28 Jan 2019

Singapore says personal details of 14,200 HIV patients were posted online

For the second time inside a year, private health information belonging to people in Singapore has been compromised.

Following a hack disclosed last summer that affected the patient records of up to 1.5 million citizens, Singapore’s Ministry of Health revealed today that personal details and the HIV-positive status of 14,200 people were posted online by a convicted fraudster.

Unlike last year’s data breach — which was caused by what appears to be a targeted cyber attack — the details this time around were exposed by unauthorized access to the ministry’s HIV Registry, which occurred in person.

Mikhy K Farrera Brochez, a U.S. citizen who spent over eight years in Singapore before being deported last year over fraud and drug-related offences, is said to have posted the information on the internet after he gained access to it via his partner Ler Teck Siang, a doctor who once led the Ministry of Health’s National Public Health Unit.

It isn’t clear where the details were posted, but the ministry said access to the leak has been “disabled.” However, since Brochez is believed to have retained the details in person, it is entirely possible that they may appear again. In a bid to mitigate that threat, the Singapore government is “working with relevant parties to scan the Internet for signs of further disclosure of the information” and “seeking assistance from… foreign counterparts.”

“We are sorry for the anxiety and distress caused by this incident. Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance,” the ministry wrote in an announcement.

It urged anyone who comes into contact with the information to turn it in and “not further share it.”

The registry lists the name, ID number, phone number, email address, HIV test results and related medical information for 5,400 Singapore nationals who were diagnosed with HIV up to January 2013. It includes the same details for 8,800 foreigners as of December 2011, and the details of 2,400 related contacts up to May 2007.

The government introduced system safeguards in September 2016 to limit the potential for rogue access to the data. These included a two-person approval process for data downloads, a dedicated workstation to prevent unauthorized access, and the disabling of portable storage devices that could be used to transport information.

Police were first alerted that Brochez was in possession of the data in May 2016. It wasn’t until two years later that they were told that he had retained the information. Despite an investigation, it was only just over one week ago that they learned Brochez had disclosed the details online.

Brochez is currently located outside of Singapore. He worked in the country between 2008 and 2016, but was charged with faking his HIV test result using Ler’s blood and using fake qualifications to earn a work permit. After completing a two-year sentence, he was deported in May 2018.

Ler is waiting on an appeal after he was handed a two-year jail term for abetting Brochez, providing false information to authorities and failing to take care of confidential information.

28 Jan 2019

Curve, the all-your-cards-in-one app, adds support for Amex

Curve, the London fintech that lets you consolidate all of your bank cards into a single Curve card and app to make it easier to manage your spending, has added support for Amex cards.

In effect the feature is being re-instated, having existed fleetingly when Curve was in testing back in 2016 before being unceremoniously blocked by American Express. The two companies appear to have finally settled their differences, which is undoubtedly good news for Curve customers who also have a U.K. Amex card.

Technically in Beta, the new Amex feature lets Curve customers add their Amex cards to Curve and spend with Amex anywhere the Curve Mastercard is accepted. This, says the fintech startup, solves the annoyance Amex card members face with some retailers not accepting Amex cards due to the card’s higher fees.

Presumably, Curve is happy to swallow these fees to better serve its customers, although we don’t know the specific commercial terms of any commercial agreement, if indeed there is one.

In further good news, Curve says that Amex card members will continue to earn American Express Membership Rewards points when they spend with their Curve card linked to Amex and will simultaneously earn Curve Rewards points, too. Curve itself offers rewards at 50 major brands, including Amazon, Uber, Tesco, Sainsbury’s, Waitrose, Ocado, Selfridges, BP and more.

This should mean that Curve customers who switch the Curve app to charge their Amex card under the hood will receive twice the rewards. Once from Curve and once from Amex per qualifying transaction.

Curve says it has been trialling Amex compatibility with its platform in closed Beta since November. During Beta testing, at least 500 Curve users spent more than £1 million on their Amex cards by paying with Curve, apparently.

