Into the Breach
Cybersecurity experts say there’s still plenty of misunderstanding when it comes to the reality of data threats. For example, it’s not just big companies being attacked — these days, everyone is a target, and data thieves are becoming more subtle and savvy with their methods. That means companies need to be more vigilant — but it also means career opportunities abound in a field that desperately needs more young talent.
Everyone knows what cybersecurity is. Fewer know what people who work in the field actually do — and how much they earn.
And that’s a problem, Tom Loper said, when it comes to drawing young talent into a field that desperately needs it — and will need it for many years to come, as the breadth and complexity of data threats continue to evolve.
“That’s why we need to start with the high-school students,” said Loper, associate provost and dean of the School of Science and Management at Bay Path University. “They don’t really understand cybersecurity, and that’s a big problem because we have this incredible shortage of folks qualified to work in cybersecurity.”
Bay Path is doing its part, he said, not only with two undergraduate programs in the field and a graduate program in cybersecurity management, but by actively promoting those tracks to incoming students with undecided majors.
“We allow them to take cyber courses that first semester just to try it out, and the whole faculty is steering them toward it because the pay is so good in this field. Most of the ones who take it, believe it or not, they stay in that field,” he said, noting that about 90 students are currently enrolled in the three programs. “That’s a pretty good number for a small school like this. Now, we’re trying to get more high-school students to understand.”
“Companies are becoming more savvy. They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked.”
Loper said Bay Path’s programs are tailored specifically to the requirements of various cybersecurity careers, so students can get entry-level jobs immediately and go on to earn whatever further industry certifications they may need. “We have graduates making $60,000 to $80,000 coming out of school with these degrees. And if they get some experience before graduation, they’re worth even more.”
To that end, Bay Path recently won a grant from the Mass Cyber Center at MassTech to support internship and workforce experiences for students. That’s just one aspect, he said, of the way the region can build a cybersecurity hub from what he calls an “ecosystem perspective,” one that encompasses high-school and college students, workforce-development programs, government agencies, and business sectors where cybersecurity is important. These days, that’s most of them.
“Companies are becoming more savvy,” said Mark Jardim, lead engineer at CMD Technology Group in East Longmeadow. “They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked. But they are calling us and saying, ‘how can we be more protected?’”
Chris Rivers, vice president of Phillips Insurance in Chicopee, agreed that more companies are coming around to the threat potential.
“It sometimes depends on whether they’ve had an incident or a near miss,” he said, adding that, while people may hear news reports about data breaches at large companies, no business of any size is totally immune.
In fact, “smaller businesses tend to have less security, and sometimes it’s easier for hackers to get in there, taking credit-card information or any type of information, really. Think of a law office, and the risk of private information being taken and used against clients.
“Things we’ve preached over the years still hold true — they just keep changing the vector of attack. And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”
“If you have a breach and data is stolen,” Rivers added, “it can get pretty costly.”
Data security has become a primary form of business insurance at all commercial agencies, but a policy to recover damages, even a comprehensive one, isn’t enough; the long-term brand damage, Rivers noted, is much harder to quantify. “Once your reputation is gone, it’s gone.”
The fact that businesses are catching on to this reality, combined with high-tech advances that will making defending against cybercrime more challenging, has created significant opportunities in what promises to be one of the most important career fields over the next decade.
Charlie Christianson, president of CMD and its sister company, Peritus Security, said data breaches cost companies $11.5 billion in 2019. And the threats come in many forms.
“Things we’ve preached over the years still hold true — they just keep changing the vector of attack,” he told BusinessWest. “And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”
The human element to data breaches is still prominent, as e-mail phishing schemes remain the number-one way cybercriminals gain access to networks. These often arrive with URLs that are very close to a legitimate address. More importantly, phishers are ever-honing their ability to replicate the tone, language, and content of the supposed sender.
“They look incredibly realistic,” Christianson said. “A week doesn’t go by where we don’t get one and say, ‘wow, this looks good.’ For people who don’t live it every day, it can be very easy to fall into the trap. The trick is to just stop and think about it before you click on it.”
