What is the future of working professional education?

The Executive MBA Council (EMBAC) published research which addresses how business education needs to evolve to keep pace with changing demands and expectations about professional development from both students and their employers over the next five years and beyond.

working professional education

The study draws on new original qualitative research from in-depth interviews with relevant decision makers at international business schools and within major employers who invest in working professional development. It also involved a survey of over 300 individual learners who were looking to take business school courses in the next five years.

“The relationship between employees and employers has been evolving for some time, and this study opens up what that means for the future of working professional education. Economic uncertainty, online learning, lifelong development, remote working, and digital transformation in business schools and other organizations are not new.

“However, the global pandemic is accelerating these trends. Our sector will benefit from a healthy and honest debate about how future ways of learning and work can help leaders in business and business education find new answers to the problems of our time,” said Michael Desiderio, executive director of EMBAC.

Working professional education: Key findings

  • 38% of individual learners said they rated blended learning (face to face and online) as their ideal skills development path for the next five years.
  • When choosing a business school, the top requirements are flexibility in how learning is delivered (45%), how much the school embraces digital transformation (42%) and how much the program will accelerate career prospects (37%).
  • More than three quarters of employer respondents believe that business schools need to develop short, inexpensive programs that deliver relevant skills for those working and be clear about how their offer positively impacts our wider society, not just the business industry.
  • While employers agree that leadership remains an important skill for development, new leadership models are emerging that have stronger roots in “soft skills” such as emotional intelligence, more agility and conscious, continuous learning.
  • Employers also point out that as the workforce ages, one of the most frequently sought-after development programs is how to manage effectively across generations since attitudes and lifestyles can vary significantly.

Fundamental shifts in the workforce were already taking place

While the COVID-19 may have accelerated change in the workforce, fundamental shifts were already taking place. There is no one-size fits all solution with the different circumstances – economic, political and social – having a significant impact on the approach that a school decides to take.

However, it is clear that institutions will need to evolve from the focus on quantity of degrees awarded to becoming a learning partner to companies and organizations; keenly understanding the needs of both the workforce and individual industries.

Cyber risk literacy should be part of every defensive strategy

While almost 95 percent of cybersecurity issues can be traced back to human error, such as accidentally clicking on a malicious link, most governments have not invested enough to educate their citizens about the risks, according to a report from the Oliver Wyman Forum.

cyber risk literacy

Cyber risk literacy of the population

Cyber literacy, along with financial literacy, is a new 21st century priority for governments, educational institutions, and businesses.

“Cyberattacks are now one of the fastest growing crimes globally and are expected to cost organizations more than $600 billion dollars a year by 2021,” said Paul Mee of the Oliver Wyman Forum.

“The situation has become even more pressing during the pandemic as our reliance on the internet has grown. Yet many citizens still lack the basic skills to keep themselves, their communities, and their employers safe.”

50 geographies were assessed, including the European Union, on the present cyber risk literacy of its population, and the nature of related education and training available to promote and enable future cyber risk literacy.

Specifically, the Index measures five key drivers of cyber risk literacy and education: the public’s motivation to practice good cybersecurity hygiene; government policies to improve cyber literacy; how well cyber risks are addressed by education systems; how well businesses are raising their employees cyber skills, and the degree to which digital access and skills are shared broadly within the population.

How are assessed countries doing?

Switzerland, Singapore and the UK topped the list because of their strong government policies, education systems and training, practical follow through and metrics as well as population motivation to reduce risk.

Switzerland, the number one ranked country, has a comprehensive implementation document that lays out specific responsibilities along with what national or provincial legislation is required. Specific milestones are set, and timelines are assigned to ensure accountability regardless of who oversees the government.

Singapore, which is ranked second, has prioritized cybersecurity education efforts from early childhood to retirees. It established the Cyber Security Agency of Singapore to keep its cyberspace safe and secure. Its cyber wellness courses occur over multiple grades and focus on social and practical safety tips such as understanding cyber bullying.

The UK ranked third, has the most integrated cyber system because it incorporates cyber risk into both primary and secondary education. The UK’s National Cyber Security Strategy of 2016-2021 is also one of the strongest plans globally. The US ranked 10th.

Countries that rank lower lack an overall national strategy and fail to emphasize cyber risk in schools. Some countries in emerging markets are only beginning to identify cybersecurity as a national concern.

“Governments that want to improve the cyber risk literacy of their citizens can use the index to strengthen their strategy by way of adopting new mindsets, trainings, messaging, accessibility and best practices,” Mee added. “With most children using the internet by the age of four, it is never too early to start teaching your citizens to protect themselves.”

