  • School cybersecurity expert weighs in: What’s happening in … – MPR News

    Minneapolis Public School students and staff returned to classrooms on Monday this week, but disruptions caused by an “encryption virus” — including loss of access to district accounts and devices and the shutdown of after-school activities — continued throughout much of the week.
    “I think the district is trying very hard not to flat-out say that they’ve experienced a ransomware incident… But this has all the hallmarks of those sorts of incidents and that’s what I would consider it to be,” said Doug Levin, national director of the K12 Security Information Exchange and an expert on school cybersecurity.
    Cybersecurity is becoming an increasingly prominent concern for public school districts.
    In September of last year, the country’s second-largest district was targeted. According to Levin, there have been approximately 200 similar incidents targeting both big and small districts throughout the country in the last three years — and the ransom demanded has grown from $5,000–$10,000 to closer to $1 million or more.
    “(This is) affecting school districts from coast to coast — from some of the largest school districts in the nation to much smaller and more rural school districts,” Levin said. “I do think that these incidents are happening more frequently than people realize.” 
    The Minneapolis district has moved from saying on Monday this week that it’s found “no evidence” that personal information was compromised, to emailing families that “an unauthorized threat actor may have been able to access certain data located within the MPS environment.”  
    Here’s what Levin thinks you need to know about what’s happening in Minneapolis:
    What is a ransomware attack?
    A ransomware attack is carried out almost exclusively by criminal gangs operating overseas, largely in Russia, according to Levin. 
    The groups gain access to a computer system and make it unusable and then demand a payment from their victims.
    The Minneapolis school district has denied MPR News requests for interviews on the ongoing incident. According to Levin, there may be several different issues at stake.
    First, most states do not have reporting requirements when it comes to what school districts are obligated to do when they experience a cyber attack. Most states also lack any sort of cybersecurity standard that school districts are required to adhere to.
    Levin also posits the Minneapolis district may be getting advice from insurance providers or lawyers who are telling them they can limit their liability if they avoid using certain words in public communications. 
    Levin suggests people connected to the district change their passwords — especially if they’re reusing them on multiple accounts — enable two-factor authentication, and keep a closer eye on email, social media and financial accounts.
    Parents should freeze their minors’ credit accounts to prevent identity theft. (The Minneapolis district is directing people to report major fraud or freeze credit through credit reporting bureaus such as Equifax, Experian and TransUnion.)
    “Presume that data has been breached by criminal actors,” Levin said. “Take steps to protect your identity.” 
    Levin said it’s possible the district will continue to experience cyber attacks. 
    “Unfortunately, a school system that themselves are victims of cybersecurity attacks like this one are actually fairly likely to experience repeat attacks going forward,” Levin said. 
    He also suggests families and staff ask their board and district leaders to make sure there is a dedicated budget for cyber security, and a plan in place to address cyber attacks when they occur. 
    “What I would suggest for parents… make sure that the school board and superintendent are ensuring that the school system takes cybersecurity risks just as seriously as they take risks of physical violence on the school campus,” Levin said. 
    Cyber attacks are becoming increasingly common, and have the potential to actually halt school programming and shut down systems. 
    “At this point, given the data that we've seen, it's really only a matter of time before, you know, any particular school system is a victim,” Levin said. “We've seen attacks in, you know, some of the largest school districts from, you know, state to state to state, as well as many small ones.”
    Levin points school leaders to a recent federal report on cyber security threats to schools, but also says districts may need help from state and federal sources. 
    “This is a growing national crisis,” Levin said. “While there are certainly things that we should and can expect superintendents and school boards to do, ultimately we’re going to need more help from the state and federal government.”