Adds Curve founder and CEO, Shachar Bialick, in a telling statement: “Ensuring Amex compatibility with Curve was one of our priorities and most asked for features by our customers. However, bringing Amex back to Curve was not an easy feat. There were challenges around brand and commercials, some of which still exist.”

In a brief call, Bialick paid tribute to his team for getting Amex support across the line and to the “progressive regulatory and competitive landscape” in Europe and the U.K., which he says is fostering competition in the payments and financial space and enabled Curve to bring Amex into its platform. “We hope Amex will continue to support the interest of their customers,” adds the Curve founder.

In other words, this is likely evidence of a startup pushing up against the boundaries of Open Banking and PSD2 to innovate on behalf of customers and finding that the regulation holds water. Hopefully we’ll see more innovation to come in the months and years ahead as other fintech startups do the same.

28 Jan 2019

Naspers takes full control of Russian classifieds site Avito in $1.16B deal

South African internet conglomerate Naspers is best known for backing Chinese tech giant Tencent, but it also operates a vast network of online classifieds businesses. That network just got a little larger after Naspers took full control of Russia-based Avito through a new $1.16 billion all-cash investment to top up its ownership to over 99 percent.

Avito is Russia’s top classifieds site, claiming 10.3 million unique daily visitors. It currently has close to 47 million listings covering categories that include goods, auto, real estate, jobs and services.

The deal, which was made via Naspers’ OLX Group, takes its ownership to 99.6 percent on a fully diluted basis and values the full company at $3.85 billion.

While classifieds may sound like a very retro corner of e-commerce, it remains a growing business (just ask Facebook, which has been growing its own marketplace and giving it increasing exposure across its own network).

Particularly in emerging and developing markets, leading local players continue to find traction. In the six months ending September 30, Avito generated sales of 10.3 million rubles ($157.50 million), up 30 percent on the year before; and it operates with a 65.4 percent EBITDA margin, with listings growing 7.4 percent to 17.46 million — according to Vostok New Ventures, one of the backers who sold up in this deal.

“Avito’s talented management team, led by CEO Vladimir Pravdivy, has demonstrated the capacity to achieve remarkable growth consistently over time,” said Martin Scheepbouwer, CEO of the OLX Group, in a statement. “Business performance is excellent and we look forward to continuing this trend by further leveraging the technology, knowledge and experience from Avito within OLX Group and vice versa.”

Naspers-OLX originally took a majority stake in 2015 through a $1.2 billion investment. Before that, it had been involved in Avito as early as 2013, when the company was formed by a merger between Slando.ru and OLX.ru, two rivals that were both backed by Naspers.

Consolidating its position in companies where it’s already strong helps Naspers also use the cash from those operations to invest in newer areas of business like tapping into more on-demand services and innovations in financial services to complement the legacy areas.

“Avito is the leading online classifieds player in Russia and our decision to increase our stake reflects our belief in the long-term prospects of this great business and the Russian internet market,” said Bob van Dijk, Naspers CEO, in a statement. “This investment further strengthens our global position in online classifieds, a core focus for Naspers alongside online food delivery and fintech.”

28 Jan 2019

Monzo teams up with Flux to add itemised receipts and loyalty points

Monzo, the U.K. challenger bank that now boasts 1.5 million current account customers, has partnered with fintech startup Flux to bring itemised receipts and loyalty points to its banking app.

Due to be officially unveiled at a joint event in London on Wednesday, the new functionality means that if you’re a customer of Monzo — and once you’ve opted in — Flux will deliver digital receipts, rewards and loyalty to the Monzo app in real-time, whenever you spend at a Flux partner merchant. Currently this includes EAT, Costa Coffee, itsu, pod, and pure, while I understand a number of other major merchants are in the pipeline and could be announced quite soon.

