Category: Uncategorized

In this article, Cyber Security Hub explores the best ways to educate employees on email-based cyber attacks and how to ensure they follow cyber security safety practices. 
When surveyed by Cyber Security Hub for its Mid-Year Market report 2022, three in four cyber security experts said email-based threat vectors social engineering and phishing attacks were ‘the most dangerous threat’ to cyber security. 
One of the reasons why these threats are so dangerous is because of how widespread these attacks are. International consortium and fraud prevention group the Anti-Phishing Working Group (APWG) recording a total of 3,394,662 phishing attacks in the first three quarters of 2022. The APWG noted that each quarter broke the record as the worst quarter the organization had ever observed, with 1,025,968 attacks in Q1, 1,097,811 attacks in Q2 and 1,270,883 attacks in Q3. 
Social engineering and phishing attacks are often utilized by hackers to directly target employees inside a business. In 2022, research by the UK’s Department for Digital, Culture, Media and Sport (DCMS) found that of all UK businesses that identified a cyber attack against them, the threat vector for almost nine in 10 (86 percent) of those attacks was phishing.  
As these attacks specifically target employees, it places the responsibility for ensuring the attack does not progress in the employee’s hands. If employees are unsure of what to do in the event of a cyber attack, which a reported 56 percent of Americans are, then this can have devastating consequences.
These consequences are likely the reason why almost a third of cyber security professionals (30 percent) say that a lack of cyber security knowledge is the number one threat to cyber security at their organization. 
Ensuring good cyber security within businesses requires employees to be engaged with their training so they are better able to retain the information and use it at a later date when they do come across cyber security threats.
If employees are more aware of how cyber attacks can begin and progress, they will be less susceptible to them. Making sure employees remember this training however, is important. Email security company Tessian found that almost two thirds (64 percent) of employees admitted to not paying full attention during cyber security training and 36 percent said that they found the training ‘boring’.
If employees are not engaged, they may miss information that may be vital in the case of an actual cyber attack. With the World Economic Forum finding that 95 percent of cyber security issues can be linked to human error, businesses cannot afford this risk.
Below, Cyber Security Hub explores the tactics companies can use to better engage their employees during cyber security training.
In a discussion between Cyber Security Hub’s Advisory Board, one member suggested linking cyber security to a company’s universal goals. This helps employees understand that they are all responsible for cyber security.  
The board member explained that to do this, their company will conduct multiple phishing tests throughout the year, with the score of said tests affecting employee’s bonuses. This is because phishing attacks have an indirect influence on a company’s bottom line. Cyber attacks cost a lot of money, meaning if a cyber attack occurs, companies will lose money in operations costs. Additionally, cyber attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in profits. 
With bonuses directly linked to profit, financially motivated employees will be encouraged to be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.
Simulated phishing attacks can also be used to ensure employees are engaged with the subject matter, both as it requires hands-on learning and can demonstrate to employees the risks of not properly evaluating emails in real time. They can also be gamified to avoid employees ‘turning off’ during training as one in three employees report increased learning engagement when using gamified learning techniques.
Companies can also better engage their employees through the use of short-form video content. Studies have shown that the use of eLearning techniques like video content can increase information retention rates by up to 60 percent. With employees on the front line of defense against social engineering attacks, this retention increase can really make a difference. 
Video-based training content can include a number of different things, including real-life case studies performed by actors as video testimonials.  An example of this is a video shared to multiple social media sites entitled ‘My LinkedIn post cost my company a fortune’. 
In the testimonial, an actor shares the story of an employee who was directly involved in a cyber attack. He explains that someone posing as a recruiter enticed him into communicating with them first through comments on his LinkedIn posts, then via messages with a lucrative job offer.  
He shares that the faux recruiter built a relationship with him and finally sent him a PDF which, supposedly, contained the job offer. Instead, upon downloading and opening it, the victim found that it contained only a cover letter and two blank pages. When they reached out to the supposed recruiter, the recruiter explained that it was a secure file, and prompted him to download and install a secure PDF reader to view it properly. When this still did not work, the victim contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to level an attack against the company. 
In a final statement, the actor warns watchers that job scam attacks are becoming more prevalent as people are frequently expected to communicate with strangers and download the attachments sent to them.
By using these eLearning techniques, companies can reaffirm the position of employees in protecting the business from cyber attacks, as well as offering them a framework of what to do during a cyber security incident. It can also provide them with tips of what to look for in potentially malicious communications.
Companies can ensure that their employees are more engaged with cyber security training by showing them that cyber security is inherently tied into their role, even if they do not have a security-based role.
By using training techniques that are designed to boost employee concentration, information retention and understanding, businesses can help strengthen themselves against future cyber attacks by best equipping their employees with key knowledge. 
February 21 – 22, 2023
Free CS Hub Online Event
22 February, 2023
Online
01 March, 2023
Online
08 – 09 March 2023
Free CS Hub Online Event
08 March, 2023
Online
15 March, 2023
Online
Insights from the world’s foremost thought leaders delivered to your inbox.
2023-03-15
10:00 AM – 11:00 AM EST
2023-03-15
10:00 AM – 11:00 AM SGT
2023-03-08
10:00 AM – 11:00 AM EST
Reach Cyber Security professionals through cost-effective marketing opportunities to deliver your message, position yourself as a thought leader, and introduce new products, techniques and strategies to the market.
Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.
Cyber Security Hub, a division of IQPC

Careers With IQPC| Contact Us | About Us | Cookie Policy
Become a Member today!
Already an IQPC Community Member?
Sign in Here or Forgot Password
Sign up now and get FREE access to our extensive library of reports, infographics, whitepapers, webinars and online events from the world’s foremost thought leaders.
We respect your privacy, by clicking ‘Subscribe’ you will receive our e-newsletter, including information on Podcasts, Webinars, event discounts, online learning opportunities and agree to our User Agreement. You have the right to object. For further information on how we process and monitor your personal data click here. You can unsubscribe at any time.