  • What Will it Take to End the Public Sector's Cybersecurity Talent Gap? – Nextgov

    By Tom Kennedy
    Everything gets more complex over time. That is as true of the cybersecurity skills gap as it is of entropy under the second law of thermodynamics. A decade ago, the cybersecurity industry suffered a shortage of 10,000 professionals. Today, that number has reached 2.72 million. How did we manage to get to this point?
    For one, the approach to solving the cybersecurity talent gap focuses too much on filling experienced positions and not enough on welcoming true entry-level candidates. Nearly 400 cybersecurity programs exist in the U.S. today, but there aren’t enough entry-level positions open within the public sector to meet the demand from graduating students.
    The good news is that both the public and private sectors recognize how critical it is that we find a solution to bridging the gap between talent and open positions. In July, the Biden administration held its first National Cyber Workforce and Education Summit at the White House, bringing together leaders from the private sector, public sector and even academia to identify solutions to help fill cybersecurity jobs.
    While the discussions during that Summit have yet to be made public, the following offers a few suggestions for what should have been proposed.  
    Adjust your entry-level expectations
    The public sector can be deliberately hard to understand. From the multiple terms and acronyms used to describe programs and agencies, to an incredibly complex technological infrastructure, beginning a career in government can seem daunting. That is compounded when realizing even entry-level roles often require at least five years of experience. Many cybersecurity job descriptions highlight requirements for certifications and achievements, which can only be earned after a certain amount of time in the field. 
    Instead of having such high expectations for entry-level candidates, which will only continue to leave hundreds of jobs unfilled, government agencies need to update their job descriptions to be truly entry-level and seek out college graduates or individuals who might have just completed a cybersecurity bootcamp or training program—and who have yet to gain any experience. 
    It would also be beneficial to look at talent that might not come from a STEM field. Candidates with backgrounds in history or English can bring skills like analytical thinking and communication to the table—skills that are often a lot harder to teach than computer science.
    Be open to the fact that on-the-job teaching will be required. 
    Promote from within 
    Both the private and public sector should aim to promote from within their current organizations. Whether it is someone who has already been working on the IT or security teams or someone who might be interested in transitioning from another department, agencies need to be open to hiring individuals with a diverse set of skills.
    Establishing agency-specific cybersecurity apprenticeship programs would enable interested candidates from non-technical backgrounds to receive hands-on training without having to go back to school—and without needing to further delay the ability to fill critical roles quickly and from within.
    Promoting from within also helps build loyalty and trust among employees. Giving employees the opportunity to grow within their careers signals that you value their hard work and will make them more willing to stick with the agency, even in tighter and more competitive job markets. 
    After all, as Jen Easterly aptly shared during a discussion at RSA, “… nobody really comes into the government to make money. They come in, because they are motivated to raise their hand to support and defend the Constitution of the United States and defend their nation and America.”
    But the public sector should still seek to close the public-private compensation disparity. 
    Level the income playing field 
    Despite suffering from an equally severe cybersecurity talent gap, private organizations often come out ahead because of their ability to offer candidates higher salaries. Recent data from labor market research firm Lightcast.io found cybersecurity professionals in the private sector make 14% more than their public sector counterparts. 
    To solve the pay disparity between the public and private sectors, government agencies should allocate more of their spend toward talent acquisition. The president’s budget plan for fiscal year 2023 includes $10.9 billion for cybersecurity to “help improve the protection of federal infrastructure and service delivery against sophisticated cyber threats.” One could argue that infrastructure includes talent, and by directing more funds toward an increase in salaries, the public sector could start to see an increase in interested applicants.
    But these are only three potential avenues for helping to close the cybersecurity talent gap. Those in the private sector must continue to cooperate and converse with the government and agree to share their ideas, successes and failures, in order to continue to identify long-term solutions. We’ve got a long way to go, but by coming together, we can help pass legislation that will improve existing hiring programs that work, continue to invest in our current cybersecurity workforce and ultimately improve our national security.
    Tom Kennedy is the vice president of Axonius Federal Systems, LLC.