In the long-term, Flux wants to become the proprietary technology platform for the interchange of item-level digital receipt data, but has always faced a chicken and egg problem: It needs bank integrations to sign up merchants and it needs merchant integrations to sign up banks. As I wrote when the company raised its Series A in December, cracking this problem has clearly started to gather momentum.

Noteworthy is that Monzo had actually been trialing Flux in a very small closed beta since 2017, but progress had stalled while the challenger bank built out its current account offering and figured out its “marketplace banking” strategy. Related to this is the question of how deep third-party integration should go and how wide the Monzo marketplace should cast its net in terms of the number of competing third-party products vying for attention.

To that end, the Flux integration feels pretty wholehearted. This includes a call-to-action within the Monzo app to link your account to Flux when you spend at a Flux partner merchant. On-boarding users to Flux in context — i.e. right after the point of purchase — and therefore unlocking itemised digital receipts immediately and retroactively, will very likely make opting into the feature a no-brainer.

Flux’s integration with the Barclays Launchpad app works in a similar fashion. However, within challenger bank Starling, the other Flux bank partner, no such call-to-action exists. Instead, it can only be enabled within the Starling Marketplace, which at two taps deep feels slightly buried for now.

Meanwhile, although the current focus is building receipt infrastructure, the Flux vision is much broader. By bridging the gap between the itemised receipt data captured by a merchant’s point-of-sale (POS) system and what little information typically shows up in your bank statement or mobile banking app, the startup can not only power loyalty schemes and card-linked offers, as well as give merchants much deeper POS analytics, it could also offer new types of enriched experiences for consumers.

This could in the future include letting you easily track your eating out habits, right down to item-level rather than just merchant category, as part of your general health goals. Or providing much deeper spending analytics to help you improve financial wellbeing. In other words, there’s a great deal more latent value in item-level receipt data to be unlocked yet.

Cue Matty Cusden-Ross, CEO and Founder at Flux: “Flux’s mission is to liberate the world’s receipt data in order to enrich trillions of experiences globally. Today we’re excited to be expanding our partnership with Monzo to bring automated receipts and rewards to even more people. Monzo share our vision of the future and as Flux continues to scale across bigger and bigger merchants we can’t wait to make Flux available everywhere.”

28 Jan 2019

Google and IAB ad category lists show “massive leakage of highly intimate data”, GDPR complaint claims

Male impotence, substance abuse, right-wing politics, left-wing politics, sexually transmitted diseases, cancer, mental health.

Those are just a few of the advertising labels that Google’s adtech infrastructure routinely sticks to Internet users as it watches and tracks what they do online in order to target them with behavioral ads.

Intimate and highly sensitive inferences such as these are then systematically broadcast and shared with what can be thousands of third party companies, via the real-time ad auction broadcast process which powers the modern programmatic online advertising system. So essentially you’re looking at the rear-end reality of how creepy ads work.

This practice is already the target of a legal complaint in Europe, filed under the bloc’s General Data Protection Regulation (GDPR).

The real-time bidding (RTB) complaint, which was lodged last fall by Dr Johnny Ryan of private browser Brave; Jim Killock, previously director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, alleges “wide-scale and systemic breaches of the data protection regime by Google and others” in the behavioral advertising industry.

It argues the personalized ad industry has “spawned a mass data broadcast mechanism” which gathers “a wide range of information on individuals going well beyond the information required to provide the relevant adverts”; and also that it “provides that information to a host of third parties for a range of uses that go well beyond the purposes which a data subject can understand, or consent or object to”.

“There is no legal justification for such pervasive and invasive profiling and processing of personal data for profit,” the complaint asserts.

The individuals filing the complaints have now submitted additional evidence showing lists of ad categories used by Google and online ad industry association, the Internet Advertising Bureau (IAB), that they say show sensitive inferences are systematically made.

The documents, reviewed by TechCrunch, are supplementary evidence for the two original complaints filed with the UK’s ICO and the Irish DPC last year.

The complaint action has also now been joined by Polish anti-surveillance NGO the Panoptykon Foundation — which has notified its local DPA of what it describes as “massive GDPR infringement”.

