TL;DR

  • The U.S. relies on outdated cybersecurity laws that create gaps exploited by cybercriminals and lead to a confusing patchwork of state and company-specific rules.
  • Ransomware attacks are increasing rapidly, fueled by "Ransomware-as-a-Service" (RaaS).
  • Lack of clear government policy on ransomware payments creates confusion and inconsistency.
  • Many organizations fail to provide adequate, ongoing cybersecurity awareness training for employees, leaving them vulnerable to attacks like phishing and ransomware.

    We spend a good amount of time on this blog focusing on the career side of cybersecurity: What are the skills you need to thrive? Which certifications are most important? What do you need to know to master your next interview? But cybersecurity is more than just a job — it’s a national concern. The US National Security Agency puts it even more bluntly: “Cybersecurity is national security,” they write. “It’s integrated into everything we do to keep the United States safe.”

    Of course, anyone keeping up with the news will already be well aware of this. Recent prominent stories include the furor over how TikTok collects and shares usage data, as well as Biden’s last-ditch efforts to mandate cybersecurity rules for software companies. But as with so many other aspects of cybersecurity, the most important developments are often happening behind the scenes. So, beyond the headlines, what is really happening in the cybersecurity landscape? What are experts actually concerned about?

    A government that lags behind

    Although the US has long been known as a technology leader, it lags well behind other countries when it comes to federal cybersecurity regulations. In fact, as Jason Edwards, a Cybrary instructor with over 30 years of experience in the industry, pointed out, we are still relying on laws written nearly 40 years ago. “If you were convicted of hacking, do you know which law you’d be charged under?” he asked. “The Computer Fraud and Abuse Act, enacted 1986.”

    In an industry where so much can change so quickly, this glacial pace of legislation is worrying. It can give digital thieves and other bad actors plenty of space to exploit gaps in the law. In an effort to offset this somewhat, administrative agencies, states, and even individual companies have tried to fill in these gaps and create their own sets of cybersecurity rules. However, as Edwards pointed out, this can lead to excessive bureaucracy — and lots of confusion.

    “We don’t have a unified theory of everything when it comes to cyber,” he said. “And that can be dangerous for companies. They’re operating on the internet, in multiple states, and they’re going to have to deal with all these different laws.”

    The rise of ransomware

    While ransomware itself is nothing new, its recent surge in popularity among cyber criminals has caught people’s attention. Recent reports indicate as much as a 56 percent rise in the number of ransomware groups in the first half of 2024 alone — and that’s after ransomware payments surpassed $1 billion for the first time in 2023.

    One reason for this uptick? Kehr mentioned the rise of ransomware-as-a-service. “RaaS has definitely emerged more recently,” he said. “All these different marketplaces and vendors [on the dark web] are now selling it.” This has lowered the bar for many hackers and made launching ransomware attacks much more accessible. In many cases, it can be as simple as making a purchase.

    For Edwards, the problem of ransomware’s recent increase connects back to the lack of a unified government policy. “There are no rules around it. It’s really up to the company whether they pay or not.” While some companies will draw a line, many others will make the payment just because it will help them get back to work faster. This lack of clarity can make it difficult to know what’s best to do. “That's definitely an area of policy that I don't see anybody taking on,” Edwards said. “Either you do it or you don't. What's the rules about ransomware payments?”

    Although he admitted to being able to see both sides of the argument, Edwards said he believes that companies shouldn’t pay unless it’s absolutely urgent, such as an attack that could cause a massive shutdown. “But you should have the FBI or some kind of national justice organization authorize that payment,” he said. “And then afterwards there should be sanctions for your company on why you got yourself into that place to begin with.” 

    Whether or not this would be the best approach, Edwards was adamant that there should be more of a conversation around this topic: “We need to have this debate going into the future.”

    A lack of awareness training

    Closer to home, but no less significant, is what both Kehr and Edwards identified as a persistent lack of cybersecurity awareness training amongst businesses. “I just don't think we can go far enough when it comes to awareness training,” Edwards said. “It's something very simple to do. Yet a lot of companies don’t do it.”

    Research bears this out. In one report, half of organizations admitted that they conduct security awareness training only once a year, or once a quarter at most. Training that infrequent leaves employees far more exposed to an evolving threat landscape, and their employers exposed to costly data breaches and other attacks. To mitigate this, organizations need to make security awareness training continuous rather than an annual or quarterly event.

    “Every time a CISO bulletin goes out,” Edwards said, “there should be some kind of training that goes along with it. If you embed it into your culture, you're not going to have [for example] ransomware attacks.”

    Kehr emphasized that this security training shouldn’t just be limited to employees. It’s also important that cybersecurity professionals have ongoing access to training as well. “What I look for are companies that invest in their people,” he said. “They should have platforms where there is constant training. That always keeps me on my toes because I'm learning about the latest and greatest vulnerabilities to whatever technology is out there.”

    This long into his career, he said, it’s what’s allowed him to maintain his edge. “It’s what keeps me fresh.”

    Stay ahead of the cybersecurity landscape with Cybrary

    There may always be new threats and vulnerabilities out there, but one you don’t have to worry about is how to stay current with all of them. Cybrary’s extensive course catalog gives you all you need to stay on track. Browse through our full catalog or request a demo for your team to start accessing our curriculum — including our knowledgeable Cybrary mentors.