  • GoDaddy says it suffered multiyear data breach – Top Class Actions

    GoDaddy has revealed it suffered a multiyear data breach in which unknown hackers stole source code and installed malware on the company’s servers. 
    The hosting company has attributed the security incident to a breach of its cPanel shared hosting environment by a “sophisticated and organized group targeting hosting services like GoDaddy.”
    “According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities,” GoDaddy said. 
    GoDaddy said it discovered the data breach in December after it received customer reports that their websites were being used to redirect web users to random domains.
    In a filing with the U.S. Securities and Exchange Commission, GoDaddy said its investigation determined the data breach has been part of a “multi-year campaign by a sophisticated threat actor group.” 
    GoDaddy has linked the “campaign” back to previous breach disclosures the company made in March 2020 and November 2021. 
    In the November 2021 data breach, hackers reportedly used a compromised password to breach GoDaddy’s WordPress hosting environment, affecting 1.2 million Managed WordPress customers.
    GoDaddy customers affected by the November 2021 breach had their email addresses, database credentials, WordPress Admin passwords, and other information exposed during the attack. 
    The company had previously notified 28,000 of its customers in March 2020 that they had been affected by a data breach that was attributed to a hacker who made unauthorized use of web hosting account credentials in October 2019. 
    GoDaddy said it has begun working with external cybersecurity forensic experts and law enforcement agencies around the world to try to determine how the breach could have occurred.
    In other recent data breach news, LendUS agreed to a settlement last month to resolve claims the company failed to protect consumers during a 2021 data breach that compromised information that included Social Security numbers. 

    I had a go daddy account.
    Closed my account but still have hackers tracking my activities every day: changing settings, deleting emails & contacts, stealing documents, and calling impersonating my bank’s security department. Have had to beef up my security and keep my phone off to all because they will even use my contacts’ phone numbers! Please add me.
    Please add me
    Add me please.
    W/ thousands of names at GoDaddy, the diff between their security today and 20+ yrs ago is a bit distressing. Have been moving chunks of domains to other registrars. Question is, are any safe? Can’t think of anything more likely to be effective than dividing your domains amongst multiple registrars, i.e. Porkbun, NameCheap, or whichever you’re comfortable with. #GoDaddy #notrust #registrars #GoDaddySucks
    How does this affect my certs with godaddy? I have both domains and certs with them.
    The GoDaddy account resulted in multiple affected products and at the time, witnessing the events occur live, GoDaddy was not able to confirm or deny the situation. For multiple years, law firms including GoDaddy failed to provide a resolution of these terms which remain unresolved today. After attempting to regain access to these products through external terms from a data breach all attempts were exhausted.
    If these individuals were able to manipulate products it would not surprise me what they are capable of doing with preliminary or financial information.

  • The Good Guys customers possibly affected by data breach at former third-party provider My Rewards – ABC News

    Up to 1.5 million customers of The Good Guys loyalty program may have had their personal information exposed in a data breach at a third-party company.
    The electronics retailer released a statement saying the IT systems of a former third-party supplier, Pegasus Group Australia, now known as My Rewards, had been improperly accessed by an unauthorised user.
    The Good Guys said My Rewards had previously been used for reward services for "Concierge" members and it collected names, addresses, phone numbers and emails and, for some, dates of birth.
    However, it said driver's licence, passport and credit card data was not involved in the breach.
    The Good Guys has directly contacted 325,000 Concierge members who had set up a My Rewards account, and a further 1.5 million Concierge members whose contact details might have been impacted by the breach, which is believed to have occurred in August 2021. 
    The Good Guys no longer uses My Rewards, and accounts linked to Concierge member benefits have been closed.
    The Good Guys managing director Biag Capasso apologised for concern the issue had caused. 
    "The Good Guys take the matter of privacy and data security very seriously," he said. 
    "It is extremely disappointing that My Rewards, a former services provider, has experienced this breach."
    A spokesman for My Rewards said: "While we believe no serious harm has been caused by the breach, we are very concerned with the unauthorised access to the information and are working closely with the federal government authorities to minimise the impact of the data breach."
    Anyone who has concerns about their personal information should contact IDCare, a national identity and cyber-support community service.

