The impact of COVID-19 on the cyber security industry has been severe, and the list of effects so far is by no means exhaustive. With businesses moving to hybrid and remote models of working, the Cloud is growing. However, with the Cloud growing, cyber security threats follow suit. The WEF has listed cyber security failure as a critical threat in the next 0-5 years. What exactly is happening, what are organisations doing to combat this, and what does this mean for the industry?
It’s no secret that cyber security threats increased in 2021. In the Malwarebytes 2022 Threat Review, any dips seen in malware and email threat detections (for both Windows and Mac) during 2020 were rebounded and surpassed in 2021. They’ve dubbed it the ‘COVID bounce’. In addition, a NetScout report announced that there were 9.7m DDoS attacks in 2021. The statistics are clear: the threat is current, and the move to cloud-based technology solutions has played its part. A Gartner 2022 report lists ‘attack surface expansion’ as one of the cyber security trends for 2022. Put simply, with so many more digital assets and platforms, including cloud applications, businesses have expanded the possible avenues and become more vulnerable to cyber-attacks.
Jeremy Fleming, Director of GCHQ, explained that recent global events, including COVID-19 and the Russian attack on Ukraine, have exposed how vulnerable we are, and identified gaps in national cyber security strategies. President Biden has even announced an 11% increase for cyber security in the US FY23 budget. Technology is a vital part of our everyday lives, jobs, businesses, and the economy; to be able to harness this digital acceleration safely, we need to invest in cyber security.
To put this into perspective even further, the Cloud Security Alliance (CSA) has launched the Countdown to Y2Q calendar. They’ve declared April 14th 2030 the day when a quantum computer will be able to break present-day cyber security infrastructure, otherwise known as the countdown to quantum destruction. It sounds dramatic, but the reason the CSA has created the calendar is to serve as a stark reminder to organisations that the threat is real. If we don’t invest in cyber security now, we’ll be victims of our own design.
Organisations can take action, however, and some have already. Some of the giants of cloud technology have acquired cyber security businesses in the last 12 months. Microsoft acquired CloudKnox Security (Cloud Infrastructure Entitlement Management technology) and RiskIQ (cyber threat intelligence and external attack surface management) in 2021, to join Microsoft Azure. Amazon Web Services (AWS) acquired Wickr, an encrypted communication technology service. Google have also just finished the acquisition of Mandiant (threat intelligence), for implementation into their Google Cloud service. These are all huge investments, both in monetary terms and in terms of sentiment, into the cyber security industry. They are setting an example for other organisations that dealing with current and imminent threats should be a priority.
In the March 2022 Moody’s report on global cyber security, there was annual growth in investment but gaps in preparedness. They also found that there were a high number of organisations, mostly public sector, that don’t have cyber security as a budget line item within their IT/Tech budget. Organisations with cyber security as a budget line item had typically made, and sustained, larger investments in cyber security. The report also found that cyber security had a higher budget and allocation of resources when the reporting structure within an organisation allowed for closeness between cyber security managers and the executive suite. If businesses want to invest in and prioritise cyber security, they should identify it as a standalone item within their IT budgets, and create more direct lines of communication between their cyber security managers and the upper tiers of their organisation.
Cyber security professionals are already in demand, with an annual shortfall of 10,000 staff in the UK alone. The upward trend in prioritisation and investment in cyber security worldwide is encouraging. However, public and private organisations may find themselves with all the tools and no one to wield them. Some programmes are already in place to encourage people to start a career in cyber security, such as the CyberFirst programme in the UK. Organisations are being encouraged to create better work environments and clear career pathways to retain security staff and support them into senior positions, but will this be enough?
Focus on Security specialise in recruitment for cyber security professionals, so if you’d like to take advantage of the demand for your skills as a candidate, or for some further market insight, get in touch with one of our consultants today.
Alternatively, if your organisation is falling victim to the difficulties discussed above, and you find yourself in need of some cyber security talent, get in touch to see how we can help.