When Elon Musk’s Twitter account shared a classic bitcoin scam to almost 40 million followers last year, it looked like his account had been hacked. When similar tweets came from Kanye West, Jeff Bezos and Bill Gates, all eyes turned to the cyber security experts at Twitter.
Were the security issues down to an unpatched server? A lost or stolen laptop? A default password?
On this occasion, the cyber security problem at Twitter essentially came down to soft skills.
Cyber criminals were calling Twitter’s consumer service and tech support, pretending to be the owners of high-profile accounts who were having trouble logging in. Many Twitter employees transferred the calls to security, but some employees weren’t cyber security savvy and fell into the hackers’ trap.
The fact that a tech giant like Twitter can fall for a vishing (phishing on the phone) scam highlights the great need for soft skills like communication for cyber security experts at all levels.
Human error is thought to be the main cause of cyber security breaches
IBM Managed Security Services reviewed a year’s worth of cyber attack data to identify the weakest link in most businesses. More than 95 per cent of the time, data breaches were possible because of human error.
To err is human, and the most common IT security errors include system misconfiguration, poor patch management, default passwords, lost devices and disclosure of regulated information.
But one mistake looms large as the most prevalent contributing human error. It’s when someone clicks on a link or an infected attachment in a phishing email.
How common is cyber crime in Australia?
The Australian Cyber Security Centre (ACSC) is like the physical version of a ransomware protection program that runs within the Australian Signals Directorate – the Federal Government’s firewall, if you will. ACSC operates ReportCyber, where individuals and businesses can report cyber crime.
The ACSC worked with the Australian Criminal Intelligence Commission and the Australian Federal Police to measure how common cyber crime is in Australia.
In Australia, a cyber threat is reported every ten minutes
Throughout the 2019/2020 financial year, there were 59,806 reports of cyber crime to the ACSC. That’s 164 per day, or one every ten minutes.
More than a quarter of the ACSC incident responses are to phishing emails, making it the most common form of attack. Almost a quarter of the attacks come through compromised systems – networks, accounts, databases or websites that have been accessed without authorisation.
If those compromised systems were accessed because of weak passwords, or other poor security practices of employees, then you can attribute half of all cyber crimes to human behaviour.
The most common type of threat is phishing emails
Phishing emails often take a scattergun approach. Cyber criminals fire off the same authentic-looking email to hundreds or thousands of email addresses, hoping that recipients will take the bait.
With COVID-19 popularising video meetings, a phishing scam used the Zoom meeting reminder to trick unsuspecting users. Even the ACSC was the subject of a phishing scam, with an email using the credentials of the organisation to convince recipients to click on a link to download bogus antivirus software.
Phishing scams can also be more targeted and employ other methods of social engineering. An employee working in the finance department of an Australian consulting firm learned the hard way just how far an adversary would go.
The employee received an email from their boss asking them to pay an urgent invoice to a stakeholder in Malaysia. Even though the email came from the boss’s personal account (they were on a business trip in Malaysia at the time), they’d used that email address on previous business trips.
With so much appearing normal, the employee paid the $240,000 invoice. It wasn’t until the boss returned from the business trip that the phishing scam came to light.
Australia’s Cyber Security strategy will invest $1.67 billion over ten years
In August 2020, the Australian Government unveiled a ten-year cyber security strategy to protect the nation's critical infrastructure. In addition to funding government cyber security upgrades, the strategy explicitly calls on businesses and individuals to do their part.
Businesses are expected to take responsibility for ensuring their own cyber security in the same way they guarantee the safety and quality of their goods and services. Australia’s Cyber Security Strategy also focuses on arming individuals with the knowledge and resources to safeguard themselves against security threats.
Overall, the $1.67 billion strategy increases demand in government, industry and the community for IT professionals with cyber security skills.
Cyber security professionals need soft skills to protect people and their data
Associate Professor Paul Haskell-Dowland is the Associate Dean for Computing and Security in the School of Science at Edith Cowan University. While he doesn’t downplay the need for technical knowledge, he highlights the importance of soft skills in meeting the demand for cyber security experts.
“We also want people with a psychology, humanities, or arts background, because we need people who can talk to other people,” says Haskell-Dowland.
More specifically, the soft skills that make better cyber security teams are:
● Communication and teaching skills
● Problem solving skills
● Networking skills
● Being a lifelong learner
Communication and teaching skills
Haskell-Dowland has a clear message for any aspiring cyber security experts who think that technical skills alone will get them through.
“In order to be successful in cyber security, it is the ability to communicate that’s of utmost importance,” says Haskell-Dowland.
“We need people who can analyse, interpret, communicate, educate and champion activities to improve governance procedures and develop new approaches to cyber security that don't just rely on technology.”
This is one area of cyber security that can’t be solved with technology, automation or artificial intelligence. A large part of communicating is listening to people, to understand what they need to know and how you can help them.
“We encourage people with a psychology background, a humanities background or an arts background because they bring unique skill sets into cyber security and there is demand for those people – you can be highly successful.”
Problem solving skills
Cyber security requires insatiable problem solving skills. That was the key revelation to emerge from the Wall Street Journal’s executive forum on cyber security.
“There’s a lot of people graduating from fine cyber security programs but they’re missing that core skill set of problem solving,” explains Theresa Payton, President and Chief Executive of Fortalice Solutions.
As the former Chief Information Officer of the White House, Payton knows a thing or two about problem solving in cyber security.
Another employer on the panel points out that one of their best cyber security experts didn’t have technical skills, but they knew how to ask the right questions to solve a problem.
Networking skills
When it comes to the cyber security industry, you might think of a network as the system that links devices, servers and the cloud. While network security is important, the networking we’re talking about here is human to human.
“You need to engage in the community. You need to link in with organisations and be part of a global professional network of cyber security professionals,” says Haskell-Dowland.
No matter how many qualifications or certifications you have, you’ll find that engaging with the cyber security industry is the best way to maintain currency. Networking can involve meetings, conferences, competitions and workshops.
It’s also important to build up your own personal network of trusted advisors – something you can build on during postgraduate study in cyber security programs.
Be a lifelong learner
If there’s one thing we know about cyber criminals, it’s that they are constantly learning new ways to achieve their goals.
In many ways, cyber security jobs require you to be a lifelong learner. Information security is a broad discipline, with many opportunities for specialisation.
“Find what gives you passion, what interests you, what’s intriguing in cyber security and make that your focus,” says Haskell-Dowland.
“When you're trying to sell yourself into the cyber security industry, that's the thing that makes you unique.”
ECU will give you a well-rounded cyber security skill set
While cyber security is still a relatively young professional field, ECU has already upgraded its cyber security degrees to better prepare security analysts for industry.
“Over the last few years, we've seen a significant evolution of the threats that organisations are facing and that has triggered an evolution of the courses we offer,” says Haskell-Dowland.
Cyber security education has moved on from a solely technical focus on deep networking, operating systems and information systems. A Master of Cyber Security from ECU still maintains a strong emphasis on technology but leans into the areas that improve the effectiveness of cyber security professionals.
ECU’s Master of Cyber Security includes a focus on Project Management that develops soft skills in communicating information. It prepares you to solve problems and manage risk to stakeholders, with or without technical expertise. You can also choose to specialise in governance for a deeper understanding of law, policy and ethics.
It’s about ensuring the soft skills balance with the technical skills to give you a well-rounded cyber security skill set.