We live in the Internet of Everything -- a world of convenience where connected devices can control our homes, our cars, medical devices and so much more. With Gartner projecting 21 billion devices connecting to the internet by 2020, the attack surface is unimaginably large, and the internet of things (IoT) is essentially a playground for cyber criminals. As we’ve seen time and again, hackers will exploit new and unknown vulnerabilities, and even discover old vulnerabilities hidden in IoT devices. At some point, their successful exploitations will result in a major catastrophe.
Our quality of life today has become absolutely dependent on the resilience of IoT. However, we continue to find vulnerabilities in smart home IoT devices, medical devices, connected cars, printers and more. We simply cannot keep up with the expanding attack surface, which makes it impossible to identify, monitor and manage the entire breadth of these devices. At the same time, we’re also facing a major skills shortage and talent gap in cybersecurity. By 2021, there will be over 3.5 million unfilled cybersecurity jobs, according to a recent Cybersecurity Ventures report.
The combination of known and unknown vulnerabilities, the expanding IoT attack surface and the lack of skilled cyber experts leaves us in a dangerous position that we must address immediately. The vast majority of exploits happen because of poor cyber hygiene. Despite the proliferation of new tools and technology designed to thwart the latest threat, we still have organizations failing to do the basic level of cyber hygiene needed to stay ahead of cyber criminals. Organizations also rely on layered defenses -- endpoint security, firewalls and anti-virus -- that simply don’t apply to most IoT environments.
Even more concerning is that most organizations don’t even realize or understand that they have a profusion of IoT devices on their networks. In a recent report put out by ForeScout and Forrester, 82 percent of IT and line-of-business decision-makers said that they would not be able to identify all of the IoT devices on their networks. Before these devices can be properly protected, they first need to be discovered. Proactive vulnerability management can help with finding and fixing these insecure devices.
Aside from using updated security architectures, proper security awareness and employee training can play a major role in ensuring that not only our security teams, but also our staff and employees, are knowledgeable about and understand cyber threats. It’s my belief that cybersecurity training is not just the cybersecurity team’s responsibility -- it is a human responsibility as well.
It is incumbent upon us in the cyber field, and at the highest levels in corporations or government agencies, to continuously train staff at all levels to understand the risks and the consequences of poor security hygiene. Let staff learn and become part of the solution. Specifically, training programs within organizations should be distinct to each employee’s role; identify critical assets; and expose employees to the impact of vulnerabilities on the organization, their job and their customers or stakeholders -- especially when their work touches an aspect of physical human safety.
Continuous learning should become a nonnegotiable requirement in every organization, at every level. It’s critical that companies participate in industry associations working in their field and vertical markets (e.g., oil and gas, or financial services) to understand key industry issues. Further, key individuals must stay abreast of applicable compliance requirements (e.g., the General Data Protection Regulation), and have an action plan in place.
In the face of so many new vulnerabilities, and a 3.5-million-person cyber workforce shortage that continues to grow, we need new ways to train people so they can really understand the impact of today’s security threats -- not only on their businesses, but also at home. The reality is that filling the cyber workforce gap isn’t going to happen overnight, so we need to think of new solutions, and that starts with our people. With new cyber threats popping up every day, it’s critical that we train every single employee to practice proper cyber hygiene in order to keep their companies safe. Until we are able to fill those open cyber jobs, cybersecurity will continue to be everyone’s responsibility.