The Gurus, Author at IT Security Guru
https://www.itsecurityguru.org/author/thegurus/
The Site for our Community

Cybersecurity sector in drive to boost female tech talent
https://www.itsecurityguru.org/2023/10/05/cybersecurity-sector-in-drive-to-boost-female-tech-talent/
Thu, 05 Oct 2023 14:34:37 +0000

The post Cybersecurity sector in drive to boost female tech talent appeared first on IT Security Guru.

Cybersecurity giants BAE Systems, Darktrace and GCHQ are on a mission to address the industry’s gender diversity gap by recruiting more female coders during Cyber Awareness Month.

Despite cybersecurity being one of the fastest-growing industries in tech, analysis of the latest ONS Annual Population Survey reveals that women make up just 19% of cyber professionals in the UK. Yet with an estimated 1.8 million cybersecurity job vacancies at the end of 2023, the industry is also facing a major skills gap.

By partnering with Code First Girls (CFG), the largest provider of free coding courses for women in the UK, all three companies have sponsored almost 200 women to learn how to code. They are currently looking to recruit female coders across roles such as cyber analysts and junior software engineers through the CFG degree, a free, 16-week course.

A recent survey by Code First Girls of more than 1,200 women showed an increasing number are exploring pathways into tech – despite 80% reporting that a career in tech was neither mentioned nor encouraged at school. This includes roles in cybersecurity, with previous applications to GCHQ and BAE Systems’ opportunities being 300% and 420% oversubscribed.

Anna Brailsford, CEO of Code First Girls, said: “To keep the UK safe, it is fundamental that the cybersecurity industry places an emphasis on employing more diverse teams to better address the security threats present today, and in the future.

“If we want to make UK security the strongest it can be, it needs to draw on the widest possible range of voices and insights. That diversity of thought is absolutely crucial to protecting the UK and guarding against threats”.

Theresa Palmer, Global Head of Diversity, Equity and Inclusion, BAE Systems Digital Intelligence, said: “It’s well established that a diverse workforce contributes to a high-performing business. With the cyber threat landscape continuing to evolve at pace, it has never been more important to embrace diversity and inclusion in the UK’s cybersecurity industry. This is what will ensure we have the range of skills and experiences required to stay ahead of cyber criminals.

“We are proud to be working with industry leading specialist organisations such as Code First Girls to bring through the next generation of female talent that will help secure our future businesses and society.” 

Hanah-Marie Darley, Head of Threat Research at Darktrace, said: “To help free the world of cyber disruption, we must make organisations more resilient in the face of growing, complex threats, accelerated by the increasing adoption of AI by bad actors. Talent is key to making this a reality. Diverse people and perspectives will help us find solutions to the challenges we will face today and tomorrow, so it is vital that we share our expertise and insight to build the next generation of technologists. That’s why we’re excited to partner with Code First Girls to help more women access the skills and opportunities to succeed in this pivotal time for the cybersecurity industry.”

JUMPSEC team inspires local primary school children to consider a future career in cyber-security
https://www.itsecurityguru.org/2023/10/05/jumpsec-team-inspires-local-primary-school-children-to-consider-a-future-career-in-cyber-security/
Thu, 05 Oct 2023 14:27:18 +0000

The post JUMPSEC team inspires local primary school children to consider a future career in cyber-security appeared first on IT Security Guru.

Acton-based cyber security company, JUMPSEC, recently visited a local primary school to share how its team protects some of the world’s biggest brands from hackers, malware, and other cyber-attacks.

As Ealing Borough’s security partner, JUMPSEC has teamed up with the council to collaborate and deliver social value to the community. This kicked off on Friday 22nd of September, at Dairy Meadow Primary School in Southall as part of its first careers event of the academic year.

In a world where everything is going digital and children spend increasing amounts of time on the internet at young ages, it has never been more important to make sure they understand the risks online as well as the potential careers available in cyber-security.

The JUMPSEC team explained their roles within the company, and the ten- and eleven-year-olds were then given the opportunity to quiz them. They also discussed core values and the skills needed to build a successful company.

Chris Preece, Head of Offensive Security at JUMPSEC, explains: “Bringing cyber security awareness and education into schools is essential to help pupils protect themselves and to attract some of them to study cyber security or computing-related subjects in the future. It was a fun afternoon with the students, and I was impressed by their insightful questions. They asked about the challenges of my role, what I like about my job, as well as internet safety in general and how they can better protect themselves online. The children had the opportunity to speak with members of our team from different parts of the business: security, sales, and operations. We are already looking forward to the next school visit.”

