We All Need To Be Robocops
Former US president Bill Clinton has collaborated with best-selling thriller writer, James Patterson, to write a novel about cyberterrorism. This is the basic theme of their new book The President is Missing. We’ve come a long way from when jet fighters, weapons of mass destruction or biological warfare were the go-to global menace.
Computer hacking may not carry the same threat of physical violence, but it’s potentially every bit as disruptive as more traditional tactics.
According to the World Economic Forum Global Risks Perception Survey 2017–2018, large-scale cyberattack is number three in the top 10 risks most likely to occur. A massive incident of data fraud or theft follows at number four, with cyberattack appearing again as number six on the ranking of the impact of these threats to countries or industries.
The biggest problems that cybersecurity experts raise are the insufficient supply of digital security skills and a lack of general awareness at board and senior management levels. This is despite headline-grabbing global and local attacks over the last few years, including last year’s discovery that 2.2 million unique email addresses and more than 60 million South African identity numbers were exposed on a public server, the source of which is still unclear but appears to be a third-party data broker.
One problem is that companies only realise that they have an internal skills gap after they have experienced a security incident. It’s a bit like realising your home’s burglar bars are too flimsy only after a break-in has occurred.
“[It is] unlikely organisations will realise that their employees should have the necessary skills until the damage has been done,” says Doctor Grace Leung, deputy head of Information and Cybersecurity at the University of Johannesburg. ›
“We actually needed these skills over 10 years ago when the ECT (Electronic Communications and Transactions) Act was promulgated and indicated a need for cyber inspectors to assist the police in conducting investigations involving cybercrime,” Leung says.
To make matters even more challenging, cybersecurity is a moving target: Last year ransomware attack – in which hackers disable computer networks until a ransom is paid by the organisation – was the trending threat.
This year, security experts are also seeing a rise in “cryptojacking” – hidden malware that uses a host server to mine for cryptocurrencies. Staying abreast of the threat landscape is challenging even for highly experienced professionals.
Rising to the challenge
While it is hard to quantify the skills gap itself, apart from a consensus that it is significant, it is clear that education and training have some catching up to do. Today, typically, students only have access to cybersecurity specialisations at post-graduate level, so it takes four years or more for them to enter the workplace.
“Universities have not picked up the escalating problem and need to play catch up,” says Professor Elmarie Biermann, director of the Cyber Security Institute. “Companies can’t wait that long.”
Another challenge is that there is no clear career path to becoming a cybersecurity professional as you might find with traditional jobs such as accountancy.
“There is no dedicated learning path in organisations on how to upskill IT people or get someone else the skills,” says Biermann. “Companies don’t know the skills associated with the job.”
There is also a danger of stereotyping these skills as only hardcore technical capabilities. “It is less about specific technical knowledge and more about difficult to teach traits such as curiosity, a desire to find out about things, persistence and a desire to uncover things,” says David Emm, principal security researcher at global cybersecurity company Kaspersky Lab. One of Kaspersky’s professionals is a trained archaeologist, for instance.
Once digital security experts enter the market they are snapped up. According to research house Gartner, globally the mean salaries for cybersecurity professionals are set to rise this year – continuing a three-year trend. Plus, the unemployment rate for security professionals is pretty much zero, so it takes longer to recruit new talent as they aren’t looking for new opportunities.
Countries like South Africa, in which the majority of people are only just starting to use the internet, are particularly at risk of cyber threats. Digital newbies of all ages come up against experienced cybercriminals.
“This potentially means a lot of naive users who represent a fertile hunting ground for criminals who target easy victims to maximise their gains,” says UJ’s Leung. “It could explain why South Africa has been ranked highly in terms of countries exposed to cybercrime.”
Given all the benefits of being online for economic development, this makes closing the digital security skills gap even more critical. Specialist cybersecurity skills include cyber forensics, which involves collecting, analysing and reporting on a security incident in a way that is legally admissible. Ethical hacking assesses a system for vulnerabilities and then secures it against malicious damage Security administration checks that people have done what they need to do.
Digital technology is so tightly woven into the fabric of any organisation and our lives that everyone in an organisation, and online for that matter, needs to be aware. Siloing cybersecurity into one place in an organisation is a bit like saying only traffic cops need to know and follow the rules of the road.
“Cybersecurity is a shared responsibility,” says Leung. “If you are working with data on a computer, you should possess some degree of skill that helps you ensure that this data is not compromised.”
This includes everyone from the programmer who decides to leave private data unsecured on the internet to the accounts payable clerk who falls for a spear phishing scam where, for instance, a legitimate invoice from a supplier gets replaced by a spoof invoice and the money is paid into the criminal’s bank account. Or the on-the-road salesperson who doesn’t secure their smartphone, even though they have unfettered access to the organisation’s cloud-based CRM system via the phone.
With Gartner predicting the global number of unfilled cybersecurity jobs rising from 1 million this year, to 1.5 million by 2020, this is not something that organisations can relegate to the bottom of their to-do list. And, while remembering that cybersecurity is as much a human issue as it is a technology one, this is something that CIOs could use as their ticket to the boardroom table.
More than 20% of Wi-Fi hotspots in FIFA World Cub 2018 host cities across Russia do not use encryption and authentication, making them potentially unsafe for fans to trust with valuable personal data such as financial transactions, according to Kaspersky Lab. Bigger cities were less safe, with almost 4 out of 10 Wi-Fi hotspots reported as open in Saint Petersburg.
Did you know?
Cybersecurity is not only a concern for big companies. While Standard Bank’s insurance could absorb a R300-million hit, an SME could potentially be crippled by a R500 000 phishing attack.
Shepherding future digital skills
It’s not just security skills that are in high demand in the digital world, there are opportunities in all areas for people who have received the right training. All of the big tech companies have programmes designed to help people across the continent find careers in IT, not just because they want to do good, but because they need future employees.
Google, for example, offers a mix of face-to-face and online training tools through which it hopes to reach 10 million people across Africa in fields as diverse as computer science and journalism. Microsoft’s Virtual Academy 4Africa covers business computing basics.
SAP’s Skills for Africa programme, meanwhile, recently graduated 30 students in Johannesburg in June. It was the first of SAP’s programmes to focus specifically on cloud computing. The students will go on to 12-month paid internships within the SAP ecosystem at eight companies including EOH, BMW, T-systems and Gijima.
Through a mix of classroom and e-learning as well as practical exercises, the students, unemployed recent graduates often from previously disadvantaged backgrounds, learn IT and business skills, culminating in a global SAP certification. The two-month course is free for the students and funded by software and technology solutions provider SAP, its participating customers and local government funding such as MICT SETA in South Africa. Although employment is not guaranteed after the internship, eight out of ten graduates stay within the SAP ecosystem.
“As many as 375 million workers will need to learn new skills and change jobs by 2030 as automation and exponential technologies change the world of employment forever. With millennials accounting for 75% of the global workforce by 2025, it is essential that organisations invest in digital skills development now if they wish to have access to scarce skills and remain competitive in the future,” says Cathy Smith, managing director of SAP Africa.
The pan-African SAP Skills for Africa programme was launched in 2012 to link skills development to job creation via guaranteed internships. Almost 600 students have been trained in Kenya, Morocco and South Africa.
“Unskilled jobs around the world are disappearing, and lifelong learning is becoming a prerequisite to success in the digital age. Some studies estimate that 10% of new jobs will be in occupations that don’t exist yet,” says Smith.