Bridging the cyber skills gap

BY Richard Summerfield

The current cyber security workforce must grow by 145 percent if the industry is to close the skills gap and better defend organisations worldwide, according to the 2019 (ISC)² Cybersecurity Workforce Study.

The report, which was designed to estimate the total current number of cyber security professionals in the US and 10 other major global economies, suggests that while most cyber security and IT professionals in the market are largely satisfied with their career and remain optimistic about their future in the industry, there is a substantial gap between the number of cyber security professionals working in the field and the number needed to keep organisations safe.

Understandably, the gap is not the same across all markets. In the US, for example, the current cyber security workforce estimate is 804,700 and the shortage of skilled professionals is 498,480, requiring an increase of 62 percent to better defend US organisations. The study is based on online survey data from 3237 individuals responsible for security or cyber security throughout North America, Europe, Latin America and Asia-Pacific.

“We’ve been evolving our research approach for 15 years to get to this point today, where we can confidently estimate the current workforce and better understand what it will take as an industry to add enough professionals to protect our critical assets,” said Wesley Simpson, chief operating officer at (ISC)². “Perhaps more importantly, the study provides actionable insights and strategies for building and growing strong cybersecurity teams. Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges.”

According to the report, 65 percent of organisations suffer from a shortage of cyber security staff and a lack of skilled or experienced cyber security personnel is the top job concern among respondents.

If organisations are to close the skills gap, they must not only look to train and develop existing employees, but also attempt to recruit individuals from outside the industry.

Report: 2019 (ISC)² Cybersecurity Workforce Study

No silver lining?

BY Richard Summerfield

There has been a lot of talk around the potential of cloud computing. The cloud is often heralded as the future of many organisations as it will fundamentally alter business strategies. Yet, maintaining security in the cloud is a challenging and contentious issue.

Indeed, many security professionals consider their existing tools to be inadequate for securing critical cloud data, even as their organisations invest heavily and with increasing speed in cloud applications, according to a new report from ESG.

The report, ‘Retooling CyberSecurity Programs for the Cloud-First Era’, based on surveys with between approximately 392 and 600 responses from senior IT decision makers and cyber security professionals, suggests that there is a security gap in cloud computing which is both wide and dangerous.

Though cloud-first strategies are becoming more common, 81 percent of respondents said their on-premises data security practices are more advanced than those intended to secure cloud-based data. Furthermore, 50 percent of respondents say that their organisation has lost cloud-resident data.

Ninety percent of respondents are concerned about not having visibility into misconfigured cloud services, server workloads, network security or privileged accounts. Eighty-three percent of respondents also stated they had concerns about the misuse of privileged accounts by insiders. Thirty-five percent say that the use of multiple cyber security controls has increased complexity and 66 percent say IT is more complex than it was two years ago.

Forty-three percent of respondents cited maintaining consistency across the disparate infrastructures of hybrid, multi-cloud environments where cloud-native apps are deployed as the biggest challenge in securing cloud-native apps, and 43 percent of respondents said that DevSecOps automation is the highest cloud security priority to address many of these concerns.

“The cloud is no longer merely a backup target – it’s now the center of computing gravity for many businesses,” said Doug Cahill, ESG’s Cybersecurity Group Director and Senior Analyst. “Cloud-first strategies are becoming more common, and yet security capabilities are lagging behind cloud adoption. The gap between the degree to which cloud services and cloud-native technologies have and will continue to be consumed and organizational readiness to secure that usage requires a retooling of cybersecurity programs to keep pace with the speed of the cloud era.”

Report: Retooling CyberSecurity Programs for the Cloud-First Era

Cloud container vulnerabilities increase – report

BY Richard Summerfield

Adoption of cloud technology has increased considerably in recent years, however vulnerabilities in cloud containers have also increased, according to a new report from Skybox Security.

Skybox’s ‘2019 Vulnerability and Threat Trends Report: Mid-Year Update’ notes that vulnerabilities in cloud containers have increased by 46 percent compared to the same period in 2018, and by 240 percent compared to 2017. However, less than 1 percent of newly published vulnerabilities were exploited in the wild, and only 9 percent had a functioning exploit developed at all.

Over the last two years, the total number of new vulnerabilities has exceeded that of any previous year. However, the number of vulnerability reports in the first half of 2019 declined by 13 percent compared to the same period last year. Still, the current figures are historically high, and it seems annual totals of around 15,000 new common vulnerabilities and exposures (CVEs) will be the new norm.

“More than 7000 new vulnerabilities were discovered in the first half of 2019 — that’s still significantly more than figures we’d see for an entire year pre-2017. So, organisations are likely still going to be drowning in the vulnerability flood for some time,” said Ron Davidson, chief technology officer and vice president of research and development at Skybox. “Roughly a tenth of these have an exploit available and just one percent are exploited in the wild. That’s why it’s so critical to weave threat intelligence into prioritization methods, and of course consider which vulnerable assets are exposed and unprotected by security controls.”

To better protect themselves against attack, the report suggests that companies “assess occurrences against the latest threat intelligence, as well as the relationship of vulnerable assets to the security controls that could protect them. This way, action will be focused on the small subset of vulnerabilities posing a critical risk to your business.”

Organisations should ensure that they have reliable coverage to assess and prioritise vulnerabilities in public and private clouds and operational technology systems to truly understand the risks they face.
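The prioritisation approach described above (exploited-in-the-wild and exploit-availability intelligence, combined with whether the vulnerable asset is exposed and whether an existing control already covers it) can be expressed as a small triage routine. The code below is an added illustration, not Skybox’s own method or tooling; the inventory, the CVE identifiers and the bucketing thresholds are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Finding:
    """One vulnerability occurrence on one asset (constructed sample data)."""
    cve: str                  # placeholder identifiers below, not real CVE numbers
    asset: str
    cvss: float               # base severity score from the advisory
    exploited_in_wild: bool   # threat-intelligence flag: active exploitation seen
    exploit_available: bool   # a functioning public exploit exists
    exposed: bool             # asset reachable from an untrusted network
    mitigated_by: list[str] = field(default_factory=list)  # controls covering it (IPS, WAF...)

def priority(f: Finding) -> str:
    """Bucket a finding by exploitability and exposure rather than CVSS alone.

    Hypothetical scheme: actively exploited, exposed and uncovered by any
    control is critical; exploitable and either exposed or uncovered is high;
    an available exploit or a top-band CVSS with no exposure is medium.
    """
    protected = bool(f.mitigated_by)
    if f.exploited_in_wild and f.exposed and not protected:
        return "critical"
    if (f.exploited_in_wild or f.exploit_available) and (f.exposed or not protected):
        return "high"
    if f.exploit_available or f.cvss >= 9.0:
        return "medium"
    return "low"

def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Group CVE ids by bucket so remediation effort goes to the small critical subset."""
    buckets: dict[str, list[str]] = {"critical": [], "high": [], "medium": [], "low": []}
    for f in findings:
        buckets[priority(f)].append(f.cve)
    return buckets

# Constructed inventory: same CVSS can land in very different buckets.
SAMPLE = [
    Finding("CVE-0000-0001", "web-01", 9.8, True, True, True, []),        # exploited, internet-facing
    Finding("CVE-0000-0002", "web-01", 9.8, False, False, True, []),      # severe on paper, no exploit
    Finding("CVE-0000-0003", "db-01", 7.5, True, True, False, ["ips"]),   # internal and covered by IPS
    Finding("CVE-0000-0004", "hr-01", 5.3, False, True, False, []),       # exploit exists, nothing covers it
    Finding("CVE-0000-0005", "lab-01", 4.0, False, False, False, []),     # background noise
]

if __name__ == "__main__":
    for bucket, cves in triage(SAMPLE).items():
        print(f"{bucket:8s} {cves}")
```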

The report also noted that ransomware, botnets and backdoors appear to have supplanted cryptocurrency mining malware as the tools of choice for cyber criminals. The use of these methods increased by 10 percent, 8 percent and 18 percent respectively.

Report: 2019 Vulnerability and Threat Trends Report: Mid-Year Update

British Airways faces record GDPR fine

BY Richard Summerfield

British Airways is to be fined £183.39m by the UK’s Information Commissioner’s Office (ICO) for data protection breaches.

The fine, as set forth by the ICO, will be the largest penalty handed down since the implementation of the European Union’s (EU’s) General Data Protection Regulation (GDPR). The regulator said the company will have a chance to contest the proposed fine, which is roughly 1.5 percent of the airline’s worldwide annual revenue of £11.6bn in 2018, well below the maximum rate of 4 percent that can be applied under the GDPR.

According to the ICO, weak security on the airline’s website allowed users to be diverted to a fraudulent page, starting in June 2018. The ICO’s investigation found that customer details of around 500,000 users, including login, payment card, name, address and travel booking information, had been harvested in the incident.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways, which has subsequently improved its security protocols, has said it will fight the ruling. The airline can appeal against the findings and scale of the fine before a final decision by the ICO. “We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The ICO noted: “British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.”

News: British Airways faces record 183.4 million pounds fine over data theft

Frequency of cyber attacks increases amid defence deficit

BY Richard Summerfield

The number of cyber attacks, and the cost of those attacks, increased markedly in 2018, according to a study commissioned by insurer Hiscox.

The Hiscox Cyber Readiness Report 2019 surveyed nearly 5400 professionals from the US, UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cyber security.

According to the report, 61 percent of the firms surveyed experienced one or more cyber attacks in the past year, compared to 45 percent in the previous year. However, the proportion of those firms achieving top scores for their cyber security readiness fell year-on-year. The median cost for losses associated with cyber incidents increased significantly, from $229,000 to $369,000.

The report, now in its third year of publication, noted that while hackers previously focused mainly on larger companies, small- and medium-sized firms are now equally vulnerable. Around 47 percent of small firms – companies with fewer than 50 employees – reported attacks, up from 33 percent last year. Sixty-three percent of medium-sized businesses, those with 50 to 249 employees, were targeted, up from 36 percent the previous year.

“The cyber threat has become the unavoidable cost of doing business today,” said Gareth Wharton, cyber chief executive at Hiscox. “The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.”

“The message that cyber risk is a real threat to businesses of all sizes is sinking in,” said Meghan Hannes, cyber product head for Hiscox in the US. “Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defence. Many believe that increasing cyber-related spending fully protects a business, but it isn’t enough. Businesses must take a holistic approach, ensuring they can properly maximise their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defence.”

The average spend on cyber security is now $1.45m, up 24 percent on the previous year, and the pace of spending is accelerating. The total spend by the firms in the survey comes to $7.9bn. Two-thirds of respondents (67 percent of firms) plan to increase their cyber security budgets by 5 percent or more in the year ahead.

Report: The Hiscox Cyber Readiness Report 2019

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.