source

The Colonial Pipeline ransomware attack in 2021, the Yahoo breaches in 2014, and the ongoing cyberattacks organized by Russia to disrupt Ukrainian military operations—these are some of the high-profile attacks that have established cyber warfare as a formidable threat. Now a whole generation of venture capitalists is paying attention to this fast-growing sector. “Even the stuff that we think has been solved has to be solved again, which is why cyber risk is job security for VCs,” explained Bessemer Venture Partners investor David Cowan.
Indeed, while layoffs and recession fears are rippling through Fortune 500 companies, cybersecurity stands out as one place where companies are reluctant to cut back. To find out which VCs are making their mark with the most promising young companies, we talked to cyber experts, entrepreneurs, and VCs themselves. The investors featured on this list have spotted some of the biggest startups before there was a product and, in some cases, before there was even an idea. Some dealmakers have been in the industry for decades; others are rising stars. 
“We’re looking to invest in next-generation technology capabilities that can materially reduce the amount of labor or manual effort required to manage cyber risk across the entire cybersecurity program,” said Jay Leek, partner at Syn Ventures. Leek was the head of security at Nokia globally before becoming the first chief information security officer (CISO) in private equity at Blackstone. In 2017, he started his first venture fund, called ClearSky Security, before founding Syn Ventures in 2021, which is the only venture fund to be led by two former full-time CISOs of Fortune 500 companies. Syn Ventures has spotted industry-shifting companies, like Cylance and hybrid workforce protection company Talon Cyber Security, before founders had a product or revenue. 
“When I started [26 years ago], it was mostly operational issues at an enterprise that were at risk. Now it’s strategic,” said Ted Schlein, founding partner at Ballistic Ventures, which is a cybersecurity-focused VC firm. “Boards of directors are forced to pay attention to cyber-risk issues; the CISO has become one of the most important executives in an organization; and spending to keep the enterprise safe has steadily increased,” he added. Schlein has been a partner at Kleiner Perkins since 1996 and has backed some of the most seminal cybersecurity companies to date. Schlein led security operations company Phantom’s Series B round prior to the company being acquired by Splunk for $350 million in 2018. He was an early investor in fraud prevention company Shape Security, which was acquired by F5 in 2020. 
Alberto Yépez, Forgepoint Capital’s founding partner, has had a legendary career in cybersecurity as an entrepreneur, executive, private equity investor, and now venture investor. Empathy is at the core of his investing approach. “You need to gain the hearts and minds of entrepreneurs,” he explained. “I want to be the investor that I always wanted to have in my corner.” Yépez was born in Peru and moved to California to attend the University of San Francisco. He co-founded Forgepoint Capital, a fund focusing on cybersecurity companies, in 2015 along with Don Dixon. As a VC, Yépez was a seed investor in threat intelligence platform AlienVault, which was acquired by AT&T in 2018. Attivo Networks, an attack prevention company that Yépez invested in, was acquired by SentinelOne in 2022. Area 1 Security, an anti-phishing email protecting service Yépez was an early investor in, was acquired by Cloudflare in the spring of 2022. Yépez emphasized his commitment to fostering greater diversity in the cybersecurity space, especially by recruiting veterans, women, and people of color. 
As any cybersecurity expert will tell you, Israel is a hub of cybersecurity tech innovation. Many VCs seek out founders that have been a member of Unit 8200, Israel’s national intelligence unit, as well as entrepreneurs who have come out of intelligence networks in other nations. Prior to her career in venture, investor Iren Reznikov was an economist at the Ministry of Finance in Israel where she navigated investment treaties internationally, many of which were in the cybersecurity sector. Since jumping into venture, she has made huge key investments at YL Ventures in automotive security firm Karamba Security and cybersecurity asset management Axonius, which is valued at $2.6 billion. Now she is a partner at S Ventures, the venture arm of cybersecurity giant SentinelOne that was launched in September 2022, and leads the $100 million multistage fund investing in cybersecurity internationally. “I’m looking for flexibility of mind in founders because the startup journey is so dynamic, and no matter when you’re investing in the company, things will always change,” she explained. 
Even among the top investors, Gili Raanan’s track record is remarkable: Of the nine initial investments he made when starting his own fund, Cyberstarts, in 2018, five have become unicorns, and the investments are now valued at $20 billion. He owes his success to one core tenet of his investing: “Product ideas are overrated, and people are underrated,” he explained. At Cyberstarts, Raanan recruits the founders first, and the team helps them hone their idea and later their product.
You can click here to read our full list of 13 VCs dominating cybersecurity.
Lucy Brewster
Twitter: @lucyrbrewster
Email: lucille.brewster@fortune.com
Submit a deal for the Term Sheet newsletter here.
Jackson Fordyce curated the deals section of today’s newsletter.
VENTURE DEALS
– PASQAL, a Paris-based neutral atoms quantum computing company, raised €100 million ($108.58 million) in Series B funding. Temasek led the round and was joined by the European Innovation Council Fund, Wa’ed Ventures, Bpifrance, Quantonation, the Defense Innovation Fund, Daphni, and Eni Next.
– SetPoint Medical, a Valencia, Calif.-based clinical-stage health care company for patients with chronic autoimmune diseases, raised $80 million in funding co-led by new investors Norwest Venture Partners and Viking Global Investors. 
– CYGNVS, a Los Altos, Calif.-based guided cyber crisis response platform, raised $55 million in Series A funding. Andreessen Horowitz led the round and was joined by Stone Point Ventures and EOS Venture Partners. 
– Rumin8, a Perth, Australia-based climate technology company, raised $12 million in seed funding. Breakthrough Energy Ventures led the round and was joined by Harvest Road Group.
– Scenario, a Paris and San Francisco-based game asset development company, raised $6 million in seed funding. Play Ventures led the round and was joined by Anorak Ventures, Founders, Inc., Heracles Capital, Venture Reality Fund, and other angels.
– Traction Complete, a Port Moody, Canada-based data management solutions provider, raised $5 million in funding co-led by Pender Ventures and Thomvest Ventures.
PRIVATE EQUITY
– Thoma Bravo agreed to acquire Magnet Forensics, a Waterloo, Canada-based digital investigation solutions developer for cybercrimes, for CAD $1.8 billion ($1.35 billion).
– Ardian agreed to acquire a majority stake in Assist Digital, a Milan-based customer experience services provider.  Financial terms were not disclosed.
– CIVC Partners acquired a majority stake in Industrial Networking Solutions, a Richardson, Texas-based wired and wireless products reseller. Financial terms were not disclosed. 
– Mod Op, backed by Alterna Equity Partners, acquired Context Creative, a Toronto-based creative agency. Financial terms were not disclosed.
– WestView Capital Partners acquired a minority stake in Mobility Market Intelligence, a Salt Lake City-based data intelligence, analytics, and sales tools provider to the mortgage and real estate industry. Financial terms were not disclosed. 
EXITS
– An affiliate of One Rock Capital Partners acquired EnviroServe, a Cleveland-based environmental and waste management services provider, from Savage. Financial terms were not disclosed. 
OTHER
– Xylem agreed to acquire Evoqua, a Pittsburgh-based water treatment solutions and services company. TheA deal is valued at approximately $7.5 billion.
– Blue Wheel, a Rochester Hills, Mich.-based digital commerce agency, and Retail Bloom, a Rochester Hills, a Mich.-based e-commerce marketplace agency merged to form Blue Wheel.
– McKinsey & Company acquired Iguazio, a Tel Aviv-based data science platform. Financial terms were not disclosed. 
FUNDS + FUNDS OF FUNDS
– Highland Europe, a Geneva and London-based venture capital firm, raised €1 billion ($1.09 billion) for its fifth fund focused on growth- stage software and consumer internet companies in Europe.
PEOPLE
– Intuitive Ventures, a San Francisco-based venture capital firm, hired Murielle Thinard McClane as a director. Formerly, she was with Ontera.
– J.F. Lehman & Company, a New York-based private equity firm, hired Erik P. Toth as managing director and Kellan M. Strain and Rikke L. Gillespie as vice presidents. They also promoted Michael J. Greenspan to principal and Tyler W. Creamer and Alfred E. Johansen to vice president. Formerly, Toth was with Larx Advisors, Strain was with Alvarez & Marsal, and Gillespie was with Larx Advisors.
– Swander Pace Capital, a Bedminster, N.J. and San Francisco-based private equity firm, promoted Alex Litt and Robert Vassel to directors.
This is the web version of Term Sheet, a daily newsletter on the biggest deals and dealmakers. Sign up to get it delivered free to your inbox.
© 2023 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information | Ad Choices 
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.
S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions.

