Scramble for Non-Traditional Cybersecurity Talent Shows How Employers are Rethinking Job Requirements

Scramble for Non-Traditional Cybersecurity Talent Shows How Employers are Rethinking Job Requirements

In recent years, bachelor’s degrees have gone from giving young professionals a leg up in the job market to being a must-have credential for a wide range of careers, with college graduates taking the vast majority of new jobs created in the US since the end of the Great Recession nearly a decade ago. More recently, however, employers have begun to question whether these degrees are always necessary and dropping degree requirements for some roles.

A tight labor market and talent shortages in high-demand fields are driving this trend further. Last week, the Wall Street Journal highlighted an analysis of 15 million job ads by Burning Glass Technologies, which found that the share of job postings requiring a college degree had fallen from 32 percent to 30 percent between 2017 and the first half of 2018, down from 34 percent in 2012. Work experience requirements are also declining, with only 23 percent of entry-level jobs asking applicants for three years of experience or more, compared to 29 percent in 2012. That means there are an additional 1.2 million jobs accessible to candidates with little or no experience today than a few years ago.

With growing numbers of unfilled jobs, more companies are looking for ways to broaden their talent pool and speed up the rate at which they can fill a role. “Downskilling,” or requiring less work experience and education, is a strategy many companies have opted for to achieve this. One field in which many employers have “downskilled” to broaden their applicant pool is cybersecurity.

Read more

Discover to Offer Employees Full Scholarships for Online Bachelor’s Degrees

Discover to Offer Employees Full Scholarships for Online Bachelor’s Degrees

The credit card company Discover has launched a new program that will pay for its 16,500 employees to earn bachelor’s degrees from three partner universities in certain business- and technology-focused majors at no cost to them. Fortune’s Lucinda Shen reported about the announcement on Tuesday:

Discover says the new program, dubbed The Discover College Commitment, will cover tuition, fees, books, and supplies for U.S.-based employees. The credit card issuer will offer a full-ride specifically for courses in cybersecurity, business, and computer sciences—burgeoning areas that the firm believes could strengthen its own business while also providing a long and stable career for its workers. …

Additionally, Discover plans to cover any income taxes that may be placed on employees due to the program. Due to IRS regulations, employers may only offer up $5,250 in tuition benefits to workers tax-free.

All employees are eligible, provided they work at least 30 hours a week for the company and have not been flagged for conduct issues or severe underperformance. Discover employees can complete their degrees at the University of Florida, Wilmington University, or Brandman University. The program is similar to one just launched by Walmart late last month, which also covers online or on-campus at University of Florida, Brandman University, or Bellevue University. Walmart’s benefit allows employees to study supply chain management or business at an out-of-pocket cost of $1 per day.

Read more

Survey: Ransomware Attacks Against Businesses on the Rise

Survey: Ransomware Attacks Against Businesses on the Rise

Cybercriminals are continuing to carry out ransomware attacks on organizations at a greater frequency, according to two new reports highlighted by Cnet’s Laura Hautala this week:

According to Verizon’s annual Data Breach Investigations Report, released Tuesday, ransomware attacks doubled in the last year. That’s especially alarming considering that they doubled the year before, too. … Ransomware accounted for 39 percent of all new malware infections tallied up in the Verizon report, which looks at more than 53,000 security incidents drawn from Verizon cybersecurity customers as well as reports from the US Secret Service and an international consortium of private sector companies.

The numbers match up with findings released Monday by cybersecurity company Malwarebytes, which found that while hackers are targeting consumers with ransomware less frequently, they’re hitting businesses with more of the attacks.

The threat of ransomware was thrown into stark relief last year, when the WannaCry attack, the largest such cyberattack in history, struck over 300,000 machines in 150 countries, exploiting a vulnerability in outdated versions of Microsoft Windows to lock victims out of their computers and demand ransoms of hundreds of dollars to restore access to their documents and data. Most ransomware attacks are much less sophisticated than WannaCry, which the US government ultimately blamed on North Korea, and rely on phishing scams that trick users into handing passwords or other personal data over to hackers, who can use this information to gain control of their devices.

Phishing and ransomware are of concern for HR departments in particular, first because this part of the organization is often a soft target for cybercriminals and second because employee behavior is the main weak point in most organizations’ cybersecurity strategies.

