Three in four successful cyber breaches (74%) have human error in common, according to the 2023 Verizon Data Breach Investigations Report. Human errors can contribute to privilege misuse, use of stolen credentials or social engineering tricks.
Does a lack of theoretical and practical knowledge in newly minted cybersecurity professionals also contribute to on-the-job errors? Companies depend on these cybersecurity pros to make the right decisions. How can organizations correct for that problem?
In the past two years, organizations have suffered at least one cyber incident due to a lack of qualified cybersecurity staff, security provider Kaspersky said in a new study. While hiring better trained cybersecurity staff might be one solution to the problem, there's an ongoing shortage of cybersecurity professionals. The cybersecurity talent gap -- the difference between how many open roles organizations need to hire and how many cybersecurity pros are available -- reached four million according to the 2023 ISC2 Cybersecurity Workforce Study.
Further complicating the problem is that many entry level cybersecurity pros have gaps in their knowledge, which can result in on-the-job errors, according to Marina Alekseeva, Kaspersky’s chief human resources officer.
“It’s no secret that formal training programs often struggle to keep up with industry developments, and that is especially true for the cybersecurity field,” Alekseeva said. “The fact that many employees in the market might have limited practical skills or gaps in their knowledge underlines the importance of a comprehensive on-boarding process with a focus on peer learning and means companies must pay more attention to the up-skilling of their employees.”
Common Mistakes Cybersecurity Pros Make
According to Kaspersky’s research data, some of the most common mistakes cybersecurity professionals make early in their career, include:
- Failure to update software (43%), using weak or guessable passwords (42%) and neglecting to perform backups in a timely manner (40%) are the most common mistakes made by cybersecurity professionals early in their careers.
- The use of outdated security measures was also a common mistake cybersecurity experts made at the beginning of their career.
- Initial challenges cybersecurity experts face when they join the industry may explain why nearly half of cybersecurity professionals (46%) say that it took them more than a year to feel comfortable in their first cybersecurity roles.
- While 31% of respondents managed to settle in their job within one or two years, some said the process took them two to three years (9%) or more than three years (6%).
Course Corrections
To tackle the knowledge gap and ensure a smoother integration of cybersecurity workforce into the workflow, Kaspersky recommends some preventive and reactive measures:
- At an educational level, training programs should be updated and become more flexible and agile, which can be achieved through collaboration with industry players and experts.
- Those who plan to join the cybersecurity field can acquire experience in real-life cybersecurity scenarios by completing an internship in an information security or research and development department.
- Businesses can invest in upskilling programs for their corporate staff, helping the latter get new knowledge and skills, and remain competitive.
For non-cyber workers, why is user behavior behind so many breaches? Why have existing solutions struggled to address and contain it? Education and training can help with the following missteps:
- The complexity of modern work environments can result in using or reusing weak passwords and failing to comply with corporate security regulations.
- Employees are sometimes duped by social engineering tactics, such as phishing, especially those who lack cybersecurity awareness.
- Existing solutions struggle because technical measures alone can't address unpredictable human errors and overreliance on technology can create a false sense of security.
