Bailey studied English literature, getting into IT through working in advertising as it was making the transition to websites and information architecture.
Aura, a subsidiary of state-owned network infrastructure company Kordia, has about 30 staff.
"Most of the team have degrees in computer science, but there are also some who just have an interest in programming and networks, they did the work in their own time, got into groups and blogs that discuss security issues and have a natural curiosity about how things are put together," Bailey says.
"The other side of cybersecurity is making sure organisations have their policies and processes in order. We have guys that came through military intelligence or consulting and, through being involved in process and policy development, they got interested in security."
Aura principal virtual security officer Barry Brailey came out of the military, which trained him in intelligence and security.
"Roles were surprisingly easy to get into because most of my peers thought security was boring," he says.
Cybersecurity professionals need to combine knowledge of information systems, how business works in the online environment, and the psychology and motivation behind cyber-criminals and attacks, and have a knack for identifying and solving problems.
Because of a shortage of experienced staff locally, Aura often hires senior consultants overseas.
More junior staff can be sourced locally and trained up in the team.
Former hackers won't be hired.
"If they have done naughty stuff we can't bring them on because we do government work, so we need to reach those guys and girls in high school to talk to them," Bailey says.
If people have a genuine interest in the subject and want to develop their skills, penetration testing (or pen testing) is an acceptable way to learn.
There are well-established protocols and many software companies pay bug bounties to testers who tell them about a vulnerability in a piece of software or a system.
"Some of the people who work for us do bug bounty stuff in their own time for a bit of extra cash," Bailey says.
On the cash side, an intern or new graduate can expect to start at about $50,000, with pay jumping up once they prove themselves. Senior consultants earn $110,000 to $140,000.
"Cybersecurity is not cheap, so it tends to be bigger firms who invest in it," says Bailey.
He says ransomware and scam emails are two of the largest threats, and both can be dealt with using policies to stop people clicking malicious links.
However, the tactics of the scammers can be very sophisticated, with websites meticulously copied so users don't realise they are being led to dummy pages.
"People trust, especially New Zealanders, so we click through these things," he says.
"The more we interact online the bigger the threats will be. Once the internet of things comes into its own, it will increase the attack surface — the ways the hacking can get in."
Bailey says many people don't realise cybersecurity is a career option beyond coding and network maintenance.
Lech Janczewski teaches information security at the University of Auckland to about 140 undergraduates and 40 postgrad students. He is also chairman of the New Zealand Information Security Forum, which runs a monthly breakfast where experts talk about issues relevant to the field.
He warns most of the people who claim to be information security gurus are cowboys, and people should look for qualifications such as the internationally recognised Certified Information Systems Security Professional (CISSP), which he teaches.
"My students ask, if I pass your course, should I do the exam. I say don't do it because the course is just an introduction — you then have to master the so-called book of knowledge, which is a 1200-page book," Janczewski says.
That's why the CISSP organisation says people need three years in the field before sitting the exam.
"If you want a career in information security, you must be convinced this is your career path and not just IT generally," he says.
Last year was the year of ransomware, with an incredible increase in ransom attacks against various organisations.
The WannaCry ransomware worm, in particular, had a major impact, taking down hospitals and medical practices within Britain's National Health Service.
"I don't feel pity for those subjected to those attacks because if you are a big hospital and you don't have a back-up in case your files or records are encrypted, it means you have not done a proper job," says Janczewski.
He says smaller firms, which can't afford the professionals, will be relatively safe if they live by strict rules that are relatively easy to implement.
Just don't click on that link.