SMBs’ size doesn’t make them immune to cyberattacks

78% of SMBs indicated that having a privileged access management (PAM) solution in place is important to a cybersecurity program – yet 76% of respondents said that they do not have one that is fully deployed, a Devolutions survey reveals.

size cyberattacks

While it’s a positive trend that the majority of SMBs recognize the importance of having a PAM solution, the fact that most of the respondents don’t have a PAM solution in place reflects that there is inertia when it comes to deployment.

SMBs are not immune, company size doesn’t protect from cyberattacks

Global cybercrime revenues have reached $1.5 trillion per year. And according to IBM, the average price tag of a data breach is now $3.86 million per incident. Despite these staggering figures, there remains a common (and inaccurate) belief among many SMBs that the greatest security vulnerabilities exist in large companies.

However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats – and the complacency regarding this reality can have disastrous consequences.

“SMBs must not assume that their relative smaller size will protect them from cyberattacks. On the contrary, hackers, rogue employees and others are increasingly targeting SMBs because they typically have weaker – and, in some cases, virtually non-existent – defense systems.

“SMBs cannot afford to take a reactive wait-and-see approach to cybersecurity because they may not survive a cyberattack. And even if they do, it could take several years to recover costs, reclaim customers and repair reputation damage,” said Devolutions CEO David Hervieux.

Key findings from the survey

To dig deeper into the mindset of SMBs about cybersecurity, Devolutions conducted a survey of 182 SMBs from a variety of industries – including IT, healthcare, education, and finance. Some notable findings include:

  • 62% of SMBs do not conduct a security audit at least once a year – and 14% never conduct an audit at all.
  • 57% of SMBs indicated they have experienced a phishing attack in the last three years.
  • 47% of SMBs allow end users to reuse passwords across personal and professional accounts.

These findings reinforce the need for better cybersecurity education for smaller companies.

“Conducting this survey reaffirmed to us that while progress is being made, there is a still a lot of work to do for many SMBs to protect themselves from cybercrime. We plan to conduct a survey like this each year so that we can identify the most current trends and in turn help our customers address their most pressing needs,” added Hervieux.

size cyberattacks

Protect from cyberattacks: The role of MSPs

One way for SMBs to close the cybersecurity gap is to seek out a trusted managed service provider (MSP) for guidance and implementation of cybersecurity solutions, monitoring and training programs. Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources.

MSPs have an opportunity to strengthen their relationship with existing customers and expand their client base by becoming cyber experts who can advise SMBs on various cybersecurity issues, trends and solutions – as well as offer the ability to promptly respond to any security incidents that may arise and take swift action.

“We expect more and more MSPs will be adding cybersecurity solutions and expertise to their portfolio of offerings to meet this demand,” Hervieux concluded.

Prevent privileged account abuse

Organizations must keep critical assets secure, control and monitor sensitive information and privileged access, and vault and manage business-user passwords – all while ensuring that employees are productive and efficient. This is not an easy task for SMBs without the right solution in place.

Many PAM and password management solutions on the market are prohibitively expensive or too complex for what SMBs need.

4.83 million DDoS attacks took place in the first half of 2020, a 15% increase

Attackers focused on COVID-era lifelines such as healthcare, e-commerce, and educational services with complex, high-throughput attacks designed to overwhelm and quickly take them down, Netscout reveals.

DDoS attacks first half 2020

“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” stated Richard Hummel, threat intelligence lead, Netscout.

“Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”

Record-breaking DDoS attacks at online platforms and services

More than 929,000 DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month. 4.83 million DDoS attacks occurred in the first half of 2020, a 15% increase. However, DDoS attack frequency jumped 25% during peak pandemic lockdown months (March through June).

Bad actors focused on shorter, more complex attacks

Super-sized 15-plus vector attacks increased 2,851% since 2017, while the average attack duration dropped 51% from the same period last year. Moreover, single-vector attacks fell 43% while attack throughput increased 31%, topping out at 407 Mpps.

The increase in attack complexity and speed, coupled with the decrease in duration, gives security teams less time to defend their organizations from increasingly sophisticated attacks.

DDoS attacks first half 2020

Organizations and individuals bear the cost of cyber attacks

To determine the impact that DDoS attacks have on global Internet traffic, the Netscout ATLAS Security Engineering and Response Team (ASERT) developed the DDoS Attack Coefficient (DAC). It represents the amount of DDoS attack traffic traversing the internet in a given region or country during any one-minute period.

If no traffic can be attributed to DDoS, the amount would be zero. DAC identified top regional throughput of 877 Mpps in the Asia Pacific region, and top bandwidth of 2.8 Tbps in EMEA. DAC is important since cybercriminals don’t pay for bandwidth. It demonstrates the “DDoS tax” that every internet-connected organization and individual pays.