Alex Feldman, Assistant Head Teacher at Dairy Meadow added: “We can’t thank the team from JUMPSEC enough for taking time out of their busy schedules. We want all our young people to dream big, but they can only do that if they are exposed to the world of work from an early age. We hope that our children can view cybersecurity as a viable option for future careers.”

Zamil Ahmed, Assistant Director of Commercial Hub at Ealing Council concluded: “A great example of how our approach to social value is working to support Ealing Council residents and communities. Thanks to JUMPSEC, Dairy Meadow Primary School and colleagues for taking part.”

‘No excuses – try harder’: Martha Lane Fox at DTX + UCX Europe challenges tech leaders to double-down on diversity
https://www.itsecurityguru.org/2023/10/05/no-excuses-try-harder-martha-lane-fox-and-lineup-at-dtx-ucx-europe-challenges-tech-leaders-to-double-down-on-diversity-and-sustainability/
Thu, 05 Oct 2023 11:03:47 +0000

The post ‘No excuses – try harder’: Martha Lane Fox at DTX + UCX Europe challenges tech leaders to double-down on diversity appeared first on IT Security Guru.

Baroness Martha Lane Fox has launched a rallying cry for the tech world to invest in diversity as organisations have “no excuses” not to improve representation in the sector.

Speaking from the main stage at DTX + UCX 2023, the Lastminute.com founder headlined a show lineup including ITV journalist Sameena Ali Khan, Meta Group Director Sophie Neary and ‘People Hacker’ Jenny Radcliffe – and issued a challenge to other firms to “do the work” on diversity.

Fox said that, despite the availability of 30,000 female software developers in the tech space, statistics show the sector will never achieve parity at current rates of growth.

Of course, the diversity conversation must go beyond only focusing on gender diversity. “10 million adults still don’t use tech effectively or at all – and that’s directly related to socio-economic groups,” she stated.

At the dawn of a new realm of AI and digitisation, Fox said the industry needs “leaders who are intentful and focused” on diversity and environmental matters for true change, and that the opportunity ahead is great.

“The first trillionaire will be in climate tech,” she told her audience.

“The important thing is for new business leaders to make decisions with purpose.

“I don’t see us having a catastrophic relationship with AI, I think we’ll just become more productive. People’s jobs will change in the sense they will be able to do way more [of the important stuff].”

The subsequent panel, titled “Twist and Shout”, discussed the importance of a diverse talent pool, with Meta’s Sophie Neary emphasising that organisations “always have a choice”.

“Talent is equally distributed – opportunity is not.

“[But] we can make the change happen. Successful companies are the ones who are optimistic.”

On the same panel, PwC’s Cloud & Digital Lead Warren Tucker pointed out that 40% of business owners didn’t believe their current model would be fit for purpose a few years down the line – and that rapid change across the sector is inevitable.

Adaptation for the new realm will extend to cybersecurity and ethics, it was revealed across the event’s dedicated cybersecurity theatres, with speakers in cyber war and cyber resilience sessions urging firms to enhance their defence systems to combat advanced cyberthreats whilst focusing on the responsible use of AI.

Renowned social engineer Jenny Radcliffe added: “I’m yet to see AI replicate what a human social engineer can do – not that AI isn’t as brilliant as it is terrifying. [But] people are the most unpredictable entity you will ever come across. Feeding off experiential learning from a machine is never going to be as intuitive as a human.”

Meanwhile, Kelsey Hightower, former distinguished engineer at Google (just 100 out of 180,000), expressed the need to make open source software sustainable for the long term and less dependent on enterprise needs.

On the hype around AI, he commented: “You can rub AI on a can opener at the moment and you would get funding. If you are asking if AI is going to take your job, what is your job?

“My mantra: Make influence key, be authentic, and share the credit.”

Across 18 stages, including case studies, panel debates and peer-to-peer roundtables on cloud, networks, cybersecurity, DevOps, software engineering, UC, AI and data, DTX + UCX 2023 also served as a stage for sector achievements. Firms marked the event with the kinds of landmark announcements and product launches that mirrored the fast pace of change and exciting developments that visitors heard from the headline speakers.

DTX + UCX Europe 2023 Content Director Dominie Roberts said: “Bringing the best tech talent under one roof is what we do – and this year we have strived to improve the richness and diversity of our programmes which we are very proud of.