  • Activision Suffers Data Breach, Call of Duty Plans Stolen – Tech.co

    Call of Duty creators Activision recently confirmed that the company suffered a major data breach, with both sensitive and product-related employee information stolen from the website.
    The news comes as Microsoft defends its $69 billion acquisition of the company at an EU competition hearing, with the supra-national political body currently scrutinizing the tech giant’s decision to buy the gaming company.
    Cybersecurity tools like password managers provide protection against common tactics like credential stuffing, but this case is the latest reminder that educating employees so they can identify suspicious correspondence is equally important to cybersecurity.
    Activision confirmed this week that towards the end of last year, hackers successfully breached the company’s systems. The threat actors exfiltrated sensitive employee data and information about yet-to-be-released game content.
    The stolen data includes full names, email addresses, and phone numbers, as well as confidential information like salaries and work locations.
    The breach officially occurred on December 4, 2022, but at that time, Activision did not announce or confirm that a cyber attack had taken place, continuing the trend of large companies prolonging the time between breach discovery and disclosure.
    According to gaming publication Insider Gaming, the leaked documents seem to highlight “the entire year ahead for Call of Duty.”
    Seven “Core Maps” and a “Haunting of Saba event for Halloween” are scheduled for Season 6 (September–November 2023), while one “small map” will be arriving beforehand as part of Season 4 (May–July 2023).
    A screenshot of the leaked documents circulated by @vxunderground shows plans for at least “one ‘Licensed’ operator every season, which means a collaboration or crossover… more Gunfights, Spec Ops missions, Raids, and Tier 1 Events starting from Season Three” and “at least another 240 bundles”.
    At the bottom of the screenshot, you can just about see date information about “Jupiter” – thought to be a new installment in the Call of Duty franchise.
    “Jupiter GL4” is penciled in for April 7 to April 28, “Jupiter Alpha” for May 26 to June 2, and “Jupiter GL5” for June 9 to June 30.
    As is often the case with data breaches, the hackers found their way in after an employee fell for a text message phishing scam, rather than by exploiting a technical vulnerability.
    This emphasizes, rather emphatically, the importance of ensuring your staff are well-trained in recognizing the telltale signs that an email or text message may be suspicious. Password managers and other cybersecurity tools can only do so much.
    You can have an extremely secure network and still provide a hacker with an endpoint to exploit by not adequately training your staff.
    Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.

