Cybersecurity may have once referred to IT departments ensuring that company machines ran antivirus and that networks were hardened against intrusion, but now it covers much more ground. In addition to overseeing endpoint security, CIOs et al must also mitigate insider threats and come to terms with the long-term effects of cloud computing, smartphones and tablets on their operations. To give a sense of the changes afoot, consider:
- The number of mobile devices worldwide is set to exceed the human population this year, nearing 8 billion. In the U.S., the typical user spends more than 3 hours a day on a smartphone or tablet, which is double the time devoted to eating.
- There are already 1.4 billion smartphones in use and 1.8 million are sold each day. The total is already almost on par with the 2 billion PCs out there, despite a multi-decade gap between the mainstream acceptance of the two technologies.
- Almost nine in 10 of the small and midsize businesses surveyed in RightScale's 2014 State of the Cloud Report said they were using the public cloud. But cloud isn't just for SMBs. Last year, Gartner predicted that half of enterprises would have a hybrid cloud – on-premises infrastructure plus a shared platform like Amazon Web Services – in place by 2017.
- The so-called consumerization of IT is often shadow IT in disguise, i.e., employees using apps and services that haven't been approved by the IT department. At many companies, the convenience of using social media and consumer cloud storage means that shadow IT is sometimes 10 times the size of known cloud usage.
- The Internet of Things, which extends connectivity beyond PCs and mobile devices to embedded sensors and wearables, is expected to be an $8.9 trillion market by 2020 with more than 200 billion connected items. As such, it would be one of the world's largest industries.
Together, these trends in mobile device adoption (particularly as enabled by bring-your-own-device policies), cloud usage and the growth of IP networks mean that cybersecurity must address many new attack surfaces. It's no longer realistic to assume that employees will use only company workstations that have been thoroughly vetted for threats and secured with appropriate software.
Although the time for a revised approach to cybersecurity has already arrived, many enterprises are still struggling to update theirs, even as they roll out new technologies and initiatives. A 2012 Trend Micro survey of 872 IT decision makers found that almost half of respondents that allowed BYOD had experienced a data breach as a result of unauthorized network access. Protection is taking a backseat to consumerization, but why?
Lack of useful cybersecurity training may explain breaches and vulnerabilities
For many employees, cybersecurity is naturally a less interesting topic than being able to use their favorite apps inside the workplace. The problem is that many of the most popular apps for iOS and Android, both free and paid, exhibit risky behaviors, such as location tracking and single sign-on via a social network such as Facebook or Google+. For example, 56 percent of the top 200 iOS and Android apps from last winter read the device's unique identifier/UDID. These actions give a sense of how loosely enforced policies can eventually pave the way for a data breach. Personal app usage is a cybersecurity issue and should be treated as such.
Ideally, cybersecurity education would make everyone in the company aware of the risks associated with storing sensitive data on third-party services or publicly posting one's location while traveling for work. But there's a widespread lack of familiarity with cybersecurity best practices, and this deficit is present from the office floor to the C-suite:
- A 2012 ESET survey found that only 10 percent of consumers had received any security training within the previous 12 months. Sixty-eight percent had received no such instruction ever.
- Similarly, almost 90 percent of senior managers surveyed for a 2014 Stroz Friedberg study reported uploading company assets to personal cloud accounts or sharing them via email. Executives were much more likely to have taken files with them after leaving than their subordinates.
- The U.S. federal government has recently struggled to find enough highly skilled cybersecurity professionals to fill critical positions. Although the shortage can in part be attributed to a salary disparity between the public and private sectors, it also speaks to the need for formalized and even professionalized cybersecurity training in order to produce more individuals who can help organizations improve their defenses.
In an article for Forbes, Kathryn Dill recommended taking a straightforward approach to educating employees about risks and responsibilities. Techniques could include explaining common notifications or framing cybersecurity as something as important as locking the door to keep intruders out. At the same time, it's important to keep these educational sessions brief and to the point. A short, simple list of guidelines governing downloads and file sharing, for example, could go a long way to helping everyone understand what is and isn't acceptable.
Toward cybersecurity professionalization?
Enterprise operations are becoming increasingly digitized, creating – as the aforementioned federal government scenario demonstrates – demand for professionals who can understand and contain threats. Education of employees, from line-of-business workers to CEOs, is vital, but the growing stakes for comprehensive network security mean that instruction may need to go to another level and encompass individuals with formal training.
The authors of a recent study from the Pell Center for International Relations and Public Policy at Salve Regina University argued that escalating demand for cybersecurity should push the community to professionalize it. In this sense, it would become like the legal profession, with a body analogous to the American Bar Association that would provide guidance.
"There's nothing that prioritizes different educational programs," said Francesca Spidalieri, one of the authors, according to Computerworld. "There are no standards across different specialties. There is no single organization that can take ownership of this field."