Views and misconceptions of cybersecurity as a career path

Attitudes toward cybersecurity roles are now overwhelmingly positive, although most people still don’t view the field as a career fit for themselves, even as 29% of respondents say they are considering a career change, an (ISC)² study reveals.

cybersecurity career path

The findings indicate a shift in popular opinion about cybersecurity professionals, who have traditionally been viewed through a negative lens as roadblocks to business efficiency.

In fact, 71% of the survey’s respondents, all of whom do not work in the industry, say they consider cybersecurity professionals to be smart and technically skilled, while 51% also described them as “the good guys fighting cybercrime.” 69% of respondents replied that cybersecurity seems like a good career path, just not one they see themselves pursuing.

Obstacles to attracting additional information security workers

The cybersecurity industry is made up of 2.8 million skilled professionals, but research indicates that there is a global shortage of 4.07 million, which requires a massive recruitment effort of new entrants to the field who may not have considered the career before. The study reveals that the obstacles to attracting these additional workers may be two-fold.

First, 77% of respondents said cybersecurity was never offered as part of their formal educational curriculum at any point, making it difficult for most people to gain a solid understanding of what roles in the industry actually entail and how to pursue the career.

The second factor that may be limiting interest is a pervasive belief that such roles would require very advanced skills development that would require time and resources to achieve.

“What these results show us is that while it’s becoming even more highly-respected, the cybersecurity profession is still misunderstood by many, and that’s counterproductive to encouraging more people to pursue this rewarding career,” said Wesley Simpson, COO of (ISC)².

“The reality of the situation, and what we need to do a better job of publicizing, is that a truly effective cybersecurity workforce requires a broad range of professionals who bring different skillsets to their teams.

“While technical skills are vital for many roles, we also need individuals with varied backgrounds in areas including communications, risk management, legal, regulatory compliance, process development and more, to bring a well-rounded perspective to cyber defense.”

cybersecurity career path

Cybersecurity as a career path: Key findings

  • Conducted during a time of record unemployment amidst the COVID-19 pandemic, the study found that job stability is now the most valued characteristic in a career (61% of respondents), followed by ones that offer a “flexible work environment” (57%) and only then, “earning potential” (56%).
  • In the absence of formal cybersecurity education, perceptions about the industry and the professionals in it are formed primarily through portrayals in TV shows and movies (37% of respondents) or by news coverage of security incidents (31%).
  • 61% of respondents said they believe they would either need to go back to school (26%), earn a certification (22%) or teach themselves new skills (13%) in order to pursue a career in cybersecurity. 32% of respondents said they believe too much technical knowledge or training would be required.
  • Generation Z (Zoomers) were the least likely demographic group to cast cybersecurity professionals in a positive light. Just 58% view cybersecurity professionals as smart and technically skilled, as opposed to 78% of Baby Boomers. And only 34% of Zoomers consider them the “good guys, fighting cybercrime,” as opposed to 60% of Boomers.

Infosec pros struggle to find opportunities to improve their work skills

Cybrary released the findings from the report which examines the current challenges, perceptions, and impacts of the cybersecurity skills gap faced by IT and security teams worldwide.

security teams skills gap

Security teams and the growing skills gap

The survey questioned respondents about the employer contributions towards their skill development, their level of personal commitment to growing their skills, and the current level of organizational support and opportunities offered for skill development.

Over 800 IT and security professionals were surveyed, varying in experience, ranging from system admins to CISOs, to gather their industry insights and discovered that:

  • 68 percent of respondents report investing their own free time, outside working hours to improve their cyber skills
  • Nearly 3 out of 4 respondents agree that skill gaps exist on their teams
  • 65 percent of managers agreed that skills gaps have a negative impact on their team’s effectiveness
  • 40 percent of individuals say they spend time working to learn new job skills every day, while another 38 percent reported at least once a week, and
  • 46 percent of organizations do not confirm new hire skills for specific roles and 40 percent rarely or never assess the skills of newly onboarded team members.

“Year after year, we see the cyber skills gap hindering the performance and productivity of IT and security teams, and this survey confirms that organizations still have a lot of work to do to provide their staff with the right training, guidance, and support they need,” said Ryan Corey, CEO of Cybrary.

“Despite industry-wide recognition around this growing skills gap, there has been little movement in bridging this gap. To make progress, organizations must empower and support IT and security teams by giving them the time and resources they need to grow their skill sets within their current role. It’s truly a win-win situation, contributing to both the individual’s career growth as well as organizational goals.”

security teams skills gap

Limited support and investment in employees’ career development

While it’s clear industry professionals are committed to advancing their careers, this survey shows limited progress from organizations in supporting employees and investing in their continued career development, despite the expectation for employees to keep pace in their dynamic roles.

The survey also reveals that employers need to break down significant barriers, such as cost (33 percent) and lack of time (28 percent) that are preventing IT and security professionals from getting the skills training they need to do their jobs to the best of their abilities.

