[BreachExchange] Is Cybersecurity Skills Shortage Really the Cause of Data Breaches?

[Destry Winant]

https://www.cpomagazine.com/2018/11/12/is-cybersecurity-skills-shortage-really-the-cause-of-data-breaches/

Facebook, Under Armour, Ticketfly, Panera. What do these companies
have in common? They’ve all suffered significant data breaches in
2018. The frequency and magnitude of cyber attacks seems to be
growing, and even the threat of massive fines allowed for under
privacy legislation such as GDPR doesn’t seem to be having much of an
impact. And when you consider that there’s a growing shortage of
cybersecurity professionals, it’s tempting to draw a connection
between the two, to say that there aren’t enough cybersecurity
professionals to adequately protect and harden and monitor computer
systems today, whether they are on premises or in the cloud, and that
this is the root cause of the data breaches.

I would argue that this is a myopic view. On a fundamental level, the
argument does hold. But the reality is much more complex. The breach
problem is being driven by an evolving, expanding attack surface, with
evolving and expanding mechanisms for accessing this attack surface.
If I hack a phone, or an app, it’s highly likely that I’ll be able to
get into a database. Even five years ago, this wasn’t possible.

It’s important to recognize that the number of data breaches is
increasing rapidly, and that the primary driver behind this growth is
the amount of data available online. There’s more data, and so there
are more breaches. When there is more data than ever before, in more
places than ever before, there’s a much bigger attack surface. There
are also more possible routes into organizations than ever before,
including mobile devices and IoT devices, and more people who use
these varied ways to access data than ever before. It’s inevitable
that the size of the attack surface has attracted more attention.

Another misconception is that it’s infrastructure and data that’s
being hacked. Instead, we need to think of it as people being hacked.
Instead of going after the infrastructure that houses the data, or the
data stores themselves, cybercriminals are increasingly going after
people and the way they access data.

We see this with the continuing rampant proliferation of
spearphishing. Instead of one-to-many attacks, cybercriminals are now
focussing on one-to-one attacks. When successful, these attacks grant
access to credentials, devices, personas, that ultimately allow an
organization to be breached. It’s no coincidence that spearphishing
attacks focus on executives, people who are extremely busy and who
receive regular urgent requests for assistance.

Another attack vector is breaches aimed at third-party suppliers to
gain access to organizations. One well-known breach of Target occurred
when criminals were able to access the vulnerable network of an HVAC
provider. Due to a lack of proper network segmentation controls,
access to the HVAC provider was used to gain access to Target’s POS
systems, and from there, the criminals gained access to sensitive
customer data.

While the size of the problem may not be directly related to the
skills shortage, it is exacerbating that shortage. Today, more than
ever, especially in Canada, there are more cybersecurity programs at
more academic institutions than ever before. The number of programs
has expanded dramatically in the last ten years, and it’s now possible
to get an advanced degree in cybersecurity. But it’s still not enough.
Yes, the talent pool is growing. Unfortunately, the problem is growing
faster.

Cybersecurity work is interesting and dynamic. Because of the skills
shortage, it certainly pays well. So why is there still a dire
shortage of cybersecurity professionals? In a nutshell, for many
individuals, the reasons to become a cyber criminal are more
compelling than those for becoming a cybersecurity professional.

There are three main reasons to enter the talent pool. First, there
are high paying jobs. Second, there are many jobs available. Third,
the focus of economic activity is shifting from manufacturing to
technology. Now, let’s consider the breach problem. It’s driven by
rampant capitalization: financial capital, political capital,
intellectual capital, and personal capital. For many people, these are
much more powerful motivations than going to school with the goal of
becoming a cybersecurity professional. The principal driver behind
cyber crime is that it offers an opportunity that can be capitalized
immediately, at low cost, and with a high degree of success. For an
18-year-old in India, university may not even be an option. Going onto
the dark web and downloading a free ransomware toolkit is much more
attractive, and it offers the chance to get paid within 24 hours.

Another important issue to consider is the prevalence of stolen or
hacked operating systems. In many disenfranchised countries, a
significant percentage of operating systems are not genuine installs.
As such, they will not receive operating updates. As a result, the
size of the attack surface in these countries is growing even faster
than it is elsewhere. Defenses against cyber attacks may be shored up
regularly in North America and Europe, but the global botnet is
constantly growing. This is also contributing to the growing data
breach problem.

When you consider the size of the attack surface, its complexity, and
the fact that it’s growing at an unprecedented rate, and you consider
the various motivations for engaging in cyber crime, it’s easy to see
that the shortage of cyber warriors is actually a very small factor.
Here in Canada, we perceive that people with cyber skills have a
choice. They can choose the dark path, or the light path. But that
choice is a luxury, born of a stable, thriving economy. Many people in
the developing world don’t have that choice. For them, the dark path
is the only way forward. I would argue the problem of data breaches
isn’t a cybersecurity or technology problem—it’s a socio-economic and
geopolitical problem. The way things are trending, this problem is
going to get worse before it gets any better.