    source

  • Nontraditional applicants could be answer to talent shortage as … – Fortune

    The number of cyberattacks continues to rise as we spend more time online and assets are moved to the digital universe. In fact, the average number of cybersecurity attacks per company per year rose 31%, to 270 attacks, according to a 2021 report from Accenture. In reaction to the growing number of cyberattacks, companies are spending more money to protect their digital assets.
    The global cybersecurity market is projected to grow to a $2 trillion addressable market, which is 10 to 15 times the amount of current spending, according to a new survey conducted by McKinsey & Co. This steep market projection puts pressure on companies to invest in the right cybersecurity talent.
    “The biggest challenge that our market faces is that threat actors are working around the clock to find new ways to exploit and attack their victims. There are no days off. There are no hours off,” Nick Schneider, CEO of cybersecurity firm Arctic Wolf, tells Fortune. “In many ways, the bar of innovation in cybersecurity is set from the outside, as our industry races to stay one step ahead of threat actors, creating an ever-present challenge for the cyber teams protecting businesses of all sizes.”
    The challenge of combating a growing number of cyberattacks may seem unattainable, but the solution is finding and retaining top cybersecurity talent.
    Yet, there’s already a massive talent gap in the cybersecurity industry. In the U.S. alone, there are more than 700,000 unfilled cybersecurity jobs, data from Cybersecurity Ventures shows. While the global cybersecurity workforce has reached an all-time high with an estimated 4.7 million professionals, there’s still an overall shortage of 3.4 million workers, according to the 2022 (ISC)2 Cybersecurity Workforce Study.
    Fighting this talent gap is no small feat, but there are tactics both cybersecurity applicants and recruiters can take to curb the growing number of cyberattacks. Cybersecurity experts agree that companies need to be more lenient with their candidate expectations and invest in leadership at the very top.
    Companies big and small also need to hire and compensate someone who is fluent in cybersecurity at the executive board level, Peter Trinh, a cybersecurity architect at TBI Inc., tells Fortune. “Whether you’re hiring a cybersecurity team in-house or partnering with a third party, cybersecurity is expensive, but increasingly necessary to ensure organizational health.”
    With so many open cybersecurity jobs, the common conclusions are that there either aren’t enough qualified people to fill the positions or that companies aren’t offering the right compensation packages. While both of these ideas are partially true, cybersecurity experts also argue that the market could stand to have improved recruitment measures and be more open to hiring people with varied professional experience. 
    “Companies need to understand that exceptional candidates are out there, but we need to be flexible with the job requirements we set,” Schneider says. “Businesses aren’t looking at nontraditional candidates enough—folks that don’t have a college degree, neurodiverse candidates, veterans, etc. Whether your background is in construction, health care, or even food services, I promise that there is room for you in cyber.”
    Learning the tricks of the trade takes time, however. Companies are increasingly offering upskilling opportunities for employees who are interested in making a career switch. Other ways to enter the cybersecurity field include earning a master’s degree, taking certifications, or even taking a few free classes at a time.
    Because cybersecurity professionals are learning in a variety of ways, companies should pursue a variety of avenues for recruitment, Schneider suggests. 
    “Too often, companies spend massive amounts of money recruiting in a stereotypical talent hub like the Silicon Valley and end up competing in an overinflated market,” he says. “Businesses should take stock of the universities that are investing in cyber programs and degrees and make inroads into their internship and professional development programs.”
    No matter how professionals enter the industry, they can expect a good payday. The current median salary for cybersecurity professionals in the U.S. is $135,000, the (ISC)2 study shows. Also, nearly 30% of cybersecurity professionals enter the industry for the potential of high salaries and strong compensation packages. 
    “The race for cybersecurity talent has been underway for several years and the shortages of skilled employees is difficult to overcome,” Trinh says. “Security specialists are very fluid in their employment choices as compensation, titles, responsibilities, and job pressures all play into the career choices made by these individuals.”
    As the talent gap continues to widen, however, so will the need for companies to pursue more automated avenues of protection against cyberattacks, says Sumedh Thakar, CEO of cybersecurity company Qualys, which Fortune has recognized as one of the 100 Fastest-Growing Companies.
    “Shortage of talent in anything always drives toward wage expansion, which in this case, also increases the cost for enterprises to secure themselves,” he tells Fortune. “But even as companies become more willing to pay higher wages to cybersecurity professionals, it is still incredibly difficult for them to find qualified experts.”
    And for the hires that companies have already made, cybersecurity experts make one thing clear: cybercriminals are motivated to work faster than their victims, which means that cybersecurity professionals need to work to stay one step ahead of bad actors.
    “As the number of vulnerabilities continues to explode, the amount of time it takes for attackers to weaponize and exploit these vulnerabilities continues to contract,” Thakar adds. “Essentially, cybersecurity is a challenge of speed. Can the attackers get to your weak points faster than you can?”

    source

  • Russia's cybercrime underground is starting to recover from Ukraine … – Axios

    Illustration: Maura Losch/Axios
    Russia's cybercrime underground is starting to recover from the disruptions caused during the ongoing war, which could spell bad news for U.S. companies, experts told Axios.
    The big picture: Before the war started, some still hoped Russian President Vladimir Putin might crack down on the deluge of ransomware gangs in his country.
    Why it matters: The war has killed off any incentive Putin may have had to stop cybercrime operations from targeting Western organizations.
    Flashback: When the war started, factions formed within cybercrime forums between those who supported Russia's war and those who stood with Ukraine.
    What's happening: Initial slowdowns in the Russian cybercrime underground have proven to be only blips, experts told Axios.
    Between the lines: Even Russian cybercriminals who have fled their country to avoid the draft are seemingly starting to deploy ransomware attacks, Thanos said.
    The intrigue: By enabling cybercrime gangs, the Russian government can claim it wasn't responsible for any of the groups' attacks while reaping the benefits of seeing Western organizations hindered.