“Businesses are trying to keep their culture, infrastructure and operational design up to speed with the fast pace of tech change – and it is through events like these that tech teams learn how to navigate the latest tools and adopt the kinds of scalable, sustainable and inclusive strategies that will ultimately ensure their success as we enter the next realm.”

As speaker Jon Arnold summarised as the first day of DTX + UCX Europe 2023 wound down: “Occasions like this, where we can all come together to talk about the future, are important.

“We need events like this.”

DTX + UCX Europe 2023 continues with a full lineup today (Thursday 5 October) at the London ExCeL. More information is available online.

UK SME cyber threat concerns on the rise in last 12 months as a quarter admit to being breached
https://www.itsecurityguru.org/2023/10/03/uk-sme-cyber-threat-concerns-on-the-rise-in-last-12-months-as-a-quarter-admit-to-being-breached/
Tue, 03 Oct 2023 15:07:12 +0000

The post UK SME cyber threat concerns on the rise in last 12 months as a quarter admit to being breached appeared first on IT Security Guru.

Against a challenging economic backdrop and well publicised cyber-attacks, concerns about cyber threats amongst UK small and medium sized businesses (SMEs) have risen significantly in the last year as they consider the impact on brand, reputation, and revenue. According to new research, nearly four in ten (38%) are more worried about cyber security threats than a year ago, with over a quarter of businesses admitting to some form of security breach.

Research commissioned by Sharp Europe, a major provider of business technology products and services to SMEs across Europe, found that around one third of the businesses had their operations impacted by a cyber security breach. These breaches included phishing (31%), malware (30%), data loss (30%), and computer virus attack (25%).

In addition, nearly a quarter have been subject to password attacks (24%) and cloud security issues (23%). Yet nearly two thirds (61%) lack confidence in their businesses’ ability to deal with and mitigate security risks. Given this, it is surprising that three out of five (60%) of UK small businesses say their IT security budget will not be increased this year.

The pan-European research surveyed 5,770 professionals responsible for purchasing IT in their SMEs, on confidence in IT security capabilities and barriers to IT security investment over the next 12 months. It found that losing money, decreased customer confidence, and negative impact on the brand are the top business concerns when it comes to the impact of an IT security breach.

Colin Blumenthal, Vice President, IT Services at Sharp Europe, comments:

“Businesses operate in a complex digital environment, which poses increasing IT security challenges for companies of all sizes. For smaller businesses, without large IT resources, the risks can feel even more daunting. Threats are constantly changing – and trying to identify and prevent them all can leave those in charge feeling concerned, confused, and frustrated.”

“Every business, regardless of size, should do everything they reasonably can to protect their data and ensure their connectivity, whether through networks or devices, is as secure as possible. Seeking expert advice can help ensure the right IT security decisions are being made, a holistic security view is being taken, and that solutions are always up to date.”

Concern is being amplified by issues such as the rise of hybrid working and employees using their own devices. Worryingly, only 53% of SMEs in the UK say they have encryption in place, and nearly two thirds (58%) have a strong password policy.

For more insights and advice on cyber security for SMEs, please visit sharp.co.uk.

The State of Cybersecurity: Cyber skills gap leaves business vulnerable to attacks, new research reveals
https://www.itsecurityguru.org/2023/10/03/the-state-of-cybersecurity-cyber-skills-gap-leaves-business-vulnerable-to-attacks-new-research-reveals/
Tue, 03 Oct 2023 15:00:40 +0000

The post The State of Cybersecurity: Cyber skills gap leaves business vulnerable to attacks, new research reveals appeared first on IT Security Guru.

ISACA, the leading global professional association helping individuals and organisations in their pursuit of digital trust, today launches new research looking at the state of cybersecurity. The research finds that of the cybersecurity professionals who said they were experiencing an increase or decrease in cybersecurity attacks as compared to a year ago, over half (52%) say they are experiencing more cyberattacks.

Though businesses recognise the increased threat, less than one in ten (8%) of the organisations who complete cyber risk assessments do these monthly while two in five (40%) conduct them annually. The failure to regularly assess cyber risk leaves organisations vulnerable to attacks and increases the risk of breaches going undetected for prolonged periods.

