CYBERSECURITYINFO.CO.UK – An independent supplement by Mediaplanet

Companies are falling short on awareness training

Adrian Davis, CISSP, Managing Director EMEA, (ISC)2

[Photo caption: Hands-on learning. Awareness training is becoming essential for organisations.]

Clicking on a web link in an email is a common and often harmless task that we all do every day, both at home and at work. Yet, as we have been told, and have seen, it can actually be very dangerous and can lead to massive problems for individuals and companies.

Cybersecurity professionals call these sorts of attacks, for that is what they are, phishing attacks. These attacks refer to a multitude of clever scams that aim to lure people into launching malware or offering information that an attacker can use to compromise systems, steal data, or mimic identities. They can range from fraudulent phone calls from people pretending to be from your bank, utility, or helpful service desk, to emails that invite you to hold money for people trapped in warzones or to confirm your bank details. And they can be very clever. People who have long understood the concept of a phishing attack are at risk of being duped as these attacks become more targeted, even personalised, within email invitations, in texts and on social media sites.

These cyber security scams have become headline news and many companies recognise the need to invest in programmes to help their employees be more aware of the risks. It comes as a worrying surprise, therefore, when phishing scams top our list of tactics that security professionals are facing today.

Our 2015 Global Information Security Workforce Study, conducted by industry analysts Frost & Sullivan, surveyed nearly 14,000 information security professionals around the world to reveal, predictably, that the threat techniques employed by attackers and hackers today are diverse. Phishing attacks featured prominently as a top concern, identified by 54 per cent of respondents, way ahead of other concerns such as network malware (36 per cent). According to the study report, “the realism and targeted approach of today’s phishing campaigns appear to rival the information security professional’s efforts to elevate employees’ ability to recognise, report, and leave untouched suspected phishing messages.” This is worrying given how just one mistake can lead to a virulent propagation of malware across the organisation’s network and systems.

A rising threat

Data Breach Research from Verizon confirms a rising trend, with phishing being in the top 20 varieties of threat actions in each of the past five years, rising to tenth place in 2013 and then third last year. The rise of such threat actions is also driven by the sophistication of attacks, with the information gained in phishing scams often used to compromise systems utilising other techniques, in what are known as Advanced Persistent Threats (APTs).

What are companies doing to cope with this risk? Investments are being made in tools and technology. However, creeping levels of complacency around awareness training may well be a contributing factor in making phishing attacks effective. Our survey, which has been conducted for over ten years, shows a declining trend in respondents indicating demand for end-user education and training over the past three surveys (2011: 39 per cent, 2013: 38 per cent, and 2015: 32 per cent). Further, there is notable downward movement in the levels of concern associated with mobile devices and internal employees. It’s not that the concern isn’t there, but other concerns are rising up the priority list.

With regard to awareness, I worry that companies and organisations may believe that they are doing enough, or worse, believe they have already taken care of the need with online training resources or the programme delivered last year. The hackers’ success should puncture this complacency. The reality is that delivering awareness training isn’t enough. Appropriate security instincts, which start with a recognition of accountability, must be embedded across the organisation. Common awareness techniques only go so far. There is considerable work ahead for organisations, who must assure an understanding of how this can be accomplished in their organisation, assuring their efforts are highly contextual and relevant to their risks. The first step will be recognising the priority.

Tackling the cybersecurity skills gap

Lieutenant General Sir Edmund Burton KBE, Chairman of the Information Assurance Advisory Council (IAAC)

“The Government has a vision for a vibrant, resilient and secure cyberspace, contributing to economic prosperity, national security and a strong society. The vision can only become a reality if we have a strong cyber security skills base in the UK, both within Government and in the private sector.” [Minister for Universities and Science, March 2014]

This vision calls for urgent action by executive boards across public and private enterprises, in partnership with schools, colleges and universities. The initiative presents national and international business opportunities for enterprises large and small. Previous national initiatives have failed because of a failure of executive boards to engage and to provide the necessary leadership and resources.

The national need can be met by focussing national efforts around the Government Cyber Security Skills initiative. Such a programme already provides a clear statement of the objective that has instigated a range of concurrent activities. These have included the recent changes in primary and secondary schools’ curricula and the establishment of cyber security centres of excellence in research and education.

While the UK addresses the medium and long term need for skills and education, there are major opportunities for the providers of managed security services to meet the current, urgent and important needs of enterprises. This will achieve the cost effective management of persistent threats to businesses and should result in the development of a discerning and intelligent customer community.

The success of this historic opportunity will depend on the effectiveness of leadership, by example, throughout public, private and third sector enterprises.

Learn more at cybersecurityinfo.co.uk
Commercial feature

Mind the gap - the cyber security conundrum

Matt White, Head, KPMG access manager, matt.white@kpmg.co.uk, Twitter: @cybermattwhite

Imagine that you’ve just invested in a brilliant new security tool – there it sits, full of promise – but unless your staff know what it should be protecting and how to use it, it’s little more than a giant paper-weight. That’s how many companies are traditionally tackling the cyber security threat – by using technology to fix a problem.

