In June’s cybersecurity news, the cyberskills gap is growing and social engineering schemes like phishing attacks remain a top threat vector — especially during high-profile events such as the World Cup.

All this is just a reminder that people are the weakest link. Without enough security professionals to train the next generation of tech-savvy employees, companies are at risk.

Many of the topics we covered in June include actionable advice to help both security leaders and aspiring IT professionals navigate the evolving cybersecurity career pathway — not to mention tips to stay safe online while rooting for your favorite soccer team.

Cybercriminals Score Big on Social Engineering Schemes

High-profile sporting events draw threat actors looking to capitalize on lax cybersecurity, reinforcing the critical role of security experts in educating users and improving network defense.

During this month’s World Cup in Russia, fans, athletes and venues are all under increased threat. Fans in the stands could be duped by insecure Wi-Fi networks, for example, while those at home should be wary of fraudulent emails promising tickets or other World Cup-related windfalls.

IBM X-Force researchers recently observed attackers out in full force with phishing campaigns, including:

  • Financial scams: Using the brand name and logo of popular sponsors, criminals claim users have won prize money. They’re then directed to a malicious site and asked to prepay a small fee by providing their financial information. Instead, the fee disappears and the windfall never materializes.
  • Social engineering efforts: Other threat actors are masquerading as World Cup organizing body FIFA. Using blurry logos and long-winded text, they attempt to convince users that they’ve won an online lottery. The attackers then ask for contact details, which they will likely use for long-term social engineering scams.
  • Fake goods: Attackers are also sending out emails selling everything from knock-off soccer jerseys to auto parts. Best case: Buyers get low-quality replica apparel. Worst case: They get nothing while cybercriminals make off with their credit card or banking information.

Athletes, meanwhile, may be compromised by nation-state or malicious actors who support competing teams. To maintain security at the World Cup, soccer franchises should consider employing a team chief information security officer (CISO), creating secure team networks and asking players to reduce their social media use immediately before and during competition. Venues should be prepared for large-scale cyberattacks and employ trusted security vendors to help identify threats and isolate systems as required.

Promoting Security Education to Close the Skills Gap

These days there simply aren’t enough cybersecurity professionals to go around. As a result, organizations are looking for ways to widen the funnel and encourage security education.

The Girl Scouts of America are hoping to bolster the ranks of science, technology, engineering and mathematics (STEM) professionals by giving young girls the opportunity to engage with new technologies. According to Kymberly Miller, senior director at Girl Scouts of Northern California, who participated in a recent SecurityIntelligence podcast, many girls shy away from trying new things by age six.

Girl Scouts’ leadership, recognizing that “understanding cybersecurity and knowing how to prevent hacks is a life skill,” created the STEM badge program. This program offers a mix of hands-on experience and direct reinforcement from instructors to boost girls’ confidence and help pave a new cybersecurity career pathway.

In another recent podcast, Pete Herzog, co-founder of online learning platform Hacker Highschool, and Heather Ricciuto, academic outreach leader at IBM Security, noted that the earlier students are equipped with cybersecurity knowledge, the better. While some critics argue that knowledge of hacking techniques is dangerous, Hacker Highschool focuses on giving teens enough information to recognize technology threats in their everyday lives. The goal is to encourage students to use their knowledge for good and develop the skills to help make the world a safer place.

Speaking of safety, the evolution of business campuses into digital-first, barrier-free learning environments comes with a unique set of security challenges. Doors may be left unlocked and intellectual property left on full display as hundreds of professionals share lunch and trade ideas over Wi-Fi and in person. Needless to say, this creates a potentially hazardous security environment.

While IT professionals can’t fight the transition to open campus environments, it’s possible to limit total risk by:

  • Changing Wi-Fi: Segment corporate Wi-Fi across buildings or quadrants and use separate private cloud servers for guest Wi-Fi to reduce the chance of a network breach.
  • Letting IT teams roam free: Give IT professionals Raspberry Pi, high-gain antennas or access to Metasploit, and let security teams run wild to discover where flaws exist.
  • Leveraging artificial intelligence (AI): Threat modeling on an open campus requires an open mind — and potentially an artificial one. Advances in AI now offer the potential for fluid threat monitoring that adapts to emerging situations rather than relying on static predictions.

Creating a New Cybersecurity Career Pathway

To address the growing cybersecurity skills gap, companies are changing the way they assess and recruit potential hires. The biggest shift here lies with “new collar” jobs: Organizations are recruiting candidates that may lack traditional college degrees but possess the necessary skills to work in cybersecurity to help alleviate the talent shortage. If prospective candidates are driven to explore, adept at solving problems, ready to learn and willing to work with others, they’ve already laid the groundwork to leap into cybersecurity. Given the emergence of new training programs, such as IBM’s P-TECH, there’s more opportunity than ever for motivated employees to launch security careers.

Consider the case of cybersecurity activist Cris Thomas, who goes by the pseudonym Space Rogue. He’s now the global strategy lead at IBM X-Force Red, a group of white-hat hackers who exploit corporate vulnerabilities to help companies improve network security.

Their work is simple and effective: Recently, an IBM X-Force Red team tailgated its way into corporate offices by dressing like other staff members while carrying a box of donuts along with their testing gear. Once inside, they set up shop in an empty conference room, put up a sign saying they were conducting a network test and then penetrated the company network unchallenged. For Space Rogue, it’s all about educating organizations and elected officials alike to help limit the impact of cybersecurity issues.

Won’t You Be My Neighbor?

The cybersecurity career pathway can be lonely at times. Unlike other professions that have well-defined certification processes, job descriptions and skills requirements, IT security is constantly changing — forcing experts to fight fires with minimal C-suite support and without comprehensive training.

For this reason, community is a valuable lifeline for cybersecurity experts. New initiatives like the IBM Security Community enable IT experts to easily connect with each other to troubleshoot, share learning, discuss defensive strategies and even provide emotional support.

From early education efforts to new collar hiring initiatives and the emergence of security communities, it’s clear that there’s a critical shift underway in the cybersecurity field. As threats continue to evolve and the IT talent gap grows, stay tuned to see how these efforts play out in the ever-intensifying war against cybercrime.

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…