With about half of organizations either decreasing their training budgets (22 percent) or keeping them the same (25 percent) this past year, it’s not surprising that industry professionals struggle to find opportunities to improve their skills for their work.

“The industry is overdue for a wake-up call to address the IT and security skills gap and talent shortage, especially as we enter a new era of remote work,” said Ron Gula, Cybrary Board Member.

“This vision for attracting and retaining talent can only be fulfilled if organizations continuously invest in their employee’s career and skills development. By assessing existing IT and security training programs, organizations can finally begin to empower their employees to scale their current skills and ultimately, their careers.”

Half of IT teams can’t fully utilize cloud security solutions due to understaffing

There are unrealized gaps between the rate of implementation or operation and the effective use of cloud security access brokers (CASB) within the enterprise, according to a global Cloud Security Alliance survey of more than 200 IT and security professionals from a variety of organization sizes and locations.

utilize cloud security solutions

Utilize cloud security solutions

“CASB solutions have been underutilized on all the pillars but in particular on the compliance, data security, and threat protection capabilities within the service,” said Hillary Baron, lead author and research analyst, Cloud Security Alliance.

“It’s clear that training and knowledge of how to use the products need to be made a priority if CASBs are to become effective as a service or solution,” Baron concluded.

The paper found that while nearly 90% of the organizations surveyed are already using or researching the use of a CASB, 50% don’t have the staffing to fully utilize cloud security solutions, which could be remediated by working with top CASB vendors.

CASBs have yet to become practical for remediation or prevention

More than 30% of respondents reported having to use multiple CASBs to meet their security needs and 34% find solution complexities an inhibitor in fully realizing the potential of CASB solutions.

Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have yet to become practical as a tool for remediation or prevention.

Additional findings

  • 83% have security in the cloud as a top project for improvement
  • 55% use their CASB to monitor user behaviors, while 53% use it to gain visibility into unauthorized access
  • 38% of enterprises use their CASB for regulatory compliance while just 22% use it for internal compliance
  • 55% of total respondents use multi-factor authentication that is provided by their identity provider as opposed to a standalone product in the cloud (20%)

Lack of technology skills creates a dent in remote workers’ productivity

The lack of technology skills is contributing to a dent in productivity as workers struggle to adapt to working from home over prolonged periods. Questionmark is calling on employers to ensure that their people have the necessary technical skills as remote working looks set to continue.

skills working from home

Productivity among remote workers has declined

A study found that despite a greater familiarity with technology during lockdown, productivity among remote workers in the UK has declined by 20%. Other European countries have suffered an even sharper drop in productivity. These range from -55% for France and Germany to a staggering -70% for Italy.

The study attributes much of the productivity dip to technical user error. It found that technology issues are increasingly causing workers to feel less productive.

As well as barriers to productivity, the errors and vulnerabilities that accompany widespread home working are causing a rise in security and data breaches. Across UK, US, France and Germany, 46% of employers had experienced at least one security incident since the lockdown. 51% recorded an increase in the number of email phishing attacks.

The necessity of regular skills testing and assessment

As talk of a ‘second wave’ of COVID-19 hits the headlines, many employers are reluctant to re-open offices and workspaces. If remote working is to continue to the medium term, it is vital that employees have the skills to restore productivity.

Regular skills testing and assessment of the workforce help employers understand where workers are struggling. It can enable employers to make good decisions around training and other interventions.

Lars Pedersen, CEO of Questionmark said: “At first, it looked as if remote working might last for a matter of weeks. Employers could prioritize essential functions and turn a blind eye to occasional productivity dips. But as wide-spread home working moves into the medium term, this is clearly not sustainable.

“By testing skills across the workforce, employers can pinpoint where gaps in productivity lie and introduce relevant training and support.”

Realizing cybersecurity risks does not mean sticking to the rules

72% of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints, Trend Micro reveals.

realizing cybersecurity risks

The study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee security awareness.

The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.

High level of security awareness

The results indicate a high level of security awareness, with 85% of respondents claiming they take instructions from their IT team seriously, and 81% agree that cybersecurity within their organization is partly their responsibility. Additionally, 64% acknowledge that using non-work applications on a corporate device is a security risk.

However, just because most people understand the risks does not mean they stick to the rules.

For example:

  • 56% of employees admit to using a non-work application on a corporate device, and 66% of them have actually uploaded corporate data to that application.
  • 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit.
  • 39% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
  • 8% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.

Productivity still wins out over protection

Productivity still wins out over protection for many users. 34% of respondents agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29% think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’

Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organization, as well as aspects of their personality, all of which are important factors which drive people’s behaviors.

“To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”

Rik Ferguson, Vice President of Security Research at Trend Micro, argues: “It’s really heartening to see that so many people take the advice from their corporate IT team seriously, although you have to wonder about the 15% who don’t… At the same time those people also accept their own role in the human firewall of any organization.

