By Maurice Gibson, Cyber Security Product Manager, global mthree Academy. With over 10 years of experience in industry and education at the likes of Fortinet and The University of Phoenix, Maurice leads our new cyber security pathway for Alumni and Reskill.
You have worked in procurement at an investment bank for two years. Your department is undergoing a software refresh as a cost-saving measure. The new vendor is difficult to work with and the implementation is behind schedule. The service level agreement doesn’t clearly define responsibilities between your organization and the vendor, and your team is becoming frustrated with the additional time simple tasks are taking.
A few months later, there is a data breach. The API connection set up between your organization and the vendor was compromised by a malicious actor in a credential stuffing attack. The attack has given that actor access to your organization as well as the vendor, via the new procurement portal you’re both connected to. It snowballs into headline news, and your organization is liable for its breached data. The failure to adequately vet the new vendor and their security policies now costs your organization both in brand and financially.
The reality is that anyone in your organization’s supply chain could pose a cyber security risk.
Cyber attacks often happen through third parties. In fact, Accenture indicated that 40% of cyber attacks originated from the extended supply chain. Between 2019 and 2020, supply chain attacks increased 78%; meanwhile, 60% of small businesses do not have a cyber security policy of any sort. Even if your own systems are secure, the supply chain you are connected to might not be.
Thanks to BYOD policies and the shift to remote work, employees are also part of an organization's supply chain. In early July 2021, Google took down 9 malicious applications from the Play Store. The code had somehow made it through their security checks and been downloaded by customers. Malicious code on an employee device can reach your organization's network whenever that device connects to it.
In the global economy, you can’t afford to overlook your supply chain. A supply chain risk is your risk too. Vendor security policies are just one of the must-haves in a cyber security arsenal – yet lots of companies don’t have one. Why? Because it’s an area that sits outside of traditional risk management. It’s cyber risk management, and it affects every department at every organization to a greater or lesser degree.
Of course, we all know that this is easy to say but hard to do. We all know that people are doing their best with limited firepower. More than 70 percent of security executives believe that their budgets for the fiscal year 2021 will shrink. (McKinsey). However, I believe things can get better now that attitudes towards cyber security risk are starting to shift.
Once upon a time, cyber security was thought of as someone else’s problem: a technical issue relegated to the closet where your IT staff worked. It was understood as purely an IT issue, given little consideration, with the belief that somewhere, somehow, an engineer was “probably on top of it.”
These days cyber security is understood to be a business problem, or more precisely the confluence of business and technology. How many sales will you lose if your website is down for three hours following a DDoS (Distributed Denial of Service) attack? How much damage would a data breach do to your brand, let alone your bottom line?
Thanks to the chaos created by the coronavirus pandemic, there has been a reported 667% rise in spear-phishing attacks in March 2020 alone, and by April, the FBI had seen a 400% increase in cyber attacks. All as cyber security budgets have been slashed.
It’s an intriguing combination of circumstances, and the consequences are stacking up:
- Ransomware damage costs alone are expected to rise to $20 billion by the end of 2021, with businesses falling victim to a ransomware attack every 11 seconds. The average ransomware payment rose 33% in 2020 over 2019, to $111,605. (Fintech News)
- Overall, worldwide cybercrime costs are set to hit $6 trillion annually by 2021. Projections expect this number to skyrocket to $10.5 trillion annually by 2025.
Human nature is amazing. Thanks to optimism bias, humans have achieved progress through unbelievable feats in the face of enormous danger. The downside of this is an erroneous belief that “it’s not going to happen to me.”
Cyber security is everyone’s problem, with 95% of cyber security breaches still caused by human error (Cybint). Meanwhile, only 5% of companies’ folders are properly protected, and in large organizations employees have access to over 20 million files from the day they start at the company (Varonis). No wonder 68% of business leaders feel their cyber security risks are increasing (Accenture).
None of us enjoys turning this mirror on ourselves; however, this isn’t only an entry-level employee issue, it affects leadership too: people who are at the top of their game and in control in their niche of expertise, but at a loss when it comes to cyber security. No wonder 65% of attack groups used spear-phishing as their primary infection vector (Symantec).
Optimism bias also causes organizations to underestimate the cyber security resources they really need to prepare themselves for worst-case scenarios. Add the fatigue of trying to keep up with a constantly changing environment, from new threats, tactics and technologies to new laws, regulations, guidelines, frameworks and standards (Secureworld), and cyber security professionals are overstretched, stressed and burnt out, more likely to miss something when it matters most. Far from ideal.
It’s encouraging that more and more organizations are acknowledging the importance of cyber security, despite the obvious challenges. But cyber security is like a game of whack-a-mole: every time you knock a vulnerability down, a new one pops up.
Whether due to the limits of education, lack of access to education, an HR oversight, or general competition for talent in a world of endless possibilities, there aren’t enough cyber security people to go around. It’s a huge challenge.
That’s why I joined mthree. I wanted to be part of an organization that was actively working to bridge the cyber security skills gap: providing continuing education to graduates and helping remove employment barriers by working with applicants and companies’ talent organizations to give individuals the skills that matter to that company. We specialize in two solutions in particular: firstly, enabling organizations to bring in pre-trained graduates, and secondly, reskilling their existing staff.
Our cyber security practice for Alumni and Reskill includes 4 different programs: cyber risk management, application development security, cloud security and enterprise security. Aligned to industry standards, our custom curriculum is always tailored to each organization’s needs and context.
Protecting organizations from cyber crime is a team effort. Everyone in the organization is part of the solution, but there is also a need to bring in more skilled professionals to take the burden off overworked cyber security staff. There is more than one way to fill the cyber security void, but as long as we all remain diligent – and remember that it’s a confluence of business risk and technical risk – we will get there.
Want to find out more? Get in touch with us at firstname.lastname@example.org.