From Capital One to Equinox, the world has witnessed an increase in cyberattacks, data leaks and espionage over the past year. If your company hasn’t been compromised yet, congratulations. Then again, know that it is going to be — it’s just a matter of time before the hackers get to you.
Consider the numbers: According to Risk Based Security’s 2019 mid-year data breach report, in the first six months of 2019, the volume of data breaches increased 54% over the same period in 2018. A survey by (ISC)2 found a global shortage of almost three million cybersecurity professionals, and 59% of respondents said their organizations are already at “extreme or moderate risk” due to this gap.
Attracting and retaining talent is more difficult than ever, and with security teams trying to do more with less, the skills gap is widening. A study by the Enterprise Strategy Group and the Information Systems Security Association reported that this gap is “exacerbating the number of data breaches,” naming the top contributing factors as not only the skill shortage but also a lack of adequate training for non-technical employees.
Evidence shows that the toll a breach takes on a company depends on how prepared its information technology (IT) team and stakeholders — which include all employees — are for the inevitable. Here are a few strategies for training and IT leaders to tighten the growing cybersecurity skills gap within their organizations.
Breaches can result in fines, jeopardize customer relationships and ruin corporate reputations. Everyone in the organization needs cybersecurity awareness, and skills to varying degrees, because all it takes is one unprepared person to make a mistake that everyone pays the price for.
For instance, it’s well known that human error continues to be a top culprit of breaches. Verizon’s 2019 data breach investigation report states that 32% of breaches involve phishing attacks and indicates that cybersecurity awareness training works: Errant employee clicks have been decreasing over the past few years.
Further, as Dante Disparte (founder and CEO of Risk Cooperative) and Chris Furlow (president and CEO of the Texas Bankers Association) wrote in a 2017 Harvard Business Review article, organizations should embrace the concept of “sense something, say something.” As they wrote: “Employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity.”
If your organization does suffer a breach, use it for training purposes, when possible. It’s not about scare tactics or rubbing salt in the wounds of your cybersecurity team; it’s a way to learn from previous mistakes and improve everyone’s skill level.
On a related note, while you and your chief information systems officer (CISO) might work together on IT staff and employee education, others in the C-suite might not be so in tune with security issues. The (ISC)2 study found that leaders don’t always understand cybersecurity job requirements. This disconnect can worsen the skills gap, particularly when it occurs with non-technical, C-level executives who oversee IT budgets and hiring.
Embrace Hands-on Education
Technology alone isn’t enough; it’s important to couple it with human readiness. Training is essential, and the hands-on, “practice by doing” method is one of the most effective ways to learn.
That’s why effective trainers teach solutions, demonstrate how learners should apply them and create challenges for them to solve. They’re also using cloud-based virtual IT training labs to bring rich scenarios to life and train learners, no matter where they are located, and mitigate the skills gap.
Game-based learning, for example, is surging in popularity for cybersecurity training. It’s a new approach to hands-on learning that reproduces the “fun factor” of a competitive computer game. This modality enables IT leaders to keep their security teams up to speed on emerging threats while fighting cybercrime in an engaging, safe and immersive environment that is easily controlled.
A similar hands-on tactic — and a staple used by government and military agencies — is the cyber range, which enables incident response practice in isolated, sandboxed lab environments. In a cyber range, cybersecurity teams can face real-world scenarios and counter attacks with proven policies — without any risk to production infrastructure. If they make a mistake, they learn, reset and try again.
When it comes to employees across the organization, a training simulation can show how hackers use phishing or ransomware attacks to steal data. This technique gives employees an idea of which emails they should treat with suspicion. The training team can then follow up with a test email to see if learners take the bait. In the case of ransomware, you can take it a step further by showing what happens when someone opens the wrong attachment, perhaps by encrypting the files of the employee who does so.
When employees see a pop-up window ordering them to pay a ransom, it’s a firsthand lesson that sticks.
Bridge the Gap
The 2019 World Economic Forum global risks report named data fraud and theft and cyber attacks as the No. 4 and No. 5 global risks, behind risks such as climate change and natural disasters. We’re living in a time when everyone is aware of the repercussions of a cyberattack — and knows his or her company could be next.
Fortunately, industry collaboration is growing. Governments are sharing more information. Vendors are selling more joint solutions. And longtime rivals are becoming “frenemies” and working together.
What can your organization do? Share data and training resources whenever possible. Open up your training to individuals outside your company, and participate in joint initiatives.
Invest in your people. Send them to educational events, and deploy the right technology, like virtual IT labs. Employees are more likely to stick around if they see that the organization is committed to developing their skills; plus, you’ll be able to bring them along in the way that works best for your company.
We’re stronger together. By joining forces, we can build a bridge that’ll help us cross the cybersecurity skills gap.