With data breaches increasingly making headlines, it doesn’t take a cybersecurity expert to know that cybercrime is a continually growing threat.
Something that may be less obvious, but more frustrating to industry experts, is that companies of all sizes are failing to adequately guard against the cybercrime monster.
Equifax’s breach, announced in September, is the most recent and possibly largest example in U.S. history of how seemingly simple cybersecurity failures leave an open door for criminals. Security experts believe Equifax failed to apply a patch to a known issue in a piece of open-source software it was using.
While the Equifax breach may scare some companies into getting better control of their cybersecurity, big data breaches don’t always motivate better cybersecurity at all companies. And when they do, good luck finding qualified security analysts.
Geoff Wilson, a principal security consultant at True Digital Security in Tulsa, Okla., said smaller companies in particular tend to be very relaxed about their security, making them an easier target than large corporations.
“I hear all the time, ‘Oh, well, who would want to target me? We’re not that big of a target,’ ” Wilson said. “But, it turns out, you’re on the internet, so you’re automatically a target. Everybody’s a target, it doesn’t matter what sector your business is in.”
GATEWAY: UNSUSPECTING EMPLOYEES
In 2016, Symantec, one of the world’s largest security software companies, released a study showing that in just one year consumers lost $158 billion worldwide to cybercriminals. Despite that reality, the idea that every person and company is a target seems to be slow to take hold in consumers’ minds.
As part of his security consulting, Wilson said his company often conducts social engagement experiments to see if employees will click on phishing links or allow unknown individuals into the company’s physical building, and he describes these test attacks as almost always highly successful.
“By far the easiest way to break into a company is through a human,” he said. “… We tell companies to not just train employees how to be secure at work, but teach them how to be secure at home, too, because often they treat their work assets similar to how they treat their personal assets.”
200,000 UNFILLED JOBS
Wilson sees signs of progress as businesses are beginning to take cybersecurity more seriously in recent years, creating a rather sudden demand for security analysts.
As evidence that companies are beginning to take cybersecurity seriously, Forbes reported worldwide cybersecurity spending is expected to rise from $75 billion in 2015 to $170 billion in 2020.
But even as companies become willing to spend money on securing data, a huge skills gap remains between the security analysts companies need and those they can hire.
“In the United States right now, there are 200,000 unfilled cybersecurity jobs, and (the Bureau of Labor Statistics) is saying there will be 2 million by 2020, so you’ve got a real workforce gap,” said Bruce Spector, who is chairman of a groundbreaking, cybertraining facility in Baltimore called the Baltimore Cyber Range.
JOB OFFERS BEFORE GRADUATION
The cybersecurity industry is not only growing in response to a growth in crime, but every industry, from hospitals to home thermostats, is becoming automated at such a rapid pace that analysts cannot get trained and experienced fast enough to keep up with the need to protect all of the network-connected devices and information.
Michael Hass, the faculty and accreditation coordinator at the Oklahoma State University Institute of Technology’s School of Information Technology, said every year he sees firsthand the high demand for security analysts in his cybersecurity emphasis program. Hass said he used to advise students not to expect to get even an entry-level security position right out of college, but he said now the students are being snapped up by companies before they even finish their degrees.
“The vast majority of the students are hired into an entry-level cybersecurity position during their final semester,” Hass said.
But while companies are eager, perhaps even desperate, to quickly fill those positions, Spector said there is no replacement for experience and continual training.
“They need about five or six years of experience,” he said. “You just can’t grow these people. You have to nurture them, and you have to take your time.”
And that’s exactly what Spector is doing at his cyber range, a facility that was the brainchild of Maryland Gov. Larry Hogan and partially funded by a state grant.
Spector said everybody from aspiring analysts to fairly experienced analysts could improve their skills and training at the range in a system of modules that gradually escalates in skill and experience level.
While there are a few other cybertraining facilities in the U.S., Spector said the Baltimore range is unique in combining a catalogued library of real previous cyberattacks with a secure network system simulator, where the trainees can watch the attacks play out in real time and learn how to respond.
Spector said the range trains security personnel for private companies and works with government agencies such as the National Security Agency and Pentagon.
But no matter how quickly these cyberfacilities work to train and release well-trained security analysts, it will never be enough to meet the need, Spector said. He believes more private and public partnerships are needed to create the opportunities and the funding for more training facilities.
Spector said other creative solutions must be proposed to meet the demands of the industry’s uncontrolled growth, and while those solutions have yet to be imagined, the future is looking very bright for every tech geek in the world.
BridgeTower Media is the parent company of Lehigh Valley Business.