A quarter of a billion data breaches were reported in 2017, with the likes of Equifax, Verizon and Wonga hitting the headlines. This has served as a reality check for organisations and forced IT security – specifically the protection of core intellectual property, assets and customer data – to the top of the boardroom agenda. Damage to corporate reputation and financial losses from cybercrime – now topping £291bn annually – have left businesses reconsidering how best to manage their security information, infrastructure and personnel when it comes to defending against cyberattacks.
Businesses are struggling to keep pace with the cyber security arms race, as hackers become more diverse and attacks more complex. At the same time, there are greater threats to deal with. Technologies such as Big Data, Internet of Things (IoT), AI and robotics are disrupting firms faster than ever before, and while they all present their own opportunities for innovation, some of these developments can leave organisations more vulnerable to cyberattacks. Organisations need to combat this by building up an effective arsenal of security skills and supporting technology across the business.
Bolstering defence – the specialist skills most in-demand
The industry is facing an escalating digital skills crisis and IT security is a major part of that – by 2021, there will be three million unfilled jobs in cyber security worldwide. Businesses are challenged to both keep pace with the wave of new technologies that are continuously emerging and to prepare for ever more prominent cyber threats.
Despite the need to bolster businesses’ defences, new research reveals that demand for permanent IT Security staff has actually dropped 10 per cent in the past year (from Q4 2016 to Q4 2017). However, when it came to remuneration, salaries for these positions rose by 4 per cent during the same period. The average salary for a cyber security role in the UK is now £60,004 – much higher than the likes of Mobile (£53,240) and Web Development (£46,154). While employers need fewer recruits overall, they are willing to pay a premium for the IT Security specialists they do hire.
As a result, competition among IT security professionals for these lucrative roles is fierce, with candidates battling it out for fewer specialist posts. Candidates looking to fill these permanent positions must make sure they are equipped with the most in-demand skills on the security market. Currently, businesses are looking to hire individuals with specialist penetration testing, security architecture, security operations and biometrics skills. But there is also a growing need for security teams to have high-end qualifications, such as CISSP (Certified Information Systems Security Professional), SIEM (Security Information and Event Management), IDAM (Identity Access Management), and ArcSight.
Strengthening the cyber security force in the short-term
In what is being dubbed “the year of regulation”, businesses must be able to demonstrate that they have cyber security policies, procedures and skills in place, as failure to comply with the General Data Protection Regulation (GDPR) could leave them facing significant fines.
In the race to become compliant, businesses are looking to contractor support to drive this forward. The same research showed that, despite the decline in permanent IT Security roles, the market saw a 24 per cent year-on-year increase in demand for IT Security contractors over the same period (Q4 2016 – Q4 2017). However, even with this surge in demand, IT Security contractors saw a 13 per cent decrease in day rates (Q4 2016 – Q4 2017). This pattern is the reverse of what the market looks like for permanent cyber security roles. It’s possible that this is the result of businesses focusing their immediate attention on plugging short-term gaps with a high volume of talent ahead of the looming GDPR deadline on 25th May.
By allocating contractors to lower value, higher volume tasks, companies can also free up more time for permanent IT Security staff and their teams to focus on more complex, specialist workloads. However, the focus on contractors must not detract from the longer-term view. Businesses must equally ensure they are upskilling permanent staff with the security skills needed to tackle emerging cyber threats.
Investing in the right people to conquer compliance
These permanent employees, who have long been focused on digital protection alone, must also now consider the wider business implications of cyber security. There is no denying that new regulations such as GDPR and the Directive on security of network and information (NIS Directive) will bring new challenges. Businesses will need to ensure that they are storing, securing and processing data properly and will be required to report a data breach within 72 hours. They will also be expected to conduct in-house evaluations of their data protection processes and policies, with companies processing large amounts of data required to appoint an independent data protection officer (DPO).
While bringing in contractors may be an effective tick-box approach to compliance, organisations must not forget the long-term view. Maintaining compliance with GDPR is not a one-off, and businesses must ensure that they can demonstrate compliance for the coming years. This means engaging their entire workforce to ensure a long-term solution. It’s key that all employees across all departments are aware of their responsibilities in relation to GDPR and have the right skills and knowledge to remain compliant in their day-to-day activities.
Employees – the weakest link in cyber security defence
This is especially true when you consider the fact that people are often the weakest link when it comes to cyber security. If hackers can get through to untrained employees, they are much more likely to be successful in breaking into the organisation. Research shows that careless or untrained staff members are the most likely access point for cyber criminals.
As a result, improving employee awareness of data security, specifically in large organisations, has become paramount in recent years. Businesses may have bolstered their cyber security defences to protect their core assets, IP and data, but even the most advanced systems do not account for a lack of employee awareness.
IT Security must therefore become the responsibility of every employee within the company. And this is another way that organisations can effectively use IT contractors. Expert contingent staff can be utilised to train and upskill permanent staff across the business with the cyber security tools they need to protect against emerging threats, without adding more expensive permanent headcount. This will also help to increase employees’ awareness of security, as well as their own accountability to protect the business, ultimately helping to strengthen defences against cyberattack.
The IoT chink in the business armour
With the number of connected devices set to grow to over 20 billion by 2020, organisations now face the challenge of securing vast amounts of data moving across their network, whilst at increased risk from ever more sophisticated cyberattacks. Last year, for example, hackers stole data from a casino by hacking into a fish tank connected to the Internet. And the number of malicious programs attacking IoT devices has more than doubled in recent years.
Every connected device that is linked to a business presents a new window of opportunity for cybercriminals to take advantage of. And this has not been helped by an increasing number of employees bringing their personal connected devices into the workplace.
What’s more, the introduction of cloud computing has given rise to flexible working, with companies now challenged to manage and protect personal devices being used by employees remotely. Organisations that simply ignore the evolving expectations of their employees and don’t have the right security policies in place will only leave themselves open to attack.
With the millennial generation making up the majority of the current workforce, we can expect increased flexible working and telecommuting to become commonplace. Having a fully-fledged and confident IT team that can tackle any aspect of this working environment will be essential.
Employers are focusing on their short-term security priorities at the moment – with eyes firmly fixed on compliance. However, the cyber issues that boardrooms across the UK face today are much bigger than this. The Government estimates that digital skills will be needed for 90% of jobs in 20 years’ time and security is fast becoming a crucial part of that. As employees become more of a target for cyber attackers, businesses should capitalise on the presence of expert contractors to train up their wider employee base and complement their more specialist recruiting efforts. With these tactics in place, businesses will give themselves a fighting chance of not just winning the short-term battle, but also the long-term cyber security war.