“The problem area seems to be translating that awareness into concrete behavior. To reinforce this, organizations to take into account the diversity across the organization and tailor training to identify and address these distinct behavioral groups.

“The time to do this is now, to take advantage of the new working environment and people’s newfound recognition of the importance of information security.”

The smaller the business, the smaller the focus on cybersecurity

With 89% of small businesses moving to a remote workforce, there remains a significant gap between the perceived importance of cybersecurity protections for businesses with fewer than 10 employees and those with more than 10 employees.

small business cybersecurity

The smaller the business, the smaller the focus on cybersecurity, according to a survey of 400 small business owners, conducted by the Cyber Readiness Institute.

Larger companies are more concerned

A remote workforce during Covid-19 increased the cybersecurity concerns of just 31% of small business owners with fewer than 10 employees, while 41% of those at companies with more than 10 employees were more apprehensive of possible cyber attacks. The lower concern levels for micro-businesses has also equated to much smaller investments in cybersecurity.

Only 45% of small business owners with fewer than 10 employees have increased time, money or human capital investments as it relates to cybersecurity. Meanwhile, 80% of companies with more than 10 employees have invested more resources in cybersecurity since stay-at-home orders began.

“For malicious actors looking for vulnerable targets, small businesses remain a primary target, particularly during the Covid-19 pandemic,” said Kiersten Todt, executive director of The Cyber Readiness Institute.

“Small businesses can make themselves resilient against common attacks, such as phishing, by focusing on employee education and awareness and creating a culture of cyber readiness within the organization.”

When it comes to training, more than half of small business owners with more than 10 employees have upped the ante with increased cyber education over the past two months. Yet, just 22% of those with fewer than 10 employees have provided more cyber training and only 37% have updated cyber policies.

Additional findings

  • 49% of small businesses will still maintain at least a partial remote workforce after Covid-19 restrictions are lifted.
  • 62% of small business owners support tax incentives or federal grants for cybersecurity investments.
  • Password management and phishing attacks are the top two concerns for nearly half of all small business owners.
  • 35% of small businesses with fewer than 10 employees do not have an incident response policy.
  • More than 42% of businesses have provided additional password training or policies over the past two months.
  • 30% of small businesses have used new free cybersecurity tools since work-at-home orders began.
  • 25% of small business owners anticipate hiring new cybersecurity staff or consultants over the next six months.

Educational organizations use cloud apps to share sensitive data outside of IT control

Many educational organizations are at risk of data security incidents during the current period of working from home and virtual learning, a Netwrix report reveals.

educational organizations cloud apps

Weak data security controls

According to the survey, even before the COVID-19 pandemic, the majority of educational organizations had weak data security controls.

In particular, 54% of IT professionals in the educational sector confessed that employees put data at risk by sharing it via cloud apps outside of IT knowledge. This is the highest percentage among all verticals surveyed. The move to distance learning increases this risk even more.

Other notable findings

  • 82% of educational organizations don’t track data sharing at all or do it manually, and 50% of them suffered a data breach due to unauthorized data sharing last year.
  • 63% of educational organizations don’t review permissions regularly, and 24% of system administrators admitted to granting direct access rights upon user request.
  • 28% of respondents discovered data outside of secure locations, which is the highest number of all industries surveyed. This data was left exposed for days (40%) or months (33%).
  • Only 8% of respondents have developed cybersecurity and risk KPIs to evaluate their security posture and track success.

“Distance learning creates many challenges for educational organizations, and cybersecurity is often taking a back seat to operational resilience. The Netwrix survey shows that security processes were not ideal before the pandemic, leaving these institutions even more vulnerable to the growing number of cyber threats today.

educational organizations cloud apps

“To ensure these institutions can secure their student and employee data, IT professionals need to get back to basics. First, they need to understand what sensitive data they have, and classify it by its level of sensitivity and value to the organization.

“Second, they need to ensure that the data is stored securely, prioritizing the most important data. And last, they need to adopt healthy security practices for granting permissions in order to avoid data overexposure,” said Steve Dickson, CEO at Netwrix.

Sensitive data is piling up on enterprise devices, Windows 10 machines behind on patching

Directly after the WHO declared COVID-19 a global pandemic, an estimated 16 million US employees were sent home and instructed to work remotely, while governments around the world implemented widespread school closures impacting over 90 percent of the world’s student population, Absolute reveals.

sensitive data enterprise devices

This result placed IT and security teams under immediate pressure to quickly stand up work-from-home or learn-from-home environments to ensure continued productivity, connectivity, and security.

“COVID-19 marks the beginning of a new era where we believe the nature of work will be forever changed,” said Christy Wyatt, President and CEO of Absolute.