    source

  • Is Your Cybersecurity Strategy Falling Victim to These 6 Common … – NIST

    https://www.nist.gov/news-events/news/2023/03/your-cybersecurity-strategy-falling-victim-these-6-common-pitfalls
    Here’s a pop quiz for cybersecurity pros: Does your security team consider your organization’s employees to be your allies or your enemies? Do they think employees are the weakest link in the security chain? Let’s put that last one more broadly and bluntly: Does your team assume users are clueless? 
    Your answers to those questions may vary, but a recent article by National Institute of Standards and Technology (NIST) computer scientist Julie Haney highlights a pervasive problem within the world of computer security: Many security specialists harbor misconceptions about lay users of information technology, and these misconceptions can increase an organization’s risk of cybersecurity breaches. These issues include ineffective communications to lay users and inadequately incorporating user feedback on security system usability. 
    “Cybersecurity specialists are skilled, dedicated professionals who perform a tremendous service in protecting us from cyber threats,” Haney said. “But despite having the noblest of intentions, their community’s heavy dependence on technology to solve security problems can discourage them from adequately considering the human element, which plays a major role in effective, usable security.”  
    The human element refers to the individual and social factors impacting users’ security adoption, including their perceptions of security tools. A security tool or approach may be powerful in principle, but if users perceive it to be a hindrance and try to circumvent it, risk levels can increase. A recent report estimated that 82% of 2021 breaches involved the human element, and in 2020, 53% of U.S. government cyber incidents resulted from employees violating acceptable usage policies or succumbing to email attacks. 
    Haney, who has a comparatively unusual combination of expertise in both cybersecurity and human-centered computing, wrote her new paper, “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned,” to help the security and user communities become allies in mitigating cyber risks.  
    “We need an attitude shift in cybersecurity,” Haney said. “We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners. That approach doesn’t set them up for success. Instead of seeing people as obstructionists, we need to empower them and recognize them as partners in cybersecurity.” 
    The paper details six pitfalls that threaten security professionals (also available in this handout), together with potential solutions:  
    Haney stressed that not all security professionals have these misconceptions; there are certainly security teams and organizations making positive progress in recognizing and addressing the human element of security. However, these misconceptions remain prevalent within the community. 
    Haney said that though the issue with neglecting the human element has been well known for years — her paper cites evidence from industry surveys, government publications and usable security research publications, as well as her research group’s original work — there is a gap between research findings and practice. 
    “There has been a lot of research into this issue, but the research is not getting into the hands of people who can do something about it. They don’t know it exists,” she said. “Working at NIST, where we have a connection to all sorts of IT experts, I saw the possibility of bridging that gap. I hope it gets into their hands.”
    Paper: Julie Haney. Users Are Not Stupid: Six Cyber Security Pitfalls Overturned. Cyber Security: A Peer-Reviewed Journal. March 2023.  

    source

  • Mace to Hold Subcommittee Hearing on the White House's National … – House Committee on Oversight and Reform |

    WASHINGTON—Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) will hold a hearing titled “Unpacking the White House National Cybersecurity Strategy” to delve into the cybersecurity strategy the Biden Administration released on March 2nd. The strategy is intended to be a road map to strengthening federal cybersecurity and protecting Americans’ sensitive information.
    “It is crucial to protect Americans from hackers and cybercriminals and defend against emerging threats and malicious actors. We look forward to hearing from the top White House cybersecurity official how this plan will help protect the nation’s critical infrastructure from bad actors like China, Russia, and North Korea; effectively partner with industry to increase cybersecurity standards, and ensure government systems are secure so that citizens’ confidential data remains safe,” said Subcommittee Chairwoman Nancy Mace.
    WHAT: Hearing titled “Unpacking the White House National Cybersecurity Strategy”
    DATE: March 23, 2023
    TIME: 2:00 PM EST
    LOCATION: 2154 Rayburn House Office Building
    WITNESS: Kemba Walden, Acting Director, Office of the National Cyber Director
    The hearing will be open to the public and press and will be livestreamed online at https://oversight.house.gov/.

    source

  • Patrolling the Metaverse: Stopping Cybercrime, Training Forces – InformationWeek

    As the metaverse advances and the difference between a cyber existence in the metaverse and current “real life” becomes less defined, the potential for malicious actors to perpetrate a range of criminal activity is likely to grow.