source

Share this article
 

Estimated reading time: 5 minutes
While most of us are celebrating the holiday season, cyber attackers are planning their next wave of breaches. Sad, but true. So what should security experts be planning for?
Every year technology makes things a litter faster, cheaper or both. It’s the wonder of innovation – and it’s been this way for two hundred years. But new every advance brings some downside. And in the digital era, it’s cybercrime. Regrettably, for all the benefits ushered in by online connectivity, there are criminals dreaming up thefts and deceptions that take advantage of flaws in data storage, identity and encryption.
Every year the number of attacks appears to grow. In 2021, for example, the FBI 2021 Internet Crime Study reported 847,376 complaints in the US alone. That’s a seven percent increase from 2020. Meanwhile the Anti-Phishing Working found that in Q1 2022 there were 1,025,968 attacks — the worst quarter for phishing to date.
And the financial damage is growing too. In 2022, the average cost of an attack reached $4.35 million – up 2.6 percent on the previous year, according to IBM’s Cost of a Data Breach Report.  
On the flip side, cybersecurity experts are developing new tools to repel attacks. Also, awareness of the risks is growing. And given that criminals target employees as much as they do systems, this is an important development.

 
The need to promote awareness is critical, not least because the nature of the threats changes all the time. So what can we expect in 2023? We reviewed the insights of various experts – including Crowd Strike, Ntirety, Atakama, IBM, Cybertalk.org – to bring you this round up.
 
#1 –  Criminals will turn their attention to SaaS APIs 
Software as a Service is not new. But adoption is still growing every year. Experts believe cyber attackers will increasingly target the SaaS APIs that enterprises use to connect critical data and services. There could be targeted attacks on top-tier cloud providers. 
 
#2 –  Attackers could go after standalone 5G networks
5G standalone mobile networks represent a break with what has gone before. They are based around a virtualised core, and as such rely much more on software operations and automation than physical infrastructure. This makes them fast and capacious – but it also changes the nature of the security risk.
In 2023 the risk will be real rather than speculative. Why? Because at least 36 operators in 21 countries have launched public 5G SA networks, while 111 operators in 52 countries are planning deployments. 
 
#3 –  Data leak marketplaces will grow rapidly
One of the reasons for the proliferation of cybercrime is the ease with which criminals can share their expertise and illegal ‘assets’. In 2023, there could be explosive growth in new criminal marketplaces dedicated to advertising and selling victims’ data. Security specialist believe attackers will target industries such as healthcare that possess especially sensitive user information.
 
#4 –  Expect a boom in cybercrime-as-a-service 
The marketplaces mentioned above have lowered the barrier of entry for less experienced/technical cyber criminals. As the global economy stutters, there’s a risk that the supply of hackers-for-hire will grow. 
 
#5 –  No let-up in zero-day hacks 
A zero-day attack happens after a developer learns of a flaw – but before they release a patch to fix it. These hacks look set to grow thanks to greater information sharing (see above) among criminals.
 
#6 –  Economic and geopolitical uncertainty could weaken resistance to attacks
Enterprises are tightening budgets in response to macro-economic factors. Cyber security could come under budgetary pressure thanks to the high cost of cleaning up after a breach, paying for investigations, legal costs, changing security providers, to notifying customers and regulators etc. Criminal will exploit this.
 
#7 – Cyber insurance premiums will soar
Inflation is everywhere – and cyber security is not exempt. Experts believe 
cyber insurance premiums will skyrocket in 2024, with new compliance standards emerging around areas such as ransomware payments. Big breaches could incur big fines.
 
#8 – The combination of IoT and shadow IT will be a rich new attack surface
With billions of devices connected to the internet in 2022, attackers already have huge number of (often not well secured) connections to target. What might make this even worse in 2023 is the proliferation of IoT devices in shadow IT systems (ie devices, software, applications and services being used by employees without explicit IT department approval). 
 
#9 – There will be a fresh drive to protect DevSecOps environments 
Security departments still shiver at the memory of the SolarWinds attack in 2020. That hack saw criminals insert a few lines of malicious code into an IT management platform. As a result, they gained access to the networks of multiple companies and US federal agencies. 
It was a notably ‘successful’ attack, so more are definitely likely. Most will take place thanks to social engineering (persuading employees to share of passwords and log-in credentials). So we may see a special drive to protect DevSecOps platforms.
 
#10 – 2023 will be a breakthrough year for SASE
In the edge era, data and users will be more diverse, more widely distributed, and more vulnerable than ever. This vulnerability is the driver of SASE (secure access service edge). It’s a cybersecurity technology for organizations seeking simplified solutions, tighter technology stacks, and an alignment between network performance and security. 2023 could see a big increase in adoption.
 
#11 –  A major space-tech attack?
To date space tech has been relatively unaffected by cybercrime. But this market is growing fast, so experts have warned to be vigilant against potential breaches of satellites, launch centers, networks and communications.
 
#12 – A major crypto attack?
Unlike space, the crypto world is constantly another attack. Could 2023 be the year of a crypto breach that fatally undermines cryptocurrency as a viable financial instrument?
 
#13 – State-sponsored crime is growing
In a connected world, it’s inevitable that nations will use leaked credentials, supply chain attacks, breaches and industrial secrets to undermine their perceived enemies. This trend grew in 2022, and looks set to persist across 2023.
 
#14 –  Social engineers will focus more on ICS systems
Hackers use all sorts of techniques to persuade employees to share log ins and other sensitive information. But which employees? Specialists believe they will sharpen their focus on the gatekeepers of Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA). These systems are essential to the operations of industrial manufacturers. A breach can be catastrophic. 
 
#15 – Criminals will find ways to evade EDR 
Endpoint Detection and Response (EDR) describes security solutions that monitor end-user devices to detect ransomware, malware and so on. Security watchers say criminals have developed many EDR evasion techniques. They expect to see these tools go widely for sale on the dark web in 2023.
 
#16 – 2023 could be the year of deepfake cybercrime
Deepfake tech has been on the agenda for a few years, especially as the creation tools have become cheaper and more user friendly. Worryingly, 2023 could be the year it is deployed in ransomware – with deepfake pictures, videos and audio files used to ramp up the impact of attacks. 
 

