As someone who spends their working life protecting others from risk, you surely have the right to bullet-proof your own career by talking to a recruitment firm that has the experience and reach to put you in touch with organisations that have the need, appetite and budget to place information security right at the top of their priorities.
Most of our clients are operating within financial services. This places them right at the frontier of cyber risk. When a robber was asked why he robbed banks, he famously answered “because that’s where the money is”. Nothing’s changed. Whether it’s pounds, dollars or bitcoins, the organisations storing or transferring them have an acute need for cyber specialists to safeguard their operations.
So if you can demonstrate experience-hardened cybersecurity skills gained on a permanent or interim basis, we feel certain that our clients will want to talk to you.
International Professional Services Consultancy
The candidate was engaged on a major DLP programme with a leading UK building society.
Global Leader in Application Security Risk Management
Major Aviation Brand
We want to talk to you. Drop us a line and tell us about yourself!
How can you be sure the person accessing sensitive information is who they say they are? Authentication has become much more complicated during the pandemic. Having the correct account credentials is no longer enough to confirm a user’s identity. So, what are organisations doing to improve information security, and how is the field of authentication developing?
The threats to information security have surged during the pandemic; this coupled with the challenge of keeping remote workers secure has led to several high-profile breaches. While IT teams have been working hard to ensure that data is encrypted, anti-virus systems are installed and firewalls are configured, none of this really matters without effective authentication. It’s the information security equivalent of leaving the front door open.
Poor authentication processes make your organisation an easy target for hackers. A hacker can gain access to a username and password via social engineering, phishing, malware and more — all of which have increased during the pandemic. 95% of all web application attacks are because of weak or stolen credentials.
While malicious attacks are the primary concern, authentication is also important to maintain compliance with data privacy regulations. With the boundary between home and work becoming blurred, more and more employees have been accessing sensitive information on personal devices and some have even been sharing devices with family members.
Throughout some sectors, such as finance, MFA is already widely used. With the need for secure authentication of remote workers, other industries are now following suit. This is because MFA is extremely effective — according to Microsoft, only 0.1% of compromised accounts were using some form of MFA. MFA significantly increases the difficulty of a successful hack. Therefore, potential attackers are deterred unless the incentive is worth the time investment.
Most commonly, MFA works like this: you log in to a system using your username and password, which triggers a second authentication process before you are granted access. The second process could be a text message to your mobile or a smart card/USB key.
According to the 2020 Verizon Data Breach Investigations Report, 80% of data breaches were due to compromised or ineffective passwords. Therefore, the strongest MFA approaches have been removing passwords completely. This extends to removing secondary authentication methods that rely on a ‘shared secret’, such as one-time passwords or SMS codes, as these can be vulnerable to channel-jacking (a hacker taking over the channel through which authentication attempts are sent). Given that strong, unique passwords are often difficult to remember and manage, removing passwords also improves usability.
Biometric authentication methods such as fingerprints, facial recognition and retina scanning are often held up as the gold standard. These are easy to use and cannot be stolen like a smart card or USB key can be (although biometrics are still vulnerable to coercion). However, some employees may object to sharing private biometric data and providing devices with biometric authenticators can be expensive.
Although MFA is very effective, authentication is typically conducted once at the start of a session. MFA assumes that the user remains the same throughout the session. Some organisations with particularly sensitive data are adopting continuous authentication, where benign background software monitors for changes in location, device or behaviour and triggers further authentication when it detects them. Also, MFA does not usually consider the device in the authentication process. Dynamic authentication is being used to verify device identity and health by looking for factors such as unexpected screen resolution, suspicious IP addresses and CPU speed. This information is continuously combined with predictions about user behaviour risk (and organisations can have input into defining what constitutes risk).
Overall, it seems the simplest answer to the authentication challenge is implementing MFA. It’s an inexpensive method that radically improves security without significantly decreasing usability. While developments in continuous and dynamic authentication offer added protection, attacks on systems using MFA are rare, so this more advanced approach is only necessary for organisations at high risk of a serious breach.
