Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, September 1st, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Today is International Women in Cyber Day. The chief operating officer of a cybersecurity company will join to discuss what it means to her.
Then David Shipley will be here to discuss the news, including a cybercrime report from the Canadian government, the seizing of the infrastructure that distributed the Qakbot malware and the latest analysis about the crippling compromise of Barracuda Networks ESG email gateways.
In other news, more American organizations are admitting being victimized by the vulnerability in Progress Software’s MOVEit file transfer application. One of the latest is Chevron Federal Credit Union, used by many employees of the Chevron energy corporation. When the hacking was first revealed the credit union didn’t think it was affected. But a new analysis of systems shows that information on just over 90,000 people was stolen.
So far over 1,000 public and private organizations around the world have admitted their data was stolen either directly from their MOVEit servers or through data processors handling their information.
Some ransomware news this week:
The amount of personal data lost in a ransomware attack that hit Gaston College of North Carolina in February was revealed. Over 191,000 people are being notified their names and Social Security numbers are now in the hands of crooks.
Information on over 18,000 people was stolen in a March ransomware attack on MV Components of Illinois. The metal manufacturer says data stolen includes names and driver's licence numbers.
And in a regulatory filing this week cloud hosting provider Rackspace said the cost of cleaning up a recent ransomware attack is about US$10.8 million.
Over 16,000 people who bought goods on an e-commerce platform for artisans and farmers called Serrv International are being notified their payment card data was stolen. It was taken in a 12-month-long systems compromise.
And administrators of Citrix NetScaler application delivery controllers are being warned to patch their systems to close a critical vulnerability.
(The following transcript has been edited for clarity)
Howard: Before I bring in David Shipley for our usual discussion of the news, as part of International Women in Cybersecurity Day I’ve invited Kathryn Cameron, chief operating officer of Beauceron Security, to discuss the importance of the day. First, tell us a bit about yourself.
Kathryn: I am a previous HR professional who joined a cybersecurity company and never looked back. I think what’s exciting about the field is the continuous amount of problem solving. There’s always a new way to support an organization in improving their cybersecurity hygiene, and always new ways that attackers are trying to get in. So it’s just an ever-changing field and a lot of opportunity for continuous learning and professional development.
Howard: Why celebrate women in cybersecurity?
Kathryn: It’s historically been a very underrepresented field. We’ve made a lot of progress over the past decade. In 2013, only 11 per cent of cybersecurity jobs were filled by women. In 2022 they’re reporting that up to 25 per cent of roles were filled by women. So we’re making a lot of wonderful progress, which is important to take the time to celebrate and recognize. On the flip side, 25 per cent is still not 50. So there’s still a lot of opportunity to continue to bring more people with diverse backgrounds into the field and help us better protect organizations and protect ourselves online.
Howard: What do you hear from women in the profession when you talk to them? Do they feel that their opportunities are increasing or do they feel a lot of frustration?
Kathryn: I think the opportunities are continuing to increase, as well as the general awareness of how having a diverse team can really benefit an organization. There’s always frustrations and challenges. I think when you look at what type of job postings are available or the types of skills that recruiters are often trying to filter candidates out, you’re often limiting your candidate pool by adding in some restrictions that aren’t fully necessary to do the job well. But these are easy ways to filter out candidates rather than figure out who has the skills and aptitudes and [then] you can teach them some more of the technical side of the role.
Howard: What can IT and security leaders do to make women feel more welcome?
Kathryn: It all goes back to corporate culture. When you think about how organizations can attract a more diverse team, it’s recognizing that you need to make the field as accessible as possible. So recruit people who are interested, excited, keen, and you can teach them the [technical] skills. I would say one thing that — especially throughout the pandemic — has proven to be more impactful on keeping women in the workforce, and in particular in cybersecurity, is looking at how we can improve the flexibility for a lot of roles. Whether it be work from home or flexible hours, those are things that women tend to really gravitate towards and value in employment opportunities.
Howard: And what can women in cybersecurity do to make their careers as meaningful as possible?
Kathryn: I think this is a really exciting time to be in cybersecurity because of the opportunity to bring a whole new generation into the field. Young women and girls are graduating and are going through school right now learning about cybersecurity. Those are courses when I was going through high school that were never available to me. By introducing these topics at a younger age and presenting them with opportunities of cybersecurity doesn’t just look like one thing. There are lots of different roles and opportunities in the field. As long as you like problem-solving, there’s probably a role for you. And [for those in the profession] having an opportunity to share their experience and their stories and their career path of how they’ve ended up in cybersecurity can be really inspiring to that next generation of young girls and women entering the workforce.
Howard: I want to bring in David Shipley. As an employer, what do you hear from IT and security leaders about women in IT?
David: I often hear a very strong and genuine desire to hire more women alongside other important diversity and equality initiatives within an organization. But a common theme I often hear is that there’s just not enough candidates. The challenge of going from 25 per cent women in cybersecurity to a more balanced 50 per cent over the next decade or so will require a couple of things: First, starting as soon as possible, we need to see even more programs like the Girl Scout program in the United States teaching essential cyber skills and similar programs at the middle school and high school level to foster and support young women who want to see what this field is like and if there’s a place for them. Second, we need to continue to highlight strong role models and examples of cyber expertise across the entire spectrum, not just the more technical roles like cryptography, incident investigation, programming and architecture, but also critical and acutely needed fields featuring other skills such as change management, security awareness, governance and strategy.
I think Kathryn made a really good point about highlighting the various winding career paths. She started off as an HR professional and now is the second in command of a growing cybersecurity company. Third, employers need to seek passion and train for skills. Take a look at your security awareness program as a good example and find women who are opting into additional non-mandatory online learning courses. And by the way, if you’re not providing that ability to opt in for non-mandatory learning, you’re massively missing out. Then see if those individuals are interested in professional development opportunities. Some of the best new cyber talent I’ve met over the last few years include women who were in non-cyber roles who, once they had a chance to move into roles in cybersecurity awareness management or more, thrived and were a huge asset to their organization.
(We move on to discuss the Canadian Centre for Cyber Security’s report on cybercrime, the dismantling of the Qakbot distribution infrastructure and attacks on Barracuda Networks’ ESG email gateway. To hear that part of the episode play the podcast)
The post Cyber Security Today, Week in Review for the week ending September 1, 2023 first appeared on IT World Canada.