“As this crisis took hold, we saw our customers mobilize quickly to get devices into the hands of students and employees and navigate the challenges of standing up remote work and distance learning programs. What has become resoundingly clear is there has never been a more critical time for having undeletable endpoint resilience.”

Sensitive data is building up on enterprise devices

There has been a 46 percent increase in the number of items of sensitive data – such as Personally Identifiable Information (PII) and Protected Health Information (PHI) – identified on enterprise endpoints, compared to pre-COVID-19. Compounded by the pre-existing gaps in endpoint security and health, this means enterprise organizations are at heightened risk.

Enterprises at heightened risk of data breaches or compliance violations

On average, one in four enterprise endpoint devices have a critical security application (anti-malware, encryption, VPN, or client management) that is missing, inactive or out-of-date.

With the significant increases in sensitive data being stored on enterprise endpoint devices, enterprises are putting themselves at risk of legal compliance violations and data breaches as COVID-19 cyber attacks accelerate.

sensitive data enterprise devices

Employee and student device usage continues to rise post-pandemic

The data shows a nearly 50 percent increase in the amount of heavy device usage – 8+ hours per day – across enterprise organizations, jumping to an increase of 62 percent in heavy education device usage. The average number of hours education endpoint devices are being used daily is also up 27 percent.

Patch management plaguing both enterprise and education IT teams

Device health sees slight improvement, but patch management continues to plague both enterprise and education IT teams. The average enterprise endpoint device running Windows 10 continues to be nearly 3 months behind in applying the latest patch, with that delay spiking to more than 180 days since a patch has been applied to the average student Windows 10 device – leaving students and employees vulnerable.

Half of IT pros believe their cybersecurity teams are ready to detect attacks

A surprising 51 percent of technology professionals and leaders are highly confident that their cybersecurity teams are ready to detect and respond to rising cybersecurity attacks during COVID-19, according to ISACA. Additionally, 59 percent say their cybersecurity team has the necessary tools and resources at home to perform their job effectively.

cybersecurity teams detect attacks

This presents a problem, as 58 percent of respondents say threat actors are taking advantage of the pandemic to disrupt organizations, and 92 percent say cyberattacks on individuals are increasing.

Remote work increasing data protection and privacy risk

While 80 percent of organizations shared cyber risk best practices for working at home as shelter in place orders began, 87 percent of respondents still say the rapid transition to remote work has increased data protection and privacy risk.

“Organizations are rapidly and aggressively moving toward new ways of doing business during this time, which is a very positive thing, but it can also lead to making compromises that can leave them vulnerable to threats,” says ISACA CEO David Samuelson.

“A surge in the number of remote workers means there is a greater attack surface. Remote work is critically important right now, so security has to be at the forefront along with employee education.”

More than 3,700 IT audit, risk, governance and cybersecurity professionals from 123 countries have been surveyed in mid-April to assess the impact of COVID-19 on their organizations and their own jobs.

Concerns about the wider impact

Most of these professionals believe their jobs are safe. Ten percent think a job loss is likely and 1 percent has been furloughed. However, while their own positions are stable, respondents are still extremely concerned about these wider impacts of the novel coronavirus:

  • Economic impact on my national economy (49 percent)
  • Health of family and friends (44 percent)
  • Personal health (30 percent)
  • Economic impact on my organization (24 percent)

The negative effects

While respondents report being highly satisfied with their organization’s internal communications, business continuity plans and executive leadership related to COVID-19, their organizations have not been able to avoid the negative effects, including:

  • Decreased revenues/sales (46 percent)
  • Reduced overall productivity (37 percent—more executives than practitioners think this is the case)
  • Reduced budgets (32 percent)
  • Supply chain problems (22 percent)
  • Closed business operations (19 percent)

The majority of respondents expect normal business operations to resume by Q3 2020.

“It’s hard to predict what ‘normal’ will look like in the short term,” said ISACA CTO Simona Rollinson. “What we do know is that tech professionals, including the IT audit, risk, governance and security professionals in our community, are more necessary than ever to their enterprises, and they are well-positioned to adapt and even thrive, regardless of what changes may be in store.”

Online learning surges as people look for ways to be productive at home

People around the world are learning how to work from home and stay productive in response to COVID-19, Udemy reveals.

online learning surges

As remote working becomes the new normal, the findings reveal significantly increased demand globally across every segment:

  • 425% increase in enrollments for consumers
  • 55% increase in course creation by instructors
  • 80% increase in usage from businesses and governments

The state of online learning

Online learning surges as people look for ways to be productive while staying at home. Strong global growth in top-ranking professional skills includes neural networks (61% increase), communication skills (131%), and growth mindset (206%).

Demand also correlates with shelter-in-place orders around the world. For example, the data shows a 130% growth in enrollments in the U.S., 200% in India, 320% in Italy, and 280% in Spain.