Read more

Verizon Shareholders Want to Tie Executive Pay to Cybersecurity

Verizon Shareholders Want to Tie Executive Pay to Cybersecurity

Trillium Asset Management, an activist investment fund focused on social and environmental responsibility, has filed a shareholder proposal at Verizon that would tie executive compensation at the telecommunications giant to its performance against cybersecurity and data privacy goals:

Verizon shareholders request the appropriate board committee(s) publish a report (at reasonable expense, within a reasonable time, and omitting confidential or propriety information) assessing the feasibility of integrating cyber security and data privacy metrics into the performance measures of senior executives under the company’s compensation incentive plans. …

Currently, Verizon links senior executive compensation to diversity metrics and carbon intensity metrics. Cyber security and data privacy are vitally important issues for Verizon and should be integrated as appropriate into senior executive compensation as we believe it would incentivize leadership to reduce needless risk, enhance financial performance, and increase accountability.

The proposal points to several data breaches in the company’s recent history, including one that affected 1.5 million customers in 2016 and another affecting 6 million last year. It also expresses concern about the growing number of users whose data the company is now responsible for safeguarding following its acquisition of Yahoo and AOL, which will expand Verizon’s digital advertising reach to 2 billion people.

Read more

As EU Regulation Looms, Businesses Scramble for Data Protection Officers

As EU Regulation Looms, Businesses Scramble for Data Protection Officers

The EU’s General Data Protection Regulation (GDPR), which is scheduled to come into force on May 25, represents a massive overhaul of data privacy law throughout the bloc. The GDPR expands the reach of existing privacy regulations, applying not just to European organizations but to all companies processing the personal data of EU residents, no matter where the company is located. It also requires organizations to request users’ consent for data collection “in an intelligible and easily accessible form,” while granting EU citizens a number of new rights, including the right to access data collected about them and the “right to be forgotten,” or to have that data erased. Organizations caught violating the regulation will be fined as much as 4 percent of their annual global turnover or 20 million euros.

With the enforcement date of this massive new regulation just months away, “data protection officers are suddenly the hottest properties in technology,” Reuters’ Salvador Rodriguez reports:

More than 28,000 will be needed in Europe and the US and as many as 75,000 around the globe as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The organization said it did not previously track DPO figures because, prior to GDPR, Germany and the Philippines were the only countries it was aware of with mandatory DPO laws.

Read more

Study: Bad Moods Lead to Bad Passwords

Study: Bad Moods Lead to Bad Passwords

Cybersecurity has emerged as one of the most significant challenges of the digital workplace. Moreover, it is an issue over which organizations don’t always have full control, as it depends to such a great degree on employee behavior. New research from the University of Delaware’s John D’Arcy shows that employees’ moods can influence their cybersecurity habits, for better and for worse:

According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy. “On the flip side, if they’re in a bad mood, what you get can change from day to day,” D’Arcy said. “That makes it more likely that they will violate policy.” …

The team also examined what might cause some of these mood changes in the workplace, and ironically, sometimes the cause of the employees’ bad moods was the security policy itself. The research team calls this a security policy “backfiring.”

“Sometimes if they’re dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact,” D’Arcy said. “It’s like too much security puts employees in a negative mood, which then again makes them less likely to follow policy.”

This finding may seem ironic, but in fact it makes perfect sense, because there’s nothing employees find more frustrating than workplace policies that get in the way of them getting their work done.

Read more

How Can We Nudge Employees Toward Better Cybersecurity Habits?

How Can We Nudge Employees Toward Better Cybersecurity Habits?

It’s not uncommon to think of cybersecurity as primarily a technological challenge, but it’s really more of a human one, Alex Blau writes at the Harvard Business Review, in that cyberattacks so frequently take advantage of human error. Most of the large-scale cyberattacks that have made headlines in the past year at some point involved someone making a mistake or exercising bad judgment and accidentally giving cybercriminals access to sensitive data. Behavioral science, Blau observes, help explain why people (including your employees) have a hard time adopting good cybersecurity habits:

One major insight from the fields of behavioral economics and psychology is that our behavioral biases are quite predictable. For instance, security professionals have said time and again that keeping software up-to-date, and installing security patches as soon as possible, is one of the best methods of protecting information security systems from attacks. However, even though installing updates is a relative no-brainer, many users and even IT administrators procrastinate on this critical step. Why? Part of the problem is that update prompts and patches often come at the wrong time — when the person responsible for installing the update is preoccupied with some other, presently pressing issue.

Blau’s insight here underscores something we discovered in our recent study of organizational culture at CEB, now Gartner. When culture change efforts fail, it is sometimes because employees are unable to manage the tension between the desired change and their day-to-day workflow. Getting employees to adopt a new habit at work means understanding the tradeoffs they need to make in order to do so, minimizing those tradeoffs as much as possible, and giving employees guidance on how to manage them. When best practices in cybersecurity (or any other area where you’re hoping to change employees’ habits) get in the way of an employee doing their work efficiently, the employees is more likely to sidestep them.

Read more