Violet Birtwistle
Cyber Security Assessor
Technological advancement is transforming every part of life and represents one of the biggest opportunities, as well as challenges, for organisations today.
There is a growing concern that while we all enjoy the benefits of new technologies, the digital skills gap will continue to grow if left unchecked, and businesses will become more exposed to the risk of cyber attacks which are becoming more sophisticated and intense.
The pervasiveness of technology and the digital skills gap
Technology is constantly evolving. And with every new device iteration and software update, new features and capabilities are being introduced.
The way we interact with technology is also evolving, such as the shift to touch screen technologies, the enhancement of graphical user interfaces (GUI’s) and software supporting users with disabilities.
Access to technology is increasing, too. The number of mobile phone users in 1995 was estimated to be 91 million; now it’s over 8.5 billion. When global population growth is accounted for, this is an increase from 1.58% to 109% – that’s more mobile phones in use than there are people on the planet.
Internet access is on the rise. From December 1995 to March 2021 there has been a phenomenal growth from 0.4% to 65.6% of the world population who now have access to and use the internet in some form or another.
However, as the uptake of technology grows, so too will the digital literacy gap.
According to research from the Organisation for Economic Co-operation and Development (OECD), the average person’s computer literacy is substantially low. As little as 5% of the populations living in countries such as the U.S., UK, Netherlands, Scandinavia, Japan, being scored as having proficient computer skills and as much as 26% being unable to use a computer (4).
By association, it’s clear the average person’s understanding of cyber security is also poor. How can people understand cyber security, when they don’t understand the technologies it’s protecting?
This knowledge gap presents a serious attack vector and cause for concern if left unaddressed.
Technology is transforming how societies and businesses function
The digital world changes the way we collectively operate.
Before the computer, the planet was divided into kingdoms that evolved to become the modern nation states we know today with borders and jurisdictions.
However, with the rise of Capitalism and the wide adoption of digital technology, borders have become blurred and control is more complex. Huge corporations such as Amazon, Google and Microsoft operate and have entities located in multiple nation states. These companies are no longer subject to the same rules and laws as their smaller counterparts because they are not specifically tied to one place. There is no definite authority over them, aside from the regulatory bodies that control how they can operate.
This is also the case in the digital world; data is moved across a global infrastructure and passes through numerous nation states before reaching its destination
Mindsets, beliefs and values are changing, too. A morality shift in recent years has seen diversity, inclusivity and equality become top of many peoples’ minds. Public awareness and outcry over the environmental crisis are hard to ignore, and the COVID-19 pandemic has forced us to change how we live and what we prioritise.
Nation states, organisations, and companies wanting to win the minds and hearts of the public, will need to adapt the way they operate and communicate to avoid reputational damage.
Against this backdrop, the mindset of cyber criminals and attackers is changing too.
The different types of cyber attackers
White-hat attackers – or ethical hackers – perform attacks for the benefit of improving online security. Their actions and methodology are legal, with companies paying for their services. But this does not extend to the full collective of cyber-attackers though, who represent a mix of all motives and agendas.
A grey-hat attacker, such as Hacktivist groups, is another type of cyber-attacker. Their goals are not necessarily defined which makes them harder to predict, but in general, their moral compass is more closely aligned to that of ‘good’ causes.
Lastly, there are the black-hat attackers. These are the types of cyber-attackers who attack for money or control and can become potent forces when funded by nation states or private entities to further their interests, known as Advanced Persistent Threat (APT) groups. A list of all current APT groups can be located on the Mitre organisation’s website.
The threat landscape has changed, with attacks coming from anyway location, outside of nation state jurisdiction. The global populace has been empowered through technology to voice the change they want to see, setting in stone new rule books for activist and criminal movements, as the new targets come to light.
Bringing cyber security into the heart of digital transformation
Organisations have established processes internally to help them perform their business functions in a repeated manor. These processes form the underlying foundations that employees and technology systems operate on. However, from experience assessing organisations against security frameworks, three concerns often arise:
1. There are little to no review processes implemented by organisations
2. Where processes exist, they are complex and involve multiple departments and/or decision makers’ input
3. When processes are made, they are made without support from cyber security professionals
Without reviewing processes, there is no way to implement continuous change meaning an organisation is made for the time that it was established, rather than being forward looking.
Review periods for all processes should be annual at a minimum, if not more frequent, given the speed of digital transformation.
Implementing complex processes has several challenges. If processes have too many moving parts, then automation of the process becomes difficult. If processes can’t be understood by the employees or staff who operate them, processes can’t be effectively managed and errors will start to arise, damaging the quality of the output of the process – and even an organisations’ reputation.
Lastly, it is concerning that processes aren’t made with cyber security professionals. IT departments within organisations are often understaffed, underfunded and asked to take on security responsibilities over and above their Business as Usual (BAU) activities.
Cyber security is an area that connects to technology but requires specialist expertise. This resource is limited and there is a worrying skills shortage, so more collaboration is required between nation states, organisations, companies, and experts, to ensure that the defenders have all the resources necessary to protect themselves.