  • People in the U.S. are gravitating toward creative skills like Adobe Illustrator (326% increase)
  • The Spanish are focused on investing (262%)
  • People in India are learning business fundamentals (281%) and communication skills (606%)
  • Italians are taking courses on copywriting (418%) and Photoshop (347%)

The state of learning within organizations

COVID-19 has translated into increased reliance on online learning as companies shift to remote work and move away from travel and in-person events and training. There has been an immense surge in enrollments in courses related to telecommuting (21,598% increase) and virtual teams (1,523%), as well as decision making (277%), self discipline (237%), and stress management (235%).

The state of online teaching

There is also an increase in course creation as experts around the world are looking to share their knowledge as well as supplement their income through online teaching. Categories with the highest surge in new courses include office productivity (159% increase), health and fitness (84%), IT & Software (77%), and personal development (61%).

46% of SMBs have been targeted by ransomware, 73% have paid the ransom

Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals.

paying ransom

Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack. And nearly a fifth of the total group said they feel their organization is unprepared for a ransomware attack.

The research is based on a survey of more than 500 C-level executives. CEOs represented 87% of the group. Almost all of the remainder was split between CIOs and CTOs.

“Ransomware is not a new phenomenon,” said Russell P. Reeder, CEO of Infrascale. “However, it is surprising how many businesses are unprepared for a ransomware attack. It is shocking that during a time in which the world should be coming together in the fight against COVID-19, criminals are preying on unsuspecting people and organizations for personal – usually financial – gain. And, in many cases, these bad actors are actually benefiting.

“With appropriate strategies using preventative measures like internet security and education, and protection measures like data backup and disaster recovery, you should never have to worry about paying ransomware.”

B2B orgs were more likely to be ransomware targets than B2Cs

Business-to-business (B2B) organizations were more likely to have experienced a ransomware attack than business-to-consumer (B2C) entities, according to the Infrascale survey results. Representatives from more than half (55%) of the B2Bs said they had been hit by ransomware.

But B2C organizations clearly are not immune to the ransomware risk. The research showed that more than a third (36%) of this group said they have been victims of ransomware attacks.

Time and resources often stand in the way of ransomware prevention

The majority of SMBs (83%) said they do feel prepared for a ransomware attack, with 10% more B2Bs (87%) expressing that sentiment than the B2C group (77%). However, 17% of the SMBs participating in the survey said they do not feel that their business is prepared for a ransomware attack.

Those SMBs that said they feel unprepared to contend with ransomware attackers indicated that time and resources are their next biggest enemies in this battle.

Almost a third (32%) of the SMBs said they simply have limited time to research ransomware mitigation solutions. The same share said their IT teams are so stretched that they feel their organizations don’t have the adequate resources to address the ransomware threat.

“There’s no question that the time and talent of IT professionals are at a premium today,” said Reeder. “But there are many solutions, with varying levels of protection, available to help businesses address ransomware.

“Many qualified third parties can do much of the heavy lifting in terms of implementation and setup. That makes it easier than ever for businesses to protect themselves from ransomware and avoid rewarding criminals by paying out costly ransoms.”

Paying a ransom offers no guarantees

A lack of ransomware protections is likely to cost these SMBs later. And, in some cases, SMBs may already have experienced the hassles and financial losses that ransomware creates.

The research shows that 78% of SMBs in the B2B category already have paid a ransom in a ransomware attack. The majority of B2C SMBs (63%) said they have done the same.

More than a quarter (26%) of the SMBs that said they have never paid a ransom said they would consider doing so. Of that group, 60% said they would pay ransom to get their files back quickly. And 53% said they would pay ransom to protect their company’s public image around data protection and recovery efforts.

SMBs that are open to paying a ransom might want to start saving now, as this is not an inexpensive proposition. Forty-three percent of SMBs said they have paid between $10,000 to $50,000 to ransomware attackers. Thirteen percent said they were forced to pay more than $100,000.

Paying a ransom does not guarantee that an organization will recover any or all of its data. Seventeen percent of the survey participants who said they paid ransoms to their ransomware attackers indicated they recovered only some of their organization’s data.

Those still unprepared should take steps toward prevention, education

The good news is that 72% of the SMB survey group said their organization currently has a plan in place to mitigate a ransomware attack. And the research suggests B2Bs (80%) are better prepared on this front than B2C organizations (62%).

However, 28% of SMBs said they do not have a plan to mitigate a ransomware attack. That puts these organizations – and their customers and other stakeholders – at significant risk. But these organizations can get started now to protect themselves from costly ransomware attacks.

“The best protection, of course, is prevention. And education is the key to its success,” said Reeder. “If something looks nefarious, it usually is. However, criminals are becoming increasingly sophisticated at making their attacks look legitimate. And again, at a time where people are in search of information and answers, the public’s fake-filters are at an all-time low.