A lack of human resource is contributing to businesses not measuring and testing their cyber defences regularly enough. Almost two thirds (62%) of respondents report that their cybersecurity team is understaffed. Of those organisations with unfilled roles in cybersecurity, 39% are looking to fill entry level positions that do not require experience, university degree, or credentials. Typically, 44% of organisations state that they require a university degree to fill entry level cybersecurity positions when they have them.

Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said: “Our findings show that businesses are still struggling to find the right people with the right skills to manage cybersecurity. With cyberattacks on the rise, if we do not solve these challenges and address the gaps, businesses, ecosystems of supply chains and public sector bodies could be at threat from a lack of vital protection, detection, response and recovery. Businesses do not exist in isolation from their customers or the other organisations within their network, and a cyberattack on one part of the ecosystem can have consequences for everyone else. This is why holistic training is needed towards creating a safer world.”

There are some simple steps businesses can take to tackle the cyber skills gap and improve their cyber resilience. Of those who are already making headway, half (50%) of the organisations surveyed are upskilling non-security staff, 46% are increasing the use of contractors or external consultants, and a quarter (27%) are adopting reskilling programmes.

Cybersecurity professionals believe that hands-on experience in a cybersecurity role (97%), credentials held (88%), and completion of hands-on cybersecurity training courses (83%) are very or somewhat important when determining if a cybersecurity candidate is qualified.

Chris Cooper, member of ISACA’s Emerging Trends Working Group, said: “If businesses are to maintain their cyber resilience in an ever-evolving threat climate, we must encourage and nurture talent in the cybersecurity industry. Employers are looking for people who already have hands-on experience, but we will only enable people to build that experience by creating more entry-level roles and investing in the right training and development for everyone in the industry, from the ground up.”

Jon Brandt, ISACA Director, Professionals Practices and Innovation and Martin Van Horenbeeck, Senior Vice President and Chief Security Officer at Adobe will discuss these findings further in a webinar taking place on 3 October at 17:00 BST. To register, visit https://store.isaca.org/s/community-event?id=a334w000005hEsVAAU.

A complimentary copy of the State of Cybersecurity 2023 survey report can be accessed at www.isaca.org/state-of-cybersecurity-2023, along with related resources. Additional cybersecurity resources can be found at www.isaca.org/resources/cybersecurity

Research reveals 80% of applications developed in EMEA contain security flaws
https://www.itsecurityguru.org/2023/09/27/research-reveals-80-of-applications-developed-in-emea-contain-security-flaws/
Wed, 27 Sep 2023 12:07:08 +0000

The post Research reveals 80% of applications developed in EMEA contain security flaws appeared first on IT Security Guru.

Veracode, a leading global provider of intelligent software security, today released research indicating applications developed by organisations in Europe, Middle East and Africa tend to contain more security flaws than those created by their U.S. counterparts. Across all regions analysed, EMEA also has the highest percentage of ‘high severity’ flaws, meaning they would cause a critical issue for the business if exploited. High numbers of flaws and vulnerabilities in applications correlate with increased levels of risk, which is particularly notable as software supply chain cyberattacks dominate headlines in 2023.

Researchers found that just over 80 percent of applications developed by EMEA organisations had at least one security flaw detected in their most recent scan over the last 12 months, compared to just under 73 percent of U.S. organisations. In addition, the percentage of applications containing ‘high severity’ flaws was the highest of all regions, at almost 20 percent.

“Our data shows that organisations globally are continuing to deploy a worrying number of applications with a high number of flaws in the CWE Top 25,” said Chris Eng, Chief Research Officer at Veracode. “We did, however, identify interesting regional differences, particularly in terms of third-party or open-source code usage and the ways in which vulnerabilities are introduced across the application lifecycle,” he continued.

Analysis of data collected from more than 27 million scans across 750,000 applications helped to produce Veracode’s latest annual report on the State of Software Security. This new report showcases the EMEA-specific findings from those scans and applications, including results from UK, Germany, France, Italy and across the Middle East and Africa.

Numbers alone don’t convey the consequences of hackers exploiting software vulnerabilities. With organisations across EMEA utilising an ever more complex mix of third-party software to deliver their services, the exploitation of a serious vulnerability can impact thousands of victims at once. Earlier this year, a vulnerability affecting printing software tools PaperCut MF and PaperCut NG was actively abused by threat actors. Up to 70,000 organisations in 200 countries became potential victims, and law enforcement reports found threat actors successfully compromised vulnerable entities in the education sector.