“Ad auction systems are obscure by design,” said Katarzyna Szymielewicz, president of the NGO in a statement. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure.”

Ravi Naik, partner at ITN Solicitors, who is working with the complainants, also added in a statement: “Panoptykon’s submissions add to the increasing focus on real time bidding. The complaint builds on our work before the UK ICO and Irish DPC. We foresee a cascade of complaints to follow across Europe, and fully expect an EU-wide regulatory response”.

The three content taxonomy documents that have been submitted as evidence include one used by Google and two compiled by the IAB to provide publishers with lists of ad categories.

The pair make the lists available online for publishers to download, though there’s no suggestion general Internet users are encouraged to take a look at how their online activity is sliced and diced into ad categories in order that their attention can be sold off to the highest bidder.

And while plenty of the ad categories look harmless enough — hatchback cars, pets, poetry, and so on — others, such as the ones we’ve flagged above, can be highly intimate and/or sensitive.

In Europe such sensitive data categories constitute what’s considered special category personal data — which refers to the most sensitive types of personal data, including medical information, political affiliation, religious or philosophical views, sexuality and information revealing racial or ethnic origin.

Multiple types of this special category data appear to be included in the content taxonomy lists we’ve reviewed.

Under GDPR, processing special category data generally requires explicit consent from users — with only very narrow exceptions, such as for protecting the vital interests of the data subjects (and, well, trying to sell Viagra isn’t going to qualify).

The original complaints argue that Internet users are unlikely to be aware such labels are being routinely stuck on them, let alone how widely their personal data is being shared with third parties participating in programmatic ad auctions that rely on scale for the system to function.

The RTB process does not offer Internet users an opportunity to consent to each and every personal data transaction. If it did, web browsers would be swamped with creepy requests to process intimate information about them from scores of unfamiliar companies. And there’s no reason to think people would be okay with that.

“The speed at which RTB occurs means that such special category data may be disseminated without any consent or control over the dissemination of that data. Given that such data is likely to be disseminated to numerous organisations who would look to amalgamate such data with other data, extremely intricate profiles of individuals can be produced without the data subject’s knowledge, let alone consent,” the group write in their original complaint filing.

“The industry facilitates this practice and does not put adequate safeguards in place to ensure the integrity of that personal (and special category) data. Further, individuals are unlikely to know that their personal data has been so disseminated and broadcast unless they are somehow able to make effective subject access requests to a vast array of companies. It is not clear whether those organisations have a record of compliance with such requests. Without action by regulators, it is impossible to ensure industry-wide compliance with data protection regulations.”

They cite a New Economics Foundation estimate which suggests ad auction companies broadcast intimate profiles about an average UK internet user 164 times per day, adding: “Tracking IDs and other personally specific information are not actually necessary for ad targeting but allow you to be reidentified and profiled every day.”

Here are a few more highly sensitive labels that are being attached to web users’ identities and shared with potentially thousands of bidding ad companies: special needs kids, endocrine and metabolic diseases, birth control, infertility, diabetes, Islam, Judaism, disabled sports, bankruptcy.

These categories come from v2 of the IAB’s content taxonomy.

The group has also submitted v1 of the IAB’s taxonomy as evidence, and this includes other disturbingly intimate categories — including a category for ‘incest/abuse support’.

The IAB claims to have deprecated the v1 list but the complainants say it’s still being used in the IAB’s latest ad auctioning system.

We’ve reached out to the IAB Europe for comment.

Filing this new evidence, the complainants argue it underlines “the unreasonable degree of intimacy of the personal data broadcast in ad auctions”.

“The evidence we file today illustrates that the IAB and Google ad auction system can broadcast remarkably intimate details about what you watch, listen to, and read online. ‘Special category’ personal data like this enjoys special protections in the GDPR. I believe this raises the stakes of our complaint,” Brave’s Ryan told TechCrunch.

“Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case. Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated as though it’s a simple fact of life online. It isn’t: and it both needs to and can stop,” added Veale in a statement.

The original IAB lists can be downloaded as a spreadsheet here (see tab 2 for the v1 list; and tab 1 for v2), while PDF versions of the IAB lists with special category and sensitive data highlighted can be viewed here (v1) and here (v2).

Google’s original document can be downloaded here from developers.Google.com. (A marked up version highlighting the special category data is also available from Brave here.)

We’ve also reached out to Google for comment on the latest development in the complaint.

After being sent the category lists for review, an ICO spokesperson told us: “The ICO and our partner authorities on the European Data Protection Board are already engaged on various issues relating to Google and we are engaging with the industry more widely. We are considering the concerns that have been raised with us.”

The agency has made online behavioral advertising a key priority, noting in its Technology Strategy that it’s probing web and cross device tracking, and citing examples including device fingerprinting, browser fingerprinting and canvas fingerprinting.

“This is likely to continue as more devices connect to the internet (IoT, vehicles etc) and as individuals use more devices for their online activities,” it writes in the strategy document. “These new online tracking capabilities are becoming more common and pose much greater risks in terms of systematic monitoring and tracking of individuals, including online behavioural advertising. The intrusive nature of the technologies in combination drives the case for this to be a priority area.”

28 Jan 2019

China’s Didi teams up with state-owned BAIC to deepen electric vehicle push

Didi Chuxing, China’s largest ride-hailing startup which claims over 550 million registered users, is deepening its focus on electric vehicles after it announced a joint venture with BAIC, a state-owned automotive giant.

‘Jingju’ — as the venture is called — is a partnership between Didi and BAIC affiliate Beijing Electric Vehicle that will develop “next-generation connected-car systems” using fleet management, AI and other tech, according to an announcement made today.

The exact scope of Jingju is not clear from the details released, so we’ve asked Didi for more information. We’ll update this post with more details as and when we get them.

Didi has long talked about plans to bring more environmentally-friendly vehicles into its fleet in line with efforts across China — Shenzhen, for example, has implemented electric taxis and buses. Back in late 2017, the company announced plans for its own EV charging network and, today, it claims that it has nearly 400,000 “new energy” vehicles on its platform. Didi says it clocked up 31 million registered drivers to date, so there’s obviously a lot of work to be done to raise the EV/hybrid representation.

But BAIC is an ideal partner to make that happen. Not only is it a key automaker in China but it has pledged to stop selling fuel-powered vehicles by 2025.

The joint venture is likely to tie into Didi’s existing driver services business, which helps drivers get access to services that include leasing and purchase financing, insurance, repairs, refueling, car-sharing and more. Essentially, with its huge army of drivers, Didi can get preferential rates from service providers, which means better deals for its drivers.

That, in turn, is helpful for recruiting new drivers and growing the business which is under threat because of new regulations that look set to limit the number of people who can drive for Didi.

28 Jan 2019

BuzzFeed employees demand it pay out earned PTO to all laid-off U.S. staffers

A group of current and former BuzzFeed employees are asking the company to pay out paid time off to all recently laid-off staff. In response, Lenke Taylor, BuzzFeed’s human resources lead, said it wants to meet with staff and is “open to re-evaluating” its decision on PTO.

In an open letter to BuzzFeed CEO Jonah Peretti and editor in chief Ben Smith, signed by more than 400 employees so far, the BuzzFeed News Staff Council wrote “BuzzFeed is refusing to pay out earned, accrued, and vested paid time off for almost all U.S. employees who have been laid off.” The BuzzFeed News Council, which describes itself as “a group of employees appointed to open up the lines of communication between News employees and company management,” added that BuzzFeed is only paying out PTO to employees in California, where it is required by law.

BuzzFeed announced last week that it is laying off 250 employees, or 15 percent of its workforce. In an employee memo, Peretti said the layoffs were done to help BuzzFeed sustain growth without seeking additional rounds of funding. The company has raised almost $500 million over the past decade, including a $200 million flat round in 2016.