“Next, of course, are protection strategies,” Reeder added. “Picking up on a potential attack in advance is ideal to prevent it from happening. However, if an organization is compromised, near-immediate remediation is top priority – and it shouldn’t be in the form of paying a ransom.

HECVAT toolkit helps higher education institutions assess cloud adoption risks

Higher education institutions are increasingly adopting cloud-based solutions in order to lower costs, improve performance and productivity, and increase flexibility and scalability.

HECVAT

Before settling on a solution, though, they must assess it for security and privacy needs, including some that are unique to higher education.

To help them do that more expeditiously, EDUCAUSE – a US nonprofit association that aims to advance higher education through the use of information technology – has created HECVAT: the Higher Education Community Vendor Assessment Toolkit.

About HECVAT

“The HECVAT provides a suite of questionnaires about information security and privacy controls to help higher education institutions appropriately assess third party and cloud services,” Brian Kelly, Director of the Cybersecurity Program at EDUCAUSE, told Help Net Security.

The intended audiences for the HECVAT are colleges and universities and the third-party service providers they contract with. Its benefits for the former are obvious, and for the latter, it reduces the burden that service providers face in responding to requests for unique security risk assessments from higher education institutions.

“The main benefit of the HECVAT is a consistent and shared framework for risk assessments that is being widely adopted across higher education,” Kelly pointed out. “Once completed, the HECVAT can be used by multiple institutions.”

The tool comes in various versions:

  • Full: A robust questionnaire used to assess the most critical data sharing engagements
  • Lite: A lightweight questionnaire used to expedite process
  • On-Premise: A unique questionnaire used to evaluate on-premise appliances and software

Before initiating a risk/security assessment if a product an/or service uses sensitive data, users should use the Triage tool to determine assessment requirements. All of those resources are available here.

A number of cloud providers have already completed the HECVAT questionnaire and those assessments can be accessed here.

Future plans

“The HECVAT was first released for use in October 2016. In 2019, the word ‘cloud’ was changed to ‘community’ to better reflect the spirit and intent of the toolkit and its expansion beyond the cloud,” Kelly explained.

“As adoption and use grow, the EDUCAUSE member-led Higher Education Information Security Council (HEISC), Internet 2, and the REN-ISAC will continue to collaborate and work on the HECVAT to meet the needs of the higher education community. While established amongst information security practitioners, we’ll be promoting the HECVAT’s use to university business officers, risk managers and procurement groups over the next year.”

What students think about university data security

Only 32% of students agree they are aware of how their institution handles their personal data, compared to 45% who disagree and 22% who neither agree nor disagree, according to a Higher Education Policy Institute (HEPI) survey of over 1,000 full-time undergraduate students.

university data security

Perceptions about university data security

Just 31% of students feel their institution has clearly explained how their personal data are used and stored, compared to 46% who disagree and 24% who neither agree nor disagree.

When students were asked whether they are concerned about rumors of university data security issues, 69% of students stated they are concerned. Around one-fifth of students (19%) are unconcerned and 12% are unsure.

65% of students say a higher education institution having a poor security reputation would have made them less likely to apply, compared to around a third (31%) who say it would have made no difference and 4% who said it would have made them more likely to apply.

Only 45% of students feel confident that their institution will keep their personal data secure and private, while 22% are not confident. A third (33%) are unsure.

93% of students agree they should have the right to view any personal information their higher education institution stores about them, 5% neither agree nor disagree and only 2% disagree.

Keeping private data private

When it comes to sharing health or wellbeing information with a student’s parents or guardians, almost half (48%) of respondents say it would be fine for institutions to do so. A further 19% said they neither agree nor disagree and a third (33%) disagree.

Comparatively, only a third (35%) of students were supportive of parents or guardians being contacted about academic performance issues at university, compared to almost half of students (48%) who are opposed and 17% do not take a stance on this issue.

Rachel Hewitt, HEPI’s Director of Policy and Advocacy, said: “Students are required to provide large amounts of data to their universities, including personal and sensitive information. It is critical that universities are open with students about how this information will be used.

“Under a third of students feel their university has clearly explained how their data will be used and shared and under half feel confident that their data will be kept secure and private. Universities should take action to ensure students can have confidence in the security of their data.”

university data security

Michael Natzler, HEPI’s Policy Officer, said: “Students are generally willing for their data to be used anonymously to improve the experience of other students, for example on learning and mental wellbeing. Around half are even happy for information about their health or mental wellbeing to be shared with parents or guardians.

“However, when it comes to identifiable information about them as individuals, students are clear they want this data to be kept confidential between them and their institutions. It is important that universities keep students’ data private where possible and are clear with students when information must be shared more widely.”