The Federal Government recently announced the Cyber Security Skills Partnership Innovation Fund, with grants of between $250,000 and $3 million, “to improve the quality and availability of cyber security professionals through training.”
The Government estimates $13 million will be available for round one, which closes on 11 March 2021, and it expects to kick off a second round later this year.
It is an admirable initiative and a great first step towards boosting Australia’s cyber resilience.
It would also be good to see a program that provides subsidised training for SMEs, which would raise the general level of cyber security understanding among the wider workforce.
Consult any number of reports on cybercrime and you will find that phishing is by far the most common attack vector.
Anyone can be duped by a phishing attack, but it is safe to say the majority of those who are duped are not cyber security specialists, or even IT people.
They are secretaries, admin assistants, accountants - anybody who uses email or, increasingly, text messaging and social networks.
Organisations have tools and technologies to detect and block whatever malware a phishing attack is trying to inject, but these are the second line of defence.
The first line is making sure staff don’t fall for the deception.
Certainly, we need more cyber security specialists, but we also need to raise the level of cyber security understanding throughout the general workforce.
To beef up their first line of defence, many organisations provide cyber security training for staff, for example by running phishing awareness campaigns.
Some even mount mock phishing attacks.
All of these tactics aim to drive home the fact that cyber security today is everybody’s business.
However, many organisations, especially smaller ones, see this as an unnecessary expense, or not a high priority.
That is, until they get hit and then it’s too late.
Our research shows organisations are not always willing to invest in cyber security training for staff, citing cost as the biggest barrier.
A subsidy program from the government would help overcome this barrier.
There is an increased urgency to boost cyber awareness right now, driven by COVID-19.
Many employees are now working from home on less secure devices, isolated from organisations’ protected networks.
Cyber criminals have been quick to exploit this factor and establish new phishing attack angles.
Research figures show COVID exploitation by the cybercriminal fraternity has been massive.
For more than a dozen years, US telco Verizon has produced an annual data breach investigations report.
Its 2020 edition came out in May.
Just three months later, Verizon took the unprecedented step of publishing an out-of-cycle update, Analyzing the COVID-19 data breach landscape, saying, “The extreme gravity and the sheer volume of the changes taking place both in industry and society as a whole have compelled us to address the matter…”
The Government’s Cyber Security Skills Partnership Innovation Fund is a great initiative that is certain to boost the number of cyber security professionals in Australia, but it is aimed primarily at organisations in the cyber security industry, or at least the IT industry: organisations for which cyber security or training is a business, not just an essential business attribute.
In addition to increasing the availability, quality and gender balance of the cyber security workforce, the government says it expects outcomes to be, “innovative or new ways to improve cyber security skills.”
And it expects the type of projects to secure funding will be, “collaborations between organisations such as industry associations and other bodies, higher education and vocational education providers, secondary schools, local and state governments, and businesses.”
Additional grants that offer subsidised cyber security training for SMEs (regardless of industry) could present the perfect opportunity for Australian organisations to boost the level of cyber security understanding among their staff.
This would bring multiple benefits.
It would reduce the number of successful breaches resulting from phishing attacks, lax password management and generally poor ‘cyber hygiene’.
This would in turn reduce the workload on cyber security staff, who are in high demand and short supply.
It would also widen appreciation of cyber security as a profession and attract new candidates to the ranks.
With unemployment rising thanks to COVID-19 and with employment opportunities increasingly requiring digital skills, the employment prospects of individuals with cyber security training will be markedly better.
A new study by Deloitte Access Economics and RMIT, Ready, set, upskill: Effective training for the jobs of tomorrow, based on a survey of 1,078 Australians in December 2020, found that 87 per cent of jobs now require digital skills and that 156,000 new technology workers will be needed by 2025 to keep pace with the rapid transformation of businesses.
The study also found understanding of cyber security to be very low.
Forty-five per cent of those surveyed did not recognise the skill or knew very little about it.
This figure in itself shows that things need to change.
Sure, understanding of cyber security fared better than that of coding, blockchain, artificial intelligence and data visualisation, all of which rated more than 50 per cent non-recognition.
But unless you need to use those skills, ignorance will harm neither you nor your employer.
That’s not the case with cyber security.
Finally, the provision of cyber training for the wider workforce, not just training cyber security specialists, is an industry in its own right.
Funding for such training would almost certainly give this industry a boost, which would in turn lift the quality, availability and diversity of cyber training programs for industry.
Jon Lang is the Chief Executive Officer of DDLS, an Australian provider of corporate ICT and cyber security training.