In recent years, cyber attacks against companies have been increasing in sophistication, with the harm ranging from brand damage to the irreparable destruction of consumers’ lives.
However, it is not merely about ensuring the safety of consumer data, but rather guaranteeing the integrity of systems as well. As the world moves into a new golden age of technology – artificial intelligence (AI) and connectivity – cybersecurity should be a main focal point.
One nation, China, has announced a 2030 vision for AI development and seeks to achieve an unprecedented level of technological integration in its citizens’ lives.
Having everything attached together in the Internet of things (IoT) will monumentally increase the vulnerabilities present in any given network. With more nodes, connections and burden of connectivity, systems are going to have to be more secure. Rev 4.0 will usher in more calls for greater cybersecurity.
Placing more of one’s processes online, digitising what would be manual tasks, for example, places a bigger target on one’s back for attackers. Whilst the motivations of assailants cannot be controlled, companies must match their automation and digitisation of processes with stronger and smarter cybersecurity practices.
To take one criterion as an example, using big data to augment digitised processes (such as using data to predict buying trends that then feed a factory’s production queue with quotas) presents a unique challenge. Companies have a duty to protect that data and thus must secure all transmissions of that data, ensuring all nodes on the network (from the manufacturing robots to the data controller’s terminal) are secure.
Ultimately, AI systems will rely on large datasets, hosted either locally or externally (through the cloud or otherwise), to analyse incoming data from a vast number of sensors, from heat to motion, and make quick decisions about what needs to be done. Take a smart home AI for example.
Acting as a personal house servant, the AI will rely on cloud technology to predict outcomes using existing data about the family. Should you purchase milk every Friday, the AI could use machine learning to create a goal to remind you of it. Whatever the purpose of the AI, cybersecurity needs to be considered alongside the development.
Skills Shortage: Critical Issue
Venture capital firms invested close to US$3.1bn in 300 cybersecurity start-ups in 2016, according to research firm CB Insights, presenting large platforms for cyber development. However, whilst the ideas are plentiful, the talent is somewhat lacking. ESG research (2017) found that 45 per cent of organizations which took part stated they have a problematic shortage of cybersecurity skills.
A further study of 343 cybersecurity professionals, conducted by ESG in association with ISSA, found that 70 per cent of organizations were affected by the cybersecurity skills shortage, with 63 per cent believing the shortage increases the workload for existing staff and 41 per cent believing existing professionals rely on a culture of emergency threat response rather than cultivating security.
Such a skills gap is causing existing professionals to take on workloads that are larger than they can manage, overwhelming them and decreasing their efficiency. Consequently, there is less time for training. Furthermore, the overwhelming workload is also caused by a shortage of working staff in the area, causing professionals to target emerging threats rather than actively patrolling the company’s environment.
Ultimately, a deepening skills shortage will lead to bigger data breaches in the future as attackers become more sophisticated. As Jon Oltsik, senior principal analyst at ESG, opines: “The cyber-security skills shortage represents an existential threat to our national security and this year-over-year comparison data bears out this fact. We are not making progress, cybersecurity professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous.”
On the other hand, the lack of talent is weakening several areas of cybersecurity, from threat identification to computer forensics. To combat the gap, companies should expand their recruitment area. Whether this means looking beyond traditional universities or expanding into existing professional backgrounds with applicable skills, talent can be found in a range of environments beyond IT, and training on the job can increase the talent’s sophistication in dealing with threats.
Moreover, working closely with cybersecurity firms to create specialised partnerships, talent-swaps (by having teams move in and out of offices of the other firm) and sharing working best practice is key to maintaining a firm grasp of emerging trends. What’s more, simply acquiring talent is not suitable for the rapidly advancing working world – companies need targeted and pervasive training to enhance talent and integrate them into the working culture.
Combating the skills gap should be a priority for companies looking to implement new technologies that have no forerunner in the company; for example, if a company is already using AI, using a new iteration will not require as much training as using automation for the first time. Workshops and skills courses that update workers can be used for re-training on the job.
