By Kyle Gingrich
“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.” – Ginni Rometty, IBM Chairman, President and CEO.
If you are in any doubt about the accuracy of Rometty’s assessment, consider the following:
- Cybercrime damage costs are predicted to reach $6 trillion annually by 2021
- More than $80 billion was spent on cyber security in 2016
- Global ransomware costs are predicted to exceed $5 billion in 2017
- It takes an average of 46 days to resolve a cyberattack, at an estimated cost of $21,155 per day
- Cyberattacks cost US companies an average of $15.4 million per year
- More than 50% of cyberattacks target US companies
- An attack costs its victims $40,000 per hour
Then there are the intangible impacts: lost customer goodwill, lost opportunities and damage to the brand, to name a few.
So Rometty’s claim is frightening but very real.
What should we do about it?
As we’ve always heard, the best defense is a good offense. But cyber is different: the threat landscape changes constantly, and how can you run an effective offense when you don’t know what you’re defending against?
Be Prepared: Keep Training Current
The answer lies in preparation: in being well trained and keeping IT skills current, so that a baseline of offensive skills is already in place when an incident hits. Think about the WannaCry ransomware attack from earlier this year. How do you think a 22-year-old security researcher was able to find the kill switch (an unregistered domain the malware checked before spreading; registering it stopped new infections)? It wasn’t by chance; it was through preparation, using his skills and knowledge to analyze the situation and apply them to the problem. That’s what effective training does: it prepares people to apply their knowledge effectively when they have to react. We’re all part of the offensive line, and building comprehensive awareness of cyberattacks across the organization is the first step in creating your offensive playbook. I’m reminded of Thomas Jefferson, who said, “Knowledge is Power.” Knowledge is the piece that allows people to connect the dots, to identify the threat and to evaluate how best to solve the problem.
This year’s National Cyber Security Awareness Month aims to increase everyone’s situational awareness, a “see something, say something” for cyberattacks. I’ve been fortunate to work with the Department of Homeland Security in my career, and I know from experience just how impactful these initiatives are for organizations. With five weekly themes to help educate employees about preventing cyber threats, it is a great way to jumpstart an offensive approach.
The weeks are categorized as follows:
Week 1 – Simple Steps to Online Safety
Week 2 – Cybersecurity in the Workplace is Everyone’s Business
Week 3 – Today’s Predictions for Tomorrow’s Internet
Week 4 – The Internet Wants YOU: Consider a Career in Cybersecurity. According to the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers.
Week 5 – Protecting Critical Infrastructure from Cyber Threats
See the campaign’s website for further information on each week’s theme.
Your entire organization is part of the offensive team; it is also, as I like to put it, the “insider threat,” because any employee can become an attacker’s way in. At this year’s Financial Industry Regulatory Authority (FINRA) Annual Conference, Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC), said “Employees are the biggest risk for firms” and gave the following tips to ensure that all staff are made aware, not just a particular group:
- Training needs to be conducted regularly, and not just once a year
- It needs to be varied, both in method (in-person, email, blogs) and in topic (passwords, visitor access), to engage your employees.
- Tailor the training by staff role, and include both registered and non-registered persons.
- Make training practical and relevant. Use prior mistakes as examples.
- Show employees what good cyber hygiene looks like so they may bring those practices home with them to protect their families and home systems.
- Training also needs to be engaging and interactive. This can involve sending phishing emails to all employees and requiring those who clicked on the email to take additional training.
Each of us has a role to play on the offensive line: IT is the quarterback, and it is the job of the rest of the organization to protect that position.
Studies show that employee training can significantly reduce the risk of a cyberattack, so the issue is less about whether or not to train, and more about how best to train employees.
Provide Training by Department
While all employees absolutely need training, remember that different employees and departments require different levels of training and development to be effective. Look at each job role and at how it affects your exposure (finance staff approve payments, administrators hold privileged credentials, developers ship code), and arm people with the knowledge and skills that make them part of the solution.
One of our key strengths here at Skillsoft is providing that training for all levels of the organization, so work with your solutions team to put your game plan into place.
Some of our most popular IT Security courses are:
- Information Security – compliance content for the entire organization that trains everyone on the basics of what they can do day to day, such as IT Security for End Users
- Certified Ethical Hacker (CEH) – you learn to mimic real attackers’ techniques against your own network to discover vulnerabilities before a real attacker finds them
- CompTIA cybersecurity certifications (Security+, CompTIA Cybersecurity Analyst (CSA+), CompTIA Advanced Security Practitioner (CASP)). CSA+ is an internationally recognized professional qualification created to fill the gap in cybersecurity credentials and address the unique role of the cybersecurity analyst.
- Cisco certifications in security (CCNP Security or CCNA Security)
- ISC2 certifications (Certified Information Systems Security Professional (CISSP))
Kyle Gingrich is the VP of IT and Certification at Skillsoft.