 
Read more
Read more
Read more
Share this article
.
+33 (0) 1 57 77 80 00

source

Use the CRI to assess your organization’s preparedness against attacks, and get a snapshot of cyber risk across organizations globally.
Content added to Folio
Risk Management
Discover the four main types of cyber crime groups: access as a service, ransomware as a service, bulletproof hosting, and crowd sourcing as well as tips to strengthen your defense strategy.
By: Trend Micro November 10, 2022 Read time:  ( words)
Save to Folio
The adage “teamwork makes dreamwork” extends to cybercriminals as well. To launch more successful cyberattacks, malicious actors with different specialized skills have conglomerated to form Cybercrime as a Service (CaaS).
We’re now seeing people and groups specialize in various parts of the attack lifecycle. This means that we’re likely going to see less mistakes made leading to detections, and we should expect multiple groups colonizing an infected network.
Within CaaS there are four types of cyber crime groups:
Thinking from an incident response mentality, this means they will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks. Identifying the commonly used tactics, techniques, and procedures (TTPs) can help CISOs and security leaders strengthen their cybersecurity strategy and minimize risk.
Types of Cyber Crime Groups
1. Access as a service (AaaS)
Trend Micro Research analyzed Access as a Service (AaaS), a service offering in the undergrounds whereby malicious actors are selling access into business networks.
AaaS is composed of individuals and groups that use numerous methods to obtain remote access into an organization’s network. There are three types of AaaS sellers:
Groups who specialize in gaining access to networks and then purposely selling it to others are more worrisome as their access is usually solid and ensures their buyers that they can deliver their service. Both types of AaaS actors can be troublesome, but the latter is certainly the group that will trouble more organizations due to the complexity of attributing the initial attacker.
Read more: Organized Cyber Crime Cases: What CISOs Need to Know
2. Ransomware as a Service (RaaS)
Credited as one of the reasons ransomware attacks continue to increase, RaaS has enabled less-skilled hackers to launch costly attacks on large organizations – like SolarWinds – by providing the necessary tools and techniques.
This newfound accessibility has led to a dramatic 63.2% increase of RaaS extortion groups in the first quarter of 2022. The Trend Micro Research 2022 Midyear Cybersecurity Report found that over 50 active RaaS and extortion groups victimized more than 1,200 organizations in the first half of 2022.
LockBit, Conti, and Blackhat were the most prominent RaaS threat actors in the first six months, but new ransomware families like Black Basta and SolidBit are growing.
Read more: How to Prevent Ransomware as a Service (RaaS) Attacks
3. Bulletproof Hosting
Reliable web hosting services that can withstand abuse complaints and law enforcement takedown requests are critical to keeping a cybercriminal operation running smoothly and covertly. Bulletproof hosting services are essentially leased hideouts where malicious actors can store files or even the malware necessary for their attack campaigns.
Void Griffin offered its first fast-flux bulletproof hosting service in 2015 and has been home to many different APT groups and prominent malware families since.
Read more: Looking into The Void: Probing a Top Bulletproof Hosting Service
4. Crowdsourcing
Cybercriminals have turned to crowdsourcing their offensive research and development processes to find new attack methods. This relatively new type of cyber crime had increased in the last two years. Trend Micro Research observed an uptick in malware actors holding public contests in the criminal underground to find new creative attack methods.
Some contests will seek talent (like The Voice or American Idol), but these are rarer. Most contests are seeking knowledge; they’re looking for technical articles on new attack techniques, vulnerabilities, etc. And yes, a prize – or even multiple – are awarded to the best or most innovative technical proposal. Oftentimes the requests are more generic versus limiting the topic to a specific domain.
Trend Micro Research anticipates an increase in the number of crowdsourcing competitions, which in turn will accelerate criminal innovation. And such evolutions do not need to be major; small tactical wins can allow criminals to bypass current defenses.
Read more: From Bounty to Exploit: Cybercriminals Use Crowdsourcing for New Attacks
Cybersecurity Defense Strategies
So, how can you address the different types of cyber crime groups? Unfortunately, enterprises can’t jump into the cybercriminal underground and stop crowdsourcing. But they can work to prevent or limit the scope of the outcome by implementing a cybersecurity defense strategy that focuses on detecting and preventing the initial access breach.
The earlier you can detect the initial access of an attack, the more likely you can prevent the following components of the attack lifecycle from occurring, like ransomware. Here are other components to consider when creating an effective security strategy:
1. Partner with a security vendor that leverages global threat research to constantly monitor public breaches and bulletproof hosting services in the criminal underground. This ensures your solutions are optimized to defend against the latest threats. Additionally, by proactively locating and blocking the bulletproof hosting infrastructure, defenders can block attacks in the earlier stages of the kill chain.
2. Follow a zero trust approach to network security by implementing a SASE architecture. SASE is composed of Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) capabilities to strengthen protection and control across the attack surface.
3. Establish an incident response (IR) playbook to surface any security gaps. Make sure your IR teams or vendor understand the multi-attacker scenario and know where to focus their efforts.
4. Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilizing virtual patching.
5. Leverage trusted cybersecurity frameworks for password best practices like the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). The Center of Internet Security (CIS) provides thorough guidance on prioritization and resource management, as well as filling any gaps that could be exposed by attackers.
6. Use a unified cybersecurity platform with XDR capabilities to help consolidate and correlate threat activity across endpoints, cloud, networks, email, etc., for more visibility.
For more insights into types of cyber crime groups and how to strengthen your defense strategy, check out the following resources:
Trend Micro
CISO Resource Center

source

The search to find the mastermind of the attacker group Lapsus$ led to a home outside Oxford, England. The suspected leader was a 16-year-old. He helped take down some of the world’s biggest companies, including Microsoft, from his mother’s house. The BBC reported the teen is alleged to have earned $14 million from his attacks. The search for other group members led researchers to the arrest of six other teens.
The Lapsus$ group is just the latest example of teen cyber criminals. In 2021, Canadian police arrested a teen for stealing about $36.5 million in cryptocurrency using a SIM swap attack. Another teen, Ellis Pinsky, began stealing crypto when he was 15 and passed the $100 million mark by the time he was 18.
Reducing cyber crime committed by teenagers starts with knowing their motivation and paths. Of course, each person has their own reasons for their actions. Many teens start hacking because the challenge and fun entice them. Other teens turn to cyber crime because of their beliefs regarding a specific issue. Money is also a common reason, as in the case of Lapsus$.
Many teens stumble into cyber crime by mistake as they cross the line between ethical and unethical activities. In episode 112 of Darknet Diaries, a teenager who identifies himself as Drew shares his journey. Drew started by running a discounted server for a video game that led to selling stolen usernames.
While some teens start out with video games and piracy, new tools have created new paths into cyber crime for teenagers. Crypto is quickly emerging as a gateway, with a 13-year-old becoming a multimillionaire selling NFT art. Cybercrime related to NFTs is also increasing, including phishing, fake art and crypto wallet cracking. Both NFTs and related cyber crime may rise. It’s likely that many teen cyber criminals will start their journey with NFTs.
Teens who become cyber criminals often have a passion for, and expertise in, technology. The key to reducing the number who put on the black hat starts with focusing on using their interest and skills in positive ways instead of negative. The media often glorifies attackers, which can cause teens to gravitate toward the dark side. What if the industry focuses on increasing coverage and accolades for cybersecurity workers? That way, teens can see white hat roles or other professional careers in cyber defense.
Here are other ways to keep teens on the white hat path:
The cybersecurity industry needs more workers to help reduce the skills shortage and the high number of open positions. And at the same time, the industry needs to reduce the number of cyber criminals. Focusing on educating teenagers, especially younger teens, can help accomplish both goals. By encouraging careers in cybersecurity, the industry can gain the professionals needed to combat increasingly high-volume and sophisticated attacks.
Jennifer Goforth Gregory is a freelance B2B technology content marketing writer specializing in cybersecurity. Other areas of focus include B2B, finance, tec…
4 min read – As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting…
9 min read – James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks…
4 min read – Cyberattacks can cause immense damage to an organization’s system and have only increased in frequency over recent years. SQL injection is an especially devastating example. This form of attack involves exploiting a website or application code through the use of…
Some rare good news in the world of cyber crime trends: Certain crimes declined in 2022 after years of constant rises. Should we credit crypto?Some estimates say that cryptocurrencies have lost $2 trillion in value since November 2021. During that time, the costs associated with cyber crimes, such as ransomware payouts and financial scams, declined. Pop the champagne! The crypto crash is also crashing cyber crime, right? Well, not so fast. How Cryptocurrencies Enable Cyber CrimeThere are four major categories of cyber…
One of this year’s biggest positive cybersecurity events comes from the National Institute of Standards and Technology (NIST). For the first time since 2017, NIST is updating its digital identity guidelines. These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors. What is Digital Identity? To grasp the update’s importance, it helps to understand the role of digital identity in an organization’s security posture. In its 2017 guidelines, NIST defines…
Cyberattacks can cause immense damage to an organization’s system and have only increased in frequency over recent years. SQL injection is an especially devastating example. This form of attack involves exploiting a website or application code through the use of Structured Query Language (SQL). It is considered one of the most severe cyber threats, as it can give attackers access to sensitive data stored within databases, allows them to modify or delete data and even create new user accounts. With…
Attacks on service providers are mounting — and so are downstream victims. Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account. Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset…
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.