According to PWC’s 2021 survey, half of enterprise executives are now considering cybersecurity in every business decision. This security-first approach can include techniques such as multi-factor authentication, artificial intelligence and more — but DevSecOps is one of the most frequently talked about solutions to increased security threats. So, what is it and is it really the answer?
Development Security Operations (DevSecOps) is an approach to security that utilises an Agile framework — breaking down traditional silos to maximise speed and efficiency. Traditional silo-based approaches resulted in a production bottleneck once completed software had been passed over to security teams, but DevSecOps overcomes this issue.
DevSecOps prioritises security from the start, continually testing for vulnerabilities throughout development and automating key security processes. Automated tools such as web application firewalls, open source software governance and intrusion detection systems are commonly used to streamline a DevSecOps approach, while cross-functional teams prevent a production bottleneck.
According to a 2020 survey by Sonatype, DevSecOps teams have fewer open source related breaches, and the majority deployed to production at least once a week. Almost half of DevSecOps teams said that they still didn’t have enough time to spend on security, but had built in more automation, meaning that security was being assessed throughout the process. Finally, the more evolved a DevSecOps team was, the higher their employee satisfaction.
As well as being faster and more secure, DevSecOps allows for the sharing of multi-disciplinary knowledge. By working with development operations, security professionals can gain a better understanding of how the software works. This allows them to better understand the DevOps team’s priorities. For example, security professionals usually advocate for a thorough encryption approach, but DevOps teams are focused on software performance — which encryption can sometimes reduce. By working together, the teams can strike the right balance between contrasting needs.
DevSecOps offers huge potential, so why isn’t everyone using this approach? A commonly cited issue is the culture clash between a high-speed, pressurised DevOps approach and more traditional, cautious security practices. Most commonly, security is integrated with an existing DevOps team, meaning that security professionals are viewed as the outsiders. This, combined with entrenched preconceptions about security — that it is something that happens later or may even stifle innovation — can lead to conflict between teams.
Security Compass’s ‘2021 State of DevSecOps’ report also highlighted technical challenges, cost, lack of time and lack of education as issues holding back adoption of DevSecOps. In addition, while automation is an important aspect of the DevSecOps approach, the surveyed participants still felt implementation was insufficient and that they were being slowed down by manual security processes.
Clearly, successful DevSecOps adoption doesn’t just happen; it has to be nurtured. Cultural clash can be overcome by appointing a ‘security champion’ within the DevOps team who emphasises the importance of security and facilitates communication between teams. It can also help to have leadership explain the business case for improvement, so that teams understand the rewards for working through any teething difficulties.
It’s equally vital to invest in automation. It’s a cornerstone of DevSecOps and yet still under-utilised. No matter how hard you work to prevent potential cultural clash between teams, if integrating security into development really does slow down the process, then resentment is inevitable. Using automation to streamline security could make the difference between a successful or failed DevSecOps adoption. Finally, most developers are not taught how to write secure code — according to Forrester, even the top Computer Science courses feature little security training, so it’s important to support education in this area.
It’s clear that DevSecOps isn’t a panacea for the climate of increasing security threats. It comes with its own set of challenges and if implemented incorrectly, could end up causing more hassle than it’s worth. However, with the right attitude and commitment, you could end up with a well-oiled DevSecOps team who write secure code as second nature.
According to the BCS, neurodiversity remains an overlooked issue in the tech industry — employment rates for neurodiverse people remain low and stigma remains. However, a growing number of companies are recognising that it’s not only right to offer opportunities to all, but that people who think differently provide a competitive advantage and help to create an inclusive environment for everyone. For example, both Microsoft and Dell have an established autism hiring programme. So, what are the barriers to a neurodiverse tech industry and how can organisations help?
Neurodiversity refers to the differences in thinking patterns, interests and motivations that naturally occur throughout the population. A neurotypical brain functions in the way that the majority expects. However, an estimated 15% of the UK population are neurodivergent. This is an umbrella term that refers to people who have Autism, ADHD, Dyspraxia, Dyslexia and other neurodevelopmental conditions.
