Can training prevent the next major cyberattack?

by Brett Henebery, 03 Jul 2017
Last week, a global cyberattack crippled computer systems across multiple continents for the second time in less than a month.
The latest ransomware attack – called ‘GoldenEye’ – struck across the globe yesterday, taking down servers at Russian oil giant Rosneft and computers at multinational businesses, including the Australian offices of a global law firm.
The malicious software works by encrypting computer files and demanding a ransom in the ‘virtual currency’ bitcoin before access is restored.
So with the smoke having only just cleared, what is being done to prepare organisations and their learners for an all-but-inevitable repeat of these attacks?
L&D Professional spoke to Nick FitzGerald, a senior research fellow at ESET – a global IT firm based in Slovakia – to find out how organisations can prepare for the next strike – and what kind of training should be delivered to minimise impact.

LDP: Why are organisations currently experiencing a skills gap in cybersecurity training? And is this an issue that you see being addressed by Australian organisations in an effective and timely way?

NF: Until quite recently, specific IT security classes, much less whole courses, have been quite rare at university level. Australia’s Queensland University of Technology (QUT) was one of the international leaders in this regard, with its Information Security specialty within Computer Science in the Engineering School.

Still, with what was seen as such a narrow speciality, and with so little apparent professional demand for such qualifications, there were relatively few graduates, so few people to educate and train others.

In the last few years there has been an explosive growth in general awareness of the rather poor state of security in computer systems, and that such systems now touch so many sensitive areas of our lives.

Some kind of tipping point was reached, and whole industries that had previously all but ignored what we now tend to call cybersecurity have realised that they quite literally cannot afford to ignore it any longer, and are now trying to recruit more and more staff from a rather small pool of experienced and/or qualified candidates.

Adequately addressing this skills gap will take some time.

The recently updated Australian cybersecurity strategy document has a considerable focus on increasing tertiary IT security training, and the government recently announced funding to specifically increase resources for teaching more security specialists in programmes at a couple of large universities.

Like all good things, doing this well will take some time and it would be foolish to think there can be a quick-fix.

LDP: In your view, what kind of training is needed to win the cybersecurity fight?

NF: Honestly, I don’t think that the quality of most existing tertiary cybersecurity education is the source of the skills gap problem.

The problem is that, at least until quite recently, there has not been much incentive to specialise in this field.

That is changing – there is a great deal of news media and popular culture attention on cybersecurity issues and hopefully that will shape attitudes of more school students to realise that there are plenty of interesting jobs in this field.