source

Smart city and IoT (Internet of Things) concept. ICT (Information Communication Technology).
With historic inflation, rising prices, the escalating Ukraine conflict, and massive job losses in banking and tech, policymakers and executives are stretched to deliver a recovery agenda to get the world back to normal. Most have little bandwidth for yet more problems to solve, like the impending perils faced by cyber threats.
Sadie Creese, a Professor of Cyber Security at the University of Oxford, said, “There’s a gathering cyber storm and it’s really hard to anticipate just how bad that will be.”
Speaking at the World Economic Forum in Davos in January, she was joined by other heavy hitters sounding alarm bells like Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL) who said, “This is a global threat, and it calls for a global response and enhanced and coordinated action.”
Their concern cannot be understated. Fortunately, heads are becoming unstuck from the sand pile of cyber threat denial, albeit slowly. We are facing an estimated $10 trillion (eight percent of global GDP) cyber damage headache by the year 2025 if we continue to take a “business as usual” approach to cybersecurity.
The statistics make grim reading. A 2021 CyberEdge report stated that 85 percent of the surveyed organisations in the report were affected by a successful cyberattack. Ransomware attacks have increased by 80 percent year-over-year with over 37,700 ransomware attacks happen every hour globally, that is about 578 ransomware attacks each minute.
Putting the size of the cyber threat problem into context is a herculean task. With global GDP estimated at $94 trillion, eight percent, or $7.5 trillion, is a hefty sum of money to put at risk to criminals.
Currently, the combined market value of FAANG (Facebook, Amazon, Apple, Netflix, and Google exceeds $3 trillion. If you compare this to the GDP of a country, Apple’s market cap is 2.1 times higher than Mexico’s GDP, and Amazon’s market cap is 4 times the GDP of Austria.
Add Microsoft into the mix, and its $1.8 trillion market cap would make it one of the richest countries in the world, with a value larger than the GDPs of Canada, Russia and Spain combined, even then however, the market cap of FAANG and Microsoft combined would only amount to $4.8 trillion.
Some of the best criminal minds are poised to control more money than the largest companies and countries in the world, and many criminal syndicates are state-sponsored.
This money will not be invested in new infrastructure, job creation, poverty alleviation, food security, or the environment. The money is lining the pockets of a cohort that are not acting in the best interests of “team humanity” or democracy.
The Internet of Things (IoT) has been an incredible contributor to humanity, but it comes at a cost. According to Statista the global number of connected IoT devices is expected to grow to 30 billion connections by 2025. Everything from car keys to baby monitors, laptops to mobiles are all potential single points of failure as their internet connectivity opens back doors to vulnerable networks.
In the past, enterprise and institutional security was ring-fenced, and could be managed within the walls of the organization, but with servers moving to the cloud, remote workers, and a proliferation of IoT devices creating a huge mesh of interconnectivity, borders are no longer identifiable or defensible.
This glaring weakness has been swept under the rug or at least underestimated by both Web2 and Web3 enterprises. Until there is a monumental major shift in our understanding and thinking of both cybercrime and cybersecurity, institutions and private citizens will continue to be victims relentless criminal hackers.
Monica Oravcova, co-founder and COO of Naoris Protocol says, ”When the World Economic Forum and the head of INTERPOL state that cybersecurity is in a crisis, it’s time that we change our approach and embrace new technologies like decentralized solutions, that remove the single points of failure, from traditional cybersecurity solutions, with the ability to identify and mitigate threats in real time.”
Current cybersecurity is centralized, it configures every device to be a single point of risk to the network it’s connected to. Cybersecurity software lives in a black box controlled by the cybersecurity company, it is opaque and centrally owned and governed.
Cloud services used by companies, institutions and governments are also centralized, so it’s a challenge to trust the service when we cannot see or audit how it operates and performs. Any device is a point of entry for an attacker and any centralised system is vulnerable.
We are only now beginning to spotlight the weaknesses that exist in the current cybersecurity arena. Many organisations are realizing that they are working off outdated cybersecurity models and practices that are no longer fit for purpose, with some systems and processes dating back 40 years.
Today, a professional hacker can breach a system in less than 12 hours, using software that can be bought on the dark web for a few hundred dollars. Hackers are forming cohesive and organised businesses, with their own marketing departments and administrative systems, for the purpose of selling Ransomware-as-a-Service (RaaS).
We are only now beginning to spotlight the weaknesses that exist in the current cybersecurity arena. Many organizations are realizing that they are working off outdated cybersecurity models and practices that are no longer fit for purpose, with some systems and processes dating back 40 years.
The cybercrime space is as at least as well funded as the cybercrime prevention space – but the criminals are winning. The fight is not against a band of hooded teenagers grappling with existential malaise, cybercrime is a multi-billion-dollar industry run by some of the many brilliant minds on the planet, and often incentivized by malevolent governments.
Despite a global cybersecurity spend of $1.75 trillion in 2022, companies are still losing the battle, not because they are being outsmarted, but because they are fighting a tank battle on horseback. There needs to be stronger intervention and more innovation in the technology used to fight cybercrime.
According to Microsoft, the average cost of a data breach is touching $4.25 million, and username and password attacks amount to 921 attacks every second, a 74 percent increase in 12 months, from July 2021 to June 2022. Their digital defense teams blocked 34.7 billion identity threats and 37 billion email threats in 2022.
It’s not difficult to understand why so much money is being thrown at the problem. IBM reports current detection time for a reported breach is 280 days on average, it’s little wonder that chief information and risk officers are being kept awake at night.
No company is immune to attack, in 2017 the Equifax hack compromised private data of 50 percent of the US population, Twitter had 200 million records compromised, the U.K’s Royal Mail was shut down due to a Ransomware attack, and 44 universities or colleges and 45 U.S. school districts were hit by ransomware attacks in 2022. The list of companies affected by cyber attacks in 2022 reads like the Top Companies List, it includes San Francisco 49ers, Cisco, Macmillan Publishers and The Red Cross.
Traditional Web2-based cybersecurity configures devices to operate independently of each other and not in harmony, with each device acting by default as a single point of risk (as it is outside the walled security network of an enterprise and a vulnerability for hackers to attack).
This means there is no unifying governance between network devices. In addition, there is no ability to monitor device behavior and trust status, moment to moment. The traditional Web2 “single point of failure” model cannot be trusted.
A recent Gartner report identified cybersecurity mesh as a leading trend for 2023, but stopped short of looking at a decentralized mesh that can remove the centralized mesh’s points of failure. While zero trust and cybersecurity mesh strategies offer the flexibility and composability to accommodate moving boundaries and limit attack surfaces, the underlying device architecture is still centralized.
Companies like Naoris Protocol are leading the charge with a new approach to technology that transforms centrally managed computer networks with traditionally un-trusted devices and services such as mobiles, servers and laptops. A whole new category of startups across the decentralized cybersecurity landscape have popped up including Anchore, Dig Security, Project Discovery, and Twingate.
David Holtzman, security advisor and architect of DNS, echoes this new approach, “The rapid ascension of Web 3.0 acknowledges the evolution from centralized to decentralized architecture, including a decentralized cybersecurity mesh. This transition is inevitable for three reasons:

