One of the biggest influential components of the rise of the Fourth Industrial Revolution (4IR) is that we live in an interconnected world. Smartphones talk to tablets which talk to televisions and other smart devices such as fridges and even cars.
These devices are also connected to our work networks which makes the line between work and personal life very blurred. With smart devices, you don’t need to take the works laptop home to complete unfinished work.
Unfortunately, this also opens the door for vulnerabilities in the network. A recently published article on digitalnewsasia.com highlights the extent of the issue.
On slippery ground.
The article points out that enterprises operating in today’s highly connected world must make cyber-defence and detection a top priority rather than believe that they are impervious to any form of cyber-attack, according to Finland-based cyber-security company F-Secure Corp.
Speaking at Cyber Nordic Finland recently, F-Secure chief executive officer Samu Konttinen (pic) warned that there is no way any company can defend against the relentless attacks of cyber-criminals and that today’s top management must switch their mentality away from “if we’re attacked” to “when we’re attacked.”
“One of the biggest challenges today is that too many organisations are incapable of combating advanced attacks because cyber-criminals are extremely persistent and they take time to attack,” he said at a briefing at F-Secure’s headquarters in Helsinki.
“[The truth is] practically, you can’t stop all the attacks and given time, cyber-criminals will succeed in breaching,” he argued. “So If you can’t stop attacks you must at least know when you’re being attacked or hacked,” he added, noting that every company must have a mitigation plan.
Held annually in Helsinki, Finland, Cyber-Security Nordic is northern Europe’s cyber-security event attracting executives, leading decision-makers and government officials. The event comprised a site visit to F-Secure’s headquarters and a conference presenting keynotes and panels by international and Finnish experts aimed at discussing problem solving strategies and solutions for cyber-security professionals.
The article points out that Konttinen said the situation is exacerbated by the fact that some of the tools cyber-criminals use today aren't designed by these criminals but by intelligence agencies of nation states, which have advanced, military-grade cyber-security capabilities.
“This is what we call the ‘trickle down effect’. The most advanced attacks consist of organisations that engage in surveillance and intelligence of nations,” he claimed. “They have unlimited resources and they can spend hundreds of millions, even billions, to create cyber-warfare technology.
“The challenge is that some of these technologies have leaked and will continue to leak into the hands of cyber-criminal groups, which are being equipped with these tools and are used to attack companies. This is a very worrying phenomenon we’ve seen for quite some time.”
The article points out that Konttinen also revealed that according to F-Secure’s research data, 68% of attacks remain undiscovered by enterprises for a month or more, on average. Also, it takes an average of 69 days to fully resolve cyber-breaches and that the average cost of a breach to an organisation is about US$3.86 million.
“Two years ago, we believe that some 90% of companies didn’t even have any means to detect if they are breached,” he claimed. “But companies are waking up and investing more in cyber-security than before; nevertheless it’s still alarming as by the end of next year, up to two in three companies will still be blind to attacks.”
The article adds that Konttinen said enterprises crucially need to have a mitigation plan where they can quickly act, restore systems, and prevent further compromises in the event of a breach, noting that companies needed to expect the unexpected.
The conclusion reached by F-Secure generally falls in line with what another leading security researcher said about the current state of security.
Far from reality.
The article points out that Rik Fugerson, Vice President of Research at Trend Micro, noted that current security practitioners like to believe that they’ve invested in the right technology, built the right processes and are managing their information properly.
“Unfortunately the current reality is like this: we don’t like to admit it and want to pretend we’re better than this… but unless we shift the way we do things as a security industry and as security practitioners, and unless we start planning for the future, it [cyber-security] does become an unmanageable ask [of us],” he pointed out in his keynote at Cyber Security Nordic.
Don't blame people for breaches.
The article points out that, according to renowned cyber-security researcher Mikko Hypponen, business email compromises remain one of the greatest challenges facing enterprises today as it can create maximum impact without people knowing about it, even when business executives exercise caution.
The chief security researcher at F-Secure related a case in the United Kingdom where one legitimate real estate business wanted to acquire another, and were going back and forth making changes to a legal contract via Microsoft Office 365.
“The CEO of both companies knew each other, and they’d met [multiple times] to hash out the deal, and they were making changes over email until both parties were happy with the terms.
“Finally, the acquiring company’s CEO sends a crucial email to the seller informing that he wanted to pay the downpayment and asked the seller to please forward his bank account details. What both parties did not know was that cyber-criminals were waiting patiently, sitting in their compromised systems, and doing nothing for long periods of time until they were alerted to this crucial [payment] email.
The article adds that Hypponen said the hackers then stopped all outbound email from the sellers’ Office 365 account, commandeered the account to send a spoof email to the buyer purporting to be the seller, giving an account number.
“The buyer than instructed his CFO to pay [into the spoofed account], and lost its downpayment to the hackers,” he said.
The article points out that Hypponen said these kinds of attacks aren’t because of “stupid users,” as everything leading up to that last email was a real business transaction.
“I'm fed up with users always getting the blame. It's not stupid users but stupid systems and lack of education," he argued.
The article adds that Hypponen also argued that modern business email compromises cannot be handled by being clever, but mitigation can only be done through education and by understanding how the attackers work.
