In June’s cybersecurity news, the cyberskills gap is growing and social engineering schemes like phishing attacks remain a top threat vector — especially during high-profile events such as the World Cup.

All this is just a reminder that people are the weakest link. Without enough security professionals to train the next generation of tech-savvy employees, companies are at risk.

Many of the topics we covered in June include actionable advice to help both security leaders and aspiring IT professionals navigate the evolving cybersecurity career pathway — not to mention tips to stay safe online while rooting for your favorite soccer team.

Cybercriminals Score Big on Social Engineering Schemes

High-profile sporting events draw threat actors looking to capitalize on lax cybersecurity, reinforcing the critical role of security experts in educating users and improving network defense.

During this month’s World Cup in Russia, fans, athletes and venues are all under increased threat. Fans in the stands could be duped by insecure Wi-Fi networks, for example, while those at home should be wary of fraudulent emails promising tickets or other World Cup-related windfalls.

IBM X-Force researchers recently observed attackers out in full force with phishing campaigns, including:

  • Financial scams: Using the brand name and logo of popular sponsors, criminals claim users have won prize money. They’re then directed to a malicious site and asked to prepay a small fee by providing their financial information. Instead, the fee disappears and the windfall never materializes.
  • Social engineering efforts: Other threat actors are masquerading as World Cup organizing body FIFA. Using blurry logos and long-winded text, they attempt to convince users that they’ve won an online lottery. The attackers then ask for contact details, which they will likely use for long-term social engineering scams.
  • Fake goods: Attackers are also sending out emails selling everything from knock-off soccer jerseys to auto parts. Best case: Buyers get low-quality replica apparel. Worst case: They get nothing while cybercriminals make off with their credit card or banking information.

Athletes, meanwhile, may be compromised by nation-state or malicious actors who support competing teams. To maintain security at the World Cup, soccer franchises should consider employing a team chief information security officer (CISO), creating secure team networks and asking players to reduce their social media use immediately before and during competition. Venues should be prepared for large-scale cyberattacks and employ trusted security vendors to help identify threats and isolate systems as required.

Promoting Security Education to Close the Skills Gap

These days there simply aren’t enough cybersecurity professionals to go around. As a result, organizations are looking for ways to widen the funnel and encourage security education.

The Girl Scouts of America are hoping to bolster the ranks of science, technology, engineering and mathematics (STEM) professionals by giving young girls the opportunity to engage with new technologies. According to Kymberly Miller, senior director at Girl Scouts of Northern California, who participated in a recent SecurityIntelligence podcast, many girls shy away from trying new things by age six.

Girl Scouts’ leadership, recognizing that “understanding cybersecurity and knowing how to prevent hacks is a life skill,” created the STEM badge program. This program offers a mix of hands-on experience and direct reinforcement from instructors to boost girls’ confidence and help pave a new cybersecurity career pathway.

In another recent podcast, Pete Herzog, co-founder of online learning platform Hacker Highschool, and Heather Ricciuto, academic outreach leader at IBM Security, noted that the earlier students are equipped with cybersecurity knowledge, the better. While some critics argue that knowledge of hacking techniques is dangerous, Hacker Highschool focuses on giving teens enough information to recognize technology threats in their everyday lives. The goal is to encourage students to use their knowledge for good and develop the skills to help make the world a safer place.

Speaking of safety, the evolution of business campuses into digital-first, barrier-free learning environments comes with a unique set of security challenges. Doors may be left unlocked and intellectual property left on full display as hundreds of professionals share lunch and trade ideas over Wi-Fi and in person. Needless to say, this creates a potentially hazardous security environment.

While IT professionals can’t fight the transition to open campus environments, it’s possible to limit total risk by:

  • Changing Wi-Fi: Segment corporate Wi-Fi across buildings or quadrants and use separate private cloud servers for guest Wi-Fi to reduce the chance of a network breach.
  • Letting IT teams roam free: Give IT professionals Raspberry Pi devices, high-gain antennas or access to Metasploit, and let security teams run wild to discover where flaws exist.
  • Leveraging artificial intelligence (AI): Threat modeling on an open campus requires an open mind — and potentially an artificial one. Advances in AI now offer the potential for fluid threat monitoring that adapts to emerging situations rather than relying on static predictions.

Creating a New Cybersecurity Career Pathway

To address the growing cybersecurity skills gap, companies are changing the way they assess and recruit potential hires. The biggest shift here lies with “new collar” jobs: To help alleviate the talent shortage, organizations are recruiting candidates who may lack traditional college degrees but possess the necessary skills to work in cybersecurity. If prospective candidates are driven to explore, adept at solving problems, ready to learn and willing to work with others, they’ve already laid the groundwork to leap into cybersecurity. Given the emergence of new training programs, such as IBM’s P-TECH, there’s more opportunity than ever for motivated employees to launch security careers.

Consider the case of cybersecurity activist Cris Thomas, who goes by the pseudonym Space Rogue. He’s now the global strategy lead at IBM X-Force Red, a group of white-hat hackers who exploit corporate vulnerabilities to help companies improve network security.

Their work is simple and effective: Recently, an IBM X-Force Red team tailgated its way into corporate offices by dressing like other staff members while carrying a box of donuts along with their testing gear. Once inside, they set up shop in an empty conference room, put up a sign saying they were conducting a network test and then penetrated the company network unchallenged. For Space Rogue, it’s all about educating organizations and elected officials alike to help limit the impact of cybersecurity issues.

Won’t You Be My Neighbor?

The cybersecurity career pathway can be lonely at times. Unlike other professions that have well-defined certification processes, job descriptions and skills requirements, IT security is constantly changing — forcing experts to fight fires with minimal C-suite support and without comprehensive training.

For this reason, community is a valuable lifeline for cybersecurity experts. New initiatives like the IBM Security Community enable IT experts to easily connect with each other to troubleshoot, share learning, discuss defensive strategies and even provide emotional support.

From early education efforts to new collar hiring initiatives and the emergence of security communities, it’s clear that there’s a critical shift underway in the cybersecurity field. As threats continue to evolve and the IT talent gap grows, stay tuned to see how these efforts play out in the ever-intensifying war against cybercrime.