Technological innovation is moving at a pace that few others than innovators and cyber criminals can keep up with. Business and government leaders are slowing understanding that Web3 will not safely scale for society without a dramatic shift in our thinking to decentralized networks, which require decentralized cybsecurity solutions.
Even with little bandwidth, leaders will require greater and a more persistent digital education to better secure our future from cybercrime, or worse, a cyber meltdown.

source

The expansion of potential cyber threats has increased due to the integration of connected devices, the Internet of Things (IoT), and the convergence of IT and OT in railway operations.
In this Help Net Security interview, Dimitri van Zantvliet is the Cybersecurity Director/CISO of Dutch Railways, and co-chair to the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, build a practical cybersecurity approach, as well as cyber legislation.

At the Dutch Railways (but this goes for our entire sector), our cyber jobs have evolved to focus more heavily on cybersecurity in the face of increased digital transformation, -threat landscape, and -cyber legislation. With the integration of connected devices, the IoT and IT-OT convergence throughout our operations, the attack surface for potential cyber threats has greatly expanded.
As such, our main responsibilities include implementing and maintaining robust security measures to protect our systems and networks from cyber-attacks. This includes regularly assessing and mitigating risks, implementing security protocols and controls, and ensuring compliance with railway sector regulations.
Additionally, our IT- and operations teams work closely with our strategic and GRC teams to integrate security into the design and deployment of new technologies, as well as to develop incident response plans to address any security breaches that may occur. In summary, the increasing digital transformation in the railway industry has emphasized the need for a top level, proactive and comprehensive approach to cybersecurity to protect the company’s assets and customers’ and employees’ data. Cybersecurity has become ChefSache!
Yes, 100%. We keep track of all incidents that are happening in the sector together with our (European) Railway ISAC, local NCSC’s and ENISA. Cyber-attacks on the railway industry have been increasing in recent years, as this vital sector too becomes more reliant on digital systems and connected devices as you mentioned before. The types of attacks that we see include:
We educate and train employees on the importance of cybersecurity and the methods as described above. This includes regular security awareness training and simulated phishing campaigns to test employees’ susceptibility to social engineering attacks. Finally, we have implemented and are continuously working on a multi-layered and zero trust security approach that includes both traditional IT security controls such as firewalls and intrusion detection systems, as well as OT control system-specific security controls and new approaches like continuous cyberpolicy enforcement.
Well, there are several key steps that you can take in your first 100 days:
Don’t limit yourself and your teams to those bullet points but also work on compliance, incident response, and supply chain collaboration. Don’t be afraid to ask your colleague CISO’s for advice, I will be happy to give some guidance too.
Yes, that’s always a challenge as these systems may still be in use but are no longer supported by the vendor. Some assets (like trains) have a lifecycle of 30 years. It depends a bit on the Purdue level this asset is working in, but some of the ways to address this issue include:
We closely follow what our friends on the other side of the pond are developing. Your president seems to have embraced cybersecurity and I recently had the privilege to meet with his Cyber Security Director Chris Inglis. Vital infrastructures will be specific targets for attacks so having legislation in place to speed up the resilience is perfect to my opinion. Having the possibilities to fine organizations that purposely do not comply is necessary as well. We’re only as strong as the weakest supply chain link. In Europe we are similarly working on implementing the NIS directive and recently the Commission has issued the NIS2– and Critical Entities Resilience (CER) directives. I applaud these initiatives.
In general, I believe that requiring institutions, groups, and companies whose service interruptions might jeopardize the economy or public security to report cyber incidents is a positive step towards improving the security of our critical infrastructure. By mandating the reporting of incidents, organizations will be able to share information about threats, vulnerabilities, and best practices, which will help to improve the overall security of the sector.
I also believe that new cyber legislation is an important step in the right direction, but it’s just one piece of the puzzle. Organizations must take a holistic and proactive approach to cybersecurity to effectively protect their critical infrastructure from cyber threats. I am positive that if we have the right commitment to do this, that the Railway Sector will become more resilient day after day!

source

Check out all the on-demand sessions from the Intelligent Security Summit here.

