With data breaches increasingly making headlines, it doesn’t take a cybersecurity expert to know that the world of cybercrime is a continually growing threat. Something that may be less obvious, but more frustrating to industry experts, is that companies of all sizes are failing to adequately guard against the cybercrime monster.
Equifax’s breach, announced in September, is the most recent and possibly largest example in U.S. history of how seemingly simple cybersecurity failures leave an open door for criminals. Security experts believe Equifax failed to apply a patch to a known issue in a piece of open-source software it was using.
While the Equifax breach may scare some companies into getting better control of their cybersecurity, big data breaches don’t always motivate companies to improve their cybersecurity.
Geoff Wilson, a principal security consultant at True Digital Security in Tulsa, Oklahoma, says smaller companies in particular tend to be very relaxed about their security, making them an even easier target than large corporations.
“I hear all the time, ‘Oh, well, who would want to target me? We’re not that big of a target.’” Wilson said. “But, it turns out, you’re on the Internet, so you’re automatically a target. Everybody’s a target; it doesn’t matter what sector your business is in.”
In 2016, Symantec, one of the world’s largest security software companies, released a study showing that in just one year consumers lost $158 billion worldwide to cybercriminals. Despite that reality, the idea that every person and company is a target seems to be slow to take hold in consumers’ minds.
As part of his security consulting, Wilson said his company often conducts social engagement experiments to see if employees will click on phishing links or allow unknown individuals into the company’s physical building, and he describes these test attacks as almost always highly successful.
“By far the easiest way to break into a company is through a human,” he said. “In Oklahoma, specifically, we’re very friendly people, and we like to trust people on the phone and in person. But every employee at a company has a role in security protocol. We tell companies to not just train employees how to be secure at work, but teach them how to be secure at home too, because often they treat their work assets similar to how they treat their personal assets.”
Wilson does see signs of progress: businesses have begun to take their cybersecurity more seriously in recent years, creating a rather sudden demand for security analysts.
As evidence that companies are beginning to take cybersecurity seriously, Forbes reported worldwide cybersecurity spending is expected to rise from $75 billion in 2015 to $170 billion in 2020.
But even as companies become willing to spend money on securing data, a huge skills gap remains between the security analysts that companies need and those they can actually hire.
“In the United States right now, there are 200,000 unfilled cybersecurity jobs, and (the Bureau of Labor Statistics) is saying there will be 2 million by 2020, so you’ve got a real workforce gap,” said Bruce Spector, who is chairman of a groundbreaking cyber training facility in Baltimore, Maryland, called the Baltimore Cyber Range.
The cybersecurity industry is growing not only in response to a growth in crime; every industry, from hospitals to home thermostats, is also becoming automated at such a rapid pace that analysts cannot get trained and experienced fast enough to keep up with the need to protect all the network-connected devices and information.
Michael Hass, the faculty and accreditation coordinator at the Oklahoma State University Institute of Technology’s School of Information Technology, said every year he sees firsthand the high demand for security analysts in his cybersecurity emphasis program. Hass said he used to advise students not to expect to get even an entry-level security position right out of college, but he said now the students are being snapped up by companies before they can even finish their degrees.
“The vast majority of the students are hired into an entry-level cybersecurity position during their final semester at OSUIT,” Hass said.
But while companies are eager, and perhaps even desperate, to quickly fill those positions, Spector said there is no replacement for experience and continual training.
“They need about five or six years of experience,” he said. “You just can’t grow these people. You have to nurture them, and you have to take your time.”
And that’s exactly what Spector is doing at his cyber range, a facility that was the brainchild of Maryland Gov. Larry Hogan and partially funded by a state grant.
Spector said everybody from aspiring analysts to fairly experienced analysts could improve their skills and training at the range in a system of modules that gradually escalates in skill and experience level.
While there are a few other cyber training facilities in the U.S., Spector said the Baltimore range is unique in combining a catalogued library of actual, previous cyberattacks with a secure network system simulator, where the trainees can watch the attacks play out in real time and learn how to respond. Spector said the range trains security personnel for private companies, but also works with government agencies like the National Security Agency and the Pentagon.
But no matter how quickly these cyber facilities work to train and release well-trained security analysts, it will never be enough to meet the need, Spector said. He believes more private and public partnerships are needed to create the opportunities and the funding for more training facilities.
Spector said other creative solutions must be proposed to meet the demands of the industry’s uncontrolled growth, and while those solutions have yet to be imagined, the future is looking very bright for every tech geek in the world.