Forced by the pandemic to adapt, many businesses have had to step on the gas to push through their digital efforts in the past 15 months or so. Remote working is a challenge, particularly for cybersecurity.
For many businesses, this has meant abandoning the “fort” that is their offices and data centres and connecting remotely from home. Suddenly, they are out of their comfort zone.
While it may be relatively easy to add more seats to a virtual private networking (VPN) service, it is by no means more secure.
Nor is the experience great if staff have to connect to a data centre first before getting onto the cloud to access collaboration tools like Zoom or Office 365.
Many businesses know that hybrid work is the future. Infrastructure built on zero-trust, where everyone has to be checked to gain access to a digital resource, is the way forward.
Getting there, however, isn’t that easy. One key issue is the manpower crunch when it comes to skilled talent in key areas such as cloud computing and cybersecurity.
In 2021, this is an even more pressing issue. A Sophos study earlier this year revealed that nearly 60 per cent of businesses in Singapore find the lack of cybersecurity skills a challenge, up from 51 per cent the year before.
The picture is similar across the world. In a separate study last year by the non-profit industry organisation, (ISC)², 56 per cent of cybersecurity professionals believed their organisations were at risk because of cybersecurity staff shortages.
Interestingly, 40 per cent of the cybersecurity experts surveyed also identified cloud computing security as a skill they wish to develop in the next two years.
In other words, if you’re moving to the cloud and need a skilled hire in both cloud and cybersecurity, the number of candidates you can field is even smaller.
And when there is a global shortage of skilled expertise, those businesses that can’t pay for the manpower often suffer from it, said Sumit Bansal, managing director for ASEAN and Korea at cybersecurity firm Sophos.
“The talents are going to be expensive,” he told Techgoondu. “Not everyone can afford to have them in house.”
It doesn’t help that cyber criminals are becoming more sophisticated, now increasing the potential damage they can cause not only by locking out victims through ransomware but also by revealing customer data or embarrassing corporate information they have managed to steal.
CD Projekt Red, which made the popular Cyberpunk 2077 game, has had the game’s source code exposed along with staff data, after they were auctioned online by hackers.
Some criminal gangs are also teaming up, with affiliates working on various parts of an attack, from early penetration tests to the crafting of a ransom and finally, the collection and distribution of the reward.
While these gangs don’t typically trust each other, they have found ways to show proof of each other’s expertise, for example, in hacking an organisation in the past, and work together efficiently, said Andrey Yakovlev, a security researcher at IntSights, which tracks cyber threats on the Dark Web.
Popular targets today include government agencies, as seen in a recent ransomware attack on the Washington DC police in the United States, he noted.
So, what can businesses that are rapidly digitising do, as they move more to the cloud and embrace hybrid workstyles? Experts admit this is challenging.
Training takes time. The Cyber Security Agency in Singapore has been building up young talent through programmes that include mentorship and cyber “sparring” to emphasise real-world skills.
Skills that are needed also change rapidly. Cloud computing, for example, requires new knowledge that needs to be acquired over time.
Sophos’ Bansal said one way forward for businesses that can’t afford the in-house manpower is to sign up for a service that manages the cybersecurity as a subscription and carries out the cleaning up and forensics should an attack occur.
His company, Sophos, offers one such service, aimed at mid-market businesses. Among the customers it has helped is an international school that was hit by ransomware recently.
The job scope varies from company to company but it has included cleanup for malware as well as maintaining a healthy environment that reduces risk.
And increasingly, businesses that have rushed through their digital efforts but can’t afford to hire the cybersecurity manpower needed might have to buy such services to cope with new threats.
Ultimately, the strategy remains the same – make yourself a more difficult target so that cybercriminals will look for an easier one that better rewards their time. This often means getting your basic IT right before even thinking about a sophisticated cyber defence.
Yakovlev pointed to hygiene factors such as avoiding the use of the same passwords and closing ports that do not need to be open to make it harder for hackers to break in.
At some point, it will be very demanding to overcome certain security measures and people may be more aware of vulnerabilities like spoof e-mails, so many hackers will move on to something else less difficult, he said.
One example is the devastating Colonial Pipeline hack last month, which closed off fuel supply to a large part of the United States. It was carried out with one stolen password that was exposed on the Dark Web.
However, what this has done is to make other organisations sit up and take note of their own vulnerabilities, said Yakovlev.
What they needed to lower their risks, at least in this example, was not niche skills but basic cybersecurity hygiene like turning on two-factor authentication, he noted.