Home working has exposed us all to more cybercrime. Here's how to close the breach

• Cybercrime's attack surface has increased because of the switch to home working.

• There is a growing gap in skilled cybersecurity practitioners – hence a need for more training.

• Israel is targetting the unemployed, ultraorthodox and school-age populations as cyber-employees of the future.

The COVID-19 pandemic has affected our lives across the board. The unemployment rate in many countries has crossed into the double digits, and economies have been badly hit due to the health restrictions imposed on travel and business. And people are using the virtual world – to confer, to do business, to study and to socialize – on a scale never seen before.

People’s homes have been modified to accommodate remote working, with no apparent reinforcement of their private communication infrastructures; some using their own private devices and others, end-point devices provided by their employers for home use.

From a cybersecurity perspective, the leap in the use of internet has presented cyber-attackers with a bigger-than-ever attack surface. New applications have been developed in a rush, some without adequate security measures. According to a report from cloud technology firm Datto, ransomware is still the number one threat; such attacks have increased both in number and in sophistication. The cybersecurity challenge, troubling enough prior to the pandemic, has only become bigger and wider.

Another point of concern is the growing gap in skilled cybersecurity professionals. According to a Kaspersky survey, 73% of businesses find it very difficult to hire IT security personnel. The High-Tech Human Capital Report by Israel’s Start-up Nation Central shows a rise of 16% in high-tech recruitments between 2018 and 2019, while the Burning Glass tech report on "the fastest growing cybersecurity skills on demand" estimates a growth of 164% in cybersecure application development jobs available. The State of Cyber Security Hiring Report finds that while IT job postings have risen by 30% since 2013, the number of cybersecurity posts has risen by 94% and take longer to fill. It is estimated that the global gap in cybersecurity professionals will rise to about 3.5 million in the coming three years.

With high-tech wages growing by 27% in relation to a 15% average, no wonder that cybersecurity professionals' salaries are 16% higher than IT jobs, and governments and industry are struggling to recruit them. It seems that the usual recruitment methods won’t suffice, and we need to expand our scope and look for other populations to fill the gap.

In trying to revive damaged economies, governments are pouring money into initiating public works and by supporting citizens and businesses with allowances. But fewer governments are investing in cyber-professional courses and capacity-building – which could benefit society not only by closing the cybersecurity gap, but also in bridging the social gap.

It is high time governments boarded the “cyber-train”, meaning investing in hands-on training and capacity-building. Such investment has many invaluable benefits: Converting the unemployed to become cybersecurity practitioners will help in bridging the employment gap and assist in our security posture against cyber-attacks. Moreover, such an investment will have a positive and significant impact on economies, both by preventing damage caused by cyberattacks, but also by contributing indirectly to the economy. As salaries of IT employees are relatively high, the return on investment would be much quicker. One must also not forget the social benefits of reducing inequality, and fulfilling the WEF vision of the Great Reset.

Most of the existing professional courses in cybersecurity are aimed at professionals in computer science that already have some experience in the field.

This is an immediate channel that may require less resources, yet will not suffice, and we should think of other potential populations as candidates. The Israeli National Cyber Directorate (INCD) recently initiated a programme called Cyber4s, designed to train capable young unemployed individuals with no university degree nor work experience. In a period of six months, the aim was for them to become qualified full-stack cyber-developers. The key to the programme’s success is that the syllabus was the product of joint public-private partnership, between industry, the NGO Start-up Nation Central and the 8200 Cyber Unit, a part of Israel’s defence forces. So participants had exposure to the real world of high-tech and a better chance of employment.

Other initiatives target broad groups who might be completely new to the field. One good example is the Cybersecurity Learning Hub, developed in partnership between Salesforce, Fortinet, the Global Cyber Alliance and the World Economic Forum.

Another interesting channel is the one aimed at specific target populations, such as the ultraorthodox minority. This group is generally educated in religious schools that do not follow the core subjects of maths and English as other communities do. It is a challenge to train such demographics in technological professions, yet through a dedicated nine-month course, the candidates qualified as cyber-practitioners. This case study could serve as a model for other populations who lack the requisite maths and English needed as a basis for high-tech jobs.

Third is the "cyber-club" programme for young girls – and other similar school initiatives. The alumni say that such dedicated programmes have enabled them to study more freely and empower them to strive for careers in high-tech industries.

The information technology domain is intensely dynamic. Attack patterns are being developed all the time, hence it is imperative that best practices are updated frequently. The industry innovates at a pace governments cannot keep up with. The key to a successful training programme is to take into account these variables, study the gaps, and adjust the syllabus according to current needs and to the advancements in the tactics and procedures. A solution that will bring together representatives of the high-tech industry, governments and NGOs.

The INCD has initiated a voluntary certification process for cyber-professions. The first profession to be declared is the “Cyber Practitioner”; its syllabus was defined according to the methodology of Unit 8200 and according to industry needs. Israel chose to lead by example by asking service providers for the government to be certified, thus inspiring the market to demand such certification too. Different countries may have different approaches: Some, like Singapore, require all professionals to be certified officially by law, whether working in the public or private sector.

Bringing all relevant players to the table and understanding the needs of the market is something that governments and NGOs everywhere could work towards. The vision of establishing a joint working group of governments and industry to define basic cyber-professions and the minimal syllabus requirements is something that could bolster collective cybersecurity for us all.