Upskill your workforce to boost cybersecurity
Mon, 21st Oct 2019

In today's digital world every company needs to be a technology company.

Traditionally non-tech companies, such as those in manufacturing and healthcare, are undergoing rapid digital transformations, deploying digital technologies to stay competitive.

They are introducing new technologies to drive innovation and growth faster than those technologies can be made secure.

As a result, cybersecurity is now a high priority for every business.

Seventy per cent of respondents to a recent survey conducted by DDLS said they expect data breaches and cybersecurity concerns to dominate their company's IT agenda.

Addressing cybersecurity presents considerable challenges.

Threats are many; they need to be prioritised and addressed accordingly.

This demands cybersecurity skills, which are in extremely short supply.

Tech Research Asia reports have shown that cybersecurity professionals are being produced nowhere near the rate needed to fulfil the demand for skilled security staff.

However, there are many initiatives organisations can take to boost their resilience and security while minimising reliance on high-level cybersecurity skills.

Boost employee awareness of cybersecurity

Employees represent the weakest point in most organisations' cyber defences. People-based attacks such as account takeovers, ransomware and phishing account for the majority of cybersecurity breaches.

Staff may be unaware of the dangers of connecting devices to an unsecured Wi-Fi network, or of storing customer details on a USB stick, and do not know how to spot a phishing email.

Training staff to be more alert to such threats and to the dangers of insecure practices does not demand high-level cybersecurity skills; it simply needs to be undertaken thoroughly and frequently.

According to the Bitglass 2019 Insider Threat Report, 59% of respondents surveyed said their organisation had experienced at least one insider attack over the past year, and more than two-thirds believed insider attacks had become more frequent.

Investment in regular cybersecurity training will reduce the likelihood of successful cyber-attacks and is a small price to pay compared to what cybercrime costs Australian businesses, estimated at more than $5 billion in 2018.

Upskilling in-house cybersecurity expertise

There must be a plan in place to retain and train existing staff instead of outsourcing security to contractors who may not have the same depth of understanding of a company's IT systems and, importantly, of its business priorities and business risks.

More than two-thirds of respondents to a DDLS survey said their biggest cybersecurity challenge was keeping their own skills and those of their team up to date.

This suggests more investment is needed to improve in-house cybersecurity expertise.

Moving from defensive to offensive security practices

For an organisation to move from defensive to offensive cybersecurity, business leaders must understand that security breaches have impacts far beyond their direct impacts on IT systems.

The monetary and reputational damage data breaches cause is well-documented: customer trust disappears, share prices plummet, and intellectual property and other intangible assets are lost.

Effective security builds trust with clients, end users and other stakeholders and can create a competitive advantage for organisations.

The bottom line is that business leaders must be security leaders. They must treat security as a primary business function and not a sub-department of IT.

Executive teams must prioritise and champion security.

The ways to achieve this include introducing KPIs and risk indicators so that boards can keep track of the state of cybersecurity within their organisation, and having the CSO report directly to the COO instead of the CIO.

This will elevate cybersecurity to a high priority business issue and ensure cyber risk is assessed with the same priority as other risks, rather than coming to the fore only in the wake of a cyber-attack.

Importance of training for the future

Training staff in cybersecurity is not a one-off exercise.

The threat landscape evolves rapidly, and new defences come on the market frequently.

Training costs money, but the benefits IT professionals with current training bring to organisations far outweigh the cost of regular cybersecurity training.

Arming employees with the knowledge to prevent and efficiently deal with cybersecurity attacks may sound daunting but does not have to be.

A wide range of training courses are available from multiple vendors.

So, organisations can commission training in those aspects of cybersecurity most appropriate to their business.

This is particularly important when training staff in the use of public cloud services like Amazon Web Services and Microsoft Azure.

The services these platforms offer are many and varied.

Training in all aspects of these services, including cybersecurity, needs to be focussed on what users are seeking to achieve by their use, rather than trying to cover everything they offer.

As the only authorised training partner in this region of AWS, Microsoft Azure and Google Cloud, DDLS is well-placed to work with organisations on all aspects of training in the use of these services, security included.

More generally, there are many organisations offering training and certification in cybersecurity skills.

DDLS is able to help companies navigate this landscape.

We can recommend and provide the most appropriate training and certification.

For example, we recently started offering training and certification for CISSP (Certified Information Systems Security Professional), from (ISC)², an international, non-profit membership association for information security leaders.

CISSP is widely regarded as the world's premier cybersecurity certification, and the demand we've seen for this has been phenomenal.

Also proving very popular is the Certified Ethical Hacker Program (CEH) offered by the EC-Council, the world's largest cybersecurity technical certification body.

Ethical hackers, otherwise known as penetration testers or white hat hackers, break into computers and devices to test the defences and discover vulnerabilities.

Regularly monitoring, testing and updating systems and security technology is best achieved by having a white hat hacker inside the business rather than using an external contractor. And businesses that undertake such testing gain an advantage over cyber criminals.

Ethical hacking is widely considered the most important cybersecurity certification and full-time ethical hackers command high salaries.

The average salary for an ethical hacker in Australia stands at $110,000, a steep price for many SMEs.

So, investing in the Certified Ethical Hacker credential is an excellent way to upskill your current workforce and strengthen your cybersecurity defence without breaking the bank.

To find out more about the importance of upskilling your cybersecurity workforce and the best courses available to achieve this, read DDLS's new e-book here.

Cyber threats are everywhere. To stay safe, organisations need more than the right technology. They need highly trained staff, and business leaders must be security leaders who treat cybersecurity as a primary business function and not a sub-department of IT.