Dozens of Canadian organizations have been forced to pay cyber attackers to regain control of computer files and IT systems over the past year, CTV reported earlier this month, the latest reminder of the need to implement and manage strong cyber security measures within today’s businesses. As businesses collect, share and disseminate data, the value of that information continues to make it a major target for both insider and external threat actors.
“Never has there been more urgency for organizations to bring skilled cyber security professionals on board,” says Ali Khan, a senior information technology, cyber security and risk management professional.
Protecting the information of customers, employees and intellectual property is crucial for a business to succeed. A breach that unveils sensitive information related to any of these could lead to catastrophic results for any company.
Over the past two years, some of the world’s largest corporations have suffered major data breaches and been subject to scandals. As an example, Wendy’s announced earlier this month that payment card information had been stolen in 1,000 of their restaurants. Late in 2015, the world saw how the Ukrainian power grid was brought down by hackers, leaving hundreds of thousands without power. In 2014, Sony was hacked, and employee information–including salary information and Social Security numbers–was released.
These are the incidents that keep executives up at night and, as Khan suggests, they demonstrate the importance of bringing skilled cyber security professionals on board.
“Organizations, in my experience, try to keep up with the threat actors and the malicious intent behind that threat, however, within this industry, we are experiencing more of a cat and mouse game,” Khan says. “In order to be as efficient as possible and be able to protect your data and most critical assets, you have to start thinking like a bad guy and you’ve got to start to consider what the next type of attack might look like. That’s what cyber security professionals are trained to do.”
Khan suggests that companies continue to invest in programs and services to protect and appropriately safeguard themselves. However, the threats are so dynamic and ever-changing that such investments are only successful if the proper professionals are on board to proactively manage them, which requires skills and a very specific mindset.
“Businesses continue to do what they can, however it is imperative for businesses to keep up to date with the changing threat landscape so they continue to understand and monitor their largest business risks, which is one of the biggest challenges I see. It takes a combination of skilled resources and technologies,” Khan says.
“Companies can invest millions of dollars and deploy the best solutions, however, unless companies can appropriately configure and manage their cyber security tools and investments, threat actors will find ways to penetrate and win,” he continues.
This is where cyber security professionals become an imperative part of a company’s makeup. Cyber security professionals have the skills and knowledge to perform much deeper business risk analysis and threat risk assessments. Using this knowledge, cyber security professionals can identify and understand associated risks and take steps to manage and mitigate those risks, allowing the business to focus on its objectives.
Investing in skilled resources and bringing on the right people to carry out this work is a proactive move that could save a company a tremendous amount in the long run.
Take the case of Sony. Upon having their PlayStation Network system breached in 2011, which allowed outsiders to access credit card and personal information of customers, Sony gave all users free membership to their premium “PSN Plus” subscription service and two free games. They also provided American users twelve months of free identity theft insurance. The system outage, which lasted 23 days, resulted in $171 million in costs.
“The cost of proactive controls or being able to spend upfront to be able to avoid the aftermath of a cyber security incident is a huge ROI,” Khan agrees. “The after effects of these kinds of attacks, especially if a public company, can be in the millions of dollars. There are implications on the stock market and class action lawsuits, which could be brought forward. If businesses could implement the controls to be able to mitigate those upfront, that would cost them a fraction of the aftermath costs.”
Khan also warns that attacks aren’t limited to a certain type of industry or businesses of a certain size.
“Businesses often question, why would someone attack me or why would this happen to me? The more prominent question businesses should be evaluating is when I will be attacked, will I be ready?” Khan says. “The rewards for information being exchanged on the dark web are so high that there continues to be a huge influx of new and developing threats in the market.”
This highlights the versatile role that cyber security professionals play within an organization. Their work goes beyond simply protecting against attacks. It also involves detecting vulnerabilities and providing awareness and education to all members of the organization about threats. While some attacks are highly sophisticated, others are as simple as having an internal employee open an email attachment with malware or download a file from a non-secure source, due to lack of training or awareness.
Khan is helping train the next generation of cyber security professionals, as he has helped build the Cyber Security Program at York University’s School of Continuing Studies.
“York University is not just taking academics and using textbooks as an outline of the program,” Khan said. “They have actually matched the academic expertise in the university with industry experts. They have taken a holistic approach to bring a realistic program out to the market, which is focused on the application of core cyber security principles.”
The program has been developed in collaboration with the Lassonde School of Engineering and aligns with the International Information System Security Certification Consortium (ISC)² Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK).
Designed for working IT professionals, the entire two-certificate program can be completed in as little as ten months. To minimize the amount of time students need to be out of the office, just one three-day weekend is required on-campus per course, with the remainder of the program delivered online.
Registration for the fall session is now available.