key: cord-1031134-fhvkxpyf
authors: Chapman, Phil
title: Are your IT staff ready for the pandemic-driven insider threat?
date: 2020-04-30
journal: Network Security
DOI: 10.1016/s1353-4858(20)30042-8
sha: 3e63d9f893e94aabbda603a057ea8fbcbf495441
doc_id: 1031134
cord_uid: fhvkxpyf
As this article is being written it's mid-March. The situation likely will have changed significantly by the time you read this, as it does by the day and even the hour. The World Health Organisation (WHO) has declared Covid-19 to be a global pandemic and the UK Government has stepped up its response from the ‘contain’ to the ‘delay’ phase. Public spaces and transport are noticeably quieter and many workplaces are getting emptier as staff members work from home.
The Covid-19 pandemic and consequent lockdowns are hitting businesses hard. And as workforces move to remote working, IT departments are under pressure. At the same time, cyber criminals are exploiting the pandemic, with rises in phishing and other forms of attacks. The cyber security workforce, already suffering a skills crisis, may lack the soft skills required to effectively tackle these issues, many of which could be solved if the industry didn't rely so heavily on recruiting graduates and rather looked towards hiring apprentices, argues Phil Chapman of Firebrand Training.
Obviously the threat to human life is the top concern for everyone at this moment. But businesses are also starting to suffer as productivity slips globally and the workforce itself is squeezed. The UK Government's March budget did announce some measures, especially for small and medium-size enterprises (SMEs), that will make this period slightly less painful for organisations. However, as is apparent from the tanking stock market (the FTSE 100 has hit levels not seen since June 2012) the economy and pretty much all businesses in the country (unless you produce hand sanitiser) are going to suffer.
There is no time like now for the UK to embrace its mantra of 'keep calm and carry on' because that is what we must do if we're going to keep business flowing. For the IT department at large there is lots of urgent work to do to ensure that the business is prepared to keep running smoothly even if people are having to work remotely. The task at hand for cyber security professionals is arguably even larger as Covid-19 is seeing cyber criminals capitalising on the fact that the insider threat is worse than ever, with more people working remotely from personal devices than many IT and cyber security teams have likely ever prepared for.
This article will argue that the cyber security workforce, which is already suffering a digital skills crisis, may also be lacking the adequate soft skills required to effectively tackle the insider threat that has been exacerbated by the pandemic. It will first examine the insider threat, and why this has become so much more insidious because of Covid-19. It will then look into the essential soft skills required to tackle this threat, before examining how organisations can effectively implement an apprenticeship strategy that generates professionals with both hard and soft skills, including advice from the CISO of globally respected law firm Pinsent Masons, who will provide insight into how he is making his strategy work. It will conclude that many of these issues could be solved if the industry didn't rely so heavily on recruiting graduates and rather looked towards hiring apprentices.
In the best of times, every cyber-professional knows that the biggest threat to an organisation's IT infrastructure is people, both malicious actors and - much more often - employees and partners making mistakes. The problem is that people lack cyber knowledge and so commit careless actions - for example, forwarding sensitive information to the wrong recipient over email or plugging rogue USBs into their device (yes, that still happens).
Cyber criminals capitalise on this ignorance by utilising social engineering tactics ranging from the painfully simple, like fake emails from Amazon, to the very sophisticated, such as CEO fraud. A contact from the industry who works at one of the world's largest consultancies recently relayed a case of CEO fraud where a cyber criminal hacked into a CEO's email server to learn the syntax he used. The hacker then sent a carefully crafted redemption request to the CEO's fund manager and was able to steal £5m.
Remote working adds a new layer of complexity to the problem. In 2018, CybSafe claimed that 32% of organisations surveyed had experienced a cyber attack as a direct result of an employee working outside of the business's security perimeter.[1] This statistic is probably conservative in contrast to what the reality would be now, with The International Workplace Group reporting last year that 50% of employees globally work away from the office at least two and a half days a week, which seems high, and this is shifting closer to the 100% mark, albeit temporarily.[2] Working remotely brings up the same problems as bring your own device (BYOD) - if your users are working on a personal device, is this device secured with a company-sanctioned level of anti-virus software and password protection technologies? Then, personal device or well-secured work device aside, what network are they connecting to?
