Why IT security contractors don't fear cyber warfare
They may not admit it, but IT contractors are potential beneficiaries from the growth of cyber terrorism, if they can ‘hit the ground running’ with certain competencies that are increasingly on the lips of organisations at risk, writes Stephen Walker, a manager at Venn Group.
Before we explore these competencies that our contract and interim IT staff recruiters are being urged to source, it is necessary to consider the cyber crime/terrorism threat and put it into context – both globally and for organisations in the UK.
By doing so, I will show that while the typical IT contractor may have the fast-paced recruitment market to keep up with, cyber security contractors also have to keep up with e-criminals and their techniques. This criterion, or competency, is in our client briefs for certified security consultants.
The cyber crime/terrorism threat in 2014
Eugene Kaspersky, a leading expert on cyber terrorism, said this month that a “major, global attack is imminent.” He outlined how businesses are worryingly underprepared for the threat posed by the mysterious network of criminals who operate in the darker corners of the internet.
This isn’t a new threat, but it is getting worse and more brazen. One crime syndicate has even taken to offering a luxury sports car to the hacker who can come up with the most innovative scamming technique, in what appears to be a perverse ‘employee of the month’ contest.
The threat posed by the internet to the UK, its consumers, corporations and critical infrastructure doesn’t just come from Ferrari-toting criminals holed up in remote parts of the world. Recent UK reports have stated that a wide range of the nation’s IT professionals are being targeted by foreign intelligence agencies, looking for domestic personnel who can help them obtain sensitive data from British companies.
With the threat from electronic crime and terrorism seemingly coming from all angles, how can IT contractors’ end-clients develop effective strategies to combat it?
A glistening IT security chain is only as strong as its weakest link
The first thing that’s needed is a profound shift in the teaching of the subject. Many IT security experts say the best cyber defence is a result of both technical measures and human behaviour.
This combination is something the best cyber security contractors know well. But the marriage between technical provisions and human conduct is a union that more organisations need to understand, promote and embed. As has always been the case, a company’s entire online security, perhaps painstakingly developed by a contractor who’s since moved on, can be undermined in seconds, simply by an end-user employee downloading unsecured files.
So staff not fully understanding the threats of online crime or terrorism is still an issue for organisations. But so too is the outfit’s willingness to recognise that they’re not just managing their own defences – they’re likely looking after an interconnected ecosystem of suppliers, partners and consumers, all of whom fall under the organisation’s responsibility.
Taking this holistic approach requires cyber security teams to constantly be updating a front-line understanding of all potential threats, and their associated safeguards, so dangers can be protected against. It also requires all parties in the contractual chain (and all those plugged into the IT network) to have sound cyber security knowledge that evolves as the dangers do. More important perhaps, organisations need to create a corporate culture that encourages conscientious online behaviour that creates the least possible amount of risk for them.
Cyber teens, Onion Routing and up-skilling permies
Fortunately for cyber security teams and contractors, who are increasingly being expected to ‘up-skill’ those in the organisation whose cyber security awareness is lacking, the government is taking action.
In particular, the coalition is planning on developing cyber security skills in 11-14 year-olds, with cyber security apprenticeships to be offered to the top performers. This is a welcome move because like almost every other area of crime, the criminals in the digital space are generally one step ahead of the law. By developing competencies in younger people, the UK has a chance of being armed with workers who have a good understanding of the cyber security landscape in as little as a decade.
For now however, and aside from slack online behaviour by employees, much of the threat comes from gangs of cyber terrorists based in hard to access jurisdictions. This creates a relatively risk-free platform to attack from, and means law enforcement agencies have no real power to do much about it. Current estimates from EC3, the focal point of the EU’s fight against cybercrime, put the percentage of cybercrime activity coming from Russian-speaking territories at 85%. However, many believe the increasing spread of internet coverage in Africa could drive criminal organisations to relocate, potentially meaning cyber terrorists could become even harder to track down in the future.
Not that they’re easy to find now of course. The majority of online attacks stem from the deep web, which requires an anonymous IP address to access it. This so-called ‘onion routing’ means that the vast majority of criminals can hide their activity underneath multiple layers of encryption which allows them to continue unprosecuted.
What cyber warfare means for IT contractors and their clients
What’s much clearer to gauge is that organisations mustn’t hang around and wait for the so-called ‘cyber warriors,’ wherever they may be located, to mature into employable adults. Outfits need to act with urgency; quickly take on and rapidly deploy experts with a full understanding of the cyber security landscape and hope that they share their nuggets of wisdom with the workforce as a whole.
There also needs to be more of a focus placed on ‘Real-Time’ action. Organisations need to build processes to identify and neutralise threats as they happen. This ‘pro-active’ approach will require IT contractors to develop and embed these systems, and they may have to help permanent members of staff, not with the systems perhaps, but maybe in educating them about online behaviour that minimises exposure to criminal and terrorist threats.
End-users having to take on a cyber security developer or systems integrator to install Real-Time safeguards is just one of many examples of how IT contractors could potentially benefit from the growth in cyber crime. In addition, if businesses do want their digital divisions to develop anti-terrorism strategies, then this too will require IT contractors, as there are definitely not enough IT permies with cyber terrorism expertise to go around.
Yet the role certainly isn’t as simple as it used to be. It's no longer just about preventing attacks and many end-user staff probably still think installing an anti-virus software and setting up a firewall will be enough protection, but it isn’t. This is where experts are needed to educate end-users (and their staff) about the very real threat posed to them. Otherwise, the UK isn’t just risking an imminent attack -- as outlined by Mr Kaspersky -- it’s positively encouraging one.
In review -- competencies the best cyber security specialists possess:
- An active awareness of the need to complement new technical measures with matching provisions on human behaviour
- An ability to educate end-user staff as part of creating an environment conducive to conscientious online conduct
- Taking a holistic approach to IT security, recognising the many separate parties using the central network and helping form technical and human/staff policies accordingly
- Developing IT security knowledge in all such parties, further to your individual knack of staying up to date with the latest threats (such as Onion Routing)
- An understanding of Real-Time defences, knowing how to build such software/ systems and, where possible, being able to integrate them with existing technologies.