First coined by Lebanese-American thought leader Nassim Nicholas Taleb, the term “black swan” refers to unexpected global events that have a profound effect on society. Some are beneficial, like the invention of the printing press; and others are destructive, such as the subprime crisis in 2008. But they have all altered the course of history.
In recent years, we have bore witness to a surge of black swan events, and they continue to emerge in real time. They have affected every facet of our lives, and this rings true in the world of cybersecurity. By analyzing these recent events, we can better map out our industry’s evolutionary processes to predict where cybersecurity is heading next. 
It’s unquestionable that one of the most significant black swans of recent memory was the beginning of the COVID-19 pandemic in 2020. One of the direct results of this global crisis was the transition to work-from-home practices, and with it came an overwhelming incentive to migrate a significant portion of our digital activity away from physical data centers to the virtual cloud workspace.
>>Don’t miss our special issue: The CIO agenda: The 2023 roadmap for IT leaders.<<
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
This was a matter of decentralization versus centralization. Prior to the pandemic, centralizing an organization’s digital assets in one physical location that could be protected with a traditional security perimeter was considered standard practice. But during the pandemic, it became a liability, and organizations rapidly decentralized to move assets like business-critical applications and databases to the cloud. But this adjustment altered hackers’ attack vectors, requiring completely different defenses.
The decentralization of digital assets introduced new security vulnerabilities, both in the workplace and in employees’ homes, creating a significant hurdle to protecting against cyber criminals who were only growing more sophisticated and well-funded. These hackers developed new methods, known as 5th generation (Gen V) attacks, which were multidimensional and allowed the threat actors to hit from many different angles simultaneously.
As these new cyber threats emerged, the newly-developed cloud environments also demanded security products that were easier and quicker to install, activate and maintain. All of these elements combined to create the perfect conditions for a new approach to cybersecurity, one that would require record-breaking funding.
The next black swan in cybersecurity came on the heels of the pandemic’s effective end (also known as the COVID-cyber-boom). The combination of the need to protect decentralized digital assets from Gen V attacks with the need to develop new products for today’s modern environments was a powerful incentive for innovation, fostered by a macroeconomic environment where interest rates were low and liquidity was high. It’s unsurprising that in 2021, more than $20 billion in venture funding was invested in cybersecurity companies globally, a new record. Venture capital firms were eager to get involved in this expanding industry.
As a result of this free flow of cash, cybersecurity start-ups experienced meteoric market valuations, resulting in the emergence of many unicorns. While these valuations certainly represented their potential, they were often inaccurate representations of the companies’ actual worth. And with these investments came an onslaught of new cybersecurity products available to CISOs, providing a level of variety previously unheard of. But as the market was flooded by companies with inaccurate valuations, a bubble was created. And unfortunately, we know how bubbles end.
The final black swan actually involved three events in 2022: an increase in interest rates, a global supply chain crisis, and the war in Ukraine. This was a perfect storm for a worldwide recession. Capital and market valuations, which both seemed so abundant just a year before, seemed to fall off a cliff, and as a result, the growth so easily sustained in 2021 experienced a huge slowdown.
Today, we are left in a troublesome situation. Amidst a decline in innovation investments, assets continue to be decentralized, the Gen V attack surface still exists and organizations need an end-to-end solution.
As such, I predict that in the next 18 months, the industry will experience extreme consolidation to strengthen the defensive line of cybersecurity products and provide a comprehensive solution. This means consolidating similar products under one roof to create an end-to-end solution that empowers CISOs to deliver a layered model of protection. Rather than relying on the founding of new companies, this will be accomplished through mergers, acquisitions, or partnerships.
The challenge here is one of execution, and the gravity of these sorts of integrations for large organizations looms large. There are real and valid concerns around these sorts of unifications. What if large organizations with deep pockets absorb start-ups and rob them of their agency and agility, essentially stamping out any capacity for innovation before they can hit their stride? Any advantages to be gained by the acquisition will be lost if they effectively squash these competitive differentiators.
To prevent this, organizations must tread carefully to grant the acquired start-ups a high degree of autonomy without any added bureaucracy or friction. Only by guaranteeing these freedoms can large organizations harness start-ups’ ability to develop, test, and deploy solutions with advanced precision and speed. This will likely require strategic organizational restructuring, wherein an individual who understands how to balance the needs of a start-up with the wealth, size and goals of a large organization can act as a trusted go-between between leadership and the start-up team. This is how larger organizations can reinvent themselves to rise to the occasion brought about by a series of black swans.
On the start-up side, these entrepreneurs need to ensure that their new parent organization aligns with their vision for growth. They should establish a roadmap for the next two or three fiscal years to set expectations on both sides. With all parties united in their goals, cybersecurity organizations can provide a modern, end-to-end solution to decentralization without forcing the industry to rely on venture funding that simply no longer exists.
The digital decentralization of 2020, industry growth of 2021 and inevitable bust of 2022 have been a whirlwind of events in just three short years. But their challenges and opportunities will move us forward to a more cyber secure world. After a rapid succession of black swans that have irreversibly shifted the course of our industry, the technological and economic evolution of cybersecurity is progressing in a positive direction toward a brighter future.
Moshe Lipsker is SVP of product development at Imperva.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!
Read More From DataDecisionMakers
Did you miss a session at Intelligent Security Summit? Head over to the on-demand library to hear insights from experts and learn the importance of cybersecurity in your organization.
© 2023 VentureBeat. All rights reserved.

source

Let Cybersecurity Dive’s free newsletter keep you informed, straight from your inbox.

Different mindsets can bring new and better solutions to the table that can mitigate advanced cyberthreats, Google Cloud’s director of the office of the CISO writes.
Editor’s note: This article is from MK Palmore, director of the office of the CISO at Google Cloud. If you would like to submit a guest article, you can submit it here.  
With recent cyberattacks against organizations of all sizes and governments alike, the importance of sharpening cybersecurity across sectors has been recognized globally as a top concern.
However, according to research published by security industry nonprofit ISC(2), while the global cybersecurity workforce added 464,000 jobs over the past year, there is still an employment gap of more than 3.4 million positions. While cybersecurity remains one of the most critical challenges organizations are facing, roles continue to go unfilled. 
So, how do we address this disparity? One solution is to prioritize diversity, equity and inclusion, and recognize how it can impact an organization’s security posture for the better. 
While some industry professionals actively pursue diversity in tech, the numbers show that the majority of security teams fail to put ideas around DEI into practice. Recent findings from the Aspen Digital Tech Policy report note only 4% of cybersecurity workers self-identify as Hispanic, 9% as Black, and 24% as women. Collective cybersecurity ultimately depends on having a diverse, skilled workforce that can implement and transform it. 
As leaders align on their focus for 2023, CISOs should prioritize increasing diversity on their teams and finding new ways to reach untapped talent.
Software supply chain security remains a critical national security risk. Financially-motivated attacks like ransomware have been studied and documented for decades. Distributed denial-of-service (DDoS) attacks are increasing in frequency and growing in size. 
Threat actors continue to act on poor cyber hygiene and use social engineering to capitalize on our own human vulnerability. 
These are just a few of the top concerns across our industry and yet, while these issues are top of mind and widely agreed upon, the solutions to these challenges over the past few decades remain the same.
This is why diversity in cybersecurity is so critical. CISOs need to stop thinking about how we can solve cybersecurity issues in silo, and instead consider how embracing diverse perspectives may prompt more creative solutions. 
Different mindsets can bring new and better solutions to the table that can mitigate advanced cyberthreats. In security, we work to solve complex problems that often don’t have a clear solution. Addressing the diversity issue in cybersecurity will help us move to the next stage of security itself. 
As cyberattacks increase in frequency and complexity, organizations need unique ideas to detect and defend against emerging threats. Organizations need to embrace individuals from non-traditional talent pools to stay one step ahead.
With new talent comes new ideas and solutions – and embracing perspectives from people with different backgrounds will help organizations anticipate future threats, build solutions in preparation, and avoid potential large scale attacks. 
There are several steps security leaders can take to increase diversity, equity, and inclusion in their organizations this coming year and beyond. 
We must broaden the scope in which talent is identified. This starts with building job descriptions that provide more detail, and are focused on the requirements necessary for success in the role.
Is a traditional four-year college degree necessary, for instance? Challenge the listed bullet points.
The interview process should not just focus on the technical skills a candidate might have, but also take into account a candidate’s level of interest and overall aptitude to be successful.
In doing so, this allows for non-traditional applicants – like those making a career change – to be considered for roles where they bring experience and innovative thinking that may not have traditionally been considered. 
Industry leaders need to build training programs that are targeted for their existing workforce but also provide assistance for those wanting to break into the industry.
Training shouldn’t stop after the initial onboarding process, or be closed off to members of the security organization we must be open to implementing training and development programs that can help anyone sharpen their cybersecurity skillset, no matter their level of proficiency.
For the security industry to scale and evolve, CISOs and security leaders must communicate externally that security is an industry of opportunity even for those interested in topics outside of traditional computer science.
Organizations should consider finding ways to engage with college and even high school students to challenge the traditional perception of a career in technology, and help them understand that, in many cases, it is a more viable career path than they may perceive. 
It is crucial for organizations to continuously train and mentor their current employee base in order to enable additional growth.
Community-based mentor/mentee relationships are important for information sharing and brainstorming out-of-the-box ways to tackle emerging threats – and a key component to retaining diverse industry talent. 
Networking has long been the immeasurable social component to a successful career trajectory. Building a successful network can be challenging, but there are tools and organizations available to help drive the desired outcomes.
Those hoping to enter the field should continue to build an individual brand with tools like LinkedIn and other professional social media platforms, consider blogging or writing thought leadership on areas of passion or expertise, and explore one of the many nonprofits focused on supporting diverse career goers in all phases of their cybersecurity journey.
As CISOs look to navigate cybersecurity challenges in 2023, it will be essential for leaders to provide fresh perspectives and solutions.
Cybersecurity is a team sport, so it’s important that CISOs create a diverse team of players that can help tackle these challenges and contribute to the industry’s overall progression.
Get the free daily newsletter read by industry experts
Everyone wants to stay on good terms with their employer. Threat actors know this too, and they exploit this weakness accordingly. Don’t fall for it.
The password manager warned customers to lookout for brute force attacks, phishing or credential stuffing.
Keep up with the story. Subscribe to the Cybersecurity Dive free daily newsletter
Keep up with the story. Subscribe to the Cybersecurity Dive free daily newsletter
Subscribe to Cybersecurity Dive for top news, trends & analysis
Get the free daily newsletter read by industry experts
Everyone wants to stay on good terms with their employer. Threat actors know this too, and they exploit this weakness accordingly. Don’t fall for it.
The password manager warned customers to lookout for brute force attacks, phishing or credential stuffing.
The free newsletter covering the top industry headlines

