The average data breach in the UK costs an organisation £3 million. That’s the average cost, with some breaches costing businesses a lot more. Nationally, UK cybersecurity is now worth £8.3 billion and is staffed by 43,000 full-time employees. However, despite this positive growth, there aren’t enough people to fortify organisations against cybercrime. With such potentially massive costs, you would think that ensuring such a breach can’t happen would be at the top of many executives’ minds. Yet recent research has uncovered that nearly two thirds of UK businesses suffer from cyber-complacency.
A lack of communication between the cybersecurity team and the board and wider employee base is largely to blame for this. The biggest vulnerability to the organisation is the insider threat. (ISC)² found that the global skills gap grew by 33 per cent in 2018; 65 per cent of firms have a shortage of cyber-staff; and the UK needs to increase its workforce by 291,000 people to plug the gap.
If the answer lies in correctly staffing, what can businesses do to ensure they minimise the cyberthreat to their organisation?
Many working in cybersecurity today have graduated from university with a relevant degree that teaches them “how to drive”, i.e. giving them knowledge, but they lack critical practical skills, and soft skills like communication. As constant, quality communication, as well as policy, is one of the most effective ways to defend the business, these skills are crucial. However, I believe they are better taught with digital apprenticeship training. If possible, this training must come at the start of a cyber-pro’s career and be ‘topped up’ during their career to help them up-skill as technology and the cyberthreat continue to evolve.
Apprenticeships are the answer because the pool of cybersecurity grads is small, partly because university is inaccessible to many, so hiring strategies need to urgently move away from exclusively hiring graduates if we are to deal with this crisis. Opening cybersecurity up to more apprentices will not only create a larger and more diverse workforce, it will also better equip individuals to tackle the modern cyber-threat because apprenticeships provide technical skills training and real-world experience.
Applying best practices
Any cyber-pro will agree that hands-on experience and people skills are fundamental when dealing with the biggest vulnerability in any organisation: its employees. The biggest threat to an organisation’s cybersecurity is its people. Whether this threat is malicious or, more likely, accidental, much of the cybercrime activity performed today looks to exploit people as a way of infiltrating the network. From a data protection point of view, some of the biggest threats to data loss come from incredibly basic mistakes which only occur because employees lack any cyber-knowledge - for example, moving data onto a personal network in order to work remotely, or even just forwarding sensitive information to the wrong recipient over email.
The other two factors making the insider threat more dangerous than ever before are the sophistication of social engineering, such as phishing, smishing and vishing, and the proliferation of BYOD in the workplace. A lack of education and policy around email hazards and bringing unsecured tech into the workplace means that many employees are acting in a very damaging manner without having a clue that they’re doing so. Activities like reading confidential work emails on a personal smartphone using a coffee shop’s WiFi can put an organisation’s cybersecurity in grave danger.
InfoSecurity Europe recently ran a Twitter poll where 40 per cent of respondents agreed that human skill and expertise are the most important elements of a successful cyber-resilience approach. When undertaking an apprenticeship, the learner gains a deep understanding of how their organisation works - not just the network, but also the business and its culture. This means that when putting a cybersecurity policy together, they can develop something that is bespoke to their business specifically (for example, having special measures in place if certain teams often work from home). It also means education and general cybersecurity communications (such as sending out warnings about a sophisticated new phishing campaign) can take place in the company’s tone of voice and via a medium employees are most likely to read. Learning these skills on the job at their first organisation also means they’re able to apply best practices to businesses they work at later in their career, and to know if they need to flex for communications to work more effectively.
The value of apprenticeship
Of course, I’m not going to argue with the fact that technical knowledge is of paramount importance - cybersecurity professionals must have deep knowledge of systems architecture, be able to identify a plethora of attacks so that they can understand and be able to implement the most cutting-edge defences available - as well as mitigate against issues if and when they arise. But, when debating the value of a university degree versus a digital apprenticeship covering cybersecurity from a technical perspective, I’d argue that an apprenticeship comes out tops because it enables you to learn theoretical skills and implement them in practice, meaning you benefit from real-world experience.
Good cybersecurity professionals are technical masters with an always-learning mentality and open minds. They know what to look for in a system and what to do when things go wrong. Great professionals combine these skills with a deep knowledge of your business specifics. In addition to knowing what to look for, they know exactly where to look for vulnerabilities, and they know the business processes around them.
This means the best security professionals are the ones you already have, the ones who can grow while looking out for vulnerabilities within. That’s why cyber-apprentices can be such precious resources in any business.
It’s all very well me singing the praises of digital apprentices in building high quality cyber-pros, but if you’re coming from a business perspective you may be thinking - but what about the resources needed to implement them? Yes, apprenticeships do require a time and money investment, but arguably no more than a good graduate scheme would and aside from rapidly developing a more rounded professional, they also bring other benefits to the organisation’s bottom line.
The average cost of an apprentice for a company amounts to £18,000 for a one-year programme. With that, each apprentice will learn three to four digital certifications, as well as getting a full year’s worth of mentoring while working and developing those all-important practical skills at the same time. This approach exposes them to every nook and cranny of your systems while at the same time equipping them with the skills they need to spot threats from within. Aside from this being far less than you’d pay for the average graduate, apprenticeships are valuable in another, less-obvious way: retention.
You wouldn’t trust an uninsured driver
Paying for apprenticeship qualifications needn’t come from your HR budget. The Apprenticeship Levy is a compulsory UK tax on organisations whereby those with an annual pay bill in excess of £3 million set aside 0.5 per cent of the bill, minus an additional annual “levy allowance” of £15,000, which they must spend on apprenticeships.
You wouldn’t trust an uninsured driver to get behind the wheel of your car, and nor should you want an unskilled worker in charge of preventing cybercrime within your business. With the increasing cost of cyber-breaches in the UK, and an available pot of money that, for many organisations, goes untouched, there has never been a better time to bring in new apprentices or upskill existing employees.
Phil Chapman, Senior Cybersecurity Instructor, Firebrand Training