It’s a cyber security nightmare! More information has surfaced regarding the notorious ransomware attack, WannaCry, that recently infected hundreds of thousands of outdated Microsoft operating systems throughout the world. On May 16th, 2017, the hacktivist group The Shadow Brokers, leakers of the NSA malware tools used to create WannaCry, released a terribly written Steemit blog claiming more stolen NSA malware tools will be dumped in June. Unlike WannaCry, which attacked older Microsoft operating systems, the new malware dump contains a tool called Adylkuzz. This tool supposedly exploits vulnerabilities found in Windows 10.
The NSA recently drew harsh criticism from Microsoft’s president and chief legal officer, Brad Smith, for allowing government-created malware to fall into the hands of black hat hacktivists. While calling for an international “Digital Geneva Convention” to address future attacks, Smith stated, “We need an agency that has the international credibility not only to observe what’s happening, but to call into question and even identify the attackers when nation-state attacks happen. That is the only way that governments will come to recognize that this is not a program that will continue to pay off.”
Organizations all over the world continue to ramp up security efforts in the face of cyber threats from black hat organizations like The Shadow Brokers. However, finding qualified talent becomes more difficult each year. According to the Bureau of Labor Statistics, the rate of growth for information security analysts is 18 percent, which clearly outpaces most professional careers. Unfortunately for employers, this growth fails to keep pace with the growing demand for skilled practitioners. According to a Peninsula Press analysis of BLS data, there were approximately 209,000 unfilled IT security positions and a 74 percent increase in cyber security job postings in 2015. With the ever-growing cyber security skills gap, how can organizations secure their most valuable assets?
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.” – Kevin Mitnick
Although some organizations continue to make capital investments into the latest security hardware or cloud-based solution, others choose a more affordable route with organizational training. While security training initiatives have traditionally focused on improving the skills of the IT team, organizations now recognize the benefit security training has for the entire staff.
According to a 2013 employment study by the Global Institute for Research and Education, training and development enhances employee commitment to the company, improves employee effectiveness and helps achieve organizational goals. When organizations train their end users to avoid costly mistakes, the benefits go far beyond cyber security best practices. However, those who don’t train their staff pay a hefty price, suggests James Scott, senior fellow at the Institute for Critical Infrastructure Technology. According to Scott, “Hackers find more success with organizations where employees are underappreciated, overworked and underpaid. Why would anyone in an organization like that care enough to think twice before clicking on a phishing email?” With all the upside to security training and with so much to lose, organizations need to train everyone.
Organizations are often faced with the decision to replace or repurpose existing IT staff. As services consolidate and move into the cloud, the need for technical staff with expertise in outdated hardware diminishes. However, a trusted member of the IT staff with the willingness and aptitude for learning can be an affordable solution to securing any organization. Instead of competing for security professionals from a limited pool of qualified talent, many organizations choose to train those who have already proven themselves. In fact, a 2016 survey by the American Management Association concluded technical training was among the most critical strategies organizations were using to retain their best employees. After all, you can’t put a price on human capital. You also can’t afford to spend your entire budget on one IT professional.
The next time you’re asked, “Who is the cyber security professional on your team?” the answer should be everyone. Preventing cyber intrusions is everyone’s responsibility, and organizations that embrace a company-wide security policy based on sound security fundamentals will survive as others fall victim to the next big attack.