Data is one of our most valuable commodities, helping organisations better understand their customers, spot trends and work more efficiently in real time. TalkTalk was just one of last year’s big names that learnt the hard way what can happen if you leave your customer data unprotected, with losses resulting from its data breach estimated at £30m to £35m. Companies can often feel daunted by the sophistication of the malware that brings financial losses such as this, not to mention the damage to trust and reputation it can cause. Even powerful government networks are being taken down by third-party DDoS (Distributed Denial of Service) attacks. However, arming your business with the right means to protect itself can often be simpler than you think.
The most vulnerable point of access to any company is its employees. Whether it is a piece of software that hasn’t been updated recently, or an employee’s mobile phone or smart watch, each of these represents a potential access point into the corporate network. Even simple things like logging onto a public Wi-Fi network with your company laptop or smartphone to stream the latest episode of Homeland could put an entire organisation’s IT infrastructure at risk. IT security shouldn’t just be the priority of the CSO or IT department; it should be a priority for all, from the CEO to the receptionist.
This is where the skillset of ethical hacking can make a real difference to a business. Ethical hacking is essentially where someone uses the techniques of a malicious hacker to identify the weak points in an organisation’s cybersecurity, and then uses that knowledge to improve its defences. However, ethical hacking doesn’t just cover this kind of penetration testing. With the right skills in place, ethical hackers can advise businesses on all aspects of digital security and make the organisation much more resistant to attacks. This advice can range from showing programmers and app developers how to make their code harder to exploit, to giving other members of staff advice on choosing passwords that are harder to guess, or on how not to fall for phishing emails. It’s clear that having access to a qualified ethical hacker is becoming an increasingly important part of how firms protect themselves from malicious external attacks. Google even has its own team of dedicated ethical hackers, and rewards people who spot vulnerabilities in its products, as it did with a Russian hacker who spotted a flaw in YouTube.
Pluralsight author and industry expert Dale Meredith says there is currently a massive skills gap in this space, with the Information Systems Security Certification Consortium (ISC2) claiming there will be a shortage of 1.5 million trained professionals by 2020. Clearly, given the growing importance of security and ethical hacking as a skill set, this is a worrying trend, and it could leave many businesses more vulnerable to attacks. However, as ethical hacking becomes more widely known as a concept, there are greater opportunities for upskilling IT staff already in the organisation and for recruiting new employees who have these skills.
This is where the IT department can empower all staff to protect the wider business. The first step is ensuring existing staff have the right tools and learning programmes available to upskill in ethical hacking. While there are a number of training courses out there, it’s not enough to just send someone on a day-long course. Ethical hacking is a constantly changing area, and it is far more effective for learners to have access to an online course where they can keep refreshing their knowledge as new threats emerge. At the same time, this on-demand approach much more closely matches how IT professionals want to learn – at their own pace and in any location.
Security shouldn’t end with the IT department; it should work with the HR department to help raise awareness of these security issues and bridge the knowledge gap. As PwC revealed in a recent study, 34 per cent of compromises of an organisation’s cybersecurity originate from employees themselves, whether maliciously or not. As a result, it is critical for every employee to know how to avoid putting the company at risk, whether through a weak password, clicking on an unsafe link or using an unauthorised personal device in the office.
If 2015 has taught us anything, it’s that cyberattacks are here to stay. As attacks become increasingly sophisticated, the skillset of employees should follow suit. It is vital that businesses look to understand the threats that are out there and are prepared to arm themselves with the right skills to better protect the whole company.
Denise Hudson Lawson is an enterprise learning architect at Pluralsight.