    Currently, a growing issue concerns cyber-physical security, where digitally connected assets can be used to create physical acts of crime or terrorism — think Colonial Pipeline, Stuxnet, and others.

    In the metaverse, such crimes could be easier to perform and potentially acted out on a much larger scale.

    As these threats grow more concrete, governments and international law enforcement agencies are working on plans to not only “police” the metaverse but use virtual worlds to train law enforcement agents.

    “Because cybercrime has the potential to impact the population at large, there is clearly a role for governments and the public sector to police and set guidelines and policies,” says Bud Broomhead, CEO at Viakoo.

    He points to efforts by the US Government in the past few years to establish mandates and provide information, including CISA’s Known Exploited Vulnerabilities catalog, as an indicator that there will be more involvement by governments in general to prevent cybercrime.

    “International regulations should focus on the potential for the metaverse to be a venue to act out crime on a massive cross-border scale,” Broomhead says.

    Gartner director analyst Tuong Nguyen says governments and regulatory bodies must understand the implications of an increasingly digital world to effectively regulate or put proper guidance in place.

    “Outside of this, it’s mainly a political issue,” he says. “How is cybercrime handled today? If you committed a crime in country A, live in country B, while all the digital assets and transactions for the crime were hosted in country C, who has jurisdiction and why?”

    From his perspective, this is an example of how the topic of crime in the metaverse still needs to be addressed.

    “They are in fact issues that exist pre-metaverse and will only become more common and exacerbated with the metaverse era,” he says.

    Nguyen says the risks of cybercrime in the metaverse are very similar to what we have today with the internet and digital spheres in general.

    “The issue is perpetuated because we’ll be faced with an unprecedented amount and degree of exposure and interaction with digital content,” he says. “This includes crimes around fraud, data manipulation, and stalking.”

    For example, currently, you may have an identity tied to your email account, but this is one of many accounts you have on the internet.

    As we move toward the metaverse era, the idea is that many of these accounts (identities) are harmonized so you can manage them more effectively. 

    “The upside is having more personalized experiences, the downside is potential fraud that targets the ‘main’ account, or persona, or avatar, or whatever you call it,” Nguyen says.

    He points out individual companies have similar responsibilities they do today, but due to the volume of personal data, the risk is proportionally higher. “All these organizations need to understand the roadmap that is the metaverse in order to adapt their strategies accordingly,” he says. “Just like they had to do with the internet.”

    Andrew Barratt, vice president at Coalfire, says a major issue concerns what must be done to ensure that forensic evidence can be retained or obtained by law enforcement.

    “It is well known that in-game voice chat has often been used by criminals to organize and communicate due to it not falling into any of the traditional communications windows,” he explains.
    He says if someone is committing offenses in a metaverse, law enforcement must be able to ensure the evidence can be collected and the appropriate authorities can make use of it in the jurisdiction it applies.

    “My suspicion is that cyber criminals will continue to operate as they do today, and the only targeting of metaverse uses will be if they can extract something of value,” Barratt says.

    Broomhead points out the metaverse is already being used for training, including what to do in an active shooter situation — and is proving to be more effective than other forms of training.

    “Likewise, the metaverse has the potential to be used more extensively for cybersecurity awareness training,” he says. “With policing, it can potentially be a very powerful tool for simulating, modelling, and assessing potential threats at a much higher speed and more thoroughly than current approaches allow.”

    In that way it can significantly reduce the “black swan” type events by assessing and judging even very unlikely situations for their potential cybercrime impact. 

    Interpol secretary general Jurgen Stock recently said the global police agency is investigating how the organization could police crime in the metaverse — an endeavor that would also include agent training within virtual worlds.

    “This is a start,” Nguyen says. “I’d like to see more organizations consider the broader aspect of the metaverse — not just VR. Most organizations are overly focused on VR and trying to force-fit value or a use case and missing on the broader potential benefit.”

    For example, how would collaborative (multi-sourced) information help police do their job better?

    “Maybe different sensor and sensing data in the environment, or near-real time video and content of an environment to help police make better informed decisions because they have a holistic view of the situation,” Nguyen says.


    source