Employment rates vary across conditions. For example, according to research conducted by the National Autistic Society, just 16% of autistic people are in full-time paid work and many are working in a job below their skill level. Worryingly, a recent study found that half of leaders and managers would be uncomfortable hiring a neurodivergent person. The highest level of bias was against people with Tourettes, ADHD or Autism. In addition, the majority of neurodivergent people surveyed felt their workplace was not inclusive to their needs. Up to 40% of employees in the tech industry have not disclosed their neurodivergent traits, meaning that their needs are unlikely to be supported.
It’s important to point out first that stereotypes around neurodivergent behaviour are unhelpful and often cause unrealistic expectations — for example, the idea that autistic people are maths or computer savants. However, there are many benefits that go beyond superficial abilities, including:
Software and data quality engineering start-up Ultranauts is a fantastic demonstration of a company leveraging the power of neurodiversity. 75% of the workforce are on the autism spectrum. The small company is now winning contracts from Fortune 100 companies over established global IT consultancies. The company’s founder credits their success to their neurodiverse workforce, saying that, ‘with different learning styles and information processing models, to collaborate and focus on attacking the same problem, we’re just going to be better at it.’ Crucially, Ultranauts also worked hard to create an inclusive culture that supports neurodivergent people.
Importantly, hiring neurodivergent people has a positive effect on the entire workforce by fostering a culture of inclusion. Accommodating individual needs is a wonderful thing that everyone can benefit from by encouraging both innovation and empathy within the organisation.
Many neurodivergent people will require accommodations in their workspace. For example, autistic people who have sensory processing disorder may benefit from adjustments in lighting and noise (however, it’s important to highlight that variation exists — one autistic person could be over-sensitive and another under-sensitive). People with ADHD who experience periods of hyper-fixation accompanied by distractibility may benefit from a flexible schedule. In addition, making interviews neurodiverse-friendly will support fair assessment practices and encourage hiring of neurodiverse candidates.
Finally, many neurotypical people overestimate their knowledge of conditions such as Autism and ADHD. Awareness training can help build understanding and avoid further workplace barriers being created for their neurodivergent peers.
Several major employers, such as Twitter and Facebook, have announced that remote work will continue indefinitely. For those who enjoy the flexibility and lack of commute that working from home offers, this will be welcome news. For others who thrive in an office environment or who lack a suitable home-working space, a remote future could be a nightmare. There are also growing concerns about what remote work will mean for training, teamwork and sustaining company culture.
The hybrid office is being touted as a solution, where employees split their week between their home and the physical office space. However, this comes with its own set of problems. For example, there is concern over a two-tier system arising between office and home workers, and a possible breakdown in communication as a result. Luckily, there are a number of innovative new technologies being designed — could they help build a hybrid office that people want to be part of?
One of these new technologies is Yonderdesk, a custom digital workspace. One of the main issues with a hybrid office is that it lacks the ‘sense of togetherness’ created by physically being in the same space. This means employees miss out on socialising and are less likely to ask their colleagues quick queries. Yonderdesk is a digital floor plan that can mimic the organisation’s actual office space. Employees are given an avatar and a desk, so that it’s easy to see where your colleagues are (e.g., in meetings, available or working on a task). Digital floor plans have been a key element of online games, such as Habbo, for years because they are fun, engaging and make people feel like they are having a shared experience, so it will be fascinating to see whether ideas like Yonderdesk prove popular.
On a more tech-heavy, futuristic note, there is plenty of development in virtual and augmented reality technology. Digital start-up Spatial is working on augmented reality filters that create the illusion that your co-worker is right in front of you (similar to Pokémon Go). The avatar has facial expressions and can even sit down on a chair. It also works on existing virtual reality headsets, but Spatial is particularly excited by the idea of lightweight glasses, which are likely to be far more practical for everyday use. In addition, Spatial allows your avatar to interact with virtual tools. In their words, ‘Your room is your monitor, your hands are the mouse.’ There are plenty of other virtual reality meeting applications, but Spatial is one of the most immersive.
