Greg Foss, Senior Threat Researcher, VMware Carbon Black, looks at people shortages in an unusual talent marketplace.
As rapid globalisation and technological change have shaped the world’s job market, skill shortages have become a growing problem for employers. To this point, the UK Government Department for Digital, Culture, Media and Sport (DCMS) recently released a report on the UK cybersecurity labour market, which revealed that approximately 653,000 businesses (48%) have a basic skills gap and approximately 408,000 businesses (30%) have more advanced skills gaps, in areas such as penetration testing, forensic analysis and security architecture.
Here at VMware Carbon Black we recently undertook research entitled 2020 Cybersecurity Outlook Report, which investigated the modern attack landscape and how defenders are responding, and touched on the skills, behaviours, resources and budgets of both IT and security teams.
No big surprise, our survey respondents reported keenly feeling a skills and resourcing gap. I caveat this by saying that we undertook the research before the global COVID-19 pandemic. I think that if we now layer onto this the need to mobilise your security operations team to work remotely, the other challenges of shifting to a distributed environment, and labour being impacted as employees self-isolate or, worse still, become ill, you can start to see how this skills and resource picture is going to rapidly worsen.
To this point, our research showed that nearly half (49%) of both IT and security respondents reported being understaffed, with security respondents noting their specific teams are on average 48 percent understaffed and IT teams saying they are on average 26 percent understaffed. This talent gap continues to be a theme across the IT and security landscape. According to our study, 79 percent of respondents said finding the right security talent is either “very challenging” or “extremely challenging” and 70 percent reported the same level of challenge for IT talent.
We found that this issue is further magnified by the C-suite’s perception of IT and security staffing. Only 31% of C-suite respondents said their IT and security teams were understaffed while 61% of VP and below respondents said these teams were understaffed. This 30-point delta suggests that the C-suite may be out of touch with the day-to-day IT and security resourcing needs of the organisation.
However, there is some good news: our research found that as security continues to grow in relevance and importance, budgets have also increased for 80% of the survey respondents. Both security and IT have seen increased investments in the last year. Among survey respondents 77% said they purchased new security products, 69% reported that they had increased security staff, despite the skills shortage, and 56% reported an increase in IT staff.
So based on this and the current exceptional times that we find ourselves in, what tips and advice can we give to these resource-stretched teams, to improve their security posture and enable them to fight back against the attackers and change defender behaviour? And while that answer often depends on individual circumstances (recommendations for consumers, SMBs and large enterprises may differ), here are three quick wins that everyone can implement.
Stay on top of patching and regular software updates. Both individuals and organisations should stay abreast of the latest patches and updates from software vendors. Patches often resolve weaknesses and security vulnerabilities within products. Patching lessens the risk that a hacker can take advantage of a previously existing weakness. For organisations, IT Ops teams need to be able to patch and configure devices remotely. Security solutions should allow you to identify vulnerabilities, install patches and validate configuration remotely via the cloud, giving your team the confidence that every endpoint is up to date on the latest policies and secure.
Use multi-factor authentication (MFA). Multi-factor authentication adds an additional step to the process of accessing critical data. The first step is a username and password, and the second step is additional verification (like a PIN or a push). MFA is becoming increasingly popular for many services we access daily. Enabling multi-factor authentication ensures that the user logging in as an employee is truly who they say they are. MFA also lessens the risk of poor password hygiene. Still, as a rule of thumb, passwords should be truly random, 16-character phrases containing upper- and lower-case letters, numbers, and symbols.
Leverage a VPN. With so many employees working remotely now, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public Wi-Fi can be a gamble as it only takes one malicious actor to cause damage.
As with any situation where infection is a possibility, a healthy amount of scepticism is always warranted. Be wary of emails coming from unknown sources, particularly if the requestor is asking you to click on a link or an attachment. When in doubt, pick up the phone and call someone to ask if their request is valid.
And finally, it has never been more important for teams to collaborate and work together. Whether you are in the security or the ops team, organisations should empower teams to tackle security as a team sport, working together to overcome skill and resource issues and fight back against the odds in these exceptional conditions.