Java and Third-party Code Introduce Significant Security Flaws

The research identified notable regional differences in preferred language usage, with Java revealed to be the preferred language for developers in EMEA. Teams using Java were found to remediate flaws at a slower rate than those using .NET or JavaScript, causing many of these flaws to persist or remain undiscovered for significantly longer. Moreover, as over 95 percent of Java applications are comprised of third-party or open-source code, Java usage is a key factor in the higher percentage of vulnerabilities introduced into applications in the region. This highlights the importance of software composition analysis (SCA), which picks up flaws in open-source code, and the research found a higher proportion of flaws reported by SCA in EMEA than in other regions.

As generative AI continues to gain strong traction in software development, the risk of vulnerabilities from external sources increases. A study, presented at Black Hat in 2022, showed vulnerabilities in 40 percent of code that had been written by large language models trained on vast troves of unrefined data, including millions of public GitHub repositories. It is therefore vital organisations leverage SCA tools to find and fix flaws, empowering developers to take advantage of AI without compromising the security of applications.

Applications Become More Vulnerable Over Time

The research also showed new flaws continue to be introduced into EMEA applications at a far higher rate across the entire application lifecycle than in other regions. While EMEA organisations keep updating applications, there was less of a focus on quality. After a five-year timespan, 50 percent of applications in EMEA continue to introduce new flaws, compared to just over 30 percent for the rest of the world. Overall, the baseline chance that a flaw will be introduced in any given month was 27 percent.

As such, EMEA organisations would benefit from paying more attention to the latter portion of the application lifecycle and scanning applications more regularly. They should also prioritise security training for developers, with the research finding completion of 10 interactive security labs reduces the probability of flaw introduction from 27 percent to about 25 percent in any given month.

“This year’s State of Software Security report shines a light on the importance of security across the entire software lifecycle, as well as the urgent need to address risks posed by third-party and AI-generated code,” Eng added. “Whilst across the board globally we are still seeing a concerning volume of vulnerabilities, these figures are higher in EMEA across almost all measurements. Development teams in this region must take the opportunity to automate software security for regular scanning, and carefully consider their use of AI tools, both to increase security and empower developers.”

The Veracode State of Software Security EMEA 2023 recommends four actions software development teams can take to improve their cybersecurity posture and is available to download.

The global Veracode State of Software Security 2023 report is available to download.

Half of organisations with cyber insurance implemented additional security measures to qualify for the policy or reduce its cost
https://www.itsecurityguru.org/2023/09/27/half-of-organisations-with-cyber-insurance-implemented-additional-security-measures-to-qualify-for-the-policy-or-reduce-its-cost/
Wed, 27 Sep 2023 11:58:08 +0000

The post Half of organisations with cyber insurance implemented additional security measures to qualify for the policy or reduce its cost appeared first on IT Security Guru.

Netwrix has surveyed more than 1,600 IT and security professionals worldwide to reveal how their organisations reduce the financial impact of a data breach via a cyber insurance policy.

According to the survey, 44% of organisations are insured and 15% plan to purchase a policy within the next 12 months. Before being offered a policy, organisations typically need to go through a security audit by the prospective insurer.

“The insurer’s audit will highlight security gaps in the IT ecosystem and provide recommendations on how to overcome them. In some cases, implementing additional security controls is mandatory to even qualify for a policy. In addition, some organisations choose to invest in more security measures because it reduces the cost of the insurance policy,” says Dirk Schrader, VP of Security Research at Netwrix.

We asked respondents what requirements they had to meet in order to qualify for a policy. The most requested measure was multifactor authentication (MFA), named by 63%, followed by patch management (55%) and regular security training for business users (47%). In addition, 38% said they had to meet requirements for identity and access management (IAM), while 36% revealed they had to implement privileged access management (PAM) controls. Indeed, according to Gartner®, “Insurers often require organisations to deploy a PAM tool, along with MFA for administrative access, to mitigate the risk of breaches and malware events.” (1)

“When addressing the requirements or recommendations from an insurer, it is vital to assess the dependencies between the requested controls. For example, in order to require MFA for access to particular types of data, it is necessary to know where sensitive and regulated data resides, as well as to have control over user and administrative privileges,” says Ilia Sotnikov, Security Strategist at Netwrix.

To learn more about security trends, check out the complete 2023 Hybrid Security Trends Report.

(1) Gartner, Magic Quadrant for Privileged Access Management™, Felix Gaehtgens, James Hoover, Michael Kelley, Brian Guthrie, Abhyuday Data, 5 September 2023.

