New types of attacks are being dreamt up with increasing degrees of sophistication, and organizations are particularly worried about ransomware – malicious software that locks or encrypts documents on a computer and demands a ransom to unlock or decrypt it. But what have these changes meant for organizations?
Most businesses have long been aware of the evolving nature of attacks, but even the lexicon has changed. It seems everyone is now talking about cybercrime, yet it’s not that long ago that the focus was on IT security. This may seem like a subtle change, but Siân John, EMEA Chief Strategist at Symantec, says it is a reflection of the growing expertise on both sides of the fight.
“You can see in the explosion of malware, as well as the targeted attacks, that we’ve witnessed the ‘professionalization’ of cybercrime. You have extremely sophisticated nation-scale attacks at one end, but you’ve also got the mass-market, mass-money-producing criminals taking out smaller companies at the other end,” she says.
Kok Yew Toh, Senior Manager – IT Security and Assurance, Prudential, says that businesses are trying to bring about behavioral changes in staff to reduce the likelihood of attacks in the first place.
“Hacking technology and methods have advanced, so simply looking at locks is no longer safe,” he says. “Security has gone from a process of monitoring and detecting to preempting responses. Cyber security has changed in terms of speed and mentality and has become more about cultural changes.”
In practice, this means that educating staff about cyber security risks may need to involve the HR function as well as the IT team. Ideally, the two should work together to identify the key threats and then develop internal training programs so that all staff understand the risks and how to avoid them.
The changing approach to cybersecurity has driven demand for people who can manage and assess risk, as much as for those who build the means to combat it. Toh says the industry needs strategic thinkers more than coders.
“Right now, we are not looking for cybersecurity engineers, we are looking for cybersecurity professionals. There is a big difference,” he says. “Engineers will look to fulfil the baseline requirements for the industry; professionals will look at the baseline and ask if it is appropriate for their own business processes. If it isn’t, they will ask if they can make another baseline for their processes. We’re not looking for firemen any more, we’re looking for people who can anticipate how the fire will happen.”
With many businesses facing a skills shortage in these areas, it could be time to look further afield than those specializing in development. John says that the right attitude will see the raw skills develop naturally. “You don’t need a degree in cybersecurity, which is what many businesses ask for. You can get people from the general IT department or people with history degrees or people who have been engineering apprentices, and give them on-the-job training.”
The necessary skills continue to evolve. Many businesses, particularly in the financial services sector, have a huge number of security systems, producing vast numbers of reports. The new challenges come from organizing teams to analyze these pieces of information as one, and then acting on them accordingly. Toh says the cybersecurity professional of the future will need to find ways to combine team skills and form strategy accordingly.
“This is one of the biggest issues for cyber security right now. Engineers can’t do that because they’re looking at the details, the ones and zeroes. The management person can’t do that because they aren’t familiar with the technology. That’s why management should have the skills to leverage the people working for them to come up with methods to correlate this information, so that managers have a more holistic picture of the state of the company’s security.”