Categories
Security

2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Global cyberattacks have increased by 483 percent over the last two years, and at the current rate of growth, damage from such attacks will amount to $10.5 trillion in 2025.

Against that backdrop, and despite increased spending on cybersecurity, the skills gap has widened to a canyon. According to the (ISC)² 2022 Cybersecurity Workforce Study, the global security workforce gap grew by 26 percent, to 3.4 million additional workers needed to secure businesses effectively. It’s this discrepancy that I believe will lead to a nationally significant cyberattack on a major US organization this year.

As an industry, we need to address these risks preemptively, both by hiring and onboarding new cyber talent now and by introducing tools and resources that simplify operations for SMBs and other thinly stretched teams.

How to find (and keep) diverse security staff—and when to turn to MSPs

Business leaders are doing a lot of hand-wringing these days. Fears of recession, geopolitical instability, and rising tides of cybercrime compete for attention and have already impacted budget decisions for 2023. But with the average cost of a US data breach at $9.44 million—more than twice the global average—many executives are putting their eggs in the cybersecurity basket. A recent Gartner survey of CIOs revealed that two-thirds plan to increase cyber spending this year.

And yet—will that be enough? Cybercriminals don’t retreat in the face of economic trouble. If anything, they up the ante to meet their financial goals, as the record attack volumes since the onset of the pandemic have shown. Cybercrime surged to meteoric heights in 2020 and 2021, and 2022 continued the upward trend with a further 28 percent increase in global attacks. These numbers hardly do the crimes justice, as they don’t capture the effect on employee productivity and morale, lost profits and investments, and irrevocable damage to company reputation.

While organizations have made major investments in cybersecurity recently, hiring additional staff members to manage complex systems, processes, and people does not appear to be a priority. In 2022, the security employment gap expanded by 40 percent to 700,000 unfilled positions in the US alone. “The cybersecurity talent shortage is one of the most significant and threatening challenges facing our industry today,” said Barbara Massa, executive vice president at Mandiant, in an article for CNN.

Indeed, an estimated 70 percent of respondents to the (ISC)² 2022 Cybersecurity Workforce Study reported that their organization does not have enough employees devoted to security, with more than half saying staff deficits put their company at “moderate” or “extreme” risk of cyberattack. It’s no leap of logic to assume a significant cyberattack will take place in 2023 because of a mistake made by an overburdened employee or an incident that overwhelms an understaffed team.

Signs of impending crisis have already started to show. According to a 2022 survey by Cobalt, a whopping 90 percent of respondents who have suffered shortages or lost team members are struggling with workload management. Talent gaps have tangible impacts on an organization’s security posture, including difficulty maintaining standards, lackluster or non-existent training, and vulnerabilities slipping under the radar undetected.

When security professionals are barely keeping their heads above water, important tasks slip through the cracks, leaving infrastructure exposed to the potential for massive compromise. That’s why it’s time to start thinking differently about the security talent shortage and look for creative solutions to the growing problem.

Recruiting security staff: fewer certifications, more diversification

Historically, job listings for cybersecurity positions have placed heavy focus on prior experience, often with a legacy security institution, as well as a laundry list of technical skills and certifications. Many businesses also require familiarity with their preferred software, with dozens of programs littering job descriptions. However, rigid adherence to such qualifications is often to blame for positions remaining unfilled for extended periods.

Instead, organizations should ditch preconceived notions that security professionals must possess a plethora of niche technical skills and consider candidates with so-called “soft skills” of creative problem-solving, communication, collaboration, and critical thinking. If the candidate shows strong potential and a willingness to learn—and is a good cultural fit with other team members and employees—they can be trained to pick up the technical skills they lack.

Another habitual practice in hiring security teams is to look at the same job boards or set of schools for graduates in computer science and information technology year after year. Instead, businesses should expand their search beyond the usual places and methods. A college degree is not always necessary for someone to become a talented cybersecurity professional.

Experts recommend looking in-house at employees not currently on the security team to fill open slots. Perhaps someone in IT, Q/A testing, or customer service has expressed an interest and can be easily trained. Capture the flag, bug bounty, and other security contests are also excellent sources of highly-skilled candidates, as are apprenticeship and internship programs. Finally, SMBs might have surprising luck poaching experienced candidates who are looking to make more of an impact from enterprise businesses, though admittedly this does little to address the overall skills shortage.

In addition to expanding skill and location parameters, it’s crucial for businesses to diversify their cybersecurity teams. A diverse security department brings fresh perspectives, looking at a problem from new angles and matching the range of adversaries it faces. Diversifying security teams means adding members with different skill sets and backgrounds, including those traditionally excluded from the industry.

Women are a growing, yet still underrepresented group in cybersecurity, making up just 25 percent of the global security workforce in 2021. Hiring managers can look to nonprofits, such as WiCyS, CybHER, Inteligencia, and the Diana Initiative, to connect them with women looking to enter the field. The SANS Institute also offers the CyberTalent Immersion Academy for Women, where candidates receive world-class training and certification.

Businesses should also conduct outreach to tap into Black, Indigenous, and people of color (BIPOC) and LGBTQ+ communities for potential job prospects. A September 2021 study on diversity and inclusion in cybersecurity found that only 4 percent of US security professionals self-identify as Hispanic and 9 percent as Black.

To court ethnically and culturally diverse applicants, add language to job descriptions that explicitly states interest in groups often left out of hiring pools. Let candidates know the company fosters a welcoming environment for all and encourages professional development of its cybersecurity talent. In addition, look for organizations matching diverse hopefuls to job openings, such as CyberSN, Secure Diversity, and Blacks in Cybersecurity.

Retaining security staff: show them the money

Cybersecurity as an industry suffers from a retention problem. A study from the Kapor Center estimated that high turnover has cost the technology sector more than $16 billion annually. At the heart of such turnover: toxic workplace culture. Nearly 40 percent of employees surveyed said that unfairness or mistreatment played a major role in their decision to leave their company.

It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. Other strategies include:

  • Having a succession plan in place so employees can see a path for career growth within the business and work toward it.
  • Establishing a mentoring program to allow junior personnel to shadow senior staff and picture what the next stage of their career might look like.
  • Offering security staff opportunities to be involved in the planning stages of projects so they feel their voice is heard.
  • Giving employees ample time off for well-being, including mental health and personal days, to avoid burnout.
  • Allowing flexible in-office hours, including a hybrid or remote work schedule to keep competitive offers at bay.

Finally, of critical importance to attract and retain quality employees is offering a competitive salary. Currently, the median salary for cybersecurity professionals in the US is $135,000, according to (ISC)². The study also shows that 27 percent of security workers enter the sector for the high earning potential and strong compensation packages.

Salaries should increase to keep up with both market trends and increasing responsibilities related to the growing sophistication and frequency of cyberattacks. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16 percent to well over six figures, according to a 2021 report from Dice, a tech recruiting platform.

To MSP or not to MSP

Organizations of every size are in the crosshairs of cybercriminals, but SMBs disproportionately feel the weight of cyberattacks. A 2022 Devolutions report found that 60 percent of SMBs have experienced at least one attack in the past year, and 18 percent have endured six or more. However, 44 percent of respondents indicated they do not have a comprehensive, updated incident response plan in place. Alongside choppy economic waters, 2023 could shape up to be a perfect storm for SMBs who haven’t shored up cybersecurity defenses.

SMBs traditionally have fewer resources than enterprises but are on the receiving end of more attacks. Top threats against SMBs include phishing, credential theft, and ransomware, the last of which can render a small business bankrupt if not properly thwarted. SMBs need robust security protections, but over 40 percent have no internal IT personnel at all, and many of the rest rely on a single generalist on call.

The growing complexity of securing an ever-widening attack surface while complying with industry, national, and international security and privacy regulations has driven many SMBs to turn to managed service providers (MSPs) as a lifeline. MSPs allow small businesses to cost-effectively supplement or stand in for a full-fledged security team to protect against infections and reduce exposure to threats.

Many SMBs, recognizing that MSPs can be critical partners in helping them overcome security challenges, are planning to increase investment in managed IT and security solutions this year. The widespread and growing need for process digitization, cloud migration, post-COVID collaboration, analytics, compliance, and all-around better security are creating strong demand from SMBs for external expertise in cybersecurity.

SMB investment in MSP solutions will not only provide a shield against the onslaught of digital threats in 2023, but help organizations achieve their business goals while improving collaboration and engagement. Whether your organization has budget to hire a diversified security team or requires an MSP to handle complex security needs, ensuring you have skilled professionals to manage and deploy comprehensive protections will keep your business thriving in the new year and many years to come.

For more information on Malwarebytes’ Managed Service Provider Program, check out our dedicated MSP portal.

Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden variety ransomware assault. Those days appear to be behind us now.

Once again striking the software supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. SolarWinds had only recently gained infamy as the country’s largest supply chain attack; Kaseya is eerily reminiscent, and likely not the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its VSA service.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attackers used the compromised VSA servers’ own deployment functionality to push what looked like a routine agent update to the endpoints those servers managed; that update carried the REvil ransomware, also known as Sodinokibi.

To reach the MSPs and their customers, the attackers did not need to breach Kaseya’s own corporate network. Instead, they exploited a vulnerability in the VSA server software itself, one that had been reported to Kaseya and that the company was actively working to correct. Kaseya had thankfully already rolled out patches to its SaaS VSA clients. But before on-premises customers could receive their fix, threat actors made their move against Internet-facing on-premises VSA servers.

During the attack, the intruders shut off administrative access to the compromised VSA servers, and the payload disabled several protections within Microsoft Defender on the endpoints it reached. Clients that didn’t take their VSA servers offline in time had the malicious update pushed to their managed endpoints, and if those endpoints had no security layer beyond Defender, they were left with a ransom note and encrypted files. Customers of Malwarebytes were shielded from this attack, and with features such as tamper protection and uninstall protection enabled they are better placed to resist similar attempts to switch off protection before encryption begins.

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered that opportunists had launched a malspam campaign targeting companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped a Cobalt Strike payload.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement has trained its eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must maintain an inventory of the software products used in their organization, ensure all known vulnerabilities in them are patched as soon as possible, and vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers, along with implementing multiple layers of security, is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.
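The paragraphs above argue for patching every known vulnerability in the software an organization runs and for vendors shipping a software bill of materials (SBOM) that itemizes components. What that buys the consumer is a mechanical check: match the SBOM against advisories and get a list of what to patch, flagging components that have no fix yet. The Python below is an added example, not code from Kaseya, Malwarebytes or this article. The SBOM is a constructed, CycloneDX-shaped JSON fragment for a fictional remote-management agent, and the advisory identifiers (ADV-0001 and so on) are hypothetical, not real CVEs; the component names and versions are made up as well.

```python
"""
Cross-check a CycloneDX-style SBOM against known vulnerable version ranges
and report which components need patching (or have no fix available).

Added example; not vendor code. All inputs below are constructed.
"""
import json

# Constructed sample SBOM (CycloneDX-shaped, minimal fields only).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "rmm-agent",     "version": "9.5.3"},
    {"type": "library",     "name": "libtls-compat", "version": "1.0.2"},
    {"type": "library",     "name": "jsonparse",     "version": "2.10.0"},
    {"type": "library",     "name": "sqlite-shim",   "version": "3.35.5"}
  ]
}
"""

# Hypothetical advisories: (advisory id, component, first affected version,
# first fixed version, short note). first_fixed=None means no fix has shipped.
ADVISORIES = [
    ("ADV-0001", "libtls-compat", "1.0.0", "1.0.3", "weak default cipher suite"),
    ("ADV-0002", "jsonparse",     "2.0.0", "2.9.8", "stack overflow on deep nesting"),
    ("ADV-0003", "rmm-agent",     "9.0.0", "9.5.4", "authentication bypass"),
    ("ADV-0004", "sqlite-shim",   "3.30.0", None,   "default admin password"),
]


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that compares numerically.

    String comparison would rank '2.10.0' below '2.9.8'; numeric tuples do
    not. A pre-release suffix sorts below the final release of the same
    number. Assumes at most three numeric components (padded with zeros).
    """
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    # Final release gets marker (0,); pre-release gets (-1, tag) so it sorts lower.
    marker = (0,) if not pre else (-1, pre)
    return tuple(nums) + marker


def is_affected(version: str, first_affected: str, first_fixed) -> bool:
    """True if first_affected <= version < first_fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    if first_fixed is None:
        return True
    return v < parse_version(first_fixed)


def load_components(sbom_json: str) -> list:
    """Extract (name, version) pairs; reject anything that is not CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def find_vulnerable(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) match, in SBOM order."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv_id, comp, first, fixed, note in advisories:
            if comp == name and is_affected(version, first, fixed):
                findings.append({
                    "component": name,
                    "installed": version,
                    "advisory": adv_id,
                    "fixed_in": fixed,          # None => no patch available yet
                    "action": f"upgrade to {fixed}" if fixed else "no fix: mitigate or remove",
                    "note": note,
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['installed']}: {f['advisory']} ({f['note']}) -> {f['action']}")
```

Run against the constructed inputs, the report lists the agent, the TLS library and the SQLite shim, and leaves jsonparse alone because 2.10.0 is past the 2.9.8 fix; a naive string comparison would have flagged it. The `fixed_in: None` case is the one that matters for triage: a component with no patch available has to be mitigated or removed, not queued for a patch cycle.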

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payments aren’t substantial enough to outbid the gray or black market. The $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement; 360-degree security up and down the supply chain, extending to fourth- and fifth-tier parties; smart and secure development of Internet-connected software, along with layered defenses to stop breakthrough breaches; and a collective awareness that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/