Why Empowering End Users May Be the New Cyber Security Killer App

Why Empowering End Users May Be the New Cyber Security Killer App

Over an eight-year period, according to a study by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021. Despite industry-wide efforts to reduce the skills gap, the gap remains and tech giants like Microsoft are announcing plans to create millions more jobs globally.

In the U.S., the cybersecurity workforce has more than 1.1 million workers — with around 770,000 more yet to be filled, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce.

Nationwide, there are just over 90,000 CISSPs (Certified Information Systems Security Professionals), according to CyberSeek, but more than 106,000 job openings require the CISSP certification, the cyber security industry’s highest standard. In the case of CISMs (Certified Information Security Managers), there are 40,000 job openings but only 17,000 people holding the credentials.

The U.S. Bureau of Labor Statistics projects that “information security analyst” will be the 10th fastest growing occupation over the next decade, with an employment growth rate of 31 percent compared to the 4 percent average growth rate for all occupations.

The shortage of security professionals has a significant impact not only on organizations that struggle to fill the ranks, but also on their IT teams who have to cope with the pressures brought by understaffing.

Being a cybersecurity professional is stressful. On top of constant concerns about imminent threats – and the risk of missing them before they have caused irreversible damage – professionals also report a lack of security awareness among their organization’s staff in general and a lack of buy-in regarding security best practices at the executive level to contribute to increased stress.

“When it comes to keeping organizations safe, it is a team sport,” said Osman Erkan, founder and CEO of DefensX, an innovator in cloud-first cybersecurity solutions which enlist all employees to contribute by providing easy-to-install and use software apps for browsers on any device. “It is simply not sustainable to ask already strained IT and security teams to do more – neither is it cost-effective to keep hiring more staff. What is working today is automation and AI and helping workers help themselves.”

Erkan said that, while organizations should invest in building their teams’ professional knowledge and supporting them in earning important certifications, those organizations should also invest in ways to spread out the responsibility and insist that workers use simple and affordable tools to prevent them from clicking on nefarious links, through phishing attacks and social engineering.

“Our education programs have been very popular, in that we host virtual training meetings to educate entire cyber teams, with fresh data on new threats and ways to ameliorate those threats,” Osman said. “We celebrate Cybersecurity Awareness Month every October, as awareness is precisely what we do – we make individuals and teams aware of threats before they become problems.”

“Security analysts have not always been popular,” Erkan explained. “They’ve been perceived in the past as inflexible bureaucrats – the people who say no – but that has changed as individuals become more aware of the threats those teams have been trying to defend themselves and their company against. Educating the broader workforce on the importance of cybersecurity has gone a long way to boost the morale of cybersecurity forces and the perception of the value they bring to the organization.”

According to Gartner, 98% of external attacks over the last few years were carried out over the public Internet, and, of those attacks, 80% were targeted directly at end users through their browsers.

A remote browser isolates the user’s browsing activity from the end user’s device and from the enterprise’s networks and systems. This effectively creates an ‘air gap’ between inevitable attacks and the enterprise network, in effect restricting the ability of an attacker to establish a foothold, move laterally within the organization and breach other enterprise systems to exfiltrate data.

“Attackers generally break into the network by means of social engineering to deliver targeted malware to vulnerable systems and people,” Erkan explained. “Once they are in, attackers stay quiet to avoid detection, then map out the organization’s defenses from the inside. This makes it possible to deploy multiple parallel kill chains to ensure success. Attackers usually target unprotected systems and capture information over an extended period. This captured information is sent back to the attack team’s base to be analyzed for further exploitation, fraud, or worse.”

Especially given the massive growth of remote working, employees, contractors, partners, and customers are using browser-based applications for productivity. Whether using Office 365, Google Drive, Slack, Zoom, or many dozens of other collaboration and communications applications, browsers remain open throughout the workday with many tabs open at the same time.

“This happens on desktops, laptops, tablets, and smartphones, and whether those devices are issued by the organization, or owned by the end user, without remote browser isolation, attackers now have the potential to breakthrough browsers as they become acquainted with the whole system.”

In an e-mail, the user clicks on a link, which is assumed safe, given investments in e-mail content security. That link opens a web browser, and there is always the possibility that the user’s device may get infected as part of a phishing attack. Even pop-up blockers are not enough to protect under certain attacks. For instance, a user may click on a link on their device, but the pop-up blocker blocks access, and often the user does not notice. However, the browser has already executed code that could lead to an infection.

DefensX, founded in 2018 in New York, is transforming the nature of cyber security by liberating users with an “application to content” approach. With its patent-pending unique threat isolation technologies, its platform seamlessly protects users from the web and SaaS application content-borne threats, who work from anywhere, on any device, and over any network.



Edited by

Erik Linask