When combating the ever growing cyber threat, it’s commonly accepted there is a requirement for people, process and technology, but all too frequently companies put most emphasis on the latter. Whilst this is proving a successful way to increase budgets, as leadership can easily conceptualise the need for a solution they can touch and feel, the skills gap that subsequently occurs tends to be overlooked.

In KPMG Cyber Academy’s survey [1] of 300 senior IT and HR professionals in the UK, 74 per cent admitted their new security challenges require skills they didn’t currently have, whilst 64 per cent believed the cyber skills needed are significantly different to those used in traditional approaches. These figures do beg the question as to why there is now a skills gap when the field of information security has been around for many years. Has the landscape changed that much, or is our dependency on technology forcing a reliance on specifically skilled professionals?

Whilst the debate to find the answer will, no doubt, continue for some time, the problem remains unresolved. So how can we begin to fill the inevitable skills gap? Three common areas of consideration are hiring, upskilling and outsourcing, but, as is so often the case, the answer depends on the appetite of the company in question.

Some have turned to hiring ex-hackers to bridge the gap and, whilst a seemingly simple solution, this has its own inherent risks, with the simile of ‘poacher turned gamekeeper’ springing to mind. Further complications arise with 57 per cent of those surveyed saying it had become more difficult to retain specialised IT staff in recent times. So is there a better choice?

To the cynical, upskilling is often seen as simply providing more training for IT staff so that, amongst other things, they can increase the number of letters after their name. However, if taken as part of a structured firm-wide cyber awareness initiative involving everyone from the C-suite to graduates, the results can be profound.

Last but not least is outsourcing, an option that for years has been immersed in a culture of cost cutting and efficiency benefits. However, when faced with a lack of technical security skillset, the application of managed services can provide significant returns. For example, an identity and access management programme is a potentially labour intensive and specialist field, but by removing the need for continued development or recruitment of information security personnel, a trusted outsourced provider can deliver a level of comfort and assurance.

Further benefit can be taken from outsourcing as it potentially reduces the likelihood of someone exploiting their access rights, something 60 per cent of UK CIOs surveyed in KPMG’s ‘Trust Paradox’ [2] believe will come from within their organisation.

[1] KPMG in the UK’s Cyber Academy’s ‘Cyber Skills Gap Survey’, October 2014. http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/NewsReleases/Pages/Hire-a-hacker-to-solve-cyberskills-crisis-say-UK-companies.aspx
[2] ‘The Trust Paradox: Access Management in an insecure age’, February 2015, CIO UK in association with KPMG in the UK and RSA. http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/topics/the-trust-paradox.pdf

Commercial feature

The Human Factor - Lessons learned from staff training and policy management projects

Robert O’Brien, CEO, MetaCompliance, www.metacompliance.com

According to the findings in PwC’s “Global State of Information Security Survey 2015,” the annual average financial loss attributed to cyber security incidents was estimated at $2.5 million, a jump of 34 per cent over 2013. No one doubts that the digital security posture of an organisation is now a board level issue, and that’s a big change from five years ago. However, executive anxieties need to be matched with a long-term structured strategy that everyone in the company ecosystem is willing to invest in, so that the highest standards of information security are maintained.

Inevitably, this will require a change in company culture, as most staff members view this issue as belonging to the IT department. They often forget that the consumption of IT services is often the point of maximum vulnerability for the company. It is here that the user can compromise the security of the company by becoming a victim of phishing tactics or acting in an inappropriate or negligent manner, regrettable situations that expose the organisation to cyber risk.

So what are the lessons we can learn from implementing an appropriate strategy to changing human behavior in this area?

Well, the first is to recognise that changing culture in information security practices is no different from any other change management process within a company. It is as difficult as any other change management process, requiring significant effort and resources to make an impact.

Another lesson is that quality matters. Too often staff security training is a box-ticking exercise, with very little energy being expended on planning or on content. The latter is one of the most important considerations in determining the success of a culture change initiative. Take eLearning content, for example. The industry is awash with boring, bland, and often dumbed down IT security training courses. It is no wonder that there are cases of low staff participation that necessitate significant management intervention. eLearning courses should reflect the digital threat that we all need to combat.

Another key lesson is ensuring the correct targeting of high-risk groups. Rather than “blanket bombing” all staff with general cyber security communications and policies, organisations should identify high-risk staff groupings and provide tailored messaging and surveying. Examples of these staff groups would be privileged users, such as administrators and information asset owners. Clearly, the communications sent to these high level positions would be more detailed than what would go to the overall user population. In many cases companies are struggling to get messaging out to everyone, so a shift in priorities is required.

Be prepared for the long haul. The changing of IT security culture is a multi-year project. It’s not possible to deliver all the policies and education that are required in a short period, as the user base will become fatigued. The best approach is to build up your communications over time. Obtaining outside expertise to assist in the crafting of a fit-for-purpose communications initiative is one way of jump starting a moribund security staff training programme.

So let’s accept that email, SharePoint and corporate intranets are not suitable for obtaining active staff participation in proper staff awareness activities. They require significant management intervention to ensure that staff members undertake their commitments to mandatory policies and eLearning. A more appropriate approach would be to adopt best in breed automation that actively engages the user and provides the necessary reporting needed for certification and regulatory review.