The recent past has shown us how the
digital revolution, from cloud computing and 5G to artificial intelligence and
augmented/virtual reality, can disrupt as well as develop the business
landscape.
Added
to this is the pace of technological change, and organisations can be forgiven
for feeling somewhat overwhelmed. This digital revolution is not exclusive to
the business world; it extends to the world of cyber crime too. New tools,
attacks and threat vectors are emerging all the time, adding to the general
level of uncertainty and doubt in the digital world.
And then came the pandemic.
To add to the struggle already underway for many
businesses trying to transform digitally, new threats and new threat actors
have been detected as criminals take advantage of the global health crisis. Many
agencies have documented new levels of vulnerability, combined with an increased
level of cyber threat and attack, as people worked from home outside of the usual
protections. As many who moved outside of the office for the first
time were unfamiliar with best practice, awareness of threats and malicious
actions was often harder to maintain.
According to one study
by a security company, 47% of people admitted to interacting with a
malicious communication attempt while working from home during the pandemic,
compared to 43% in the office.
The ENISA
2021 Threat Landscape report lists the top threats as Ransomware, Malware,
and Cryptojacking – all vectors that regularly employ some element of human
targeting as part of their attack structure.
The cyber criminals are preying on the
uncertainty generated by pandemic conditions, leveraging the very digital tools
and services on which we have come to rely to cope with the public health
measures.
This combination of circumstances has meant
that cyber security professionals are stretched as never before in providing
the basic protections to ensure that workers have adequate safeguards, risks
are mitigated and awareness is spread of how to work safely.
According to a
study by the Chartered Institute of Information Security, more than half
(51%) of cybersecurity professionals are kept up at night by the stress of the
job and work challenges. The 2020/21 State of the Profession report
found that almost half (47%) of information security professionals are working
more than 41 hours a week, with some reporting up to 90.
This situation is further exacerbated by
the fact that even before the pandemic, there was a critical shortage of cyber
security professionals across the globe. The ISC2 annual report for
2021 estimates that Ireland has some 15,000 cyber security professionals, but
needs 10,000 more to meet the rising demand for information security skills.
While the ISC2 report does show
a decrease in the global workforce shortage for the second consecutive year,
down from 3.12 million to 2.72 million people, the trend is not enough to
alleviate the immediate issue of a shortage of skills.
The outlook then is one of a perfect storm
- a potential cyber epidemic - increasing demand for digital transformation, an
accelerated pace of technological change, a shortage of cyber security skills
and a global adjustment to new ways of working in the post-pandemic world that
must yet plan for new disruptions, be that the next pandemic or something else,
as yet unknown, all in the context of increasing sophistication, organisation
and opportunism by cyber criminals and nation states.
Some in the cyber security world have
strongly argued that new ways to approach cyber security must be developed to
address these various issues and concerns. A risk-based approach, encompassing
techniques such as threat modelling, can allow organisations to understand
their own risk profile, develop an appropriate risk mitigation programme and
assign scarce resources to achieve the greatest effectiveness.
Cyber risk needs to be thought of on a
strategic level. Taking a leadership approach, from the CEO, CIO and CISO,
cyber risk needs to be aligned to business risk, informing business strategy.
This approach, much like previous
conversations in business to align business and IT strategies, requires
examination and self-discovery for each organisation to fully understand what
it means and what needs to be done. However, certain organisations have already
begun this journey and are enjoying the benefits.
The shared experience of peers, sectors and
markets has been invaluable in the past to allow organisations to fully
understand the impact of these kinds of changes. Senior information and cyber
security professionals coming together and sharing experiences and insights, in
an appropriate forum, provides the kind of support that will be vital to combat
the rising tide of cyber threats. It takes a community to defeat the community of
underground, avaricious cyber criminals.
Taking a new approach to the current
situation, the EU Cyber Threat Summit will provide, at its heart this year, a
round table session allowing Ireland’s top cyber security professionals and
C-suite officers the opportunity to share and discuss their experiences in the
pandemic, and their plans to transition to hybrid working and the evolving
threat landscape.
Facilitated by a moderator and informed by
industry experts, the session will encourage all participants to share and
explore the recent experiences with observations, allowing everyone to
understand what has worked and what has struggled, and how the community can
come together to provide support.
The perfect storm, that could lead to a
cyber pandemic, need not be so mesmerising as to dazzle professionals into paralysis.
Understanding how peers, professionals and sectors are tackling the same
challenges across the board, in a secure, supported forum is a proven means of
ensuring that everyone has the information and expertise necessary to make the
hard decisions and provide the protections needed for each organisation.
Paul Hearns is an author, journalist and presenter with more than two decades' experience.