NCSC CEO Calls for International Standards on IoT Security | Ransomware is Being Used as a Precursor to Physical War | Global Cyber Security Workforce Grows to 4.7 million
Article by Christopher Lauder, Client Engagement Executive, Rela8 Group
NCSC CEO Calls for International Standards on IoT Security
In a speech at Singapore International Cyber Week, the CEO of the National Cyber Security Centre, Lindy Cameron, has said that connected devices must be made secure by design to realise the enormous potential of smart cities.
“At every level, individual households, businesses, cities and local governments are keen to reap the benefits of ‘smart devices.’ The benefits are obviously compelling. They provide a range of critical functions and services to us all. This should be an opportunity, not a threat.”
However, she noted that as these technologies are increasingly used to exchange, process and store sensitive data, as well as control critical operational technology, they are becoming “an attractive target for a range of threat actors” and that “the threat posed by nation states is particularly acute.”
To counter this danger, IoT devices must have security built in from the design stage. Cameron highlighted a number of recent standards and legislation adopted in the UK to ensure smart device manufacturers are implementing security-by-design principles into their products. This began with a 13-point Code of Practice that the NCSC developed for the IoT industry in 2018, which was updated in May 2022.
Cameron also highlighted the UK government-backed Digital Security by Design (DSbD) initiative, which is working to secure underlying computer hardware, preventing most vulnerabilities from occurring. She said that, for these approaches to be effective, countries across the world need to work together to implement them.
Summing up, Cameron called for the introduction of “clear workable international standards” that will allow the industry to guide technology towards a safer future that can securely realise the full potential of these emerging technologies. She argued that if this doesn’t happen, smart cities will offer “an ever-increasing attack surface and proliferation of vulnerabilities for our adversaries – both states and criminals – to exploit.”
Ransomware is Being Used as a Precursor to Physical War
Ivanti have released their Ransomware Index Report Q2–Q3 2022, in which they reveal that ransomware has grown by 466% since 2019 and is increasingly being used as a precursor to physical war.
The data also shows ransomware groups continuing to grow in volume and sophistication, with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits.
The Ivanti report has also highlighted 10 new ransomware families compared to the previous quarter: Black Basta, BianLian, BlueSky, Play, Hive, Deadbolt, H0lyGh0st, Lorenz, Maui, and NamPoHyu. These bring the total to 170.
From a geographical perspective, Russia has been at the forefront of the malware families discovered, with 11 advanced persistent threat (APT) groups, followed closely by China with eight and Iran with four.
According to the Ivanti report, hostile governments increasingly use state-sponsored threat groups to infiltrate, destabilize and disrupt operations in their target countries. In many of these attacks, ransomware is being used as a precursor to physical warfare, as shown in the recent Russia–Ukraine war. Srinivas Mukkamala, Chief Product Officer at Ivanti, had this to say:
"IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. Organisations that continue to rely on traditional vulnerability management practices, such as solely leveraging the (National Vulnerability Database) NVD and other public databases to prioritize and patch vulnerabilities, will remain at high risk of cyber-attack."
Global Cyber Security Workforce Grows to 4.7 million
One of the world’s largest non-profit associations of certified cyber security professionals, (ISC)², has highlighted a stark increase in the shortage of cyber security professionals as it announced the findings of its 2022 (ISC)² Cyber Security Workforce Study.
The study reveals the global cyber security workforce is currently at an all-time high, with an estimated 4.7 million professionals. However, despite adding 464,000 more cyber security professionals this year, the data revealed that 3.4 million more cyber security workers are needed to secure assets effectively.
70% of respondents report their organisation does not have enough cyber security employees. And more than half of respondents with workforce shortages feel that staff deficits put their organisation at a ‘moderate’ or ‘extreme’ risk of a cyberattack.
For organisations looking to mitigate staff shortages, the research suggests that initiatives to train internal talent, rotating job assignments, mentorship programs, and encouraging employees outside of IT or the security team to join the field were the most effective.
At the same time, the report finds that 72% of respondents expect their cyber security staff to increase somewhat or significantly within the next 12 months – the highest predicted growth rate when compared to the last two years (53% in 2021 and 41% in 2020). Clar Rosso, CEO of (ISC)², said:
“As a result of geopolitical tensions and macroeconomic instability, alongside high-profile data breaches and growing physical security challenges, there is a greater focus on cyber security and increasing demand for professionals within the field.”
“The study shows us that retaining and attracting strong talent is more important than ever. Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective.”
The study highlighted 'corporate culture' and 'diversity, equality and inclusion' as key areas for improvement:
Corporate Culture
- 75% of respondents report strong job satisfaction and the same percentage feel passionate about cyber security work, yet 70% of respondents still feel overworked
- 68% of employees with low employee experience ratings indicate workplace culture impacts their effectiveness in responding to security incidents
- Over half of workers say they would consider switching jobs if they are no longer allowed to work remotely
- Just 28% of study participants report their organisation actively listens to and values the input of all staff
Diversity, Equality and Inclusion
- 55% of employees believe diversity will increase among their teams within two years
- Nearly 25% of respondents below age 30 consider gatekeeping and generational tensions as top-five challenges for the next two years, compared to 6% of workers 60 or older
- 30% of female and 18% of non-white employees feel discriminated against at work and only 40% of respondents state their organisation offers employee DEI training