“If nobody has educated them in these kinds of attacks, they are not going to figure it out by themselves, so how can they be blamed? Clever attack tactics only work until the victims know how they are done so it all goes back to awareness,” he said.
Asked how educational campaigns are to be undertaken, he told DNA, “Companies should start by first figuring out all the people in all of their offices that could become a victim of attacks. Then explain to them how these attacks are done and what the processes are to fight these attacks."
The key to fighting cyber crime is to establish where the responsibility lies when it comes to building cyber defenses. We already know that there is a severe lack of skills in the UK when it comes to combatting cyber-crime, a recently published article by securitymagazine.com points out that simple implementation can solve major problems.
The article points out that cyberattacks have realized unparalleled heights. In 2019 alone, cyber criminals have compromised the data of hundreds of millions of users. They have penetrated Apple’s iOS, Microsoft’s Visual Studio and other systems that were once seen as impenetrable. Tens of millions of Capital One credit card applicants had their banking information stolen in one of the largest-ever hacks of a financial institution. Ransomware is infecting local governments across the U.S. and disrupting private industry around the globe.
The article adds that, unfortunately, while the frequency and intensity of these malicious breaches grows at an alarming pace, so, too, does the gaping hole of talent needed to beat these sophisticated hackers at their own game. This year, the U.S. has a shortage of 314,000 trained cybersecurity professionals. That’s a 50-percent increase since 2015.
Finding the talent to perform these essential tasks is a top business concern for U.S. CEOs.
Solving a Systemic Lack of Cyber Skills.
The article points out that, to remedy this deficit on the domestic front, American companies are looking overseas. They are turning to Europe and other regions whose new strategies are churning out the software professionals needed to plug the cyber skills gap. Many of these firms are establishing overseas operations in places that offer multiple benefits, where the talent pool is abundant and the overall cost of doing business is lower. They are also embracing Europe’s “cluster” concept, a highly successful economic development model that engages regional, market-specific teams of government, research and academia to meet organizations’ hiring goals and bolster growth.
The article adds that, for more than 20 years, Europe’s “cluster” concept has helped U.S. companies prosper. More immediately, these novel initiatives are addressing the worrisome talent deficiency in the security sector.
As global security spending is expected to exceed $124 billion in 2019, and $170.4 billion in 2022 and demand for artificial intelligence, cloud services, data analytics and other technologies rapidly accelerates, U.S. security companies are casting wider nets to protect their assets and fill the talent void. For example, Microsoft is investing $1 billion in cybersecurity in each of the coming years and tapping Israel – with its strong military and defense focus – to fill some of its cyber needs.
An Ecosystem that Keeps on Giving.
The article points out that, in such countries as Norway, Sweden, Denmark, Finland and Ireland, extensive efforts are underway to train and graduate large numbers of professionals for careers in such critical areas as enterprise and network security, cloud security, application security, busines continuity management, penetration testing and malware.
The article adds that Ireland is a major player in this arena, as is Stockholm, Sweden and many other major European tech hubs. With more than 200,000 tech workers in Stockholm alone, Sweden is opening new schools to produce more STEM-focused (science, technology, engineering, mathematics) technologists, with a strong focus on cybersecurity positions.
In Ireland, where more than 6,000 security professionals work for more than 40 multinational companies – the majority with U.S. headquarters – a robust cyber training movement is being led by the nation’s Cybersecurity Skills Initiative (CSI). CSI is a product of Cyber Ireland and IDA Ireland, and facilitated by Cork Institute of Technology (CIT) as a mechanism for creating jobs and accelerating Ireland’s growing cybersecurity ecosystem.
The article points out that this collaboration of government and academia also includes U.S. companies IBM, Deloitte and others with Irish operations, among its major business supporters. CSI is training 5,000 new cybersecurity professionals in the next three years to fill the country’s demand for security analysts, security engineers, architects, auditors, testers and a host of other sector jobs. The majority of these graduates are expected to find jobs with multinational corporations, and the initiative is moving toward its goal of bringing 4,000 firms into the fold.
Educating a New Generation of Tech Talent.
The article points out that Microsoft, Google, Facebook, SAP, Dell, Cisco and many other American tech firms with high stakes in digital security provided input before the program was set in motion. Putting aside their competitive business approaches for the greater good of the tech community, these giants collaborated to identify needs, risks and specific vulnerabilities so that Irish universities and tech institutes could develop programs for a wide range of occupations. The varied programs extend from two-day courses for non-technical employees to 12-week courses to graduate programs.
The article adds that Dr. Eoin Byrne, cluster manager of Cyber Ireland, said that CSI was developed to train a high-quality workforce that not only meets employment needs in cybersecurity, but also those in the broader tech sector. These new skills will build on the existing base of talent that already supports the country’s growing tech hub, he says.
“As far back as 2017, U.S. businesses, the Irish government and academia have been working together to, first, understand key challenges and then create solutions for the cybersecurity and technology sector. We plan to address industry employment issues beyond just security,” Byrne says.
Even as we ready a current generation of cybersecurity professionals, we must prepare the next one. Cybersecurity is becoming enormously complex. The war for cybersecurity talent requires innovative solutions that are realized when public and private enterprises work together for this unified goal. To develop this critical pool of talent, both the cybersecurity industry and national governments must be deliberate in their efforts.