These attacks are more specific and targeted in the past, he went on, but they’re not the only way data thieves are getting in. Another is through employees’ personal devices, which don’t typically boast the security features of a large corporate system.
“Devices are hit and used to launch an attack, or they’re infected and brought into a secure environment. What’s on that device can get into the corporate network and spread,” he explained, which is why many companies have tightened up their BYOD (bring your own device) policies.
“That’s slowing down as businesses are becoming aware of the risk,” Jardim added. “We’re actually seeing a trend of slowing down the bring-your-own-device idea in the workforce; companies are saying, ‘maybe we shouldn’t do that because attackers are using those vulnerabilities.’”
The trend known as the internet of things, or IoT, poses new threats as well, Christianson said.
“When people think about securing their network, they think about their computers, their servers, their tablets, things like that. But they don’t think about the SimpliSafe security system or the time clock that hangs on the wall or the voice-over-IP phone system they use every day. You have all these devices that aren’t being maintained — they just let them run.”
He knows of one company that was attacked through its security-camera system, and said segmenting networks is one way to minimize such a threat. “That shouldn’t be on same network as your finances.”
The defenses against breach attempts are myriad, from password portals and multi-factor verification of online accounts to geoblocking traffic coming from overseas.
“A lot can be done with training,” Christianson said. “The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”
It’s definitely a challenge, Jardim added. “We have to protect every single door and window, we have to be right 100% of the time, and a hacker just needs to find one vulnerability.”
Cultivating an Ecosystem
That list of threats and defenses — which only skims the surface — drives home the need for a more robust cybersecurity workforce, Loper said.
“We believe you have to take a regional approach to cybersecurity,” he noted. “We don’t believe you can just think of yourself as island unto yourself. Whether you’re a big organization or a small organization, you’re part of the supply chain, and there are opportunities for breaches. Everyone is connected.”
Boosting workforce-development programs is one spoke on the wheel. “It needs more attention. At one point, we didn’t have enough tool and die makers. The Commonwealth got behind it, and now we have enough. Something like that is going to happen in the high schools, and across this region, where we’re retraining people to work in this space just because there are so many opportunities.”
“The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”
One plan is to develop a ‘cyber range,’ which is a simulated IT environment that emulates the IT structure of businesses, Loper explained. “We can bring people into the cyber range and help them deal with threats to a simulated environment.”
All these strategies are running headlong into the rise, in the very near future, of 5G wireless connectivity, which will dramatically increase data speed — and perhaps security threats as well.
“The threat we have now is going to go on steroids with 5G and with IoT,” Loper said. “The opportunties for business development will be greater than ever, and the opportunities for penetration will be greater than ever as well. It’s amazing what’s happening with 5G — it’s mostly good, but pretty darn challenging.”
Those threats provide business for commercial insurers, and that coverage is important, Rivers said, but businesses have to think about their own common-sense defenses as well.
“As we do renewals or reach out to clients, we try to bring out what policies are available to them to protect them from different things,” he noted. “It’s easy for us to recommend everything, but there’s a cost, so we try to inform them what’s out there so they can make decisions — ‘do I want this? Do I want that?’”
Rivers cited a statistic from Philadelphia Insurance Companies, which reports that the average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public-relations expenses to rebuild an organization’s reputation.
“It’s one thing to take the data out, but when your brand is affected because you’ve had this incredible breach, that’s something else,” Loper added. “Your brand is what people think it is; it’s not what you think it is, like in the old days. Now, just look on social media, and that tells you what your brand is. Cybersecurity is one of those things that, if not done properly, can undermine your brand so quickly.”
In the end, Jardim said, the idea is to minimize risk.
“I always joke, the most secure machine is one that’s shut off in a locked room, but you have to find a balance,” he said — one that employs measures from simple common sense to choosing the right firewall.
“We see clients who have $5 million businesses buying a $100 firewall from Staples. You’re not going to protect your infrastructrure with that. You need the right equipment for your size. You need professional stuff for your business — you can’t use the same equipment you buy for your house for your business.”
“Well, you can,” Christianson added quickly, noting just one more way people might take a limited view of cybersecurity threats — and come to regret it.
Joseph Bednar can be reached at [email protected]