<!–> DKosig/Getty Images Amid continued calls for deeper global cooperation between all stakeholders to bolster cyber defense, government officials are now debating whether multilateral relations have been effective.  Digitalization has become the new engine of economic growth for many countries, with the World Bank estimating that digital economies contribute at least 15% of global GDP. This […] More

Internet-connected technology that’s used to power smart cities makes a very tempting target for cyberattacks and local authorities need to be aware of the risks that they – and their citizens – could face if malicious hackers are able to tamper with infrastructure or services.Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly using sensors and becoming connected to the Internet of Things in an effort to collect data and provide better, more efficient services.

However, the UK’s National Cyber Security Centre (NCSC) – the cyber arm of intelligence agency GCHQ – has warned that cyber-physical systems in smart cities could be compromised by cyber attackers if they are not secured properly.SEE: Sensor’d enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)The huge volume of sensitive data being collected and stored by IoT-connected smart cities, plus the ability to disrupt, “makes these systems an attractive target for a range of threat actors,” the NCSC’s new guidance for securing smart cities warns.”These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly. Because as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” said Ian Levy, technical director at the NCSC. To help guide local authorities and protect infrastructure, organisations and people from the threat of cyberattacks that could target smart cities, the NCSC has published a series of principles that should be adhered to in order to provide these networks with the highest possible level of cybersecurity.

To start with, local authorities should understand the role of their connected place. By determining who is responsible for the connected place, what the IoT network will look like, what data will be collected, processed, stored, and shared and what operational technology is in place already, authorities can begin connecting smart cities with security in mind from the start.Authorities are also urged to understand the potential risks to the connected place. These risks range from knowing exactly what devices and software is being used to connect the place up – ensuring that it’s from a trusted, reputable vendor – to ensuring those devices are sufficiently secured when it comes to authentication. For example, a city shouldn’t be rolling out IoT devices across the network if those products still have a default username and password, as that would make them an easy target for cyber attackers, particularly if data is “collected or processed in a dumb way,” said Levy.SEE: Wi-Fi hotspots, pollution meters, gunshot locators: How lampposts are making cities smarterSmart cities are supposed to help improve services for people, but being irresponsible with data storage could result in privacy violations and poorly implemented security could allow cyber attackers to interfere with services and systems people need.”We hope these principles will help designers, owners and managers of connected place systems to make well-informed cybersecurity choices,” said Levy. While the NCSC guidance doesn’t refer to any particular potential cyber-threat actor, the director of GCHQ recently warned that the emergence of China as technology producer means that the UK and other countries could face challenges if organisations – or local authorities – become reliant on devices and software made in the country.”States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” said Jeremy Fleming. MORE ON CYBERSECURITY More

Burnout has become endemic in the tech industry.
Image: Westend61/GETTY
With the number of data breaches in 2021 soaring past that of 2020, there is even more pressure on security teams to keep businesses secure in 2022. But at a time when strength and resilience have never been more important, burnout, low staff morale and high employee turnover could put businesses on the backfoot when attempting to manage the mounting cybersecurity threat.Employers are already face something of a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks escalating worldwide, but employers face the added pressure of a tightening hiring market and record levels of resignations that are also affecting the tech industry.

