Digital4Security Taster Workshops - Workshop 5: Designing and Deploying CTF Cybersecurity Challenges

Cyber Training Urgency

Cyber threats have intensified, with 2025 seeing a surge in attacks that disrupted global operations. Ransomware strikes on United Natural Foods and Ingram Micro halted food distribution and tech logistics for weeks, while China's Salt Typhoon campaign infiltrated U.S. telecoms, raising national security alarms. These incidents, coupled with a projected 4.8 million shortfall in cybersecurity professionals by 2026, reveal a critical vulnerability: the lack of skilled talent to counter evolving dangers.

Recent changes amplify the urgency. The global cybersecurity workforce stands at 5.5 million, but demand requires an 87% increase to fill gaps in areas like cloud security and AI defense. In the EU, the Cyber Resilience Act (CRA) introduces mandatory reporting of exploited vulnerabilities starting 11 September 2026, with early warnings due within 24 hours. This follows NIS2 Directive transpositions, where non-compliance could lead to fines up to 2% of global turnover. Meanwhile, AI's dual role—empowering attackers with sophisticated phishing while aiding defenders—has widened the 'cyber equity' gap, with sub-Saharan Africa and Latin America facing 70% skills shortages.

The real-world impact spans industries. Healthcare breaches, like the Hospital Sisters Health System incident affecting 882,000 patients, eroded trust and incurred recovery costs averaging $9.77 million. Automotive giants like Jaguar Land Rover faced production halts lasting five weeks, rippling through 5,000 suppliers. Small and medium enterprises (SMEs), often under-resourced, suffer disproportionately, as seen in the UK's Dodd Group hack exposing Ministry of Defence data. Inaction risks cascading failures: supply chain breakdowns, data theft affecting millions, and geopolitical leverage for adversaries.

Concrete stakes include looming deadlines and steep consequences. By mid-2026, EU member states must designate critical entities under the Critical Entities Resilience Directive, mandating resilience plans within nine months. Costs of breaches ballooned, with ransomware payments up 500% in 2025. Risks of delay? Regulatory penalties, lost revenue—Marks & Spencer saw profits plummet from £391.9 million to £3.4 million post-attack—and reputational damage that deters investors. Globally, cyber-enabled fraud hit 73% of networks in 2025, via phishing and smishing.

Non-obvious angles include trade-offs in training approaches. CTF challenges, while effective for simulating attacks and fostering critical thinking, may prioritize jeopardy-style puzzles over holistic strategies, potentially sidelining non-technical roles like compliance officers. Tensions arise between voluntary EU certifications and de facto mandates via procurement, pressuring SMEs. Surprising data shows CTFs attracting broader demographics, including career changers, yet global inequities persist: North America and Europe lead in resources, while developing regions lag. AI tools could bridge this, but their adoption risks creating new vulnerabilities if not governed properly.