A more controversial development is the increase in monitoring software, sometimes known as ‘tattleware’. Some of these products can be used without employee knowledge to spy on emails, software use and more, which can have serious data privacy implications and undermine trust. Given that, on average, people have been working longer hours during the pandemic, it seems unwise to use monitoring software in this way. However, when used ethically and transparently, such tools can provide a rich understanding of employee behaviour that can improve productivity and engagement and prevent fatigue and/or burnout. For example, software like Time Doctor has time-tracking features that can help employees and managers gain a better understanding of how long tasks actually take, which can be fed into future estimates and used to reshuffle schedules.
Last but not least, collaboration tools. If you haven’t done this already, finding and implementing effective collaboration tools is vital to successful remote and hybrid working. You are probably most familiar with services like Slack — instant messaging chat rooms are a great way for employees to show their availability and engage in more casual conversations. Take this further with tools like Donut, a Slack app that makes introductions with a random employee every couple of weeks and encourages virtual or in-person meet-ups. This helps build a cohesive company culture by structuring those random encounters from the pre-pandemic days.
Clearly, it will take time to build a hybrid office that suits your organisation. Exploring new tools is a great way to avoid complacency and ensure the hybrid office experience is something your employees want to be part of.
For many, the adaptation to working from home has been a challenge. Maintaining productivity while also facing health, financial and family concerns can be stressful enough — so understandably many employees would rather not add information security to their list. However, you would have been hard pressed to have missed the sharp rise in data breaches last year. Under the GDPR and the Data Protection Act 2018, companies must protect data in a way that ensures ‘appropriate security’ by using ‘appropriate technical or organisational measures’ — and COVID-19 doesn’t provide an exemption. What can organisations do to keep data safe in such difficult circumstances?
Many organisations already have remote working policies in place (93% according to a study by OpenVPN); however, 25% of these companies have not updated these policies in over a year. Hackers will easily exploit out-of-date systems, so now is the ideal time to update policy, which will also provide the opportunity to remind employees of proper remote working procedure. Additionally, ensure that existing security measures are working as intended. For example, most organisations will use a virtual private network (VPN) for employees to access company data via an encrypted connection. However, many corporate VPNs have vulnerabilities that IT teams do not regularly patch, or are not sized for constraints such as limited bandwidth, which may stop the VPN working properly. Many companies, including Dell, have said that evaluating their VPN was a top priority during the pandemic.
A recent study by IBM concluded that the current workforce, who have been rushed into remote work, poses a significant risk to information security. 52% of surveyed newly working-from-home employees reported using their personal devices for work (often without new tools to secure the device) and 45% have not received any new security training — yet 93% felt confident that their company would keep personally identifiable information safe. This suggests that employees are underestimating the security risks of working from home and IT teams may be overestimating employee knowledge of information security. Therefore, IT may be unaware of the risks employees are actually taking, such as sharing devices with family members, which means that data could be downloaded and unknown software installed on a device where the employee’s company credentials have been entered. It’s important both to enforce regular training on how to keep data safe and to repeatedly communicate the business consequences of failing to follow policy.
On a related note, being realistic about the risk employees pose to a security system means limiting the potential damage. Employing multiple layers of security, such as multi-factor authentication and encryption, will help businesses stay safe. Encryption is specifically mentioned by the GDPR when outlining what constitutes appropriate technical and organisational security measures — the reason being that even if a breach occurs, the data will be unreadable. It’s crucial that all devices used for work (including phones and tablets) are encrypted. Plenty of widely used software, such as Microsoft Office or Adobe Acrobat, also provides an option to encrypt files — it’s a good idea to get into the habit of encrypting everything. Then, in the potential situation that a device is remotely or physically accessed by an unknown person, the data stays safe.
While many businesses are juggling a number of concerns during the pandemic, it’s essential that information security remains a priority. GDPR means data must be kept safe at all times by evaluating security systems, understanding the risks your employees take in home-working situations, and responding to this with training and failsafe measures like encryption. Given the financial and reputational consequences of a data breach, it’s vital that businesses are proactive in ensuring information security.
Diversity remains a key issue for the technology industry. According to a recent BCS report, 18% of IT professionals have BAME backgrounds. BAME people are also less likely to hold senior positions — only 9% are directors and 32% are supervisors (for comparison 43% of white employees have a supervisory role). The lack of diversity becomes even clearer when considering specific ethnic groups. For example, black women make up just 0.7% of the technology industry — a representation rate that is 2.5 times lower than in other industries. Clearly, the technology industry is still struggling to achieve true diversity, so what can companies do about it?