This battle for talent could hit cybersecurity particularly hard. According to a survey of more than 500 IT decision makers by threat intelligence company ThreatConnect, 50% of private sector businesses already have gaps in basic, technical IT security skills within their company. What’s more, 32% of IT managers and 25% of IT directors are considering quitting their jobs in the next six months – leaving employers open to a cacophony of issues across hiring, management, and IT security.SEE: Cybersecurity is tough work, so beware of burnoutMany employees are being lured away by the prospect of better pay and more flexible working arrangements, but excessive workloads and performance pressures are also taking their toll. ThreatConnect’s research found that high levels of stress were among the top three contributors to employees leaving their jobs, cited by 27% of survey respondents. Burnout threatens cybersecurity in multiple ways. First, on the employee side. “Human error is one of the biggest causes of data breaches in organisations, and the risk of causing a data breach or falling for a phishing attack is only heightened when employees are stressed and burned out,” says Josh Yavor, chief information security officer (CISO) at enterprise security solutions provider Tessian.A study conducted by Tessian and Stanford University in 2020 found that 88% of data breach incidents were caused by human error. Nearly half (47%) cited distraction as the top reason for falling for a phishing scam, while 44% blamed tiredness or stress.”Why? Because when people are stressed or burned out, their cognitive load is overwhelmed and this makes spotting the signs of a phishing attack so much more difficult,” Yavor tells ZDNet. Threat actors are wise to this fact, too: “Not only are they making spear-phishing campaigns more sophisticated, but they are targeting recipients during the afternoon slump, when people are most likely to be tired or distracted. Our data showed that most phishing attacks are sent between 2pm and 6pm.” Carlos Rivera, principal research advisor at Info-Tech Research Group, says the role exhaustion plays in making a company susceptible to phishing attacks should not be shrugged off or underestimated. It is, therefore, good practice to create a simulated phishing initiative as part of an organization’s security awareness programme, he tells ZDNet.”This program can be optimized by enforcing an hour’s worth of training per year, which can be carved into five-minute training sessions per month, 15 minutes a quarter,” says Rivera. “In order to have the most impact on your training effectiveness, base it on topics stemming from current events that typically manifest as tactics, techniques and procedures used by hackers.”SEE: Cybersecurity training isn’t working. And hacking attacks are only getting worse A report by analyst Gartner recently argued that the role of the cybersecurity leader needs to be “reframed” from one that predominantly deals with risks within the IT department to one that is responsible for making executive-level information risk decisions and ensuring business leaders have comprehensive cybersecurity knowledge.The analyst predicts that 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. This would mean that cybersecurity leaders will have less direct control over many of the IT decisions that would fall within their remit today.”Cybersecurity leaders are burnt out, overworked and in ‘always-on’ mode,” said Sam Olyaei, research director at Gartner. “This is a direct reflection of how elastic the role has become over the past decade due to the growing misalignment of expectations from stakeholders within their organisations.”Yavor also says it is critical to consider how burnout affects security teams and the knock-on effects for the wider organization. According to Tessian research, security leaders work an average of 11 hours extra per week, with one in 10 leaders working up to 24 hours extra a week. Much of this time is spent investigating and remediating threats caused by employee mistakes, and even when they’ve logged off, some 60% of CISOs are struggling to switch off from work because of stress.”If CISOs are experiencing this level of burnout, imagine the impact this has on the wider organisation as well as the people they work with. You’re going to lose good people if teams are constantly burned out.”Glorifying overworkThe culture around cybersecurity also needs to change, which Yavor believes wrongly idolizes overtime and sacrificing personal wellbeing for the sake of the company. “As security leaders, some of our most exciting stories include pulling all-nighters to defend the organisation or investigate a threat. But we often fail to acknowledge that the need for heroics usually indicates a failure condition, and it is not sustainable,” he says.”As leaders, it’s critical that CISOs lead by example and to set their teams up for sustainable operational work. Ensure there is confidence in the boundaries that are set – when you’re off call, you’re off call – and that the whole team feels supported.”Rivera points out that the growing popularity of remote working might be increasing the tendency of staff to put in longer hours, which may “contribute to burnout, unaccounted absences and in some cases, higher than expected turnover.”SEE: Tech workers are frustrated and thinking about quitting. Here’s what might persuade them to staySecurity and tech teams should work with other departments to bring organizational awareness to the issue of burnout and overwork, Rivera says, which can help managers identify single points of failure and instil a culture of resiliency within the company.This approach includes adopting a “left-shift mindset” within the development environment, where burnout and stress can lead to errors slipping through the gaps and making their way into published code. “Organizations will face the least risk when introducing security as early as possible in the development process and leveraging tools to automate and support this goal,” says Rivera.On the technical front, building a continuous improvement/continuous delivery (CI/CD) pipeline – and deploying tools such as an integrated development environment (IDE) – will give organizations the best chance of success. “An IDE will consist of a source code editor, debugger and build automation tools to provide the developer with self-service capabilities and identify errors in near real-time. IDE coupled with static analysis security testing and open-source scanning automated into the build pipeline will provide effective defect mitigation,” Rivera adds.Like any job function, communication is also critical. CISOs need to do a better job of communicating their capacity constraints, which Yavor says will set a precedent within the wider organization in admitting their own limitations.”Be comfortable in saying, ‘it’s not possible for me to do these things, with the resources and the constraints we currently have,'” he says. “There is this unfortunate trend of heroism in the security industry – and that mindset needs to change.”MORE ON CYBERSECURITY More

Getty Images Welcome to the latest installment of Ask ZDNet, where we answer the questions that stump Alexa. In the mailbag this week: A reader works from two homes that are 1,000 miles apart. Is there a way to keep the content on his two PCs identical? How do I keep two PCs in sync […] More

Organisations should use major cyber incidents as a way to think through the core of their security strategy in order to prevent or recover better from similar attacks.”A significant cyber incident is really an opportunity; because it’s an opportunity to focus on the core issues that lead to these cyber incidents,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, speaking at the UK National Cyber Security Centre’s (NCSC) CYBERUK 21 virtual conference.Neuberger said that whether it’s something like the SolarWinds sophisticated supply chain attack, or the Colonial Pipeline ransomware incident, “we know that vulnerabilities across software and hardware can bring on larger concerns”, but that looking at the core issues can help everyone improve their security.”As we look at those issues, we look at them in the frame of them – the entities conducting the cyber hacks – and us, what we need to do to build the reliance, to be able to prevent or rapidly recover from these incidents”.SEE: Network security policy (TechRepublic Premium)Cyber criminals and other malicious hackers look for vulnerabilities to exploit to infiltrate networks, so questions need to be asked to ensure that networks are as resilient as possible against attacks.”So we turn to us – which is what we need to do about it. First and above all, shifting our thinking from incident response to how do we prevent, how do we build more reliance, how do we build more secure software?” Neuberger explained.

“How do we ensure, for example, that the systems that we use to build software have best practices like multi-factor authentication, that we’ve rolled out encryption across our government systems, so that even if an adversary steals significant information, it’s difficult for them to use that information”.What much of it comes down to, is to “ensure that technology is both secure and easier to use”, she said.”But also shift our thinking to where it needs to be, which is how do we drive prevention and more security so that we have greater resilience to these hacks,” Neuberger added.Neuberger’s comments came shortly before President Joe Biden signed an executive order in an effort to boost cybersecurity of federal government agencies in the aftermath of the Colonial pipeline ransomware attack, the SolarWinds attack and zero-days in Microsoft Exchange leaving many vulnerable to cyber attacks.It mandates that agencies have 180 days to implement multi-factor authentication, as well as encrypt data – and agencies which can’t meet the deadline will have to explain why they can’t in writing.MORE ON CYBERSECURITY More