The cyber security skills your business needs
The threat landscape is constantly evolving, so it's important your staff are equipped with the right tools
It seems that every other day we are reporting on a new external threat or software vulnerability that could pose a danger to businesses across a range of industries. Considering this growing arsenal, it is unsurprising that cyber incidents reported by businesses are up from 45% in 2018 to 61% in 2019, unsustainably draining budgets.
The evolving threat landscape
Regardless of the size or type of your company, it's highly likely that you will have to address a cyber security incident sooner or later. But the problem isn't just the frequency of attacks, which have increased thanks to the rise of user-friendly tools and hacker-for-hire services. Threats today are becoming incredibly sophisticated and are capable of evolving at a pace that far exceeds any cyber defence strategy.
Modern cyber attack strategies are usually multi-pronged. Active or passive reconnaissance may first be undertaken as a preliminary for harmful attacks. Botnets, which are comprised of entire armies of infected machines, can be released, growing as new targets are infected through drive-by downloads of trojan horses. And island hopping is the latest threat keeping CIOs up at night.
The people factor
Part of the ongoing battle is having the right people, in the right place, at the right time. Cyber security requires a very specific skill set, and a workforce that's prepared to work both reactively and proactively to deal with threats. Often, the perfect security employee is, ironically, a hacker - only the ethical kind. The role requires that employees are able to figure out the exact nature of the threat they are facing, whether that's a simple password exploit or a complex malware-based attack, and devise an appropriate response.
When assessing skills and developing a strategy, it's important to factor in the attack vectors as well as the threats themselves. The rise of technologies like IoT and edge computing is increasing the opportunities for attack, and with most companies now moving to either a pure cloud or a hybrid approach, the environment becomes even more difficult to secure.
Cyber security isn't just about dealing with external threats - internal threats, whether accidental or malicious, also pose a significant risk to businesses. Good network security is key to preventing data loss due to this type of incident and any candidate should be able to enact policies and controls within and around the network.
Such policies could include network access control, such as restricting the type of device that can access the network, or restricting what a device or user can do once connected. For example, those who aren't employed by the HR department shouldn't be able to access HR files, nor should those not working in the finance department be able to access financial data.
There is a wide range of tools available to administrators to enact these types of policies, including VPNs (virtual private networks), firewalls and more recent innovations like machine learning algorithms, which can quickly identify when a user or device is behaving unusually and cut it off. Firewalls are now being integrated with machine learning to produce the web application firewall (WAF) tool. Though not entirely foolproof at telling human users from machine users, WAFs usually provide enough of a barrier to dissuade hackers from targeting your applications.
Software can also be deployed to divide servers into micro-segments, which can halt the spread of infection throughout the network.
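The department-scoped controls described above boil down to a deny-by-default policy decision: first, is this kind of device allowed on the network at all, and second, does the connected user's department own the resource being requested? The following Python is an added example written for this article, not a tool or code from any vendor mentioned here; the device types, departments, resources and users are all constructed for illustration.

```python
"""Deny-by-default network access policy evaluator (added example).

Models two controls: restricting which device types may join the network,
and restricting what an authenticated user may reach once connected.
All device types, departments, resources and users are constructed.
"""
from dataclasses import dataclass

# Device types permitted to connect at all (constructed policy).
ALLOWED_DEVICE_TYPES = {"managed-laptop", "managed-desktop"}

# Department that owns each resource (constructed). A resource that is not
# listed is unknown and is therefore denied to everyone.
RESOURCE_OWNER = {
    "hr-files": "hr",
    "payroll-db": "finance",
    "ledger": "finance",
    "wiki": "all",        # explicitly company-wide
}


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    device_type: str
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision.

    Every path that is not explicitly permitted ends in a deny, so a new
    device type or resource stays blocked until a rule is written for it.
    """
    # Step 1: network admission - only managed device types may connect.
    if req.device_type not in ALLOWED_DEVICE_TYPES:
        return Decision(False, f"device type {req.device_type!r} not admitted")

    # Step 2: resource scoping - the requester's department must own the
    # resource, unless the resource is marked company-wide.
    owner = RESOURCE_OWNER.get(req.resource)
    if owner is None:
        return Decision(False, f"unknown resource {req.resource!r}")
    if owner != "all" and owner != req.department:
        return Decision(False, f"{req.resource!r} is restricted to {owner}")
    return Decision(True, "permitted")


def audit(requests):
    """Evaluate a batch and return (user, resource, reason) for each denial,
    the shape an administrator would want written to an access log."""
    denials = []
    for req in requests:
        decision = evaluate(req)
        if not decision.allowed:
            denials.append((req.user, req.resource, decision.reason))
    return denials


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        Request("alice", "hr", "managed-laptop", "hr-files"),        # allowed
        Request("bob", "engineering", "managed-laptop", "hr-files"), # wrong department
        Request("carol", "finance", "personal-phone", "ledger"),     # device not admitted
        Request("dave", "engineering", "managed-desktop", "wiki"),   # company-wide
        Request("erin", "finance", "managed-laptop", "crm"),         # unknown resource
    ]
    for user, resource, reason in audit(sample):
        print(f"DENY {user} -> {resource}: {reason}")
```

The important design choice is the ordering: device admission is checked before any resource rule, so an unmanaged device never gets as far as a resource decision, and the final `return` is the only allow path.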
These days, virtually all organisations use the cloud to some degree. This means that organisations need to secure the data and applications they run in the cloud in addition to securing their own on-premise infrastructure.
There is, however, a shortage of cybersecurity professionals with expertise in the cloud. Nearly a third (29%) of businesses claim to have a shortage of cloud security skills, according to 2017's ISSA/ESG survey.
The responsibility for ensuring the security of data and apps in the cloud is with an organisation, and not with the company that provides the cloud service. As organisations move from dealing with on-premise threats to cloud-based threats, they need professionals with cloud security skills.
Among the cloud security threats is poor identity management, as hackers may mask themselves as legitimate users in order to access, modify and delete data.
Another cloud security issue is poorly-secured cloud apps. Most apps and cloud services use APIs to communicate and transfer data, so the security of the API directly affects a cloud service's security. The chance of a data breach increases when third parties are granted access to APIs.
Institutions such as SANS and CSA offer cloud security certifications for professionals to increase their skill sets in this area.
The base skill any cyber security specialist should have is an understanding of risk management - knowing how best to respond if and when the company is hit by a threat. Good risk management is always built on solid strategies and procedures for dealing with security events. Despite this, insurance broker Marsh reported that business leaders are not prioritising risk management as part of their wider IT security strategies.
Such a strategy should follow three steps: prevention (how to reduce the risk of an attack), resolution (steps to follow if an attack is successful), then restitution (repairing customer trust, or generally mitigating any consequences of a hack).
Since risk can't be eliminated entirely, this skill is incredibly important. Risk management helps prevent or decrease uncertainty within an organisation and improves its overall efficiency, confidence, and reputation.
Patching and software management
When an organisation stores a lot of data on-premise in its own data centres, it needs a security expert that understands the importance of regular software updates, as well as how to roll them out across the business with the least possible disruption.
Patch management is key to ensuring malicious actors are unable to attack an organisation via a disclosed vulnerability. Most software vendors issue a sequence of patches after a product's initial release, so the security expert must continually download and apply them to ensure systems remain protected. Microsoft takes this a step further, following a weekly patch release schedule for their customers.
Organisations using SaaS software will have an easier time because updates are made to the cloud directly from the vendor. Vendors also provide an audit trail, ensuring compliance needs are met. It's still important to keep an eye on any security issues within these products, though.
Big Data analysis
Analysing large amounts of data is another essential skill in cybersecurity. An example of how data analytics is a useful cyber security skill can be found when looking at advanced persistent threats (APTs).
According to the Cloud Security Alliance, APTs generally aim to steal intellectual property or strategic business information and are currently among the most serious security threats to organisations.
Big Data analytics is beneficial for detecting APTs as there is typically a huge amount of data to look through in order to find anything abnormal. Without it, this process would take much longer and be less likely to identify any threats.
When it comes to cybersecurity, non-technical skills are just as important as technical expertise. For instance, strong communication skills are essential for describing a threat clearly and for making sure other departments understand the importance of security. Teamwork and collaboration also play a role, as experts work across various teams to ensure the job is done effectively.
Moving away from siloed workspaces and integrating departments can generate the transparent, collaborative culture necessary to ensure ideas and issues are not lost in translation.
Governance plays a large role in cybersecurity as well. For example, if a cloud computing data breach occurs, the service provider should alert all customers of said breach - even the ones who were not impacted. The provider should then make efforts to identify and resolve any issues or vulnerabilities. Under new data protection laws, known as the General Data Protection Regulation (GDPR), organisations must inform affected users and the data protection authority within 72 hours of a breach, or face a fine of up to 2% of their annual turnover, or €10 million.
The proliferation of regulations being applied not only protects consumer privacy, but also protects business data and IT infrastructure. Compliance benefits both the organisation and any customers and partners it comes into contact with. It is important, though, not to be so focused on compliance alone that actual cyber risks are forgotten.
Time for some automation?
One solution being proposed to cover the problem of the cyber security skills gap, while also improving security in businesses overall, is the increased use of automation.
Most of this focuses on the use of machine learning and artificial intelligence (AI) to identify known and potential threats faster, while also reducing some of the false positives seen in earlier automation. This means that anything flagged as a potential issue is less likely to be a waste of human time.
AI and machine learning can identify threats by type, such as ransomware or phishing attempts, whether or not the malware is already known. They can also identify errant behaviour by users, for example, if a person who works 9-5 becomes active at 3am, or starts trying to access systems and data they don't normally use or don't have the appropriate privileges for. This could be indicative of a successful hack or an insider threat and can be investigated by the appropriate members of the IT team.
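Behind the machine-learning label, the behavioural checks described above (a 9-5 user active at 3am, access to systems the user never normally touches, attempts that are refused for lack of privilege) can be stated as a per-user baseline compared against new events. The following Python is an added example written for this article, not code from any product mentioned here; the log format, user names, resources and timestamps are all constructed, and a real deployment would learn the baseline over weeks rather than a few lines.

```python
"""Behavioural anomaly detection over authentication logs (added example).

Builds a per-user baseline of working hours and resources from a training
window of constructed log lines, then flags later events that fall outside
it: activity outside the user's usual hours, access to a resource the user
has never used, denied attempts, and activity by a user with no baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> user=<name> resource=<name> result=<ok|denied>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) result=(?P<result>ok|denied)$"
)

# Constructed training window: alice works office hours and uses mail and crm.
TRAINING_LOG = [
    "2019-06-03T09:12:00 user=alice resource=mail result=ok",
    "2019-06-03T10:30:00 user=alice resource=crm result=ok",
    "2019-06-03T13:05:00 user=alice resource=crm result=ok",
    "2019-06-03T16:45:00 user=alice resource=mail result=ok",
    "2019-06-04T09:02:00 user=alice resource=mail result=ok",
]

# Constructed events to evaluate against that baseline.
NEW_LOG = [
    "2019-06-05T10:15:00 user=alice resource=crm result=ok",            # normal
    "2019-06-06T03:02:00 user=alice resource=mail result=ok",           # 3am activity
    "2019-06-06T03:04:00 user=alice resource=payroll-db result=denied", # denied, off-hours
    "2019-06-06T11:20:00 user=alice resource=hr-files result=ok",       # never used before
    "2019-06-06T11:25:00 user=mallory resource=crm result=ok",          # unknown user
    "not a log line",                                                   # malformed, skipped
]


def parse(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "resource": m["resource"],
        "result": m["result"],
    }


def build_baseline(lines):
    """Per user: the contiguous span of hours seen (earliest to latest
    successful event) and the set of resources successfully used."""
    seen_hours = defaultdict(set)
    resources = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "ok":
            seen_hours[ev["user"]].add(ev["ts"].hour)
            resources[ev["user"]].add(ev["resource"])
    return {
        user: {"hours": set(range(min(hours), max(hours) + 1)),
               "resources": resources[user]}
        for user, hours in seen_hours.items()
    }


def detect(baseline, lines):
    """Return (user, timestamp, reason) for each event worth a human look."""
    alerts = []
    for ev in filter(None, map(parse, lines)):
        user, stamp, hour = ev["user"], ev["ts"].isoformat(), ev["ts"].hour
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, stamp, "no baseline for user"))
            continue
        if ev["result"] == "denied":
            alerts.append((user, stamp, f"denied access to {ev['resource']}"))
        if hour not in profile["hours"]:
            alerts.append((user, stamp, f"activity at {hour:02d}:00, outside usual hours"))
        if ev["result"] == "ok" and ev["resource"] not in profile["resources"]:
            alerts.append((user, stamp, f"first-ever access to {ev['resource']}"))
    return alerts


if __name__ == "__main__":
    for user, stamp, reason in detect(build_baseline(TRAINING_LOG), NEW_LOG):
        print(f"ALERT {stamp} {user}: {reason}")
```

The checks are independent on purpose: one 3am event that is also refused produces two alerts, which is what an analyst triaging the queue would want to see together. Only successful events feed the baseline, so a denied probe never widens what is considered normal for that user.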
The most modern enterprise security software offers AI and machine learning capabilities, although what you choose to adopt will depend on the skills already present in your business. If there's no one who knows how to investigate and remedy potential and actual hacks, you will need to train someone up in this area in order to use the software effectively.