The scale of cyberattacks seen today is both unprecedented and harrowing. Crucial sectors including healthcare, finance, and education have found themselves increasingly under attack, with hackers leaving behind a trail of breached systems, stolen data, and disrupted operations.
In the healthcare sector alone, the statistics speak for themselves: last year businesses and institutions experienced 809 data breaches, a 136% increase on the prior year, with over 56 million individuals affected. The financial sector was not far behind, with 744 breaches impacting 61 million people. These numbers are a serious reminder that no organisation is immune, least of all those in critical sectors.
Addressing the workforce gap
The global cybersecurity workforce gap has only served to exacerbate this problem. There’s no point investing in cost-intensive security measures if a business does not have the right staff and knowledge to implement them correctly. Within the United Kingdom, for example, around 44% of all businesses have skills gaps in basic technical areas, following a similar trend seen across the globe.
When it comes to establishing a robust cybersecurity workforce, businesses find themselves in a challenging position: they are drawing from a shrinking pool of experts, and those available can command a hefty price. According to the World Economic Forum, this shortage of cybersecurity professionals has arisen from the following issues: a lack of distinct career paths, outdated training, costly certifications and a high level of job stress.
Thankfully, action is being taken to remedy this issue. Returning to the United Kingdom, there have been significant improvements in training new talent, with the number of cybersecurity graduates having increased by 34%. This has played a part in the 32% decrease in the number of cyber job postings across the country between 2020 and 2023, though it’s important to note that a number of economic factors, such as job cuts, have also affected this figure.
The comprehensive training programs and competitive compensation offered by businesses are helping to fill critical roles and foster loyalty and retention. Upskilling existing employees not only empowers them with cybersecurity expertise tailored to a company’s specific needs, but offers new career pathways employees may have never considered previously.
An internal talent pipeline is often more effective and economical than seeking external hires – employees trained in-house are familiar with the company’s systems, workflows, and culture, making them better equipped to identify and address vulnerabilities. Combining a skilled workforce with preventative measures such as regular audits, testing, and continuous software updates creates a multi-layered defence capable of thwarting even the most sophisticated attacks.
Setting the right standard for security
Training and education are vital, yet they are just one cog in the entire system. To protect operations while upskilling their workforce, businesses must consider adopting a ‘trusted computing’ approach. This includes the adoption of the latest standards, specifications and technologies available from organisations like the Trusted Computing Group (TCG). Free to use and designed for all modern systems, networks, and devices, these standards are already helping to enhance security measures across all sectors.
A prime example is the Trusted Platform Module (TPM), a low-cost, secure Root of Trust (RoT) which delivers secure operations through the protection of a user’s identity and sensitive data. With a TPM, elements of a device’s firmware and software are hashed before they are executed, and validated at server level when the system attempts to connect to a network. Should the details not match, the device will simply not boot up. The signing and verifying done by the TPM ensures that the key security building blocks of verification, data protection, identity and attestation are built into a company’s systems.
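To make the measure-then-validate flow above concrete, here is an added example (not code from the article, TCG or NVIDIA) that simulates TPM measured boot in Python: each boot stage is hashed before it runs, the hash is folded into a Platform Configuration Register with the TPM extend operation, and a server compares the reported register value against a known-good (“golden”) value before admitting the device. The boot images, stage names, and the `verify_attestation` function are constructed for illustration; the TPM’s signature over the register values (the attestation “quote”) is omitted so the block runs offline.

```python
import hashlib

# Constructed sample boot chain: (stage name, stage image bytes). On a real
# platform these are the firmware, bootloader and OS images measured before
# each stage executes.
BOOT_STAGES = [
    ("firmware", b"example firmware image v1"),
    ("bootloader", b"example bootloader image v1"),
    ("kernel", b"example kernel image v1"),
]

PCR_INITIAL = bytes(32)  # a SHA-256 PCR is all zeros at platform reset


def measure(image: bytes) -> bytes:
    """Hash a component before it runs; the digest is the 'measurement'."""
    return hashlib.sha256(image).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement).
    A PCR can only be extended, never written directly, so its final value
    commits to every measurement and to the order they were made in."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(stages):
    """Replay a boot: measure each stage, extend the PCR, and keep an event
    log so a verifier can reconstruct the PCR value later."""
    pcr = PCR_INITIAL
    event_log = []
    for name, image in stages:
        m = measure(image)
        event_log.append((name, m.hex()))
        pcr = extend_pcr(pcr, m)
    return pcr, event_log


def verify_attestation(reported_pcr: bytes, event_log, golden_pcr: bytes) -> dict:
    """Server-side check (constructed for this example):
    1. the event log must replay to the reported PCR value, and
    2. the reported PCR must equal the known-good value.
    Either failure means the device should not be admitted to the network.
    A real verifier would first check the TPM's signature over the PCRs."""
    pcr = PCR_INITIAL
    for _name, m_hex in event_log:
        pcr = extend_pcr(pcr, bytes.fromhex(m_hex))
    log_consistent = pcr == reported_pcr
    matches_golden = reported_pcr == golden_pcr
    return {
        "log_consistent": log_consistent,
        "matches_golden": matches_golden,
        "admit": log_consistent and matches_golden,
    }


# Golden value: computed once from the reference images and stored server-side.
GOLDEN_PCR, _ = measure_boot(BOOT_STAGES)


def tampered_stages():
    """The same chain, but with the bootloader image modified."""
    return [(n, img + b" TAMPERED" if n == "bootloader" else img) for n, img in BOOT_STAGES]


if __name__ == "__main__":
    good_pcr, good_log = measure_boot(BOOT_STAGES)
    print("clean boot:   ", verify_attestation(good_pcr, good_log, GOLDEN_PCR))
    bad_pcr, bad_log = measure_boot(tampered_stages())
    print("tampered boot:", verify_attestation(bad_pcr, bad_log, GOLDEN_PCR))
```

Two things the simulation shows that the paragraph does not spell out: a single modified byte in any stage changes every later PCR value, so the golden comparison fails even though the event log is internally consistent; and a log that does not replay to the reported value is rejected on its own, which is how a verifier catches a device that reports a clean PCR but an edited history.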
A Device Identifier Composition Engine (DICE) can also be used in cases where a TPM would be too large or otherwise unsuitable for a device or its architecture. A more lightweight solution, DICE implements the same key security protocols as the TPM, and provides the ability to create cryptographically secure identities and verify software in newer devices. At the foundation of the DICE architecture lies a secret known as the Unique Device Secret (UDS), protected by a layered security approach. Each layer independently creates its own unique secret, derived from the UDS; if one layer is compromised during an attack, the secret the attacker uncovers cannot be used to compromise the others, limiting the potential damage. Device integrity is also preserved by DICE through its ability to re-key should malicious code ever be detected.
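The layered derivation described above, as an added example that is not code from the article or from TCG: each layer derives the next layer’s Compound Device Identifier (CDI) by keying an HMAC with its own secret and feeding in the measurement of the code it is about to hand control to. Because HMAC is one-way in its key, a CDI recovered from a compromised layer does not reveal the layer beneath it, and because the measurement is an input, a modified image produces an unrelated CDI (the re-key behaviour). The UDS value, layer images and labels are constructed; the derivation is a simplification of the DICE specification, not its reference implementation.

```python
import hashlib
import hmac

# Constructed Unique Device Secret. In hardware it is provisioned at
# manufacture and locked away once the first DICE layer has run.
UDS = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Constructed boot layers: each entry is the code image of the layer loaded next.
LAYERS = [
    ("layer0_firmware", b"example DICE layer 0 image"),
    ("layer1_loader", b"example DICE layer 1 image"),
    ("layer2_app", b"example DICE layer 2 image"),
]


def derive_cdi(parent_secret: bytes, next_layer_image: bytes, label: bytes) -> bytes:
    """Compound Device Identifier for the next layer:
        CDI_n = HMAC-SHA256(key = CDI_{n-1}, data = H(image_n) || label)
    Keyed with the parent's secret, so CDI_n cannot be run backwards to
    CDI_{n-1}; bound to the image measurement, so changed code yields a
    different CDI."""
    measurement = hashlib.sha256(next_layer_image).digest()
    return hmac.new(parent_secret, measurement + label, hashlib.sha256).digest()


def derive_chain(uds: bytes, layers):
    """Walk the layers in boot order; each derives the next layer's CDI."""
    chain = []
    parent = uds
    for name, image in layers:
        cdi = derive_cdi(parent, image, name.encode())
        chain.append((name, cdi))
        parent = cdi
    return chain


def layer_secrets(uds: bytes, layers):
    """Just the CDI values, in boot order."""
    return [cdi for _name, cdi in derive_chain(uds, layers)]


def identity_key(cdi: bytes) -> bytes:
    """A per-layer identity secret derived from its CDI (constructed label).
    A real implementation would seed an asymmetric key pair from this."""
    return hmac.new(cdi, b"device-identity", hashlib.sha256).digest()


def with_modified_layer(layers, target: str):
    """Simulate malicious or patched code in one layer."""
    return [(n, img + b" MODIFIED" if n == target else img) for n, img in layers]


def compare_chains(a, b):
    """Per-layer equality between two CDI chains."""
    return [x == y for x, y in zip(a, b)]


if __name__ == "__main__":
    clean = layer_secrets(UDS, LAYERS)
    modified = layer_secrets(UDS, with_modified_layer(LAYERS, "layer1_loader"))
    for (name, _), same in zip(LAYERS, compare_chains(clean, modified)):
        print(f"{name}: {'unchanged' if same else 'RE-KEYED'}")
    print("layer2 identity:", identity_key(clean[-1]).hex()[:16], "...")
```

Modifying the loader leaves layer 0’s secret untouched but changes the loader’s CDI and every CDI derived after it, so the tampered software never obtains the identity the untampered device would have had, and a verifier holding the expected identity will reject it. The same property is what makes a leaked layer-2 secret useless for impersonating layer 0 or layer 1.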
There is also the Cyber Resilient Module and Building Block Requirements (CyRes) specification, created to reduce malware persistence and protect critical code and data stored in devices and systems. In the event an attack compromises these, CyRes provides the means to recover a system to a reliable state from before the compromise, helping operations restart quickly and reducing the negative effects of the attack.
Creating a security-led culture
These standards and specifications work hand in hand with the intensive training initiatives being launched by governments and educational bodies across the globe. In fact, organisations like the TCG have become increasingly aware of the benefits of these efforts, and have begun to roll out their own training initiatives to better prepare the next generation of cybersecurity experts.
The courses offered by businesses typically target their employees, teaching them good practices for recognising phishing attempts, ensuring good password hygiene, and reporting suspicious activities to relevant bodies. This high-level approach is a good start, and may interest people in taking more technical classes developed by standards organisations.
Training programs such as the courses created by TCG and OpenSystemsTraining 2 are pivotal in letting software developers and interested parties hone their cybersecurity skills and gain direct access to the latest standards and specifications, such as the TPM. Often lab-driven and requiring no prior experience with standards, these courses can help users discover innovative security applications and learn how to leverage key technologies to bolster software and hardware security. The result? Users learn a vast new set of skills that would previously have taken months or years of training, while the time needed to adopt standards is also reduced. This goes a long way towards reducing the cybersecurity skills gap while making security measures more accessible to businesses.
Cybersecurity cannot be a one-time investment or a compliance checkbox; it must become an ingrained part of organisational culture. By embedding trusted computing in every process and decision, businesses can move from being reactive to being proactive. From adopting trusted technologies to investing in a skilled workforce, resilience now requires a multifaceted approach, especially if businesses are to overcome the shortage of security professionals. The message is clear, and the stakes are too high to ignore: cybersecurity is not just about reacting to threats; it is about anticipating them and staying ahead in an increasingly dangerous digital world. The steps being taken are a good start, but more can always be done.
About the Author
Thorsten Stremlau, CISSP, is a Distinguished Engineer and Systems Principal Architect at NVIDIA. He is responsible for technical strategies for components, devices, software and cloud services. In this role, Thorsten identifies and drives the integration of current and future technologies into the product development process, and specifically drives innovation in the security capabilities of NVIDIA’s portfolio.
Thorsten’s career has been dedicated to identifying solutions and strategic implementations for customers in all aspects of IT. An engineer for nearly 25 years, he has drawn on his broad experience to assist thousands of customers in digitally transforming their environments using advanced technology.
Thorsten holds a Bachelor in Industrial Manufacturing/Finance. Thorsten lives in North Carolina with his family.
Thorsten can be reached online at [email protected] or [email protected] and at our company website https://trustedcomputinggroup.org/