In the technology arms race, skilled professionals may be the weak link. IT tools have evolved to better protect data and detect threats. Now, IT departments’ greatest weakness appears to be a shortage of employees with the right skills to implement these tools. In this week’s CIO Corner, we take a look at what CIOs are talking about on Twitter including the OurMine hacker collective targeting CEOs and celebrities, the growing cybersecurity skills gap, a massive hack of 9.3 million patient health records, and how the gig economy may help organizations fill the 4.5 million open cybersecurity positions.
Many new IT software tools claim to automate or outsource IT activities. Public cloud services relieve IT of many traditional infrastructure reliability and security responsibilities. While technology may free employees from many tasks involving daily upkeep, IT departments are under pressure to reallocate resources so that they can better meet business objectives and defend against a new generation of cyber threats.
State-sponsored hacking organizations and new breeds of malware receive a lot of attention from the information security community, but less sophisticated attacks can be equally devastating. Even well-prepared targets have difficulty defending against compromised-account attacks. This broad designation can apply to anything from a leaked Gmail password to the Bangladesh Federal Bank’s stolen currency transaction password. The rise of cloud services accessible from the internet has made compromised accounts a popular avenue for cybercrime, and mega-breaches facilitate these threats by dumping hundreds of millions of passwords online.
The widespread exposure of account credentials online has spawned a group of hackers specializing in accessing public figures’ social media accounts. The organization OurMine took credit for hacking the accounts of Mark Zuckerberg and Sundar Pichai, among others, attributing its success in multiple cases to passwords that were revealed in the LinkedIn data breach and reused across other cloud services. The attacks could likely have been prevented with multi-factor authentication, but all too often security is simply not a priority for busy executives.
The pattern of mega-breaches branched out from password thefts with a huge dump of sensitive medical records. Initial reports put the figure at 650,000 patient records, but the hacker subsequently increased the stockpile to 9.3 million records. Online criminals prize medical records because they provide information used for identity theft and also make it possible to target vulnerable people who, because of a serious illness, may not discover fraud in their accounts. Although the hacker claimed to have used a zero-day vulnerability to steal the records, the healthcare organizations should have had some control in place to limit how much any single entity could access, especially when the volume reached millions of records.
Hacker puts 650K U.S. patient records up for sale https://t.co/557WfsJPri
— Bryan M. Sastokas (@bsastokas) June 28, 2016
Zero-day vulnerabilities aside, many data breaches come down to a preventable weak link somewhere in a company’s defenses. Much of the risk from advanced persistent threats comes from the amount of time attackers remain present within an organization’s systems, scouting out further vulnerabilities and covering their tracks. Alert fatigue has turned security tools from allies into antagonists: 31.9 percent of IT workers ignore security alerts because they receive too many false positives. As much as additional IT staff might help solve the problem, ineffective monitoring tools are equally to blame in this case.
A growing IT talent shortage is a concern for CIOs who wish to modernize infrastructure but may lack the skilled workers to execute their plans. Rapidly emerging technologies like cloud can require new skills that even experienced IT workers lack. In this environment, IT departments need not only to attract new talent but also to develop new skills in existing employees. The two most popular strategies for closing the IT professional shortage involve building employees’ skills: increasing training of existing internal security teams and hiring more junior IT professionals to train. Education takes time, however, so CIOs may need to look into more immediate fixes for the short term.
The trend of outsourcing IT’s most menial tasks will ultimately open up opportunities for professionals who master the latest technologies. Naturally, certain skills are more easily outsourced than others. The top future-proof IT skills include technical skills like coding and big data analysis, but also soft skills like communicating with personnel outside of IT. In other words, tomorrow’s IT professionals must be proficient in cutting-edge technology and be able to translate their work into layman’s terms.