Akamai Research Finds the Number of Cyberattacks on European Financial Services More Than Doubled in 2023 https://www.itsecurityguru.org/2023/09/27/akamai-research-finds-the-number-of-cyberattacks-on-european-financial-services-more-than-doubled-in-2023/?utm_source=rss&utm_medium=rss&utm_campaign=akamai-research-finds-the-number-of-cyberattacks-on-european-financial-services-more-than-doubled-in-2023 Wed, 27 Sep 2023 11:41:56 +0000 https://www.itsecurityguru.org/?p=49910

Akamai Technologies, Inc. has today released a new State of the Internet report that explores existing and emerging cyberattacks against the financial services industry. The new report, The High Stakes of Innovation: Attack Trends in Financial Services, finds that financial services is the third-most attacked vertical in the Europe, Middle East, and Africa (EMEA) region, with approximately 1 billion web application and API attacks, which represents a significant 119% year-over-year increase when comparing Q2 2022 with Q2 2023.

In EMEA, insurance is by far the most attacked sub-vertical of financial services with 54.5% of all web attacks, which represents a 68% increase year over year. Insurance companies hold a huge amount of personally identifiable information, which makes them an attractive target for cybercriminals in contrast with other financial services organisations that hold mostly financial data.

The report also finds that as a region, EMEA experienced the most DDoS attack events (63.5% of attacks worldwide), which is nearly double the number in North America, the next top region (32.6%). The United Kingdom tops the list in EMEA at 29.2% of DDoS attack events, followed by Germany at 15.1%. Akamai surmises that the attacks on the European banks that are allies of Ukraine are financially and politically motivated by Russia’s continued war in Ukraine and are the primary reason for the increase in attack events in EMEA.

Other key findings of the report include:

  • Between January 2022 and June 2023, DDoS attacks on financial services in EMEA equated to 1,466 of the 2,590 attack events across all verticals in EMEA and resulted in a 40% increase year over year in DDoS attacks when comparing Q2 2022 with Q2 2023
  • DDoS attack events against the gambling, commerce, and manufacturing verticals in EMEA each also exceeded all other regions combined
  • 24% of the scripts used by financial services organisations in EMEA come from third parties, which is notably lower than in other verticals (36%)

“As cybercriminals continue to follow the money, financial services remains a hugely attractive target. At the same time, this is one of the most regulated sectors and hence it is essential for companies to align their security strategy with emerging laws and regulations,” said Richard Meeus, Akamai’s Director of Security Technology and Strategy, EMEA. “The High Stakes of Innovation: Attack Trends in Financial Services aims to provide insights that will equip this sector with the tools needed to improve security for their customers.”

CREST and IASME announce partnership with the NCSC to deliver Cyber Incident Exercising scheme https://www.itsecurityguru.org/2023/09/26/crest-and-iasme-announce-partnership-with-the-ncsc-to-deliver-cyber-incident-exercising-scheme/?utm_source=rss&utm_medium=rss&utm_campaign=crest-and-iasme-announce-partnership-with-the-ncsc-to-deliver-cyber-incident-exercising-scheme Tue, 26 Sep 2023 09:24:41 +0000 https://www.itsecurityguru.org/?p=49891

CREST and IASME are delighted to announce their partnership with the NCSC to help deliver its new Cyber Incident Exercising scheme. The NCSC (National Cyber Security Centre) has created the scheme to help organisations find high quality providers that can advise and support them to effectively practise their cyber incident response plan.

The benefits of exercise are clear, and this extends to practising a cyber incident response plan. While practice might not make perfect, it does build resilience. An organisation that rehearses its incident response plan is better placed to respond to cyber attacks and can get back up and running more quickly than those that don’t.

Organisations wishing to join the CIE scheme will be assessed against the NCSC CIE Standard. CREST and IASME will both manage the assessment, onboarding, monitoring and offboarding of providers assured under the Cyber Incident Exercising scheme on behalf of the NCSC. The organisations were selected for this role because they both meet the NCSC’s high standards and offer a choice for potential providers and different routes into the scheme.

Dr Emma Philpott MBE, CEO of IASME, says, “We are really looking forward to working with companies of all sizes and in all areas of the UK to deliver this important scheme. We feel strongly about ensuring that the scheme is accessible for smaller cyber security companies to become assured providers and we encourage you to contact us to discuss becoming a provider if this is something that interests you.”