Are they relying on a virtual private network (VPN) or their home Internet service provider (ISP) capabilities, which could be more vulnerable to infiltration than your well-fortified internal network? As well, being physically away from the organisation usually results in a slower response to regular health-checks such as patching, updates and upgrades, so it must be a priority for businesses to establish regular and planned activities to ensure that all of this is looked after.
To make matters worse, hackers are producing scams taking advantage of the Covid-19 pandemic - with Check Point finding that coronavirus-related domains are 50% more likely to install malware onto your system.[3] Some attackers have even designed specific websites that encourage visitors to download an application that will keep them updated on the latest Covid-19 news. When you download the file, a map of how the disease is spreading pops up, but a malicious binary file (using software known as AZORult) has been installed in the background. AZORult is known to steal victims' browsing history, cookies, ID, passwords and crypto-currencies.[4] The situation is so dire that even the WHO has provided a six-step guide as to what to look out for, which includes verifying email addresses, heightened awareness around providing personally identifiable information (PII), not feeling pressured to supply and respond in these times of urgency and reporting anything that doesn't feel right.[5]
Cyber security teams must make sure that strict measures and policies are in place to ensure the highest level of security when staff are working from home. And if this isn't a common practice already, now is the time to implement it - and quickly. Top strategies include requiring multi-factor authentication to log into company portals, and requiring all personal devices to be equipped with employer-provided security software and the latest software updates prior to permitting any access to remote systems.
But of equal importance is ensuring that staff are equipped with the essential cyber skills needed to avoid scams - and that they follow company policy because they understand why strict measures are in place. And, funnily enough, to deal with and teach people, you need people skills!
Before discussing the importance of people skills, it must be acknowledged that something the cyber security workforce is missing is people. UK cyber security is now worth £8.3bn and is staffed by 43,000 full-time employees.[6] However, despite this, as we're all aware, there are not enough people to fortify organisations against cybercrime, with the average data breach costing businesses £3m.[7] The International Information System Security Certification Consortium, or (ISC)² - a non-profit specialising in training and certifications for cyber security professionals - found the global skills gap grew by 33% in 2019. Some 65% of firms have a shortage of cyber staff and the UK needs to increase its workforce by 291,000 people to plug the gap.[8]
Many organisations will assume that, because the job is technical, cyber security professionals must have a university degree to qualify. However, this simply isn't the case and is part of the reason why we are struggling to fill the cyber security skills gap - there aren't enough cyber security graduates to defend against the UK's cyberthreat.
The solution lies with an incredibly underestimated group of people. Apprentices become fantastic cyber security professionals, who have the technical skills that graduates have, as well as arguably better soft skills because their learning process requires them to get real-world experience working with people. Apprentices gain a deep understanding not just of the network, but also the business and its culture. This means that, when putting a cyber security policy together, they can develop something that is bespoke to their business.
It also means education and general cyber security communications can take place in the company's tone of voice, via the medium that employees are most likely to read. This sounds simple, but sadly many businesses view education, policy and communication as an afterthought. And, as discussed earlier, this is especially important at the moment when remote working and Covid-19-themed hacks are making the organisation especially vulnerable.
Of course, technical knowledge is critical. Professionals must understand systems architecture and be able to identify attacks and implement relevant defences (as well as mitigate against issues). But apprenticeships can still come out tops because they enable individuals to implement new skills immediately, allowing them to put into practice what they've learned. Apprenticeships must not be underestimated - they are arguably the best option out there to develop the truly rounded professionals that the modern workforce needs.
A business concern may be that the difference with an apprentice is that the organisation has to help train an individual from scratch as there is a chance they'll have no cyber security knowledge whatsoever. This is a legitimate concern because apprenticeships do require investment in time and money, but arguably no more than a good graduate scheme would. To expand on this, the average cost of an apprentice for a company amounts to £18,000 for a one-year programme. With that, each apprentice will study towards three to four vendor certifications, as well as getting a full year's worth of mentoring while working and developing those all-important practical skills at the same time. This approach exposes them to every nook and cranny of your systems while at the same time equipping them with the skills they need to spot threats from within.