“This is paid time that employees accrued by choosing not to take vacation days, and instead do their work at BuzzFeed,” the letter read. “Many of the employees who have been laid off had the most difficult jobs in terms of scheduling—such as the breaking and curation teams on BuzzFeed News who regularly worked weekends and holidays, or managers who weren’t able to use vacation time because they were expected to be available to their teams.”

“For many people, paying out PTO will be the difference between whether or not bills and student loans will be paid on time and how their families are supported,” it continued. “It is unconscionable that BuzzFeed could justify doing so for some employees and not others in order to serve the company’s bottom line.”

BuzzFeed’s laid-off employees received a severance of a minimum 10 weeks pay, and benefits through April. Taylor’s response to the petition’s organizers said the company wants to meet with staff to discuss the issue:

“We would like to have a dialogue with the news staff council and staff from other departments on PTO payout. We are open to re-evaluating this decision but we think it is important for everyone to understand the tradeoffs in changing the PTO practice, how we came to the decision to offer everyone a minimum of 10 weeks salary, and the ways we’ve adjusted our severance to be fair and competitive in every state we operate,” she wrote.

Taylor added that the company will follow up with employees by the end of Monday to schedule a meeting.

27 Jan 2019

Samsung is ditching plastic packaging

Samsung Electronics said Sunday it will replace plastic packaging used for its bevy of products from mobile phones and tablets to home appliances and wearables with paper and other environmentally sustainable materials like recycled/bio-based plastics.

Samsung will start making the switch in the first half of the year. The company aims to only use paper packaging materials certified by forestry initiatives by next year. By 2030, Samsung says it plans to use 500,000 tons of recycled plastics and collect 7.5 million tons of discarded products (both cumulative from 2009).

The company said it’s formed an internal task force to come up with innovative packaging ideas that avoid plastic.

For instance, the plastic trays used to hold mobile phones and tablets will be replaced with ones made from pulp. Samsung said it will also alter the phone charger design, swapping the glossy exterior with a matte finish and eliminating plastic protection films, reducing the use of plastics.

Plastic bags used to protect the surface of home appliances such as TVs, refrigerators, air conditioners and washing machines as well as other kitchen appliances will also be replaced with bags containing recycled materials and bioplastics. Bioplastics are made from plastic wastes and non-fossil fuel materials like starch or sugar cane.

The company also committed to only using fiber materials certified by global environmental organizations like the Forest Stewardship Council, Programme for the Endorsement of Forest Certification Scheme and the Sustainable Forestry Initiative for packaging and manuals by 2020.

“The company will adopt more environmentally sustainable materials even if it means an increase in cost,” Gyeong-bin Jeon, head of Samsung’s Global Customer Satisfaction Center, said in a statement.

27 Jan 2019

BMW, Porsche, Jaguar Land Rover invest in roadside assistance startup Urgently

Urgently, the roadside assistance startup that connects car owners who need help with tow truck and other services, has raised $21 million in a Series B round that includes the venture arms of BMW, Porsche and Jaguar Land Rover.

BMW has also signed Urgently as a vendor partner for its own roadside assistance platform (known as BMW Assist) to provide roadside assistance and extended mobility services to owners of all four of its brands in the U.S, including BMW, BMW Motorrad, MINI and Rolls-Royce Motor Cars.

Urgently, founded by Chris Spanos, Surendra Goel, and Luke Kathol, doesn’t charge annual membership fees like AAA or other auto clubs. Instead, the app works a lot like Uber or Lyft. Users can request help like getting a jump start, a tow or a tire change via the app, which connects them with available services nearby. At that time, the user is shown what the towing or other service fee will be. Payments are handled within the app.

The potential for Urgently goes beyond connecting with traditional car owners. The platform is scalable, making it attractive for companies that have large fleets too. And as more electric vehicles come to market, there may be more demand for roadside assistance services like mobile charging.