It’s easy to say the right thing, harder to put this into action. Setting targets, continually measuring diversity and reviewing progress helps organisations to commit to change. For example, some big companies like Facebook and Pinterest have tried to use the ‘Rooney rule’ where at least one woman and one person of colour are interviewed for director positions within the company. However, progress has been limited and concerns about it being a ‘diversity tickbox’ exercise have been raised. More recently, it’s been emphasised that targets need to be set at all levels of seniority, and that there needs to be external accountability for failure to meet targets.
On the other hand, sometimes companies fail to say enough. Statements of diversity support are important to attract new staff and ensure existing employees are reassured by an inclusive company culture — both those with BAME backgrounds and beyond. For example, Unilever recently pledged their support for a campaign working to end discrimination against hairstyles associated with racial, ethnic and cultural identities. Given that this kind of discrimination often happens in the workplace, a major employer taking a stance sends out a powerful message.
Many people from under-represented groups have concerns that a career in tech is ‘not for them’. This can be reinforced by a lack of people who look like them in senior positions. In addition, some BAME communities prioritise traditional jobs such as medicine, law and finance over technology careers. Companies can participate in outreach in schools and other settings to expand on what a technology career looks like and address concerns someone might have about entering the world of technology. Outreach can help to shed a light on available opportunities while also sending a clear message about the company’s commitment to a diverse workforce.
There’s been a recent discussion about diversity training — particularly the low reliability of the implicit association test and its lack of impact on reducing real-world biases — to the extent that the civil service has stopped all unconscious bias training. However, while certain tools have been criticised, research shows that ongoing diversity training is successful when it combines a range of techniques and is complemented by other diversity initiatives. It’s clear that diversity training needs to be ongoing and not seen as a substitute for wider policy change.
After the Black Lives Matter movement put the spotlight on diversity in 2020, many companies turned to their staff for advice. There have been several instances of people from BAME backgrounds being asked to speak about and advise on diversity practices amidst a climate of emotional trauma and, in some cases, fear of later reprisals from the organisation they were asked to defend. It’s important not to place the burden of improving diversity on individuals — especially if they are unsure how to refuse and are not being compensated for their extra work. Diversity — like any other organisational strategy — should be managed by qualified professionals and engaged with by interested employees.
The technology industry’s track record when it comes to diversity is far from perfect. However, changes are being made. It’s clear that actionable, long-term strategies are needed to truly support organisational diversity in tech.
McGregor Boyall are pleased to announce the appointment of Terry Witham as Director of our Info & Cyber Security Recruitment Practice.
Terry has over 20 years’ experience in recruitment that ranges from building international recruitment teams to solution selling around the globe. As a specialist in the Info & Cyber Security recruitment space, he will drive the growth of McGregor Boyall’s Info & Cyber Security Practice on a national and international basis.
Commenting on his appointment, Terry said, “I’m really excited to have finally landed at McGregor Boyall, who possess a phenomenal name in the recruitment industry both in the UK and across the Middle East and APAC regions.”
“I am delighted to have Terry on board to build on and expand our Info & Cyber Security Practice both in the UK and internationally,” said Group CEO Laurie Boyall. “His experience speaks for itself, and his proven track record of delivery across consultancy and project solutions will be pivotal as we expand our offering in this area.”
“I’m really looking forward to enhancing both McGregor Boyall’s recruitment and consultancy solutions across the UK and internationally,” added Witham. “I truly believe McGregor Boyall has a unique brand to take to market to integrate value-add talent solutions and contingent recruitment.”
We surveyed 1,500 employers to gather data on current hiring trends, returning to the office, skills in demand and the impact the global pandemic is having on salaries and rates. We are pleased to be able to present the results below:
Working from home has been vital to slow transmission of the coronavirus. However, a new threat has emerged: increased online activity, use of new applications and less secure home networks are opening up individuals and organisations to a host of cyberattacks.