Aside from this being far less than you'd pay for the average graduate, with salaries starting around the £28,000 a year mark, apprenticeships are valuable in another, less-obvious way - retention. Paying for apprenticeship qualifications also doesn't need to come from your precious HR budget. The Apprenticeship Levy is a compulsory UK tax on organisations whereby those with an annual pay bill in excess of £3m keep aside 0.5% of the bill minus an additional annual 'levy allowance' of £15,000 which they must spend on apprenticeships.[9] Basically, organisations have a pot of money which, for many, goes untouched when it could be used to bring in new apprentices or upskill existing employees.
In terms of implementing these schemes so as to have a strategy that produces the most well-rounded cyber-professionals, Christian Toon, CISO at Pinsent Masons, believes that training apprenticeships are a key part of a wider, layered approach to cyber defence within the organisation. With regards to bringing in apprentices for the first time, he says: "It's important to broaden your recruitment approach. Your organisation may have a recruitment rule, such as only hiring from red brick universities, but to find apprentices from all walks of life you need to move away from traditional funnels. Look out for people showing a willingness to learn - some of the best apprentices I have found have been via online forums like Twitter. Put a post out via your organisation's profile and see what sort of responses come back to you - you will soon find that people who aren't necessarily qualified but have a real passion for technology will emerge."
Once you've found apprentices and brought them into your organisation, Toon acknowledges that there can be challenges, but flexibility is key. "Organisations must make allowances for the development of people and of course this takes time and resources," he says.
"Especially if you are hiring younger people who have never worked in an office before, patience is absolutely essential and setting aside time for your apprentices to spend time studying as well as learning practical skills is key. In terms of giving them real-world experience, there are two ways to do this efficiently.
"First, allow them to help on tasks where they will see a demonstrable change - for example, blacklisting domains. Second, give them projects to work on independently: even better if these projects allow them to break something. I recently challenged an apprentice to work on a vulnerability assessment because with the rise of the IoT we've seen some new wifi networks pop up on our network. The apprentice had to scan and identify the networks, profile them to see what data was beaconing from them to identify their owners and finally, if compliant with the Computer Misuse Act, they could try to break any networks that weren't meant to be there."
He concludes with a call out to the industry. "I don't come from a traditional university-educated background," he says, "so may be more passionate than others about the importance of supporting young people who want to get into digital roles but may find university an inaccessible route. Training more people doesn't just benefit them, it benefits the entire industry. As Jack Lemmon said: 'No matter how successful you get, always send the elevator back down'."
The cyber security industry must start valuing apprenticeships as equal to, if not better than, a university degree. This argument may be controversial, especially seeing as the majority of the cyber security populace at this stage probably do come from a university background.
We most definitely should not stop hiring graduates but it is of critical importance that we widen the hiring pool to also include apprentices, and those from other departments that have upskilled via digital apprenticeships. This unique way of learning the trade equips people with both the hard and soft skills needed to fight insider threat-centric cybercrime, which is especially important at the present when Covid-19 is pushing more people than ever to work remotely. We will get through this tricky period and the cyber-challenges it is throwing at us, as long as we don't ignore the cyber security skills gap and keep educating fantastic professionals who can defend the UK and the world against mounting cybercrime.
1. 'A third of cyber attacks exploit unsecure remote working'. ITPro
2. 'How remote working increases cyber security risks'.
3. 'Coronavirus domains 50% more likely to infect your system with malware'. The Next Web
4. 'Hackers are using coronavirus maps to infect your computer'. The Next Web
5. 'Beware of criminals pretending to be WHO'. The World Health Organisation
6. 'UK's booming cyber security sector worth £8.3 billion'. UK Department for Digital
7. 'Kaspersky reveals magnitude of British business cyber-complacency'. Software Testing News
8. 'Cyber security skills gap reaches all-time high'. Firebrand Training Blog
9. 'Guidance: Apprenticeship funding: how it works'. Education & Skills Funding Agency