“The old model of roadside assistance must make way for a modern, more digital approach,” Kasper Sage, a partner at BMW i Ventures said. “Urgent.ly will allow OEMs around the world to provide their customers the kind of real-time and connected digital experience they now expect in everything from food delivery to ride-sharing.”

27 Jan 2019

Too few cybersecurity professionals is a gigantic problem for 2019

As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyber attacks have been in a lull in recent months and still are.

The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.

This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.

The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help.

Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40%, according to the National Initiative for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.

Global Gap of Nearly 3 Million Cybersecurity Positions

In a recent study, (ISC)2 – the world’s largest nonprofit association of certified cybersecurity pros – said there is now a gap of almost 3 million cybersecurity jobs globally – substantially more than other experts said might be the case years into the future.

Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and it’s even worse for smaller enterprises. They’re attacked more — sometimes as a conduit to their larger business partners – because their defenses are weaker.

So what kind of cyber talent are companies and government entities looking for?

Preferably, they want people with a bachelor’s degree in programming, computer science or computer engineering. They also warm up to an academic background replete with courses in statistics and math. They want cybersecurity certifications as well, and, of course, experience in specialties plagued by staffing shortages, such as intrusion detection, secure software development and network monitoring.

These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good.

Only Recently Has Formal Training Existed

Cybersecurity has long been a field that has embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science. Professionals need some training to become familiar with select tools and technologies – usually at a community college or boot camp — but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly strong candidates have backgrounds as programmers, systems administrators and network engineers.

Asking too much from prospective pros isn’t the only reason behind the severe cyber manpower shortage. In general, corporations do too little to help their cyber staffs stay technically current and even less when it comes to helping their IT staffs pitch in.

(ISC)2 formalized a study of more than 3,300 IT professionals less than 18 months ago and learned that organizations aren’t doing enough to properly equip and power their IT staffs with the education and authority to bolster their implementation of security technologies.

Inadequate Corporate Cyber Training

One key finding was that 43% of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach.

Universities suffer shortcomings as well. Roughly 85 of them offer undergraduate and/or graduate degrees in cybersecurity. There is a big catch, however. Far more diversified computer science programs, which attract substantially more students, don’t mandate even one cybersecurity course.

Fortunately, positive developments are popping up on other fronts. Select states have begun taking steps to help organizations and individuals alleviate a talent shortage by building information sharing hubs for local businesses, government and academia — all revolving around workforce development.

Georgia recently invested more than $100 million in a new cybersecurity center. A similar facility in Colorado, among other things, is working with area colleges and universities on educational programs for using the next generation of technology. Other states have begun following in their wake.

On another front, there is discussion about a Cybersecurity Peace Corps. The model would be similar to the original Peace Corps but specific to nascent cybersecurity jobs. The proposed program — which would require an act of Congress and does not yet exist — would place interested workers with nonprofits and other organizations that could not otherwise afford them and pay for their salaries and training.

Cyber Boot Camps and Community College Programs

Much further along are cyber boot camps and community college cybersecurity programs. The boot camps accept non-programmers, train them in key skills and help them land jobs. Established boot camps that have placed graduates in cyber jobs include Securest Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago.

There are also more than a dozen two-year college cybersecurity programs scattered across the country. A hybrid between a boot camp and community college program is the City Colleges of Chicago (CCC), which partners with the Department of Defense on a free cybersecurity training program for active military service members.

A small handful of technology giants have also stepped into the fray. IBM, for example, creates what it calls “new collar” jobs, which prioritize skills, knowledge and willingness to learn over degrees. Workers pick up their skills through on-the-job training, industry certifications and community college courses, and they represent 20% of Big Blue’s cybersecurity hires since 2015.

Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates. They can learn on the job, without degrees or certificates, and eventually fit in well. You can quibble with how much time, energy and work this might take. It’s clear, however, that there is no truly viable alternative.