VARs partnering on technological security skills gap but social skills gap proving harder to fix

Value-added resellers (VARs) across Australia and New Zealand are struggling to obtain adequate security skills, according to recent findings from industry organisation CompTIA, and most are looking to other firms to plug those holes rather than trying to hire staff themselves.

CompTIA, which runs regular community meetings for channel solutions providers across ANZ, surveyed attendees and found that fully 86 percent said they were suffering from a security skills gap.

Cloud security was by far the most important security skill to their businesses, named by 63 percent of respondents, while mobility (50 percent), backup/disaster recovery (45 percent), email (45 percent), education (45 percent), identity and access management (43 percent) and risk management (40 percent) were all seen as crucial skills.

Despite strong agreement on which skills their businesses needed, most attending organisations were not planning to hire their own security specialists: 81 percent said they would partner with other firms to close their IT security skills gap.

Yet while many of these perceived weaknesses related to technological skills, many within CompTIA's channel community were particularly concerned about issues whose remediation lay outside of the IT department – such as the ongoing role of human factors as a vector for security breaches.

“Security in the past was addressed by technology,” director for channel dynamics Moheb Moses told CSO Australia, “and partners are very good at designing technologies to block threats out. But the problem now is not technological: it is answering questions like 'how do I educate my organisation not to put passwords on yellow Post-It notes?'.

This issue is not just something we talk to IT about, but something we may need to talk with HR about.” Employees' poor password protection remains a bugbear for businesses of all sizes, with one recent study suggesting that 27 percent of US office workers would sell their business systems password to an outsider for amounts as low as $US100.

These passwords, along with other information that many employees readily and routinely share on social media, were enabling even small hacker groups to launch targeted attacks. Those attacks had proven so effective, particularly against Australian targets, that many attackers were launching fewer but more focused campaigns, targeting CEOs for extortion and aiming to exploit weaknesses in company procurement processes.

Social media had proven to be a particular weakness in this respect: employees were still regularly posting information on their social-media accounts that was informing cybercriminals' targeted attacks.

“The proliferation of social media platforms continues to provide an extremely effective way of duping someone into releasing sensitive information or cracking login credentials,” Moses said, noting that the addition of big-data analytics platforms could take the problem to a new level by automating evaluation of the strength of social-media relationships.

“If you have some kind of big-data platform that can analyse connections, relationships, time and place and geography, you just have to think about it in a point-to-point direction and it will capture these relationships,” Moses explained.

“This would be a very logical step by someone who was serious about very targeted attacks.” Security technology and internal capabilities offer little defence against these types of attacks, since they rely largely on publicly available information that employees themselves choose to post online.

But reining in this behaviour, participants at the CompTIA events agreed, can be extremely difficult even in a company with strict guidelines about what employees should and shouldn't put on social media. “It's possible that someone may post something unwittingly through their social-media account that may release information that the organisation may not want released,” Moses explained.

“They may say things about the organisation and not realise it is a security breach – but this is a reflection of the cultural attitude towards privacy.”