source

IT Pro Today is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Karen D. Schwartz | Dec 02, 2022
In many ways, IT security professionals today know they are in the driver’s seat. Shortages of cybersecurity skills plague modern businesses. If you’re a security pro, it’s easy to think that you can call your own shots.
And you can, to a point. That’s one takeaways from ITPro Today’s latest salary survey, which interviewed IT security professionals on a variety of topics, including job satisfaction, compensation, and perks.
Related: ITPro Today’s 2022 Salary Survey Report
The survey found that while most IT security professionals are satisfied with both their current positions and their total compensation, satisfaction numbers were only 67% and 64%, respectively. In fact, 22% said they are dissatisfied with their total compensation.
Those numbers aren’t at all surprising, given the proliferation of unfilled cybersecurity positions, said Ken Coffman, an IT systems administrator and engineer who participated in the survey. Coffman works directly with the security team at Tri-Tech Medical, a medical equipment manufacturer in Avon, Ohio.

“I see a lot of crazy-high offers coming through just in my daily emails from recruiters who have found my resume online,” Coffman said. “It’s pretty much ‘Name your price’ from a lot of them, but it’s really a [‘Let the buyer beware’] situation. It might be good for three to six months, but how long is that gig actually going to last? Will it be better for you in the long run?”
Pam Nigro, vice president of security for health management company Medecision and an ISACA board chair, noted the current economic conditions, with its rising inflation rates, has made some IT security professionals more flexible.
“Before, [when] I offered someone a position, they came back with a counter, I met their counter, and then they came back with another counter,” Nigro said. “But when I spoke with someone more recently about a different position, I mentioned that we could meet their salary expectations and they were fine with that. They wanted other things,” such as the ability to work from home and avoid travel.
The survey also found that about one in four IT security professionals are likely to seek alternative employment in the next 12 months. Twenty-six percent of respondents said they would seek new jobs outside their current organization, while 24% said they would look within their current organization. Those results make sense to Keatron Evans, principal security researcher and cybersecurity expert at Infosec Institute.
“Those who have tangible, marketable, demonstrable skills can pretty much write their own ticket and move either horizontally or vertically as they see fit,” Evans said.
However, there aren’t many professionals at that level, and Evans suspected that most of the survey-takers were IT security professionals that have years of experience. “Those people are definitely looking to make moves,” he said. Indeed, about 93% of the security pros that took the survey said they have 10 or more years of experience in tech.

Marketing and press can also influence security professionals into thinking there is always someplace where the grass is greener. “Everybody has the Hollywood view of cybersecurity, where you’re a hacker who does exciting work, but cybersecurity is really boring if you’re doing it right,” Nigro said. “It’s about looking at controls and doing assessments, not looking for bad guys on the dark web. It’s easy to think that the next job will be more exciting.”
At the same time, most of the survey respondents had a positive view of their current jobs. When asked if they love their job, 39% of respondents said they strongly agreed and 40% said they somewhat agreed.
“You can love your job and still be seeking better opportunities,” Evans noted. “The market for people with the right skills is so ripe and favorable that you can love your job and the people you work with and still want to explore new opportunities.”
In addition to compensation and basic benefits like insurance and vacation time, IT security professionals value having the right tools, access to enough training, and, increasingly, the ability to work from home.
Twenty-six percent of respondents strongly agreed they have all the tools they need to perform their jobs, while 49% only somewhat agreed. About a quarter of respondents were either neutral or said they lacked the necessary tools.
As the cybersecurity landscape continues to evolve, attitudes toward the tools are bound to change.
“Cybersecurity professionals will never have all the tools they want,” Nigro said. “During my entire career, I’ve focused on the process, with tools enabling the process. That’s a better method than building your process on the tool. But then people will go to conferences and see a shiny new tool, and [they will] find out that it’s way over [their] budget. But as a manager, I try to ask them what they liked about the tool and find a way to get them those capabilities.”
Meanwhile, about two-thirds of survey respondents said they have all the training they need to do a good job.
Training is a complicated issue, Nigro noted. Training budgets can be limited, but there are other ways to get training. Amazon, Microsoft, Google, and many security-focused vendors will provide free training for their platforms. She added that while her company can’t send everyone to the RSA Conference, for example, it does occasionally give staff a few hours off to attend a security association meeting or training session.
When companies offer training, it sometimes comes with strings attached, however. “I’ve been burned in the past where the company paid for training but then makes you sign something saying that you would remain with the company for the next three to five years or would have to pay them back,” Coffman said. “That actually happened to me, and I had to pay it all back. Now I just pay for my own training.”

To ensure that you get the training you expect, Evans recommended pushing for it in your contract negotiations.
And then there are the intangible job benefits, which make a big difference to all employees. One of the most important of these today is the ability to work from home. In general, younger employees are more eager to work remotely. That’s fine, but they must be flexible, Nigro noted.

“The job of a security professional isn’t 9 to 5. Sometimes it can be 24/7,” Nigro said. “If something blows up, you have to be there on the front lines. Flexibility and trust are key.”
Less experienced IT security professionals can have unrealistic expectations for their employers, according to Evans.
“Some people are being sold a bill of goods indicating that they can go through a quick [educational] process and make $200,000 a year, but that’s clearly not true,” Evans said. “Sure, the security field needs people, but they still need experience and training. The people going through those [IT security] bootcamps can still get good jobs, but it’s nowhere what they thought they were going to get.”
It’s also important to understand the culture of the company, Coffman added. “When you’re looking for your next job, make sure it’s a good fit, because once you get in, it’s hard to get the company to change.”

At the same time, hirers should cast a wider net for job candidates, Evans said. “People in charge of hiring need to stop thinking the way we thought 30 years ago, where people needed a computer science degree or an IT background to be a good cybersecurity person,” he said. “It just isn’t true today.”

Some of the best cybersecurity professionals that Evans has hired have no security or IT background whatsoever. “It’s more about the way they problem-solve and their ability to learn new information,” he explained. “Allow some room for some people with nontraditional backgrounds. I think you might find some value there.”
More information about text formats
Follow us:

source