by Christian Ohanian
October 17, 2022
Budapest (Cybercrime) Convention, cybercrime, Cybersecurity, Diplomacy, hacking, Law enforcement, United Nations
The United Nations is engaged in a landmark effort to establish a new global cybercrime treaty. The goal is laudable. Cybercrime does not respect borders, nor is it limited by them. And, as we have seen, cyberattacks that begin with one target can quickly spill into the broader digital ecosystem, causing widespread damage. But this initiative at the U.N. – if not carefully curated – could also serve as a vehicle for countries to criminally prosecute security researchers, technology companies, and others for activities that are essential to the overall security of our global digital community.
The estimated economic cost of cyberattacks is staggering and seems to grow each year. The expansion of the cyber insurance industry is a natural consequence as more companies look to protect themselves against these attacks. The damage wrought by cybercrime has a nontrivial human component too. When a cyberattack targets the healthcare industry – a common victim – the impact on individual lives is stark: prescriptions don’t get filled, surgeries are delayed, and an individual’s health can rest in the hands of a cybercriminal thousands of miles away and out of reach of local and allied law enforcement agencies. Innovative approaches to combating cybercrime, including drawing on all elements of geopolitical power, are needed if the international community hopes to put a dent in the seemingly unbounded growth of this malicious enterprise. But while the goal of increased global cooperation in the prosecution of cybercrime is worthwhile, current proposals from various countries, discussed during the summer’s U.N. Ad Hoc Committee’s Second Session, raise concerns.
As it currently stands, the most influential and important international cybercrime treaty is the Council of Europe Convention on Cybercrime, more commonly referred to as the “Budapest Convention.” That Convention was the first international cybercrime treaty and has been adopted by 67 countries, including Australia, Canada, the Council of Europe (which includes the European Union as well as other countries), Japan, the U.K., and the U.S. The goal of the Budapest Convention was to establish a global approach to cybercrime that would involve harmonizing national law, improving investigative abilities, and enabling international cooperation. Among other things, the Budapest Convention defined criminal offenses for cybercrimes such as illegal access to a computer system, fraud and forgery, and illegal data interception. While the Budapest Convention has been the subject of controversy over the years, including concerns that it undermines individual privacy rights, it is generally regarded as a useful instrument setting an international standard for addressing cybercrime.
In 2019, the U.N. General Assembly adopted a resolution that initiated a multi-year process of negotiating what could become a global cybercrime treaty more widely adopted and influential than the Budapest Convention. Negotiations for this treaty are wide-ranging and illustrate a lack of unanimity concerning what should be defined as “cybercrime.” Where some proposed crimes mirror the language and approach of the Budapest Convention, such as prohibitions against illegal access to a computer system, others include new provisions, such as those that criminalize the receipt of “any stolen computer resource.” The competing proposals also raise the specter of significant human rights concerns with sweeping concepts of criminalized conduct, especially since the countries driving the movement toward the new treaty are among those with the most restrictive laws concerning the free and open use of the internet.
While human rights concerns are the most significant danger in some of the proposals, they are not the only problem. Most ironically, one of the potential flaws in many of the proposed crimes is that they may undermine the goal of bolstering global cybersecurity. One of the notable ways this concern manifests is in the number of proposals calling for the criminalization of computer-enabled conduct without a requirement to show some kind of “intent.”
Intent is a common element in many global cybercrime legal frameworks – and criminal law, generally. The crimes outlined in the Budapest Convention, Articles 2-11, specify some element of intent as a prerequisite to the criminal prohibitions, such as illegal access, illegal interception, and data interference. While some of the parties participating in the negotiation of the new U.N. Cybercrime Treaty have proposed cybercrimes that are consistent with the language of the Budapest Convention, many other countries have proposed crimes without any intent element. That’s ill-advised and dangerous. For instance, with respect to the crime of “[c]omputer interference,” Proposal 5 from India states:
Each State party shall adopt such legislative and other measures as are necessary to establish as an offence under its domestic law, if any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network…
Another example is Egypt’s Proposal 1 for an offense relating to “[a]ttack on a site design,” which states:
Each State party shall also adopt such legislative and other measures as are necessary to criminalize the following acts:
The unlawful damaging, disruption, slowing, distortion, concealment or modification of the site design of a company, institution, establishment or natural person.
Where many proposals omit intent, other countries seek to maintain it as an important element of the proposed crimes in the new treaty. For instance, Canada’s Proposal 3 for an offense relating to “data interference” states that countries shall:
Establish as a criminal offence to, intentionally and without right, seriously hinder the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.
When intent is removed from a criminal prohibition, it increases the likelihood that innocent individuals who inadvertently produce certain effects through their conduct will be subjected to the full weight of criminal prosecution and the threat of significant penalties, including, potentially, the loss of their freedom. This is a danger that is well-recognized in the field of cybersecurity. To be sure, security research does not always involve activities that might implicate cybercrime laws, as such research does not necessarily involve conduct that might constitute “interfering” with a system or circumventing security measures. Omitting intent as an element of a cybercrime may, however, criminalize such conduct in those circumstances where the effects of cybersecurity research are less clear.
By maintaining the intent element in cybercrime laws, many jurisdictions avoid the risk of discouraging or chilling the work of security researchers: researchers who are legitimately acting in good faith should generally not have to worry about being prosecuted for inadvertent effects over which different parties might debate whether they constitute “accessing” or “interfering” with a system. There should be no room for ambiguity.
Through its enforcement of the Computer Fraud and Abuse Act (CFAA), the United States itself has struggled to draw the line between legitimate computer research and criminal access to a computer system. In particular, in the case of vulnerability research, some identification and testing of vulnerabilities could potentially, if inadvertently, cause effects that some might argue constitute “interfering” with a computer system in violation of the CFAA. This has left many critics claiming that vital cybersecurity research, including vulnerability research, is threatened unnecessarily by the specter of potential federal criminal prosecution. Many technology companies that offer cybersecurity services or products, as well as corporate security departments, depend on the ability to obtain and use actionable intelligence concerning cybersecurity vulnerabilities to protect their systems, the many consumers they serve, and the broader cybersecurity ecosystem. The importance of insulating “good faith” security researchers from cybercrime laws was recognized recently by the U.S. Department of Justice, which announced a new policy for federal prosecutors investigating potential violations of the CFAA. That policy explicitly discourages prosecutors from pursuing “good faith” security researchers for violations of the law.
To the extent any of the current cybercrime proposals that do not require intent survive in the final version of the U.N. Cybercrime Treaty, it could significantly alter the landscape for cybersecurity researchers, discouraging their work and even potentially threatening them with criminal prosecution.
A new global cybercrime treaty, especially one that aspires to something closer to universal adoption in countries that are not parties to the Budapest Convention, could have significant positive effects on the fight against global cybercrime. An instrument that enables more extensive international cooperation in cybercrime investigations could mean, among other things, more favorable conditions for the extradition of cybercriminals from countries currently unwilling to do so. It could also shrink the number of “friendly” jurisdictions where cybercriminals can act with relative impunity. But when significant human rights concerns are coupled with blind spots that could endanger cybersecurity research, it is apparent that an international instrument that is not carefully crafted could have unintended consequences, including undermining the very purpose for its existence.
Christian Ohanian (@CGOhanian) is Senior Counsel for Privacy and Cybersecurity for Cyber & Intelligence Solutions at Mastercard and a Senior Fellow in the Tech, Law & Security program at American University. He previously served as an Assistant General Counsel with the National Security Agency (NSA).
Just Security is based at the Reiss Center on Law and Security at New York University School of Law.
The UN Cybercrime Treaty Has a Cybersecurity Problem In It – Just Security
Former CSO of Uber found guilty of covering up data breach | Cyber Security Hub – Cyber Security Hub
A federal jury has found Joe Sullivan, former CSO of Uber, guilty of covering up a data breach the company suffered in 2016.
The breach saw 57 million users’ information, including full names, email addresses, telephone numbers and driver’s license numbers, exposed, and led to Uber paying US$148,000 to settle civil litigation.
Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with attempting to cover up the hack.
In November 2014, Uber suffered a data breach that exposed the personal information of 50,000 customers. After this hack was disclosed to the FTC, Uber’s data security practices were investigated. In May 2015, Uber was served a Civil Investigative Demand by the FTC. The demand required Uber to give extensive information on its data security practices as well as detailed information on any other occasions where unauthorized parties had gained access to confidential user information.
The Department of Justice (DOJ) said in a statement that it was demonstrated that Sullivan played a significant part in Uber’s response to the FTC, including “supervis[ing] Uber’s responses to the FTC’s questions, participat[ing] in a presentation to the FTC in March 2016, and testify[ing] under oath…to the FTC on November 4, 2016, regarding Uber’s data security practices…includ[ing] specific representations about steps he claimed Uber had taken to keep customer data secure”.
Ten days after his testimony, Sullivan learned that the data breach had taken place, as he was contacted directly by the hackers on November 14, 2016.
Evidence at the trial demonstrated that Sullivan actively tried to keep knowledge of the breach from reaching the FTC, including telling subordinates that information about the hack was to be “tightly controlled” and that they “can[not] let this get out”. He also told employees outside of the security team that the official line to the rest of the business was “this investigation does not exist”.
Sullivan attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.
Despite this information being crucial to the FTC investigation, evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in summer of 2016, without Sullivan mentioning the breach.
In 2017, Uber began investigating the 2016 breach. During the investigation, Sullivan lied to the new CEO of Uber, Dara Khosrowshahi, telling him that the hackers were only paid after their identities were revealed. He also deleted from a draft report on the breach the information that it involved the exposure of a large amount of personal information belonging to a large number of Uber customers. The breach was eventually discovered and disclosed to both the FTC and the general public in November 2017.
At the trial, the jury found Sullivan guilty of obstruction of justice and misprision of felony. He faces a maximum of five years in prison for obstruction and a maximum of three years for misprision. He remains free on bond and will be sentenced at a later date, yet to be set.
Why Cybersecurity Awareness Training Needs a New Approach – ITPro Today
IT Pro Today is part of the Informa Tech Division of Informa PLC
Karen D. Schwartz | Sep 07, 2022
Chances are you have spent some of your work hours clicking through your company’s cybersecurity awareness training modules. As you progressed through the training, you may have hoped to get just enough answers right so you could return to your real work. You may even have resented how much time it took from your day and wondered if it made a difference.
Despite the continued use of cybersecurity awareness training programs, it has become clear that the typical approaches simply don’t work as well as they should. Employees often fail to retain the information they are taught. The reason for this may be what 19th-century German psychologist Hermann Ebbinghaus called the “Forgetting Curve.” According to Ebbinghaus’s studies, without reinforcement or connection to previous knowledge, most people will forget an average of 56% of what they learned within an hour, 66% after a day, 75% after six days, and 90% within the first month.
Cybersecurity awareness training can also fail because it focuses on the wrong things and uses a one-size-fits-all approach. In addition, the training often has a punitive nature when instead it should seek to create a real culture of security.
“We make people who have better things to do sit through an hour or more of cybersecurity talk that they don’t care about, and they don’t retain the information,” said Jinan Budge, a vice president and principal analyst who leads Forrester’s security and risk research in Asia Pacific. “As a result, they end up hating security.”
The shortcomings of security awareness training have pushed the industry to pioneer a new category of cybersecurity protection, one that focuses on understanding the human risk within an organization. It aims to analyze the cybersecurity behavior of individual employees, divisions, and geographies, then promptly provide users who deviate from security policies with short, constructive “learning moments.” The goal of the approach is to change cybersecurity behaviors and culture permanently.
Because this is a relatively nascent area, vendors and analysts are calling it different things. KnowBe4 calls it human detection and response (HDR), while Living Security calls it human risk management (HRM). Forrester, meanwhile, calls it human risk quantification (HRQ).
The underlying idea behind the new approach is to provide a gentle yet persistent way of reinforcing good cyber hygiene, said James McQuiggan, a security awareness advocate at KnowBe4.
“Rather than hitting employees with so much training, this is a way to provide small, friendly reminders whenever something happens that triggers [an intervention],” McQuiggan said.
KnowBe4’s HDR offering, Security Coach, is based on its recent acquisition of SecurityAdvisor. Security Coach pushes micro-learning modules to users based on parameters set by the customer organization. The offering integrates with KnowBe4’s existing security awareness training platform.
Living Security, another enterprising vendor in this space, provides Unify Insights. Its HRM offering quantifies human risk, engages users, and then measures changes in user behavior. Its human risk index provides risk scores for the organization, user segments, and individuals, and pinpoints specific weaknesses that get immediately addressed through short and targeted training sessions.
There are plenty of examples of how training sessions would be triggered, including these scenarios:
So far, only a handful of vendors are at work in this space. In addition to KnowBe4 and Living Security, vendors offering similar products include Elevate Security and CybSafe. While products work somewhat differently, they share many attributes.
Products tend to use a data-based approach that centers on quantifying and measuring security behaviors, for example. In most cases, products integrate with most or all of the security tools an organization uses, from antivirus and firewalls to extended detection and response and endpoint detection.
In addition, user behavior data can be communicated back to the organization’s security operations center, highlighting areas that need work. If a user or group performs an action outside of acceptable cybersecurity behaviors, they will receive a short “coaching moment” – e.g., a 5-minute pop-up video via email, Slack, Teams, or another communication platform.
“Let’s say you plugged in a flash drive that had malware on it and [the malware] was detected,” McQuiggan said. “The person might get an email saying, ‘We wanted to let you know that you inadvertently introduced malware into our environment through a flash drive. Here are some of the dangers that can occur if you don’t know where the flash drive came from or what’s on it.’ ”
This data-based approach can also provide valuable information to security teams. For example, if some learning prompts are triggered more than others, they may point to a persistent issue that the security team must prioritize.
“CSOs and security program owners really just want to see what’s going on so they can assess their human risk index,” Living Security CEO Ashley Rose explained. “With that information, they can better understand what groups or people are the most at risk and most vigilant, and they can prioritize their program focus and determine what actions to take.”
Finally, these offerings take a markedly different approach to measuring training success. With traditional security awareness training, NIST research found that most organizations have measured success simply by the number of trainings completed or by whether phishing simulation click rates decreased. Other organizations have relied on employee feedback, attendance at security awareness events, and online views of security awareness materials.
These new products measure success with more sophisticated frameworks, such as a human risk index.
Moving toward the new training approach requires buy-in from leadership and the creation of comprehensive security policies. Additionally, it’s critical to focus on positive reinforcement instead of the more negative reinforcement used frequently in traditional cybersecurity training.
“If employees have to train, it might as well be fun and engaging,” Rose said. To that end, Living Security provides access to content such as cybersecurity escape rooms and live-action modules.
Organizations must also create a feedback loop. “Companies hear from employees all the time that they were asked to complete training and it was never mentioned again. They want to know how they performed,” Rose noted. “The company needs to address it with the employee. It reinforces everything and empowers them to take an action, like downloading a password manager or being more cautious with opening email attachments.”
During the next three years, Budge expects this market to explode. She said the market might evolve into “adaptive people protection” – a process that reduces training in favor of automated processes, tools, and policies that protect employees.
“Your role as a human is to be human,” Budge said. “Security should do its job.”
Cybercrime poses the largest threat to organizations as fraud rises – World Economic Forum
Cybercrime is the biggest fraud threat facing most businesses today. Image: Unsplash/Jefferson Santos
AG Data Breach Report: Data breaches remain at historic highs in … – WA.gov
Bob Ferguson
Special edition of the report focuses on protecting Washingtonians’ sensitive data in wake of record cybercrime
OLYMPIA — Attorney General Bob Ferguson released his seventh annual data breach report today. The report shows that data breaches remain at record-breaking severity. This year, 4.5 million data breach notices were sent to Washingtonians, second only to the 2021 record of 6.3 million since the Attorney General’s Office began tracking this number.
This year’s report is a special data-privacy edition, focusing on protecting consumer data even before breaches occur. Corporations collect and sell massive amounts of sensitive personal data. The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime. In this year’s special-edition report, Ferguson is proposing a slate of reforms to protect Washingtonians’ data privacy — particularly sensitive data on consumers’ reproductive health care.
“Washingtonians deserve control over whether entities get to profit off their most sensitive data,” Ferguson said. “This is particularly urgent after the U.S. Supreme Court overturned Roe v Wade. The Legislature must adopt these reforms to help protect Washingtonians.”
The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the office to publish the report. The Attorney General provides the report as a public service to provide Washingtonians with critical information to help them safeguard their data.
The report includes recommendations to policymakers and best practices for the public to protect their data and minimize risks.
The public can access the Attorney General’s database of breaches at https://www.atg.wa.gov/data-breach-notifications.
Another record-high year
Data breach activity remains at historic levels after last year’s torrent of breaches.
State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed, and report breaches impacting more than 500 Washingtonians to the Attorney General’s Office. Breached businesses and agencies sent 4.5 million of these notices to Washingtonians in 2022. This year’s number of data breach notices is the second highest after last year’s record of 6.3 million notices.
The Attorney General’s Office received 150 data breach notifications this year, also the second highest amount after the 2021 record. This is more than double the average number of breaches from the first five years the report was issued, 2016 to 2020.
The number of larger breaches — breaches affecting more than 50,000 Washingtonians — remained in the double digits for the second year in a row.
This is the second consecutive year Washington was hit with a “mega breach” — a breach affecting more than one million Washingtonians. This year, a cyberattack on T-Mobile exposed the data of more than 2 million Washingtonians. This is the largest breach to hit the state since the Equifax breach of 2017, which affected 3.2 million Washingtonians.
Cyberattacks and ransomware remain at prolific levels. Malicious cyberattacks accounted for 68 percent of all reported data breaches. Ransomware — a type of cyberattack in which criminals use malicious code to encrypt or hold data hostage in hopes of receiving a ransom payment from the data holder — was involved in 43 data breaches this year.
The data used in the report is acquired through a high-level review of breach notices submitted to the office. A list of all data breach notices that have been sent to the office since 2015 is publicly available at https://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
A roadmap for strengthening data privacy in Washington
The report makes several policy recommendations for Washington lawmakers to strengthen privacy and data breach protections.
Working Abroad as a Cybersecurity Professional: What You Need to … – tripwire.com
The world is becoming a smaller place. The prospect of working in another country becomes increasingly realistic and even promising as businesses migrate toward the cloud and collaborate more closely with international partners. Amid this shift, cybersecurity professionals may wonder if they can work abroad.
Cybersecurity is a worldwide concern, creating plenty of global opportunities for security professionals. They may not even have to be in the same country as their employers to provide their services. This opens up many questions for those who are considering a move to another region. Here is a closer look at some of these questions.
In any industry, working in another country requires some country-specific understanding. Beyond differing workplace cultures, cybersecurity professionals should expect to encounter different demands and regulations.
Cybersecurity workers in the U.K. should understand the National Cyber Security Centre (NCSC) and its role in their work. Similarly, professionals in the EU must consider GDPR more heavily in all their decisions. Some of these regulatory differences will be more stringent than what employees see in the U.S., while others won’t. However, they require adaptation.
Just as there are cost-of-living adjustments within a particular country, there will likely be pay-scale differences between various nations, too. For example, a person working in the U.K. will be compensated differently than someone working in Singapore. Similarly, what companies expect from their cybersecurity partners varies slightly, but best security practices are universal, so professionals won’t need to relearn what is and isn’t safe. However, standard business practices and preconceptions will differ as well, so different challenges may be encountered there.
For example, the standard Israeli work week is 43 hours instead of 40 and runs from Sunday to Thursday instead of Monday to Friday. Sometimes, these differences are a legal matter, as in France, where the law holds that most workers aren’t responsible for responding to messages after hours.
Adapting to these differences may be challenging, but working abroad has many advantages. Most notably, security experts may be able to make more in other countries. Professionals in some nations earn six figures on average, and others may offer more flexibility and benefits than U.S.-based companies.
The potential for job growth and a wider choice of employment opportunities are other factors driving people abroad. The U.S. employs more cybersecurity professionals than anywhere else, but demand remains high globally. The U.K., Brazil, South Korea, and Japan have booming security industries that could give job-seekers unique opportunities.
Other workers may seek security jobs abroad simply because they want to see the world. Some countries may also have lower crime rates or easier tax regulations than the U.S.
Working abroad will bring unique challenges as well. People who move somewhere with another primary language may encounter communication barriers.
Required skills and backgrounds may also differ among countries. Skills that constitute a qualified cybersecurity expert in the U.S. may not carry the same recognition in Japan, so some workers may face limited options when moving internationally.
Traveling security workers who choose to work remotely will encounter some cybersecurity challenges of their own. They must remember to follow the best hybrid environment security practices to keep their data private.
Every country offers unique benefits and disadvantages for cybersecurity professionals working abroad. What constitutes the best place to work may differ depending on people’s preferences and needs, but generally speaking, some areas are better for cybersecurity than others.
India has rapidly growing IT and banking industries, creating plenty of opportunities for cybersecurity professionals. Switzerland also has a high demand for security workers thanks to its banking industry, and its low tax rate is also attractive. The EU has many opportunities, as legislation like the European Cybersecurity Act and GDPR raises the demand for security professionals. If you’re a person working abroad, it’s really important to understand the tax implications prior to making a commitment.
Some workers may migrate to areas with higher average salaries. Luxembourg has the highest average pay for cybersecurity professionals at more than $110,000 annually, but it also has a high cost of living. Japan, Belgium and the U.K. also offer globally leading salaries for security workers.
Some cybersecurity professionals may seek to work remotely. Remote work lets employees live where they want and opens the door to new opportunities, so it’s an excellent strategy for working abroad.
Experts predict that 25% of all jobs will be remote before long, but this trend is uneven across different industries. Naturally, fewer manufacturing jobs are remote than programming positions. Cybersecurity professionals looking into working abroad may wonder where this industry falls along that spectrum.
Many cybersecurity positions still require workers to be in-office at least some of the time, but several remote jobs are also available. Companies are becoming less stringent about noncritical requirements due to a global cybersecurity workforce gap of 2.7 million workers. More are accepting remote and hybrid security positions to fill this rising demand.
Cybersecurity is a global problem, so there is a demand for these workers worldwide. Professionals seeking a different experience, new setting or potentially higher pay can capitalize on this movement by working abroad.
Security experts who want to work for an international company, whether in that company’s home country or remotely, should expect differences in salary, culture, and even work hours. If they can adapt to these considerations, they can excel in this globally important profession.
About the Author: Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc. -
Dropbox discloses security breach – Security Magazine
Image by Freepik
Dropbox has disclosed a security breach after threat actors stole 130 code repositories from one of its GitHub accounts using employee credentials stolen in a phishing attack. The company said that no content, passwords, or payment information was accessed, and the issue was quickly resolved. The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent.
Upon discovery of the incident, security teams took “immediate action” to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, had been accessed or stolen.
“To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers,” Dropbox revealed on Tuesday.
The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors, Dropbox says, noting the company has more than 700 million registered users.
The company also revealed that its core apps and infrastructure were unaffected, as access to this type of code is more limited and strictly controlled.
“Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here,” Dropbox said. The company hired outside forensic experts to verify its findings and reported the incident to appropriate law enforcement and regulators.
Nick Rago, Field CTO at Salt Security, says the Dropbox security breach “serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository.”
Dr. Eric Cole, Advisory Board Member at Theon Technology, says there are several red flags raised in reading the details of the disclosure. “Why was Dropbox/GitHub targeted, and what was the attacker after? Attackers do not break into an organization with no goal or objective. Dropbox is making this sound like it was just a casual attack and no real damage happened, but very rarely is that true. Either the attacker did indeed compromise sensitive data, and it was not discovered yet, or information was taken that can be used for extortion or ransom payments. In summary, stay tuned; what was initially reported and what will be reported over the next several weeks is going to most likely change dramatically.”
Toyota Suffers Data Breach from “Mistakenly” Exposed Access Key … – Spiceworks News and Insights
Toyota discovered the leak after a third party was able to access a company server with credentials that they obtained from source code published on GitHub by a third party contractor.
Japanese automaker Toyota suffered a breach of customer records after a hacker obtained credentials for one of its servers from source code published on GitHub by a website development subcontractor. The third party “mistakenly uploaded part of the source code to their GitHub account while it was set to be public”, the company said.
As a result, the company said that email addresses and customer management numbers of as many as 296,019 customers were leaked. However, Toyota, one of the two biggest global automakers by revenue, seems to have caught a stroke of luck, considering the access key in the source code on GitHub was exposed for five years, between December 2017 and September 15, 2022.
“It’s instructive just how much potential damage can come from a simple mistake and that the mistake can take years to identify,” Chris Clements, VP of solutions architecture at Cerberus Sentinel, told Spiceworks. “This is far from the first time an organization has had private information potentially exposed from uploading secret keys or passwords to public code repositories or exposed cloud storage buckets.”
Toyota said a website development subcontractor “mistakenly uploaded part of the source code to their GitHub account while it was set to be public” in December 2017. This led the unknown hacker straight to the server containing customers’ data associated with the company’s infotainment system T-Connect.
“This is a very common password theft scenario. It’s been estimated that hundreds of thousands of exposed passwords are up on GitHub waiting for anyone who can access the source code to reveal it,” Roger Grimes, defense evangelist at KnowBe4, told Spiceworks. “Example projects have revealed that passwords located in code uploaded to GitHub have been accessed and used against the victim in less than 30 minutes. It’s a big problem.”
The silver lining to the leak is that customer names, phone numbers, credit cards, etc., remain unaffected. With no additional personal information about the user, threat actors cannot tailor their social engineering efforts while carrying out phishing attacks, making them a bit less severe.
However, email IDs tend to be made up of names, and with the associated customer management numbers, phishing, even if weakened, certainly is a concern.
Customers whose data was leaked should get an apology email from Toyota. The company has also set up a page for customers to check whether their email addresses have been leaked and has set up a call center to answer any questions.
“It [the leak] points to just how difficult a challenge that data proliferation presents. Every copy of data from employees to subcontractors presents an additional avenue for inadvertent disclosure. It doesn’t matter if your main storage location is heavily secured and monitored if a user can just copy that data to a cloud service outside of your control,” Clements added.
Grimes opined that developers need to be more careful in dealing with the complexities of the cloud. After all, the human element has proven to be a weak link in organizations’ cybersecurity. Attackers favor human-centric weaknesses because they feed social engineering efforts or, as in Toyota’s case, lead them straight to the server.
In its 2022 Data Breach Investigations Report, Verizon noted that 82% of data breaches involved a human element. “Developers need to know that putting active, production passwords into source code is not allowed. We need to make developers realize that putting passwords into source code, even for testing purposes, is like running with scissors…nothing good can come of it,” Grimes added.
Toyota said it hasn’t noticed any unauthorized use of data but warned customers to remain vigilant of spoofing or phishing scams. To mitigate the fallout of the breach, the company removed third-party access to the server, changed the access keys, and changed the GitHub repository to private.
Clements and Grimes suggested a policy-driven approach to minimizing similar errors. Clements said, “Like most things in cybersecurity, there are no easy answers because it’s not an easy problem. Considering that truism, it’s imperative that organizations adopt a cultural approach to cybersecurity that is integral to every business process. It’s still not an easy job, but it’s much more manageable when every person understands the need for secure operations and what their responsibilities are.”
Grimes added, “The solution is the defense-in-depth combination of policies, technical tools, and education to prevent errant passwords from being left in source code.”
Jordan Schroeder, managing CISO at Barrier Networks, spelled out some concrete steps regarding the use of access keys to avoid a similar situation.
“Addressing these weaknesses requires implementing secrets management so that access keys are pulled from secured secrets servers and not hard coded into software, by locking down the development environment to prevent public access, and by setting up automated code repository security and access reviews, which includes searching the internet for code snippets that would indicate source code leakage,” Schroeder told Spiceworks.
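The repository scan Rago recommends in the Dropbox piece above and the secrets-management controls Schroeder describes here, as an added example that is not Dropbox’s, Toyota’s or either vendor’s code: a small Python scanner that flags known key formats and high-entropy quoted assignments, run over a constructed config file, alongside the runtime lookup that replaces a hard-coded key. The AWS access key ID and GitHub token prefixes are real public formats and the AWS value is Amazon’s documented placeholder; the pattern names, entropy threshold, `load_secret` helper and sample file are assumptions made for this illustration.

```python
"""Added example (not Dropbox's, Toyota's or any vendor's code): a minimal
source-code secret scanner plus the runtime lookup that replaces a hard-coded key.
The key formats below are real public prefixes; everything else is constructed."""
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# Token formats with a fixed, documented shape. Matching these is cheap and
# has few false positives, so they are checked first.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Fallback: a credential-looking name assigned a quoted literal of 8+ chars.
# Placeholders such as "changeme" also match, so the value's entropy is
# checked before reporting (the threshold is an assumption tuned for this sample).
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""
)


@dataclass
class Finding:
    lineno: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per suspected secret. A line that hits a specific
    pattern is not re-reported by the generic rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pat in SPECIFIC_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(lineno, "generic_assignment", m.group(1)))
    return findings


def redact(value: str) -> str:
    """Never echo the full secret into CI logs; a prefix and the length suffice."""
    return f"{value[:4]}...[{len(value)} chars]"


def load_secret(name: str, env=os.environ) -> str:
    """The hardened alternative (hypothetical helper): the key is injected at
    runtime by the platform or secrets manager and never lives in the repo.
    Refuse to start on a missing value rather than fall back to a default."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name!r} not provided") from None


# Constructed sample of a config module accidentally committed (not real data;
# the AWS value is Amazon's documented placeholder key ID).
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "Tr0ub4dor&3-x9Qz"
PASSWORD = "changeme"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
API_KEY = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.kind} {redact(f.value)}")
```

Run as a pre-commit hook or in CI, the scan reports the AWS key ID, the database password and the GitHub token, ignores the low-entropy placeholder, and leaves the `os.environ` lookup alone, which is the shape the hard-coded lines should take once the keys are rotated and moved into a secrets store.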
Samsung says customer data stolen in July data breach – TechCrunch
Electronics giant Samsung has confirmed a data breach affecting customers’ personal information.
In a brief notice, Samsung said it discovered the security incident in late July and that an “unauthorized third party acquired information from some of Samsung’s U.S. systems.” The company said it determined customer data was compromised on August 4.
Samsung said Social Security numbers and credit card numbers were not affected, but some customer information — name, contact and demographic information, date of birth, and product registration information — was taken.
“The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter,” said the statement.
Samsung spokesperson Chris Langlois told TechCrunch by email via crisis communications firm Edelman that demographic data relates to customer information used for marketing and advertising, but didn’t specify what types of data this includes. Langlois added that registration data, provided by customers in order to access support and warranty information, includes product purchase date, model, and device ID.
Langlois declined to say how many customers were affected or why it took Samsung more than a month to notify customers about the breach, which was announced just hours ahead of a U.S. holiday weekend marking Labor Day.
“Even though the investigation is ongoing, we wanted to notify our customers to make them aware of this matter because we understand how important their privacy is,” Langlois said.
The company noted that it has taken steps to secure its systems and has brought in an unnamed third-party cybersecurity firm. Samsung said it was coordinating with law enforcement.
This is the second time Samsung has confirmed a data breach this year. In March, the company admitted that the Lapsus$ hacking group — the same group that infiltrated Nvidia, Microsoft and T-Mobile — obtained and leaked almost 200 gigabytes of confidential data, including source code for various technologies and algorithms for biometric unlock operations.
Cybersecurity jobs: Why are employers turning away talent? – Tech Monitor
It’s not just cybersecurity talent that is in short supply, but also ideas on who to recruit and how.
By Greg Noone
Ian* had spent four years as a lorry driver before he decided to pursue jobs in cybersecurity. More people were needed in the sector than ever before, he’d heard. Besides which, Ian recalls, “I wanted more”; more money, more opportunities for career progression.
And so, he began teaching himself the rudiments of computer science through courses he found online. “I started one, and it was brilliant,” says Ian. “I was like, ‘Yeah, you know what? I could do this as a career.”
Finding time to study with a full-time job and a young family was difficult, but after he was put on furlough during the first national lockdown, Ian knuckled down on a £749 course for CompTIA Security+ certification (“That was the discounted price,” he says.)
When it became clear his old job was no longer viable, Ian parlayed the resulting accreditation into a job as an IT technician at the school where his wife worked. Impressed by his enthusiasm, his manager allowed him to study for further qualifications on the job.
Ian thought that this combination would put him in good stead with recruiters for entry-level cybersecurity jobs. He was wrong. After applying for dozens of vacancies for SOC analysts and junior pen testers, Ian saw that most recruiters were asking for two or three years’ experience in similar roles, in addition to a set of unfamiliar qualifications and skills. Progression would involve investing hundreds of pounds more into additional training courses, although it was difficult to know which ones were worthwhile enrolling onto.
“I don’t know what skills these people are looking for,” says Ian. Even if he did know, it’s difficult to find the time to study. “I’m spending six hours a day going to fix a broken PC or replace a mouse that a student’s broken. It takes me away from sitting there [and] learning Python, learning SQL.”
Ian’s story is all the more remarkable given the strength of demand for cybersecurity professionals in the UK. According to recent figures, 51% of all businesses have identified a shortage in basic cybersecurity skills, a reflection of the global estimate of 2.7 million vacancies for cybersecurity jobs.
This shortage of talent is making businesses of all stripes more vulnerable to cyberattack. Earlier this month, a report from Fortinet estimated that up to 80% of breaches can be linked in some way to the cybersecurity skills crisis.
But this isn’t just down to a general shortage of candidates in cybersecurity recruitment. Businesses themselves are making elementary mistakes in how they hire and retain talent.
“They’re putting the job out there, and they’re requesting too much from these roles,” says Jason Nurse, a cybersecurity professor at the University of Kent. Simply put, businesses are envisioning an ideal candidate that simply doesn’t exist. Other firms, meanwhile, do not know what they want their new recruits to accomplish once they join and fail to ensure clear paths for career progression or even hint at supplementary in-house training.
This leaves applicants like Ian high and dry. “There’s people out there that are willing to train, willing to even pay for it themselves, but they need to be in the job to learn it, as well,” he says. “And I think that’s what they’re missing out on.”
It’s little wonder that a job in cybersecurity is attractive right now. Average salaries for cybersecurity jobs in the UK have ballooned, with some sectors seeing rises of 30 to 45%. Many businesses, however, either cannot match this or simply aren’t aware that offering anything less than £50,000 is likely to result in the job advertisement being roundly ignored.
The pandemic hasn’t made things any easier for the industry. Remote working has been a double-edged sword for businesses, vastly increasing their attack surfaces but allowing them to recruit for cybersecurity jobs from almost anywhere in the world.
However, while this might be great for individuals, companies outside London and the South East are suffering, explains Andrew Rose, resident CISO at Proofpoint. “They can’t even afford the people who are local to them to come and work for them,” says Rose, “because they’re insisting on bigger wages from the bigger companies who can actually pay.”
Even if they get the salary they want, new starters may not be inclined to stick around. “Stress levels have gone up,” says Rose, especially since the pandemic. An increased attack surface means bigger workloads for security teams, and it’s not unusual for cybersecurity personnel to burn out within months. Add in the general shortage of talent and highly competitive salaries, and it becomes much more difficult for businesses to retain staff.
Unsurprisingly, specialist recruitment agencies have gotten bolder in poaching talent – leading to bizarre outcomes in some cases. “I had an experience with one organisation where a recruitment agent phoned up one of my staff to offer him a job in my team,” recalls Rose.
Not that companies themselves fare any better when it comes to recruiting. With HR departments bringing recruitment in-house, the risk that requirements for cybersecurity jobs get lost in translation has risen. When the GDPR came into force in 2018, recalls Gary Hibberd, a consultant with the Cyberfort Group, “you had recruiters asking for people who had GDPR experience of five years or more.”
Then there are those companies that know exactly what they want from applicants and will not compromise on getting it. This is a symptom of increased specialisation in cybersecurity generally, explains Nash Squared’s global CISO Jim Tiller, but it also leads to unrealistic job advertisements. Unless you’re a massive organisation with money to burn, says Tiller, “it’s hard to hire a team that just does threat hunting.”
This also points toward a wider ‘expectations gap’ in cybersecurity recruitment, says Hibberd, which assumes that those applicants who have the necessary qualifications but not the experience, and vice-versa, are unsuitable. “There are a lot of people out there who have the requisite skills,” he says. “They may be 20-year-olds, they may be 17-year-olds, they may be 25, they may be 45, but they’ve got the skills. What they may lack is experience.”
By prioritising experience over expertise, argues Hibberd, companies risk missing out on recruiting truly talented individuals. “There’s hundreds of thousands of people who are developing skills in their own time,” he says, “but maybe lack the experience of working with an organisation or with a client to actually [use them.]”
In-house training opportunities are also uneven, explains Tiller. In his experience, most cybersecurity tools “are not fully implemented,” he says. “They may be only leveraging 2%, or 3%, or even 20% of the feature capabilities.”
This contributes toward an overall impression that such roles consist of little more than putting out fires. This negative impression of cybersecurity poses an existential threat to the profession, argues Rose. Computer scientists fresh out of university, after all, seem more likely to pursue more creative developer jobs if they think a career in cyber defence consists of playing whack-a-mole against hackers and little else. Ultimately, argues Rose, “they don’t see it as a thing that needs attention and support, and a big career option.”
Where does this leave businesses? One thing hiring managers can do is broaden their definition of who suits a cybersecurity role, explains Tiller. “You need to think of similar skillsets that play into a specialist area,” he says. “Maybe somebody who does threat hunting would maybe also be interested in monitoring, forensics, or incident response.”
Businesses should also be open to hiring from a more diverse pool of candidates. One recent survey indicated that 70% and 61% of organisations have experienced difficulties in recruiting women and minorities respectively. Companies should also accommodate more neurodiverse candidates, says Hibberd.
Raw enthusiasm should also count for more, he adds: “I want to hire that person who says to me, ‘Oh, I take computers apart, I like to learn how they work,’ you know? ‘I built my own lab at home,’ [or] ‘I go on hack-me websites and various other places, and I play.’”
Once they’re hired, says Rose, businesses also need to work much harder at convincing new staff that it’s worthwhile staying. That doesn’t just involve regular reviews of salaries, but also investing where possible in the latest software and in-house training, while ensuring that members of the cybersecurity team know there’s a path to promotion within the firm.
Ultimately, says Rose, it comes down to building a corporate culture where new arrivals “feel part of a wider family, so they can actually feel like…they’re working as a real team, and they feel like they’re effective.”
That’s easier said than done for many organisations, acknowledges Rose. Inevitably, firms with larger recruitment budgets will pull in a higher quality of talent. “You’ll find that the recruitment crisis at a charity will be a lot worse than the recruitment crisis at a top bank,” he says, which itself speaks to the increasingly shallow pool of talent that’s available.
“What we really need is more people in the industry,” says Rose. “And that’s something we’ve been talking about for years and years, and we just don’t see that coming through.”
There are signs, however, that that is beginning to change. The UK government, for example, is investing more in digital upskilling across the board, while “more and more universities [are] offering undergraduate security courses,” says Nurse.
Big Tech is also pitching in. IBM has pledged to enhance cybersecurity skills training in its plan to digitally upskill some 30 million people worldwide by the end of 2030, while Microsoft has recently pledged to expand its existing cybersecurity skills partnerships with US community colleges to 23 additional countries.
That effort also involves boosting the diversity of those applying for cybersecurity courses. “In the countries where we’re actually expanding the initiative, on average only about 17% of the workforce is female,” says Kate Behncken, vice-president and lead of Microsoft Philanthropies. “Leaving women out of the cybersecurity workforce leaves talent on the table and will only hurt our ability to close the skills gap.”
Training takes time, however, and with millions of vacancies to fill, the demand for external cybersecurity consultants is only growing, with the UK’s cybersecurity sector reporting a 14% rise in revenues in 2021.
Automation in cybersecurity may also advance as a result of the crisis, adds Rose, although most IT departments currently don’t have the time or the energy to even begin thinking how they can do it themselves. “They’re too busy fishing people out of the river to go and figure out who’s throwing the people in the river a bit further up,” he says.
Ian, meanwhile, is still trying to find a way to break in. He was recently hired as a network manager at another educational institution, and hopes that the role will give him more time to pursue his studies. Even so, he remains jaded at the lack of mentorship opportunities for individuals seeking to transition into cybersecurity from other professions.
What would make his life easier, and thousands of others like him, explains Ian, are more apprenticeship schemes – courses that would allow him to showcase his passion for solving cybersecurity problems more than a CV ever could.
“I’m a learn-on-the-job person,” he says. “Show me once, let me do it once, let me ask questions, and I’m good. That’s my theory. That’s how I learn.”