It seems that every week there’s a news story about a hacking attack on a household name. The hacking of Ashley Madison highlights just how serious a data breach can be, with the company’s CEO stepping down and the company’s future looking uncertain. Despite the current high profile of cybercrime and hacking, it’s still an unfamiliar topic to many businesses, but there is a growing realisation this is an issue they need to upskill on, especially with a recent study placing the average cost of a cyberattack at $15 million per organisation.
One of the biggest challenges facing businesses is understanding just what the threat is. Essentially, a hacking attack is when a third party attacks the IT infrastructure of a business, with the aim of causing some kind of harm. This can range from accessing and leaking sensitive information, to deliberately taking the organisations essential systems offline. The attackers usually carry out their attack by exploiting a vulnerability in the target’s IT infrastructure. However, one of the reasons these attacks are becoming more prevalent is that there is more exposure and accessibility than ever. Whether it’s a piece of software that hasn’t been recently updated, or an employee’s mobile phone or smart watch, each of these represents a potential access point into the corporate network. As a result, it’s the end-user themselves that often represents the weakest element of an organisation’s cyber security defences. The problem is that as we’ve become a more digitally savvy workforce, we’ve also become complacent, meaning very few people fully understand the threat of cybercriminals and how they carry out their attacks.
This is where the skillset of ethical hacking can make a real difference to a business. Ethical hacking is essentially where someone uses the techniques of a malicious hacker to identify the weak points in an organisation’s cybersecurity, and uses that knowledge to improve its defences. However, ethical hacking doesn’t just cover this kind of penetration testing. With the right skills in place, ethical hackers can advise businesses on all aspects of digital security, and make the organisation much more resistant to attacks. This advice can range from showing programmers and app developers how to make their code harder to hack, to providing other members of staff with advice on choosing passwords that are harder to guess, or how to not fall for phishing emails. It’s clear that having access to a qualified ethical hacker is becoming an increasingly important part of how firms protect themselves from malicious external attacks.
There is currently a massive skills gap in this space, with the Information Systems Security Certification Consortium (ISC2) claiming there will be a shortage of 1.5 million trained professionals by 2020. Clearly, given the growing importance of security and ethical hacking as a skill set, this is a worrying trend, and could leave many businesses more vulnerable to attacks. However, as ethical hacking as a concept becomes more widely known, there are greater opportunities for upskilling IT staff already in the organisation, and recruiting new employees that have these skills.
This is where the HR department is in a great place to help tackle the problems of cybersecurity and facilitate the IT department to protect the wider business. The first step is ensuring existing staff have the learning opportunities available to upskill on ethical hacking. While there are a number of training courses out there, it’s not enough to just send someone on a day long course. Ethical hacking is a constantly changing area, and it is far more effective for learners to have access to an online course when they need answers to their questions. At the same time, this on-demand approach much more closely matches how IT professionals want to learn.
The HR department should also be thinking how it can bridge the gap between the IT department’s knowledge of cyberattacks and how this can be translated into training for the wider organisation. As PwC revealed in a recent study, 34 per cent of compromises in an organisation’s cybersecurity originate from employees themselves, whether maliciously or not. As a result, it is very important for every employee to know how to prevent themselves from putting the company at risk, whether it is through a weak password, clicking on an unsafe link or using an unauthorised personal device in the office.
The problem of cyberattacks isn’t going away - in fact it is intensifying as an increasing amount of data and systems is digitised on an organisation’s networks. It’s only by fully understanding the threat and ensuring everyone has the necessary skills and knowledge that a business can protect itself from the threats that cyberattacks represent. The HR team is ideally placed to support this and ensure the skills and learning opportunities are there to combat this growing threat.
By Denise Hudson Lawson, Enterprise Learning Architect, Pluralsight