There is a great shortage of talent within the cybersecurity community. CyberSeek reports around 700,000 open cyber positions posted in 2023, a number that continues to trend upward.
This underscores the difficulty that both public and private sector employers have in recruiting, hiring, and retaining top talent to fill these vacancies. The volume of new cybersecurity jobs created each year continues to outpace the number of professionals qualified to fill them.
This issue is so significant that it has permeated the highest levels of government. Because building a strong cybersecurity workforce will help thwart cybercriminals and keep our digital infrastructure safe and secure, the White House has directed the Office of the National Cyber Director to develop and implement a National Cyber Workforce and Education Strategy.
The strategy aims to expand the cybersecurity workforce nationwide by building on existing federal initiatives to strengthen cybersecurity education at institutions of higher education and within existing workforce development programs.
Prevention Tactics
Understanding how cybersecurity breaches occur is essential to preventing them. According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches (including phishing, stolen or weak credentials, and pretexting attacks) involved a human element. The human element is defined as a person performing an action with a computer system that puts the organization at risk.
This can be something as simple as clicking on a suspicious link. Because these attacks are so prevalent, cybersecurity professionals will likely continue to build technical controls to prevent them, but they also need to address the human element by educating the entire workforce, not just the cybersecurity workforce.
With such a high share of breaches occurring via social engineering – a hacking tactic that manipulates people into giving out personal information – it’s more important than ever to invest in educating the workforce and to provide the tools and training needed to stop cyberattacks before they start.
With almost 161 million Americans in the United States workforce, this is a daunting task, but there are tried-and-true ways to teach what experts call “cyber hygiene.”
Five Ways to Educate on Cyber Hygiene
- Provide meaningful, engaging cybersecurity awareness training during onboarding. This should be baked in from the start. An organization’s cybersecurity policies are just as important as any other Day 1 training. While it would be ideal to provide this information to all employees, there should be a focus on training those who will have access to digital resources, such as email.
- Since 94% of malware is delivered by email, it’s important to share tips with employees for spotting these attacks. This includes teaching them how to recognize malicious links, why they shouldn’t open unknown file attachments, and why they should always verify the sender. When an email arrives, encourage them to ask questions like “Was I expecting an email from this person?”, “Do I know what type of attachment this is?”, and “Does this seem too good to be true?”. It’s also beneficial to go beyond email and teach employees how to spot suspicious activity in general: they should be made aware of social engineering attempts made by phone and be equipped to recognize suspicious activity outside of cyberspace as well.
- Often, cybersecurity awareness trainings are developed by cybersecurity professionals, but their target audience is non-cybersecurity professionals. Organizations must simplify cybersecurity for these audiences, make it approachable, and make it fun. Real-world examples make the training more impactful: if a specific phishing campaign hit your organization last year, use it as a teaching moment.
- Be sure to explain the significant impact a breach can have on your specific organization, so new employees understand the full consequences. Additionally, target your training as much as possible. When providing phishing training to a specific department, teach employees to spot spear-phishing emails (targeted attempts to steal information) and attachments that use jargon specific to their area of expertise.
- Finally, create diverse and engaging trainings for new employees. Different people learn in different ways, so it’s important to provide routine training opportunities in a variety of formats. Offer incentives so employees participate and remain engaged, and never penalize employees. For example, employees who perform well in cybersecurity awareness training might be rewarded with the opportunity to skip the next scheduled session, an invitation to a catered lunch, or some other desirable reward.
Enhancing and strengthening cybersecurity education is essential to filling the 755,000-plus vacant jobs and strengthening the nation’s existing workforce. An organization’s employees are the frontline defenders of the networks and computer systems used every day. Preventing just one of the 74% of breaches that involve the human element is a huge win for any organization.