines introduced by the Government in 2015 mean that executives who fail to protect their company’s data adequately could face prison time.

Cyber-security skills shortage

Note that we said the network security industry only appears to have not caught up. This has less to do with poor base-line competence among cyber-security professionals and more to do with good old-fashioned supply and demand.

When it became clear that Norton Antivirus combined with the awesome power of Windows Firewall wasn’t going to do it anymore, the majority of the best talent in an already pretty shallow pool of professionals was drained quickly. Currently, cyber-security professionals actively looking for work can almost name their price, and passive candidates are well-compensated enough that they’re effectively impossible to dislodge from their current roles.

Why are there so few cyber-security professionals? In 2014, a Confederation for British Industry (CBI) survey indicated that Science, Technology, Engineering and Maths (STEM) skills were in perilously short supply, to the point that over 40% of firms are looking for employees with these skills. This has had a knock-on effect on computing and cyber-security, to the point where those qualified – and up-to-date with the latest malicious hacker tricks – are prized assets. And without the right cyber-security professionals, a business is leaving itself open to catastrophic damages and loss. In 2014 alone, network attacks cost companies across the world $445bn in revenue – costing over 150,000 employees their jobs due to related downsizing. Cyber-security protocols aren’t just essential to protecting a company: they now have a direct impact on its profits and losses.

Fixing a hole

When it comes to skills shortages, the temptation is usually to approach it first at the university level. This is where students will receive the qualifications they need to work in cyber-security, after all, and a growing number of graduates with these skills certainly won’t hurt. To encourage governments and institutions to provide more resources in this area seems like a sensible course of action.

The reality, unfortunately, is complicated by the fact that STEM subjects are already very well-funded. In 2015-16, 73 universities will receive £200m in STEM grants from the Higher Education Funding Council of England – matched on a one-to-one basis by each institution. Even when they are subject to funding cuts (and they frequently dodge this particular axe) they’re typically less substantial than cuts for courses in similar areas. Accordingly, STEM enrolment has been on the rise in recent years, and hit an all-time high in 2014. The awkward truth appears to be that, even with STEM enthusiasm at its peak, it’s still not producing enough competent graduates to satisfy the rapidly ballooning demand.

One suggestion is that governments and schools should do more to approach this problem for younger learners: from the earlier Key Stages right through to college and A-Level. To treat STEM – and computer science in particular – as the sole province of higher education is fundamentally a mistake: more needs to be done to get pupils interested at an early age. At present, the only cyber-security qualifications offered by UK universities are at MSc level: any other exploration of the subject at undergraduate level tends to be offered as part of a wider Computer Science BA alongside programming, testing and multiple other subjects.

With laptops, PCs and mobile devices a part of the vast majority of contemporary classes, the rudiments of good cyber-security should be emphasised to young people from the moment they receive a computer: a secure password, how to detect (and avoid) innocuous-seeming malware, the importance of a solid antivirus program. If they are trusted with a PC, they should be expected to keep it safe. With this solid foundation in place, they will then have the opportunity to explore the subject in more depth in ICT classes dedicated to cyber-security. Extracurricular computer clubs should also be offered; if pupils are willing to spend their spare time on a subject, they should be given the chance. With these measures – and more – implemented, interest in cyber-security should rise closer to demand.

What to do in the meantime

Of course, I’m well aware that that isn’t much use to companies that can’t afford to wait for more robust cyber-security. Whether you’re an entrepreneur launching a new business or the CEO of a multi-million pound company, cyber-security needs to be treated as a priority now. That the potential fallout from an attack can be devastating has already been established – so what can a company do to prevent cybercrime today?

The first decision a company has to make is to outsource its cyber-security or take it in-house. This is, effectively, the difference between putting it ‘out of sight, out of mind’ or assuming all responsibility for network protection. The attractions of the former are obvious: in small-to-medium organisations, the expense of building a Security Operations Centre seems intimidating, so paying a managed services provider (MSP) a flat, monthly fee to take care of it can appear more immediately cost-effective.

Often, however, this can turn out to be a case of ‘buy cheap, buy twice’: 63% of data breaches occur because of bad outsourcing decisions. If an organisation does decide to go in-house, it has to be done properly: the cyber-security team can’t be an appendage to the IT department – it needs to be fully integrated, with leadership that understands both network safety and business goals. Any chief information security officer (CISO) hired should have a good knowledge of how to enact protective measures that align with corporate strategy. As a member of the C-suite, he should be able to communicate the importance of cyber-security to senior management – who, in turn, should help him install a safety culture throughout the entire organisation.

Smarter hiring

When a company is looking to fill a cyber-security position, the natural thing to do is to look for cyber-security professionals. But it’s already been established that, with cyber-security skills in worryingly short supply, this is easier said than done.

However, if the organisation is willing to think a little differently, it’s still possible to make a solid hire – and potentially an even better one than it would have made in better circumstances. Rather than looking for a general safety specialist, it’s smart to look for IT experts who have decent experience with the network technology that the business is using: over time, they’ll have become well acquainted with the various quirks of the system, and will have developed a number of preventive strategies – and coping mechanisms – to counteract them. If a crucial cyber-security hire is proving elusive, the first thing to do is expand the search area.

Another option is to begin a partnership with an educational institution, like the one Hewlett-Packard, Microsoft, and Vodafone recently forged with the University of East Anglia, creating a “country-wide…hub” for the “safe and secure sharing of information”. Computer science academics will typically be in the vanguard of any leading-edge developments in their field, so collaborating with them on projects and course programmes can give a company access to cyber-security information that its competitors won’t have – allowing it to formulate a better recruitment strategy and help mould the course’s students into a shape that could perfectly suit its business goals. This will, if nothing else, certainly give the company an advantage when it comes to catching a cyber-security graduate’s eye at the careers fair.

Make it a priority

For all that hackers’ powers have increased in recent years, the fact remains: these are not criminal masterminds. While we might not freely offer our password recovery details to people claiming to be from tech support anymore, these criminals are still taking advantage of widespread technological naivety.

The only way to counteract this is through education. The Government – and its schools – must do its part to foster large-scale awareness about cyber-security, and integrate it into the core curriculum as soon as students are using computing devices. This will mitigate the damage that cybercrime can cause in future – and breed the next generation of cyber-security specialists at the same time. In the meantime, however, it’s imperative that those running a business or leading an IT department educate themselves properly – and ensure that cyber-security remains at the forefront of their concerns.

About the author

Simon Kouttis is the cyber-security practice manager at Stott and May, an international executive recruitment business specialising in technology, business and finance. He specialises in permanent placements with a global footprint, and senior executive appointments across the IT sector. Kouttis also heads up Stott and May’s Cyber Security Centre of Excellence, a training facility designed to produce recruitment specialists.