Ultimately, CEOs should look to re-train rather than hire fresh talent if the skills can be learned on the job, as better company experience with new knowledge would outweigh new skills without company or work knowledge. A major impediment to generating business value is companies treating business and IT departments as entirely different organs of the company. For years, firms have hired IT specialists to maintain their networks. Not communicating efficiently leads to a lack of shared understanding. Having IT specialists regularly communicate with their business compatriots to ensure cross-pollination of ideas is key.
Cybersecurity has suffered from a lack of prioritisation, resulting either from other interests garnering more attention or from CEOs not understanding their role in promoting security. This could be caused by the unclear responsibility that has been put on companies to hold cyber standards. CEOs need to consult experts and facilitate better tech adoption by securing their internal infrastructure.
CEOs would do well to understand how the Internet of Things and cybersecurity will impact their business model, from incorporating routine maintenance and updating to regularly consulting experts for ways to secure networks. As the IoT comes to fruition, there will be better technologies available, cutting down expenditure and effort. Staying abreast of these developments will catapult CEOs to the forefront. However, simply treating this as another ‘factor’ in business would be to do it a grave injustice; security now underpins all business. Setting up clear policies for data handling and security will help keep things running smoothly.
China: Tightening Cyber Standards
China is also suffering from a talent drought. In pursuit of its larger 2030 AI dream, China has cultivated research areas to better develop practice and AI, including the recruitment of cybersecurity professionals. Yet, at the moment, China is still lagging behind in talent acquisition.
On the legal front, however, the message is different. The Standing Committee of the National People’s Congress, on November 7, 2016, formally passed China’s first comprehensive, all-inclusive security regulation for cyberspace, which took effect on June 1, 2017. China’s approach of using the law as a cyber regulatory tool is tied to its use of the internet to build up a domestic information economy and secure network infrastructure that directly benefits national economic development and political stability.
By applying tight controls over its domestic internet to advance its economic, political, and military interests, the approach to what is required shifts from protecting consumers’ data to preventing attacks that threaten party objectives. For China, protecting domestic structures is at the heart of cyber law reform and one can certainly see such a move in the latest pronouncement of the CSL.
The advent of these new laws has prompted responses from both domestic and international companies, notably Apple, which recently opened a new data centre to comply with laws surrounding the hosting of Chinese data. Furthermore, EY expects its headcount of cybersecurity professionals in China to grow, with Paul van Kessel, global head of cybersecurity services at EY, stating that EY is in ‘a hyper-growth mood.’ Such a hyper-growth mood comes at a time when greater pressures are mounting on foreign firms, particularly those that deal heavily with domestic Chinese data.
The Second Draft of the E-Commerce Bill confirms the cybersecurity stance and supplements the earlier bill. The issue, however, is not that a restriction applies with the data localisation, as that has been known for months. Rather, it is the fact that because the cybersecurity law considers ‘any company selling goods or services to Chinese consumers as being a covered domestic operation,’ foreign companies beyond China may be liable for security screening of any data collected from users in China. This is certainly a contributing factor in Amazon’s sale of specific operating assets of Amazon’s Web Services in China to Beijing Sinnet Technology. Sinnet has clarified that such a move was carried out in further compliance with the local laws and regulations.
Primarily, auditing your company’s cybersecurity to highlight weaknesses and provide solutions to fix them is a key starting point for firms covered by China’s new extra-territorial laws. Further, overlapping projects in preparation for several cyber initiatives, including Europe’s GDPR and China’s new cybersecurity law, will save companies time and money. On this point, complying with China’s law presents unique challenges and could be argued to be costly in the beginning, yet the cost of being unable to access the Chinese market could be far higher.
For companies seeking to combat the skills shortage, recruiting cybersecurity professionals from IT and elsewhere, whilst simultaneously investing in better training will kickstart the drive to better cyber standards. Maintaining talent with career development advice and services, as well as ensuring high levels of job satisfaction, will enable the company to become competitive and retain talent.