According to a recent Forbes article, in an analysis of the first 100 days of the COVID-19 crisis, security firm Mimecast reported a 33% increase in detected cyberattacks – including spam (+26%), malware (+35%), impersonation (+30%) and blocked URL links (+56%). Certain industries are being particularly targeted, such as healthcare (e.g. the World Health Organisation has reported a fivefold increase in cyberattacks, and PPE-themed scams have increased) and banking (increased use of online banking presents many opportunities for hackers – such as exploiting new users who may not be familiar with the service).
A recent report from McKinsey highlighted the multitude of potential cybersecurity risks exacerbated by remote working. For example, changes in app-access rights (such as enabling off-site access without multifactor authentication) and use of personal devices or tools (such as a laptop without central control or an unsecured network) increase the opportunities for cyberattacks. While technology was vital to navigate our way through the COVID-19 crisis, rapid adoption of new digital offerings has increased risk. New tools such as video-conferencing have been particularly affected, with cases where an unauthorised person joins a call to steal information or cause disruption. There are also fake tech support scams – increasingly sophisticated attempts to manipulate remote workers (especially those who may be working from home for the first time) with fabricated access and other tech support issues.
The weakest point in any technical system is the person sitting behind the screen. The majority (at least half, according to Trustwave’s 2020 Global Security Report) of cyberattacks occur via social engineering, a psychological manipulation process using tactics such as sending a scam that appears to come from a trusted source. As always, cyber-criminals know how to target human vulnerabilities, and the number of phishing scams capitalising on our fear of COVID-19 has significantly increased. In addition, we are more likely to fall for a scam when tired or stressed – given the change to working from home, where many are juggling a variety of stressors, we might be even more vulnerable to these kinds of attacks right now.
What can you do?
Given that the person behind the screen represents a security weak-point, they also represent an area of improvement. We will need to learn how to practise good cyber-hygiene, similar to how we adopted thorough hand-washing and social distancing to reduce the risk of the coronavirus.
There are several excellent resources on improving cybersecurity. For example, Siemens have provided their eight top tips for cybersecurity in the home office, including only bringing home essential devices, not mixing personal and business use of devices and ensuring all software is always up to date. The Electronic Frontier Foundation provides more in-depth advice on how to spot a phishing scam.
However, while this information is useful, it can be more difficult to establish reliable cybersecurity habits. A reported three in four remote workers have yet to receive cybersecurity training, despite the clear increase in risk. More importantly, remote workers are falling for these cyber-attacks. This was recently highlighted by software development company GitLab, who found that 1 in 5 of their own remote-working staff exposed user credentials by replying to a simulated phishing message. Regular testing of existing cybersecurity plans in this manner can help to identify areas for improvement.
While cyber-attacks are growing ever more sophisticated, so is cybersecurity. Gamification is one fresh approach to cybersecurity training. Reading through countless tips and the odd video on cybersecurity is unlikely to translate to robust cyber-hygiene habits. However, gamified training results in increased engagement, knowledge and information retention.
Increased investment in cybersecurity may provide us with a host of interesting ideas. Cheltenham Borough Council recently announced plans for a £400 million campus development, situated next door to GCHQ, said to be the ‘Silicon Valley of the UK’. The complex will help to bridge the current skills gap and enhance the UK’s cybersecurity capacity.
Clearly, the coronavirus has highlighted a variety of cybersecurity threats. With remote working expected to continue for the foreseeable future and beyond, it is vital to address current shortcomings in security. Looking forward, the industry is an exciting one, poised for innovation and development.
Our Technology Market Insights Report & Salary Guide 2020 provides the latest insights on the market collated by our Technology Recruitment Teams, and from data collected from surveying our clients and candidates.
Our Scotland Salary Guide 2019 provides the latest salary data collated by our specialist Recruitment Teams covering:
Our England Regions Salary Guide 2019 provides the latest salary data collated by our specialist Recruitment Teams covering:
Our Technology Market Insights Report & Salary Guide 2019 provides the latest insights on the market collated by our Technology Recruitment Teams, and from data collected from surveying our clients and candidates.