Rowland Johnson, President at CREST, explains, “We are delighted to be helping deliver this important new scheme for the NCSC by assessing and onboarding Assured Service Providers. With rising cyber attacks on enterprises of all types, effective cyber incident response is one of the most important parts of building cyber resilience. This will give all organisations who want to test their incident response access to Assured Service Providers who can support them.”

The Cyber Incident Exercising scheme provides assurance of companies which deliver two types of cyber exercises to organisations that want to test their existing cyber incident response plans:

  • Table-Top – discussion-based sessions where participants talk about their roles and responsibilities, activities and key decision points (following their organisation’s incident response plan) in relation to a pre-agreed scenario.
  • Live-Play – more in-depth sessions in which participants execute their roles and responsibilities to respond to events in a real-world cyber scenario. Activities are tailored to the organisation and take place in close to real-time, providing a realistic simulation of a cyber event. Live-play exercises are best suited to mature organisations looking for in-depth validation of plans.

The scope of the CIE standard covers exercises designed to simulate incidents which have a significant impact on a single client organisation. It does not cover incidents spanning multiple organisations or Category 1 and Category 2 incidents as defined by the UK’s Cyber Attack categorisation system.

The new CIE scheme will launch officially later this year when exercising providers have been assured and on-boarded, ready to offer services.

Notes for editors

For more information from the NCSC go to CIE Scheme standard

For more information about the scheme and how to apply go to:

https://iasme.co.uk/cyber-incident/

https://www.crest-approved.org/membership/ncsc-cyber-incident-exercise-scheme/

The first Assured Service Providers for the scheme will be available soon. They will be listed on the website of the relevant Delivery Partner and on the NCSC website once they are available.

Cyberelements Partners with ABC Distribution Partners to Revolutionise Privileged Access Management in Europe https://www.itsecurityguru.org/2023/09/26/cyberelements-partners-with-abc-distribution-partners-to-revolutionise-privileged-access-management-in-europe/?utm_source=rss&utm_medium=rss&utm_campaign=cyberelements-partners-with-abc-distribution-partners-to-revolutionise-privileged-access-management-in-europe Tue, 26 Sep 2023 09:23:03 +0000 https://www.itsecurityguru.org/?p=49888

cyberelements, the Zero Trust Privileged Access Management (PAM) platform, today announces its strategic partnership with leading technology distributor ABC Distribution, heralding a new era in access security across Europe and beyond. cyberelements’ pioneering Zero PAM platform is set to transform how organisations secure access for standard and privileged users to critical business applications and assets.

The significance of secure access on business performance is paramount. Seamless connectivity to applications instils operational efficiency, enabling workforces to function at their best. cyberelements.io ensures rapid setup and access to IT/OT systems, a process that takes mere minutes for end users and IT service providers. The platform seamlessly integrates remote access for regular users and PAM for critical users, whether internal or external to the organisation.

“cyberelements brings a new era in access security by making it not only effective but also accessible to businesses of all sizes,” comments Chris Walsh, Managing Director of ABC Distribution. “This partnership underscores our commitment to delivering innovative solutions that empower organisations to enhance their security posture.”

Traditional cybersecurity tools often present challenges in configuration and integration, leading to gaps in protection. While detection and response solutions are vital, the cornerstone of defence lies in Zero Trust principles. Industry experts agree that Identity and Access Management (IAM) and Privileged Access Management (PAM) should converge in a unified platform to ensure the enforcement of robust Zero Trust security policies.

Jonathan Fussner, Head of cyberelements, said, “After a decade in the cybersecurity domain, our team is proud to introduce the first Zero Trust access security SaaS Platform in Europe. We understand the daily challenges faced by CISOs and CIOs, and our platform addresses these concerns head-on. Easy, swift, and secure access is pivotal to driving business performance.”

With cyberelements, businesses can establish secure access for all users, both regular and privileged, in a matter of minutes. This approach embraces the Zero Trust paradigm, considering identity and context as the new security perimeter, revolutionising access security in the European market.

ABC Distribution brings a wealth of experience in supporting vendors from initial market entry to mainstream adoption. The company’s expertise extends to working with both innovative startups and established challengers in the technology landscape. 

The partnership between ABC Distribution and cyberelements sets a new standard in access security, offering organisations a streamlined and robust solution to protect their digital perimeters.

To discuss how you can secure your business with cyberelements, visit the team at International Cyber Expo 2023 (26-27 September 2023) at Olympia London on Stand L40.
