The topic of cyber security is one of the most contentious and discussed subjects in the world; in the news, at conferences and in the boardroom. As cyber attacks continue to bombard businesses, public sector organisations and even critical infrastructure, effective cyber security represents the great challenge of the internet age.
Cyber attacks like WannaCry, NotPetya and the Equifax breach have gained almost myth-like status – thrusting the issue of cyber security into the public eye like never before. Crucially, attacks are not only impacting businesses, and their reputation and finances, but also affecting the average person. The potential danger to privacy, livelihoods and life itself, is only increasing as more data is generated and more devices are incorporated into every facet of society; from virtual assistants to pacemakers.
Focusing on the enterprise, cyber security should now be a consideration of every boardroom. But, how best to mitigate the threat?
Cyber security training
In Information Age’s latest cyber security best practice feature, it was clear that improved cyber security training and education were the most important factors to address in mitigating the cyber threat.
In the UK, for example, 88% of data breaches over the last two years were caused by human error rather than direct cyber attacks. So, while it is necessary to employ technological solutions to detect malicious code and to help prevent it ever entering a network, improving cyber security training must be the priority. And these initiatives should be led by the CTO.
“Cyber security training can be split into two categories,” according to Avishai Wool, the CTO and co-founder of Algosec – the security management firm.
1. General training of non-cyber staff
Everyone in an organisation who is connected to the internet should be given general cyber security training. This is “definitely lacking,” says Wool. As phishing scams – among others – surge, the untrained employee remains a constant risk to the security of their company.
The level of training needs to be improved, because currently “there is a poor understanding of the basics of the threat landscape,” according to Wool. “This is something that should be taught in elementary schools. When children learn how to use Excel, PowerPoint and Google, it makes sense for them also to be trained on basic safety rules, just like crossing the street.”
“Cyber security training hasn’t been done for most people in the workforce. I think it’s really important to do that kind of basic training just as we do any on-the-job training. Anybody who has a mobile, or is connected to the internet at home or at work has to know that there are cyber threats to worry about.”
2. People who work directly in cyber security
The cyber security experts within an organisation – the CISOs, the heads of IT security – “need specialised training, and lots of it,” says Wool. Worryingly, this is also lacking.
Wool believes this is more difficult to do, however, because the threat landscape and technologies are constantly changing. “The training that you may have received in the recent past is being replaced by new knowledge at a very fast pace. It is very hard to stay current.”
Cyber security training… it takes time
“A lot can be done and it can be effective, but it takes a very long time to put together,” explains Wool.
“Think: how long did it take the human race to figure out what needs to be done to make vehicle transportation reasonably safe. Think about sidewalks, zebra crossings, highway exit and entry ramps and so on. It took 100 years from the invention of the automobile to where we are now. When it comes to safety, we can always do better.”
The same is true of cyber security – it is improving, but truly effective systems will take time to be put in place. The problem is that as recently as 10 years ago, nobody knew that cyber security would arise as an issue. The internet and threats against it were still in a stage of relative infancy compared to today. As a result, “universities and training organisations didn’t teach anything about it. There wasn’t any obvious need,” says Wool.
The cyber security skills gap
The cyber skills gap is an issue that businesses, governments and universities are trying to resolve. The need for these skills is growing at a significant rate.
As the need for cyber security skills continues to rise, the people involved in protecting an organisation have had “to generate their own know-how since they had no formal training,” according to Wool.
“Because cyber challenges are growing at the speed of the internet, the gap remains.”
Combined with the rapidly changing cyber threat landscape, the challenge only increases.
“Things that were the major concerns a few years ago, and the major tools we used then, are obsolete already. New threats require new tools, new procedures, new mitigations, making your previous knowledge less relevant.” Cyber security training, therefore, must be a continuous journey, with regular updates.
Here is an example: “It used to be common advice not to write down passwords. In order to remember, people used the same password for many products, computers, websites, bank accounts, etc. In 2018, that is a big mistake. Today, you should write down your passwords. Yes, there is a threat, but that threat is actually quite small. A password thief requires close proximity to the computer or notepad where the passwords are stored. On the other hand, if you do write your passwords down, you don’t have to rely on your memory. Today, we recommend different passwords for each service. There is no way for the human being to remember them all. The only way to do that is to write them down.”
Cyber education
Cyber security training at work should be a necessity for any enterprise wanting to reduce the threat to their business and their reputation.
This should be factored into budgets and be a priority for the decision-makers. However, more can be done, and it should start at school. “Education institutions need to develop special courses for cyber security training at all levels, training operators, technicians, etc,” says Wool. “Every Computer Science or Software Engineering degree should be accompanied by cybersecurity courses. Higher education needs to be involved.”
Even at the early stages of education, school children should be taught the rudiments of cyber safety. And we are seeing more of this, with coding being introduced as a subject in primary schools across different countries’ education systems.
“Cyber education cuts across the entire society.”
Vendor view
For AlgoSec, security is a business focus because it is a vendor in that space.
Wool notes that his customers’ concern with security functions is growing. “Now, there is more visibility and attention from senior management all the way up to the boardroom. I think the importance and focus on cyber security, network security and computer security is on the rise especially in major corporations and in companies that are prime targets for cybercrime. But also in other industries like retail, manufacturing, healthcare, education. Really, everywhere.”
“Today, cyber security is part of everyday business operations.”