Cybersecurity

Strengthening the Lines of Defense

Peter Sherlock says the numbers certainly help tell the story.

There are roughly 26,000 employed in Massachusetts today in what would be called the cybersecurity sector. And there were, at the precise moment we talked with him, exactly 18,263 openings in that realm, a number that goes up seemingly every day.

That means this sector has about two-thirds the number of qualified individuals it needs, said Sherlock, adding that the dire need to close that gap was one of the motivations behind the creation of CyberTrust Massachusetts, which he now serves as CEO.

Another motivation was to make the state’s businesses, institutions, and municipalities more cyber-secure at a time when the number of victims of cyber and ransomware attacks — like the number of job openings in this sector — keeps going up.

Peter Sherlock

How CyberTrust is going about these assignments, which overlap in many different ways, as we’ll see, will be among the focal points of Sherlock’s presentation at the 11th annual Cybersecurity Summit at Bay Path University, set for Friday, Oct. 13 at the Mills Theatre in Carr Hall on the school’s Longmeadow campus.

Registration for the event, which has been drawing steadily larger audiences because of the importance of the subject matter, is required. Individuals can register at baypath.edu/summit, and attend either in-person or remotely.

The working title for the program is “Who’s Next? How a Stronger Cyber Ecosystem is the First Line of Defense.” And Sherlock told BusinessWest that there are many elements that comprise this ecosystem, including the business sector, government, and education (the state’s colleges and universities, and even its high schools and middle schools). Together, they work on those twin assignments of building the workforce and making entities more cyber-secure.

At the forefront of these efforts is CyberTrust Massachusetts, a nonprofit committed to building both opportunity and security through a consortium of statewide businesses and colleges.

“CyberTrust arose out of a long-running dialogue among business and academic leaders, with some folks in government; these were discussions centered around workforce,” he said, adding that he understands first-hand the challenges of hiring — and retaining — within this sector.

Indeed, he previously served as chief operating officer of MITRE, as well as senior vice president responsible for MITRE’s defense and intelligence business.

“In my roles there, I had to worry about our annual hiring programs; trying to hire 1,000 STEM professionals every year was quite a challenge, as was retaining them,” he explained. “I would talk a lot with other executives in the Massachusetts area about the challenges of growing the pipelines in some of these technologies to keep up with the demand.

“And as the pandemic disrupted the workforce a bit more, those problems have become even more urgent,” he went on, adding that this urgency helped bring business and education together in the CyberTrust Massachusetts consortium to “move the needle,” as Sherlock put it, on not only these workforce issues, but the growing threat — in the form of cyber and ransomware attacks — to businesses of all sizes, nonprofits, institutions, and municipalities.

In his presentation at the Cybersecurity Summit, which will be followed by what is expected to be a robust question-and-answer period, Sherlock said he will address a number of issues and initiatives, including the workforce challenges, efforts to activate new pathways for the talent pipeline in order to both grow and diversify the workforce, and cybersecurity approaches for municipalities across the Commonwealth.

While doing so, he will discuss how these problems intersect, and also about efforts to address them jointly, such as the security operation center, or SOC (pronounced ‘sock’ by those within this sector) that is taking shape at Springfield’s Union Station. This SOC, to be established by Springfield Technical Community College, will provide threat monitoring and other cybersecurity services for the state’s municipalities, small businesses, and nonprofits, while also creating learning opportunities for those in or seeking to join this sector at a ‘cyber range,’ a new testing lab that will mirror real-world IT environments to provide hands-on training opportunities to local companies, universities, and other cyber-focused organizations.

“While focusing on workforce, we decided we could be serving another purpose at the same time,” he explained. “As we’re training our cyber learners with hands-on experiences, we could actually put them to work securing cities and towns, nonprofits, and small businesses. We put together this rather ambitious plan to set up security operations centers at a number of universities across the Commonwealth and to infuse new cyber-range technology into these colleges and universities and enlist cyber employers from across the state into this activity.

“As we put these students into these SOCs, they’re going to be working under the supervision of cyber professionals,” he went on. “We’re going to put them to work making cities and towns more cybersecure.”

Overall, Sherlock said the workforce issue requires creative, outside-the-box thinking and efforts to encourage individuals to consider this field while they are still in high school or even middle school.

“We need to introduce new people to the cyber career field, whether it’s recruiting them from high school or getting adult career changers, and making non-cyber majors credentialed in cyber,” he said. “There are a lot of different ways to get people into the field that we weren’t working at too much.”

Sherlock said he would go into much more detail at the summit. The event itself grew out of the growing importance of cybersecurity in today’s society, the emergence of that sector, and the need to keep businesses and the community at large informed when it comes to new trends, new initiatives, and new threats, said Tom Loper, associate provost and dean in the School of Management and Technology at Bay Path.

Loper said he hopes, and expects, this year’s summit to be well-attended because of its focus on businesses and municipalities, the efforts to keep them safe from cyberattacks, and the role that they play within the emerging cyber ecosystem.

 

Cybersecurity Special Coverage

Easy Targets

 

While the technology used to prevent cybercrime has certainly become more sophisticated over the years, Paul Savas has two simple words when it comes to the human side of cybersecurity.

“Be smart.”

Unfortunately, too many people simply choose not to.

“If it looks like something’s suspect, don’t open it. Don’t click on the links. So many times, these attacks happen to people who are letting their guard down,” said Savas, vice president of Comcast Business’ Western New England Region.

“How many of us get that Amazon text — ‘there’s a question about the order in your account.’ It’s a bogus text, and you should delete it right away,” he continued. “But so many people don’t. They’re curious. ‘There’s a link … I’ll click it.’ But you have to be smarter than that.”

Then there’s the problem of password laziness.

“The biggest problem is common passwords,” said Sean Hogan, president of Hogan Technology in Easthampton. “So many people reuse passwords; they have a password that they’ve used forever, and they’ll do variations of that password. The problem is, once all the bots out there have that password or something close, they will figure out all your passwords within seconds.”

And he’s run into stubbornness when it comes to changing password habits.

“When I go out to see clients, it’s a constant struggle. One of our hardest adaptations is getting them to start going with password management or password vaulting. They keep creating their own passwords. They’ll even keep a file on their desktop that says ‘passwords,’ kind of a spreadsheet. If I’m a hacker, I love that.”

Allen Reed, assistant vice president and Information Security officer at Freedom Credit Union, has run into similar frustrations.

Allen Reed says ‘trust, but verify first’ is a good rule of thumb for clicking email links.

“At the credit union, I’m always hammering employees: ‘don’t click that link, don’t open that attachment, don’t ever click until you have verified. Trust, but verify first.’ Yes, it’s inconvenient to make a phone call to someone: ‘did I receive an email from you?’ But that’s the world we live in.”

When he talks about cybersecurity with Freedom employees, Reed says he tries to “put a little fear in them” with examples of mistakes other businesses have made, and the financial consequences. “It gets them to think a little more clearly.”

But the topic isn’t just an occasional one at the credit union. “We institute cybersecurity-awareness training on day one of their employment. In fact, we’re audited from the federal financial sector every year to make sure every employee has had security-awareness training — at least annually, but most importantly, on day one.”

Even then, Reed regularly uses his metaphorical hammer.

“We all receive email all day, every day. And the staff has to be trained over and over,” he said. “It’s like when we were young children at the stove, and we were told, ‘don’t touch the stove.’ We had to be told a thousand times before it sunk in.”

And hopefully, the message took root before a serious burn. That’s what companies of all sizes and from all sectors are dealing with today: the possibility of being badly burned by a breach.

For this issue’s emphasis on cybersecurity, BusinessWest examines why even the best-equipped networks can be compromised because of simple human error — and what employers are doing to drive that message home.

 

Growing Threats

One problem, Reed said, is that cyberthreats have changed over the years.

“In 2005, you were worried about your average teenager sitting in the bedroom after school thinking about how to hack into the CIA mainframe; they did it more for the joy of it, to be proud of it.

“Today, we’re talking about nation-states attacking. We’re talking about a government providing monetary resources, building out multi-story buildings, hiring their own citizens and providing them with pay, to attack other nations. That’s what we’re dealing with today. They attack 24/7/365.”

And their efforts have become savvier, Savas said.

“Don’t underestimate the bad actors, because they are so far ahead when it comes to social engineering and how to employ technology. They do research on social media, and they know things about you, like your dog’s name. That’s a pretty easy password to figure out. So don’t make it easy to guess.”

Sean Hogan

Some companies have unknowingly voided their cybersecurity insurance policies because they lacked a certain level of protection — not just hardware and software, but training and compliance. “Every level of protection has a cost,” Savas added, “and some companies are gambling and not being fully protected.”

Indeed, Hogan said many advances in cybersecurity are being driven by insurance companies, which are not happy about paying out for preventable mistakes.

“They don’t want the exposure,” he went on. “And they’re going to make it harder to pay off cybersecurity insurance — because that is paying out constantly. They are losing money on that; they’re realizing they sold a lot of policies where people are not doing what they should be doing. And the hackers have caught up.”

Reed noted that, going forward, most businesses will not be able to get cyber insurance coverage until they move to minimum 15-character passwords. “We moved to that four years ago because I knew it was coming.”

And not just longer passwords, or, preferably, passphrases that are easy for the user to remember but hard for anyone else to guess, but also two-factor authentication, such as a one-time code sent by text message or email that must be entered along with the password. “You have to do that,” Hogan added. “When we install a new environment for a client, they have to do multi-factor no matter what.”

In addition, “there are paid software programs that manage passwords for you and give you different passwords you can copy and paste into the program you’re trying to log into,” Reed said.

For those who choose their own passwords, replacing letters with symbols in a recognizable word — $ for S, ! for I, etc. — makes the password exponentially safer, Savas said, adding that length is still a better safeguard than complexity.

Hogan encourages letting a password vault generate passwords rather than inventing them. “I never generate my own passwords. The client shouldn’t either. So when I go to create that password, I’m going to generate a password that’s going to be random; it’s going to be extremely complex. It’s not the name of my dog. It’s not the name of my car. It’s got nothing to do with me. And it’s going to be a password just for that one website, for that one portal. And then it gets saved to a secure vault.”
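The advice above can be made concrete: Hogan’s point that “variations” of a reused password are recovered within seconds, Savas’s point that length matters more than symbol substitutions, and the vault approach of a random password per site. The following Python is an added example written for this page, not code from any of the people or companies quoted. It reduces a candidate password to the base word an attacker’s wordlist rules would try first (so a variation of an old password is flagged), gives a rough guess-effort estimate in bits, and generates a vault-style random password from the operating system’s CSPRNG. The leet table, the six-entry common-word list and the figure of 1,000 mangling rules are constructed, illustrative assumptions; real attacker lists are far larger, which only widens the gap the numbers show.

```python
import math
import re
import secrets
import string

# Leet-style substitutions that cracking rule sets undo as a matter of course.
# Assumption: a small illustrative table; real rule sets are far larger.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

# Constructed stand-in for an attacker's wordlist (pet names, seasons, "password").
# Assumption: a real list has millions of entries; the size only changes the numbers.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "fluffy", "buddy"}
MANGLING_RULES = 1000  # assumed number of variations tried per base word

DICEWARE_LIST_SIZE = 7776  # words in a standard Diceware list


def base_word(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would try first:
    drop the trailing year/digits/punctuation, undo leet substitutions, lowercase,
    and discard anything that is still not a letter."""
    stem = re.sub(r"[^A-Za-z]+$", "", password)
    stem = stem.translate(LEET).lower()
    return re.sub(r"[^a-z]", "", stem)


def is_variation(candidate: str, known: str) -> bool:
    """True when candidate is only a mangled form of an already-known password
    (e.g. 'Fluffy2023!' when 'fluffy' has leaked)."""
    base = base_word(candidate)
    return base != "" and base == base_word(known)


def guess_bits(password: str) -> float:
    """Rough attacker effort as log2(number of guesses).
    A recognisable base word costs wordlist size times rule count, no matter how
    many symbols were swapped in; anything else is charged as brute force over
    the character classes actually present."""
    if base_word(password) in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS) * MANGLING_RULES)
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            alphabet += len(cls)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Effort for a passphrase of n_words chosen uniformly from a word list."""
    return n_words * math.log2(list_size)


def vault_password(length: int = 20) -> str:
    """What a vault does: a random, per-site password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@$$w0rd!", "Summer2023!", "k9#Tq2$vLm7!Zr4p", vault_password(15)):
        print(f"{pw!r:24} ~{guess_bits(pw):6.1f} bits")
    print("4-word passphrase:", round(passphrase_bits(4), 1), "bits")
    print("Fluffy2023! is a variation of fluffy:", is_variation("Fluffy2023!", "fluffy"))
```

Running it shows the shape of the argument: `P@$$w0rd!` and `Summer2023!` both collapse to a common word and score about 12.6 bits under these assumptions, while a 16-character random string such as `k9#Tq2$vLm7!Zr4p` scores roughly 105 bits, and even a four-word Diceware passphrase beats the substituted word by a wide margin. The `is_variation` check is the kind of test a password policy can apply when a user changes a password, to reject the “same password with a new year on the end” habit Hogan describes.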

 

Common Sense

While all these procedures are smart, Hogan went on, they only work as long as a company’s employees follow them.

“Can I ensure that everybody’s doing this? No. Can it be a procedure that you mandate? Yes, you can mandate it. But tracking it is a little different. So we add a couple more things on top of all this. Besides password management, vaulting, and multi-factor authentication, then we do the dark-web monitoring and security-awareness training.”

But a lot of cyber protection still comes down to common sense. That includes what people choose to share online, Reed said.

“If you have your entire dossier of who you are on Facebook, Twitter, Snapchat, whatever, once that dossier is out there, that’s what criminals leverage,” he told BusinessWest. “That’s what’s going to convince your grandmother that you need help, because it really sounds like you.”

Or, convince you that your CEO wants you to click a dangerous email link.

“The hackers look at people that can approve wire transfers, ACH batches, you name it,” Hogan said. “They’re looking at owners, they’re looking at CFOs, they’re looking at controllers. We call that ‘whaling’ or ‘spear phishing,’ where they actually target a certain individual. And they’re very sophisticated. They come up with real information.”

Reed agreed. “If they’re going to impersonate the president or the CEO, the only way they’re able to leverage that person, with that crafty email, is if they spend months on social media learning about that person, gathering information to formulate the email. That’s what gets employees to click — because we all want to do what the CEO wants us to do.”

Much of this behavior, from smart password creation to avoiding phishing attacks, comes down to training, Hogan noted. And sometimes, even that’s not enough.

“We can talk until we’re blue in the face, but that doesn’t mean that somebody working at that company is going to follow those procedures properly,” he said, recalling a recent incident when a remote worker for a client used his own laptop to log into the company portal from a remote site, got a suspicious pop-up, and clicked on it, allowing a cyber attacker to navigate the company’s system.

“That’s a big issue. You know the environment that the client has is pretty darn secure, but when you’re having people from the outside log in from their own equipment that is not secure, you’re really running the risk of a breach.”

And many times, Savas said, companies don’t even know they’ve been breached. “The bad actors go in, look around, see if there’s anything worthwhile, then map out a strategy. And that, to me, is scary.”

On the plus side, he believes the message is getting across, and companies are buttoning up with proper training.

“More education is happening within organizations. Attempts are being made, but it all comes down to that individual user being educated, heeding those warnings, and being smart about the things they can control,” Savas explained.

“Confidentiality of the password, not opening attachments, not clicking those links. Those are the three elements that open up an intrusion,” he added. “A lot of it is preventable. The majority is preventable.”

Cover Story Cybersecurity

Rise of the Machines

 

Twice a year, Tom Loper participates in a Cybersecurity Advisory Council meeting. The last one was … different.

“I would say there was a sense of concern that I hadn’t seen before at that council because of ChatGPT and the phishing potential,” said Loper, dean of the School of Arts, Sciences and Management at Bay Path University.

He explained that people can use ChatGPT, the AI chatbot that has drawn major worldwide attention since its unveiling last fall, to take in information from any website, or emails from an organization, and generate a phishing attempt that is far more realistic, and far more likely to draw a response, than anything its target had received before.

“These are people — from Facebook, from Fidelity, from the Hartford, from every major organization you can think of in our area and beyond — who were taken aback by the capabilities of ChatGPT,” Loper said.

“It really scares the hell out of all of us, because we know the biggest problem that we have in cybersecurity, the biggest challenge, comes between the brain and the keyboard,” he explained. “Human beings allow people in. The systems are very good at stopping people from breaching — flags go off, bells and whistles go off. But the biggest problem we have is the human intervention that has to take place. And human beings make mistakes. Especially when we’re connected to the outside world, we make mistakes that allow phishing to take place.”

Tom Loper says ChatGPT is already making work easier for students and professionals, but that raises issues ranging from plagiarism to how jobs might change.

And ChatGPT just made that challenge even more daunting.

But the impact of this and other AI tools extend far beyond cyberthreats.

“AI has the ability to be as impactful as the internet — possibly even as impactful as electricity — on the way business is conducted,” said Delcie Bean, president and CEO of Paragus Strategic IT in Hadley. “We all knew this day was coming for a long time, but now it’s here, and by the end of this decade, the only businesses that will still be in business are the ones that embrace the change.”

Bean explained that these tools allow enormous amounts of work previously done by humans to be completely automated, often in a fraction of the time and with much greater accuracy — and not just basic administrative work.

“We are also talking about highly complex work like computer coding, law, and even practicing medicine,” Bean related. “In a recent demonstration, AI correctly diagnosed 225 cancer cases within 18 minutes and at 85% accuracy, while human doctors took 50 minutes and only achieved a 64% accuracy rate with the same cases. Between now and the end of the decade, we are going to see dozens of new companies and technologies emerging, displacing a lot of legacy processes and technologies at a rapid pace.”

What does that mean for employers, the workforce, and job opportunities in the future? No one has all the answers to that question (though ChatGPT itself took a stab at it for us, in the sidebar below), but there is broad agreement that change is coming.

“This really challenges all forms of expertise because it’s drawing on this incredible domain of knowledge,” said James Wilson, professor of Business at Bay Path. “Now, the accuracy of it, the citing of it, all that is not there yet. But it will come.”

Wilson recently started teaching courses in a certificate program on digital transformation, which includes discussion of the impact of AI on the workplace.

“It started as a therapy session because the students were like, ‘what’s the future going to be? What skills do I need to have? What’s going to happen?’ It’s very uncertain. We have these things called human skills … which are presumably going to differentiate us from this artificial intelligence — that is, creative thinking, inquiry, critical thinking, collaboration. You’re not going to run your business on ChatGPT.”

Delcie Bean says AI promises to disrupt not only administrative and computer careers, but law, medicine, and a wide range of other fields.

But that’s not the only viewpoint. “The most pessimistic view of this is that AI will do for humans what the automobile did for horses,” Wilson said. “There are some dire projections.”

 

Future … Tense

Loper and Wilson have delved into the capabilities and possibilities of ChatGPT and other AI tools on the higher-education level, and they’ve been impressed.

“ChatGPT is the hot topic because it’s a breakthrough in the way it uses large language processing,” Loper said. “It’s never been made available to the public like this before. The exciting part is how it processes data at a phenomenal speed — it’s absolutely amazing.”

And it’s not just regurgitating knowledge, he stressed. Xiaoxia Liu, assistant professor and director of Applied Data Science at Bay Path, has been using ChatGPT in her classes, helping students finish programming projects.

“She gives them a start, and then they have to finish it; they use Python or whatever to finish it,” Loper explained. “Now, she’s letting them use ChatGPT, and they’re finishing it in seconds. And it’s very accurate, very fast. She’s excited about that. That’s an example where ChatGPT uses large language learning to help it finish something that you started without you giving it much guidance at all, other than the start of the program.”

A Brief ‘Interview’ with ChatGPT

We went right to the source and asked ChatGPT for its take on this article’s topic. These are the answers it provided within seconds.

How will ChatGPT and other AI tools threaten the job market in the coming years?

AI tools and automation have already impacted the job market in many ways, and it is likely that this trend will continue in the coming years. ChatGPT and other AI tools can automate repetitive or low-level tasks, leading to job displacement for those whose work can be automated.

However, it’s essential to note that AI tools and automation can also create new job opportunities, particularly in areas that require specialized skills or expertise in implementing and managing AI technology. Additionally, the use of AI tools can increase productivity and reduce costs, which can result in businesses expanding and creating new job positions.

Overall, the impact of AI on the job market is complex and multi-faceted. While some jobs may be replaced by automation, new opportunities may arise, and existing roles may evolve and require different skill sets. It is essential for individuals and businesses to adapt to these changes by acquiring new skills and embracing the opportunities presented by AI.

What are some jobs that ChatGPT and other AI tools will impact the most?

ChatGPT and other AI tools are likely to impact a range of jobs, particularly those that involve repetitive or low-level tasks that can be automated. Some examples of jobs that may be impacted the most include:

• Customer-service representatives: ChatGPT can automate many customer service tasks, such as answering common questions or directing customers to the appropriate department.

• Data-entry clerks: AI tools can be used to scan and input data, reducing the need for manual data-entry clerks.

• Factory workers: AI-powered robots can perform tasks such as assembly-line work, reducing the need for human workers.

• Drivers: The use of self-driving cars and trucks may impact the job market for drivers in the coming years.

• Financial analysts: AI tools can analyze financial data and identify patterns, potentially reducing the need for human financial analysts.

• Retail salespeople: The rise of e-commerce and automated checkout systems may reduce the need for human retail salespeople.

• Administrative assistants: AI tools can be used to automate tasks such as scheduling appointments, managing email, and organizing files, reducing the need for human administrative assistants.

It’s important to note that the impact of AI on these jobs may vary depending on the industry, location, and other factors. While AI may automate some tasks, it may also create new job opportunities in areas such as data analysis, AI development and maintenance, and other specialized roles.

Write a haiku about how AI might change the way people work.

Machines learn and grow.
Work becomes more efficient.
Humans thrive with ease.

Loper noted that ChatGPT also gives different answers to questions based on who’s asking and in what way.

“The algorithm, for whatever reason, is drawing on what it thinks is ideal, but your past references influence the way that it searches. The type of question you ask generates a certain type of format and answer. So if you’re asking a business question, you get an answer in a business format. If you’re asking a question for a literary magazine, you get a different format.”

And that raises issues with academic plagiarism, Loper noted, because professors can no longer throw a chunk of a student’s work into Google to get a definite take on whether something was lifted, verbatim, from another source.

He has experimented with generating presentations from ChatGPT based on a series of prompts, and recognizes the ramifications for students. “It was logically laid out and put in a format that, if a student gave it to me, I would say, ‘damn, that’s good. You really learned this material.’”

When it comes to cracking down on plagiarism, Wilson added, “we might have to abandon ship on that in a way, because it’s not so much about being original anymore as being creative in your inquiry and critical in your understanding of it.”

Wilson called up other AI tools as well during his talk with BusinessWest, from Butternut AI, which can build a website in 20 seconds, to Pictory AI, which generates videos, to Wondercraft AI, which asks for discussion prompts and will generate a full podcast, featuring multiple voices.

“I teach a business-analytics class, where it was all research, research, research. I don’t think it’s about research anymore,” he said of the way AI will affect academia. “I think it’s about asking the right questions. It’s about the right inquiry. It may not be about writing anymore. It may be about editing and getting a draft from the AI expert and then adjusting it. The amount of content that can be created is staggering.”

Even classroom lectures can benefit, he added. “I can put in a few prompts, and it generates an entire lecture. I can go in and change the text, which will then be re-narrated through AI. Suddenly, all my content is better organized.”

Amid all these implications is the compelling idea that AI will only get sharper.

James Wilson

“We’ve all gotten used to Siri, and we’ve all gotten used to Google, but now you’re going to have this super-intelligent, conversational assistant with you,” Wilson said.

Loper added that these discussions are no longer theoretical. He noted that speakers at the Davos World Economic Forum, among others, have been thinking seriously about what types of work are going to be replaced by artificial intelligence and what careers will continue to be dominated by human beings, with their unique sensing and critical skills.

“Human beings aren’t going away any time soon, but we’re going to have a level of augmentation that we’ve never experienced, and we don’t know how to work with it yet. It’s so new,” he added. “James and I are playing with ChatGPT, and we’re kind of in awe of it, but we’re just skimming the surface compared to some of the ways people are using it. It’s just amazing.”

Added Wilson, “if you try to imagine this in a much smaller sense, it’s like when the smartphone came out — how did that change business? Texting and emailing and video chat reconfigured the way things are done, but in a smaller sense.”

Loper agreed. “This is much bigger than anything like that.”

 

Risk and Reward

Przemyslaw Grabowicz, a computer scientist in the College of Information and Computer Science at UMass Amherst, is heading up a research initiative called EQUATE (which stands for equity, accountability, trust, and explainability), which is currently developing a coordinated response to the Biden administration’s request for public comment on its AI Accountability Policy.

“As a computer scientist, I believe technology can make our lives better, maybe in some senses easier,” he told BusinessWest. “But I think there’s a risk that, if we step into new technologies too quickly, then society may develop a distrust for new technology that may, in the end, slow down developments.”

The National Telecommunications and Information Administration (NTIA), a Commerce Department agency that advises the White House on telecommunications and information policy, is studying whether there are measures that could be implemented to assure that AI systems are “legal, effective, ethical, safe, and otherwise trustworthy.”

“Responsible AI systems could bring enormous benefits, but only if we address their potential consequences and harms,” NTIA Administrator Alan Davidson told Reuters. “For these systems to reach their full potential, companies and consumers need to be able to trust them.”

In crafting accountability policies, Grabowicz said, leaders in all areas of life need to think carefully about the consequences of technology development and ways in which profits from this development will be converted into long-term societal gain rather than short-term profits. If not, such technology may contribute to the growth of misinformation and polarization.

“As a society, nobody wants these kinds of consequences, but if corporations focus on short-term financial gain, they may not consider the potential harmful consequences of technology being used in a way that it wasn’t meant to when it was developed.”

Such questions, Bean noted, will be further accelerated by advances in other technologies, especially robotics. “We are rapidly approaching the day when there will be free-standing robots in our lives who are able to think, make decisions, and interact with the world around them.”

In terms of security, he went on, it is hard to quantify the threat. “With Microsoft’s new tool VALL-E, which can mimic a human voice with a sample size as small as three seconds; deepfakes being able to be produced in minutes by anyone with basic computer skills; and more and more data being available to be mined, we are going to need to rethink security.

“While it is possible to imagine how technology will respond to meet these threats, the risk to businesses is the gap that exists in between the threats coming online and the response being available and adopted,” he added. “A lot of businesses are likely to face real threats in that gap — not to mention physical security, things like hacking a moving vehicle or sending a robot to conduct a robbery.”

In short, Bean said, “while there is much to look forward to, there are certainly many threats that will need to be understood and addressed.”

Meanwhile, artificial intelligence continues to evolve — in ways we may not even see coming.

Technology

Layers of Protection

By Mark Morris

 

As the world increases its dependence on the internet for all kinds of transactions, keeping everything secure becomes a constant challenge.

Cybersecurity experts compare their work to an ‘arms race’ in which every new, secure tool they put in place motivates cybercriminals to find a new way to defeat it.

“When you think about it, we need to be right all the time; they only need to be right once,” said Charlie Christianson, president of CMD Technology Group, which installs computer networks for all kinds of companies and keeps them safe.

Paul Whalley, president of Growth for Your Company (G4YC), said cybersecurity is like physical security in that, the more difficult it is for criminals to defeat, the better the odds of not being a victim.

“For example, if criminals want to rob a house, they are more likely to hit the house with an open door over one with bolted locks on every door, tightly shut windows, and a sign out front that says they have a security system.”


In his current venture with G4YC, Whalley helps companies like CMD Technology Group grow their business. In addition, Growth for Your Company is organizing a cybersecurity conference on Tuesday, Sept. 19 from 8:30 a.m. to 3 p.m. at Twin Hills Country Club in Longmeadow. The idea is to educate local business leaders and IT professionals on evolving cyberthreats and the latest tools to combat them.

Businesses that purchased antivirus software years ago may think they are protected, but Christianson noted that, even if the old software blocks a cyberattack, it can take months to determine the source of the attack and how it gained entry.

“The new software tools can make a huge difference because they will immediately point you in the right direction to find the problem,” he said. “Some will block the threat and move it to a safe server to determine if it needs to be quarantined.”

Two-factor authentication (2FA) — that access code a bank sends by text after the customer inputs a password — has emerged as a strong deterrent against outside attacks. Encouraging safe practices such as a written policy to guide employees on how to act when they are using the company’s system is another key to fighting cyberattacks.

The software tools are only as good, however, as the people using them. Scott Augenbaum is a retired FBI agent and cybercrime-prevention trainer who is scheduled to present at the fall cybersecurity conference. Augenbaum contends that online safety begins with basic practices everyone can follow, starting with passwords.

“Two-thirds of people use the same passwords on multiple online accounts,” he said. “Imagine if a cybercriminal knows that one password and can log into your financial, work, or cloud accounts. It happens every day to millions of people.”

When he retired from the FBI in 2018, Augenbaum said, cybercrime was a $4 trillion problem. Since then, the cost to society has doubled. “The pandemic ruined everyone’s lives except the cybercriminals. So many people were shopping online, working from home, and logging in remotely to our most critical sites.”

In addition to using 2FA, Augenbaum recommends that businesses and individuals identify what he calls “mission-critical accounts,” such as banks, credit cards, and cell-phone accounts, and make sure each password is unique and at least 12 to 15 characters long.

All three cybersecurity experts told BusinessWest no one is too small to be a target for cybercriminals.

“Every one of the victims I’ve worked with felt they didn’t fit the victim profile,” Augenbaum said. “Anyone who thinks they are immune because they are a small business increases their chances of joining the list of small businesses that have been victimized.”

Christianson agreed, and gave an example of someone who owns a pizza shop. “That person might think they are only in the pizza business, so what could happen? Well, they most likely process credit-card transactions, and that’s a gold mine to a cybercriminal.”

He added that it’s important for a business owner to consider what is unique in their environment that makes them vulnerable to a cyberattack. There was a time when insurance for cyberattacks could quickly help a company get back to business, but after years of increasing claims, that has changed.

“There is a new landscape for cybersecurity insurance companies,” Whalley said. “Companies are now more stringent on eligibility to get cyberinsurance.”

Before selling a cybersecurity policy, Christianson added, insurers want to know that a business has built several layers of protection into its systems.

“Just like an onion has layers, an effective security system also has layers to make it harder to penetrate a company’s data,” he explained. “If one layer gets defeated, there’s another one right behind it to stop a potential breach.”

The Sept. 19 conference will focus, in large part, on how to create those layers of protection with technology and a more educated human element.

“Along with the technology, we will be encouraging training so everyone understands how to mitigate the risks,” Christianson said. “We all have a role to play in preventing cyberattacks.”

Cybersecurity Special Coverage

Defense Mechanism

 

The numbers are staggering. According to Cybersecurity Ventures’ 2022 cybercrime report, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025.

The impacts on businesses are already well-established. According to security.org, one in every six businesses that fell victim to cyberattacks faces ransomware, and about half of them pay the ransom. And according to a report last year by Security Intelligence, the share of data breaches caused by ransomware grew 41% in the previous year and took 49 days longer than the average breach to identify and contain.

A study conducted last year by Positive Technologies among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies, and other sectors found that cybercriminals are able to penetrate 93% of company networks and gain access to local network resources.

Such breaches, obviously, affect personal data. In 2020 alone, data breaches exposed more than 37 billion personal records, 82% of which came from only five breaches, security.org notes. Data breaches affect not only companies and organizations, but also the people whose information is in the exposed records. And identity-fraud losses in 2020 cost its 49 million victims $56 billion in total, or roughly $1,100 per victim.


Clearly, the threat is real, and growing. Here are a few trends to consider when looking at the cybersecurity landscape, and what tech media and organizations are saying about them.

 

Rising Threats, Rising Liability

With the rise in cybercrime has come increased risk for businesses, and that means a much larger cybersecurity sector. According to security.org, the global cyber insurance market was worth $7.8 billion in 2020 and is likely to grow into a $20 billion industry by 2025. About 75% of all cyber insurance premiums are for businesses, and the rest for individuals. But that could be shifting as well.

So, too, is the responsibility companies bear for their own data security, Forbes projects. “Cyber insurance premiums are climbing, and it’s becoming increasingly difficult for companies to afford or obtain coverage,” the publication notes. “To negotiate insurance premiums and better risk coverage, businesses will be required to present evidence across a broad spectrum of security areas in order to prove compliance with leading cybersecurity standards and best practices.”

Organizations will begin to conduct enterprise risk assessments that highlight the maturity level of their cybersecurity program and proactively address any underwriting concerns, it continues, noting that risk assessments can help determine decisions around insurance gaps, limits, and coverage.


As for those internal efforts, Forbes also notes that cybersecurity has become too complex for many organizations to manage on their own, and most companies don’t have the skills or resources to manage a full-fledged security operations center (SOC). For these reasons, many businesses will be forced to think creatively and could decide to outsource their day-to-day security operations.

Locally, one such SOC is being developed at Springfield Union Station, part of a state- and federally funded project announced in November to establish a Cybersecurity Center of Excellence at the site, which will also include a ‘cyber range’ for training.

Mary Kaselouskas, vice president and chief information officer at Springfield Technical Community College (STCC), which will manage the center, noted recently that “a lot of companies don’t have the resources for a fully operational SOC, or can even afford to have managed SOC operations,” so the need for a local SOC is clear.

 

Zero Trust on the Rise

One way businesses are increasingly curtailing cyber threats is through a concept called ‘zero trust.’

According to IBM, the idea, developed by John Kindervag in 2010 while a principal analyst at Forrester Research, is a broad framework that promises effective protection of an organization’s most valuable assets. It works by treating every connection and endpoint as a potential threat.

Essentially, a zero-trust network logs and inspects all corporate network traffic, limits and controls access to the network, and verifies and secures network resources. A zero-trust security model ensures data and resources are inaccessible by default, and users can only access them on a limited basis under the right circumstances, known as least-privilege access. The strategy also authenticates and authorizes every device, network flow, and connection.

“As hybrid work became a way of life, more organizations have started adopting zero-trust frameworks, meaning all users, apps, and devices that request access are assumed to be unauthorized until proven otherwise,” Security Intelligence notes. “Organizations with a zero-trust approach deployed saved nearly $1 million in average breach costs compared to organizations without zero trust deployed.”

 

Connecting the Globe

Perhaps no cybersecurity trend has been bigger in the last several years than the scourge of attacks related to the supply chain. Analyst firm Gartner predicted that, by 2025, 45% of global organizations will be impacted in some way by a supply-chain attack.

“Cyber criminals look for organizations or industries teetering at the edge and then make their move to tip them over,” said Charles Henderson, an IBM global managing partner and head of IBM Security X-Force. “Last year, we saw that with manufacturing — a strained industry viewed as the backbone of supply chains. With the distinct possibility of a global recession on the horizon, we expect to see ransomware attacks spike in 2023. However, larger organizations in regions heavily impacted during the ransomware boom are the most prepared for this wave after investing time and money in fighting back.”

Global threats often require a global response, which is why, last year, the U.S. State Department announced the launch of the Global Emerging Leaders in International Cyberspace Security (GEL-ICS) Fellowship, in partnership with the Meridian International Center.

The fellowship will support the development of a diverse global network of future cyber policy leaders who share the U.S. and other partners’ vision for cyberspace, and is designed to equip emerging leaders from the governments of these foreign partners with the knowledge and global connections to be advocates of the framework of responsible state behavior in cyberspace, as affirmed by the United Nations General Assembly.

The first cohort of 20 to 25 government officials will engage in a year-long program on international cyberspace policy in 2023. Fellows will visit Washington, D.C., New York City, and San Francisco to engage with U.S. and international leaders from government, industry, and civil society. They will also participate in a series of thematic webinars to support continuing education and foster networking among the fellows and stakeholders.

Additionally, fellows will reconvene on the margins of the 2023 Internet Governance Forum hosted in Japan to mark the end of the program. With each year, fellowship alumni will form a growing, global network of proponents for a stable and secure cyberspace for future generations.

 

Good Time for a Job Search

If there’s a plus to the increasing cyber threat landscape, it’s an explosion in job opportunities. Even at a time when the IT industry is seeing massive layoffs, cybersecurity appears to be a safer harbor than other tech careers.

The global cybersecurity workforce grew to encompass 4.7 million people last year, reaching its highest-ever levels, according to a workforce study by ISC2. However, the same study found there is still a need for more than 3.4 million security professionals, an increase of more than 26% from 2021’s numbers.

The U.S. Bureau of Labor Statistics projects similarly robust need, estimating that the number of cybersecurity jobs will grow by 35% between 2021 and 2031. According to Cyberseek, of those 3.4 million professionals needed globally, about 770,000 opportunities are in the U.S. alone.

Business Talk Podcast Special Coverage

We are excited to announce that BusinessWest has launched a new podcast series, BusinessTalk. Each episode will feature in-depth interviews and discussions with local industry leaders, providing thoughtful perspectives on the Western Massachusetts economy and the many business ventures that keep it running during these challenging times.


Episode 133: October 17, 2022

George Interviews Ivan Shefrin, executive director for Comcast Business Managed Security Services

Cybersecurity: It’s not only a matter for large companies, public utilities, and government agencies to consider. It’s a critical matter that should be a priority for businesses of all sizes. That’s the message delivered by Ivan Shefrin, executive director for Comcast Business Managed Security Services, on the latest installment of BusinessTalk. In a wide-ranging discussion, Shefrin and BusinessWest Editor George O’Brien talk about who the bad guys are, how they get into your system, how you can keep them out, and what you should do if they do get in. It’s must listening, so join us for BusinessTalk, a podcast presented this week by BusinessWest and Comcast Business, and sponsored by PeoplesBank.


Technology

The Best Defense Is a Good Offense

By Sean Hogan

In a recent study, Stanford University and a top cyber security organization found that more than 85% of all data breaches are caused by human error. The standard practice for prevention of breaches is enabling tools to detect and prevent breach attempts.

Most breaches are prevented with tools such as anti-virus, spam filtering, and edge protection. But what about the attempts that slip through these defense systems? That’s where education comes in to play.

Cyber criminals are constantly evolving and changing their methods for cyber-attacks. The best software and security tools can eliminate many of the known attack methods, but there is no company, security, or software package that can claim 100% success for eliminating threats. The game is constantly changing, and to keep up with unknown threats and techniques, it is critical that we all educate and train ourselves to be hyper-vigilant when it comes to cybersecurity.


It is critical to teach your staff about cyber-attacks. I tell my clients to always question everything; if you aren’t expecting an email with a Dropbox link, then don’t open it, and certainly don’t click the link. Hackers have upped their game when it comes to disguising malicious content. Hackers will use credentials from sources on the dark web, and the more thorough hacker will do some social engineering and gather information about the targets on public websites and social media platforms.

The more believable they are, the more effective they can be. I recommend scanning tools to alert companies whenever there are credential breaches that have appeared on the dark web. This will allow security teams to know when credentials have been breached, where credentials were breached, and who will provide the credentials. These tools will reveal passwords, password policies, or lack thereof.

Common passwords are one of the easiest pieces of low-hanging fruit to be used by hackers. Let’s pretend you use your business email to log into an online app like Uber. If Uber is breached, the hackers will have access to your Uber password, but if you use that same password or a similar password elsewhere, like in your banking app, the hacker can use scanning tools and password-hacking tools to easily get into your other accounts. The object is to make it as hard as possible to breach your accounts; don’t make it easy for a junior hacker to wreak havoc.

We recently had a client forward us an email that he thought might be a phishing attack. All the details were accurate; everything was spelled correctly. The ‘sent from’ address had one difference: it was sent from a registered .net domain, not the company’s legitimate .com address. Other than that, everything was accurate. The hacker had the wherewithal to create a domain and register that domain as a .net. (Lesson learned: reserve all similar URLs to prevent this from happening!)

This one example was a sophisticated attempt to convince the client to create a wire transfer; the client now has a policy of triple-checking and confirming any transactions with multiple steps.

The best way to teach your staff about attacks is to create a fake phishing attack. We create and run fake attacks against our staff and our clients. We have a library to choose from, and we can simulate a bank request, a Netflix credential reset, or a credit card alert, just to name a few. These attacks mimic real attacks. The recipient reactions are tracked, and reports are made available after the campaign has expired.

The email is delivered (allowed on purpose past our filters), and the recipient can open it, click the link, and provide data. We call this the trifecta! Normally, opening an email is not malicious by itself; clicking the link can activate embedded malware. If a recipient does take the bait, then the training software will automatically play an educational video that teaches that staff member how they were fooled and what to look out for in the future.

When the campaign has ended, the results are tallied in a report. The report will tell you how many recipients opened the email, clicked the link, and entered credentials. The report will also indicate whether the end-user sat through the educational video. This is a great tool to use from a cybersecurity perspective. Teach your staff, and install best-in-class edge protection, spam filtering, end-point protection, anti-virus, dark-web scanning, and backup. Overall, don’t overlook the most important step: promote awareness and create a strong anti-cyber culture in your office.

 

Sean Hogan is president of Hogan Technology Inc.; www.teamhogan.com; (413) 779-0079.

Law

No Breach January

By Lauren C. Ostberg

 

Along with the widely reported cyberattacks on behemoths like LinkedIn and Facebook, 2021 also saw cyberattacks on local governments, small businesses, school systems, nonprofit organizations, and other smaller, more vulnerable targets. For more than a decade, Massachusetts has enumerated a set of administrative, physical, and technological safeguards designed to protect consumers’ personal information.


For more than a decade, you — a natural person, corporation, association, partnership, or other legal entity who uses, stores, or otherwise accesses personal information in connection with the provision of goods and services or with employment — have been required by law to put such safeguards in place.

Whether a genuine desire to comply with 201 CMR 17 or the breaches of 2021 motivates you, the new year is the perfect time to strengthen your cybersecurity position with three simple steps.

 

Inventory the Personal Information You Possess

Under applicable Massachusetts law, ‘personal information’ is a Massachusetts resident’s first and last name or first initial and last name combined with a Social Security number, driver’s license or state ID number, financial-account number, or credit- or debit-card number. This personal information is what you are obliged to safeguard; access, use, or compromise of this personal information by an unauthorized person constitutes a reportable breach. A useful first step in developing, or improving, your cybersecurity position, then, is compiling a list of every location where you keep this personal information.

Creating this list should make some security risks apparent — do you have Social Security numbers in your e-mail inbox, in an unlocked filing cabinet, or stored on the desktops of employees’ unencrypted laptops? In the event you experience a ransomware attack or another cybersecurity incident, knowing where personal information was stored can help you quickly determine whether the potentially compromised data contained ‘personal information’ and, thus, whether you have experienced a ‘breach’ reportable to regulators.

If you already have a well-developed written information security program (WISP) and feel confident in your cybersecurity posture, this step still applies to you. Reviewing and updating this inventory can (and should) be part of your annual review of that WISP’s scope and effectiveness.

 

Learn to Encrypt Personal Information

Massachusetts regulators require that personal information (when held by a person other than the consumer) be encrypted ‘in transit’ and ‘at rest.’ In transit refers to information when it is transmitted across networks — say, from one e-mail account to another. At rest refers to storage, on a flash drive, laptop, etc., or on an e-mail server.

If you comply with this regulation, an employee’s lost laptop or a compromised e-mail account will not impact consumers or raise the risk of identity theft because that sensitive information should be inaccessible to unauthorized parties. Encryption can be a simple process — in some cases, it’s a matter of a few well-placed clicks. Let this year be the one you figure it out.

If you have already enabled encryption on relevant devices and accounts, and have policies requiring the encryption of personal information, congratulations. After you pat yourself on the back, make sure your employees are aware of these policies and that they know how and when to make use of these safeguards.

 

Train on Phishing

Massachusetts’s data-security regulations require employee training as both an enumerated administrative and technical safeguard. This is because the internal policies regarding access to, use of, and transportation of personal information required by 201 CMR 17 are of limited use if they are not consistently followed company-wide.

Similarly, the best malware protection and server encryption will not protect a business whose employees hand over the proverbial keys to the kingdom by providing their credentials or downloading malware by clicking a link in a phishing e-mail.

Because individuals responding to phishing e-mails is a known vulnerability, it is a useful place to start training. Phishing, which can take the form of e-mails or phone calls, is the fraudulent practice of attempting to obtain personal information or other valuable data from a person by pretending to be a reputable, and trusted, third party. Training employees to recognize, avoid, and report these scams is an initial step (and one endorsed by the FTC) to improving your cybersecurity hygiene.

While other safeguards in 201 CMR 17 and the Attorney General’s Compliance Checklist (like two-factor authentication) are important considerations, if you inventory your personal information, enable and use encryption, and train yourself and your employees to avoid phishing scams, you will be well on your way to a breach-free January and a compliant 2022.

 

Lauren Ostberg is an attorney in Bulkley Richardson’s cybersecurity group; (413) 272-6282.

Cybersecurity Special Coverage

Threat Level: Constant


Brian Levine says the UMass Cybersecurity Institute’s work is “security for the common good.”

 

Make no mistake, we live in an increasingly interconnected world, and the technology that makes that possible is always under threat from those who would mine, expose, and exploit data — often in life-altering ways. So while it’s no surprise that the cybersecurity field is rife with job opportunity, exactly how much opportunity (a half-million open jobs nationally, according to one study) may still raise eyebrows. Area universities with cybersecurity degree programs hope those statistics also raise interest in a challenging field that offers good pay and the chance to do some truly meaningful work.

It’s impossible to envision a world that doesn’t need cybersecurity, Brian Levine said, and that’s not exactly good news.

“I don’t think there’s any way this will go away, unfortunately,” he said, after listing common threats ranging from malware and ransomware attacks to massive breaches of consumer data. “It’s an ever-present problem. So what we do here is really important.”

He was referring to the UMass Cybersecurity Institute on the Amherst campus, which launched in 2015 with the mission of advancing what it calls “security for the common good,” said Levine, the institute’s director. For example, he has worked over the past decade to build tools used by law enforcement around the country — and the world — on cases of internet-based child sexual abuse (for example, the sharing of exploitative photographs).

“That’s a privacy issue, and a forensics issue,” he said, stressing that the institute’s researchers never lose focus on the human benefits of their work — in other words, it’s never just a technical exercise.

“The courses we offer are influenced by research that we do,” he went on. “We have a lot of pride in moving the research we’re doing into the classroom.”

That high-impact work is appealing to many who enter this profession, but one of the most obvious draws is the career opportunity. Matt Smith, director of Cybersecurity programs at Bay Path University, noted that a half-million jobs in cybersecurity are open across the U.S. — more than 20,000 of them in New England, and roughly two-thirds of those (13,389, according to the national CyberSeek research project) in Massachusetts — the 12th-highest total among all U.S. states.


“The industry is changing so rapidly,” Smith said. “Turn on the news — one day they’re talking about ransomware, another day it’s the Colonial Pipeline attack … it’s all about security. So, workforce in this industry is in demand.”

That’s the other side of the ‘bad news’ coin — at least for people who want to make a career of defending against threats that will only continue. “It’s real job security, with high starting salaries. You’re going to retain employment and have opportunities to upscale.”

Reflecting the many different niches in cybersecurity, Bay Path offers three undergraduate degrees in the field — digital forensics and incident response, information assurance, and risk management — as well as a master’s degree in cybersecurity management.

“We renew the courses every time we go live, sometimes two times a year,” Smith said. “Every time it’s being presented to another cohort, we look at the information being presented and decide if it’s still applicable, or how it can be improved upon.”


Matt Smith says the constantly evolving nature of threats means job security and advancement opportunities for today’s cybersecurity professionals.

For example, “the Colonial Pipeline incident hadn’t happened two years ago — so, let’s talk about that this year and remove something else from the course. We’re always going through the courses, tweaking them, fine-tuning them, and I think that sets us apart from other universities. We handpick the material we incorporate, and we update it, and we use the best forensic software we can.”

And that’s a challenge, said Beverly Benson, Cybersecurity program director for the American Women’s College, Bay Path’s all-online arm, which offers intensive, accelerated versions of the undergraduate cybersecurity programs taught at the main campus.

“I am constantly doing research on threats, making sure my curriculum and content is fresh, because the reality is, those individuals who are trying to attack systems, they don’t take vacations,” she told BusinessWest. “We need to stay abreast of everything to make sure students are getting as up-to-date a curriculum as possible.”

The industry’s constantly evolving nature makes it attractive to many career seekers, she added.

“It’s not a repetitive type of field. There may be a framework to adhere to, but as technology advances, so does the work that needs to be done. Our world is becoming more connected and interconnected, and data is everything. Think about the gadgets in our homes — even washing machines, dryers, and stoves are connected to the internet. We need people to understand how to keep that data safe.”

For that reason, Benson went on, “cybersecurity touches everyone, whether it’s healthcare, financial services, food service, the travel industry, the Department of Defense, you name it. We’re a very interconnected world, and we’re able to do things faster because of data — so we need to protect that data, whether it’s at rest, in transit, or in use.”

 

Defending Data

Levine listed a number of ways the cybersecurity research — and classwork — at UMass affects real people.

“One professor looks at ensuring that people have censorship-free access to information on the internet, which can be very important if you’re a dissident in a country that has censored or filtered it,” he said. “Another professor works with differential privacy, and his technology is being used by the U.S. Census.”

That term refers to technology that allows the government, corporations, or anyone else to release statistical information while not exposing people’s individual data.

“One problem with studies that collect information about you and release it later is the possibility that someone’s personal details can be inferred by looking at the data set,” Levine said, noting that differential-privacy measures ‘fuzz’ the information so the statistics are accurate, but don’t reveal information about any one person.

“We have courses on what some people call ‘ethical hacking’ — how to analyze a computer for its vulnerabilities and learn to defend those vulnerabilities. It’s teaching students to be white hats,” he explained, adding that other classes delve into reverse-engineering security, digital forensics, ethics and law, and securing distributed systems — which, these days, means cryptocurrency.

“Cryptocurrencies are one of the hardest challenges — no one is in charge, and people are exchanging things of value,” Levine said, adding that, whatever the topic, UMass brings in experts with practical experience in the field to teach students. “We don’t want everything taught from an ivory-tower point of view. And we want to teach techniques that will survive past graduation in a quickly evolving field. It’s not just computer science.”

At the American Women’s College, Benson said the average age of a cybersecurity student is 35, many no doubt drawn by the expansive opportunities in the field. “We have career changers, we have people in IT fields who are looking to specialize, and some are new to it, looking to learn more about cybersecurity and join the workforce.”

She’s also gratified that the program is making a small dent in what is currently a male-dominated workforce, to the tune of 80%. Part of the pitch, she said, is the reality that work in this field is wildly varied.

“We have the opportunity to demystify cybersecurity,” she said. “I explain to our women that cybersecurity is more than someone being in a basement coding. Part of cybersecurity is things like risk management, which can be a more consultative approach, helping someone understand assets, risks, and how to protect against vulnerabilities. Those are not technical skills; those are essential business skills.”

Smith agreed. “This hits on financial services, healthcare, government, you name it. Every industry has been affected in one way or another by cybersecurity.”

He should know, having worked in a number of sectors, ranging from the Pentagon to the financial-services world, and he often calls on professionals who actually work in those fields to bring their real-world expertise to Bay Path students. “A lot of programs are computer-science-driven; they’re experts in coding and programming. When you jump into cybersecurity, it’s a different animal.”

Introducing more women into the field, and all the sectors it influences, would be a healthy development, he said.

“I’m the program director, but also their cheerleader,” Benson agreed. “They know my motto is ‘dare to dream,’ and having a diverse workforce will bring about diversity of thought, diversity of problem solving, diversity in the ways people will collaborate. And I think that’s so needed.”

Making Connections

Another needed element is networking and making connections in the field early, Smith said. Many Bay Path students take advantage of a Mass Cyber Center mentorship program, working with large companies like Baystate Health, Travelers Insurance, and MassMutual.

“Networking doesn’t happen only when you go to conferences,” he said in explaining the value of such programs. “And most employers, after an internship, offer something on the spot — they’ll say, ‘please, when can you start?’”

That’s huge for new graduates, who typically enter the work world in significant debt. “We’re one of the industries that actually tackles that cohesively. We’re actually getting them employed at a very high-level-paying job, thus cutting down on student debt,” Smith noted, adding that a graduate’s employer will often pay for further education as well.

Speaking of connecting students with careers, the UMass Cybersecurity Institute recently secured a renewal of its CyberCorps Scholarship for Service program, sponsored by the National Science Foundation, which began in 2015.

The latest grant will support approximately 31 scholars at the undergraduate and graduate levels in the university’s computer science and electrical and computer engineering degree programs by offering them full tuition and fees, a stipend ranging from $25,000 per year for undergraduates to $34,000 per year for graduate students, and a professional-development fund for one to three years of their degree program. In addition, students complete an internship at a federal agency during the summers and, upon graduation, work full-time at a federal agency in a cybersecurity role for one to three years at full pay and benefits. Then they’re free to move on, but many don’t.

“We’ve done this for 34 students already, and the vast majority have stayed in the government after their service period is up,” Levine said, noting that federal opportunities range from working at the Pentagon to protecting land and wildlife with the Environmental Protection Agency; from tracking down cybercriminals with the FBI to joining the Cybersecurity and Infrastructure Security Agency, which swoops in to manage ransomware attacks.

“This program will help create a new generation of cybersecurity professionals and researchers to address novel and challenging problems facing society,” said Sanjay Raman, dean of the College of Engineering at UMass Amherst. “These students will help to modernize the executive-branch workforce, advance science and technology at government laboratories, and secure our national defense.”

It’s that kind of real-world impact that inspires those who teach the next generation of cybersecurity pros.

“This is why I get up in the morning,” said Bay Path’s Smith, who worked in counterintelligence around the time of 9/11 and remembers how the world changed. “We did a lot of things to protect our country, and I’m proud of that. Now, I want to give back to the students and help them pick up some of the stuff I’ve learned, so they can excel in a workforce that’s begging for anybody with interest in their field.”

His job, and that of his department, is to stay at the forefront of developments in the field — and, again, they are constant — and continue to hone and evolve the program so it remains relevant and on the cutting edge.

“We want our students to stand out in the industry and get hired,” he said. “And we’ve been very fortunate — our students are landing some amazing jobs.”

Joseph Bednar can be reached at [email protected]

Cybersecurity Special Coverage

Risk and Reward

If the COVID-19 pandemic has taught businesses anything, it’s that employees, in many cases, can do their jobs from home — which can, in theory, lead to cost savings. But also expenses — the type of expense that, if ignored, can lead to much bigger losses.

We’re talking about data security. And what remote workers need depends, in many cases, on how long they plan on staying home, said Sean Hogan, president and CEO of Hogan Communications in Easthampton.

“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease,” he told BusinessWest. “But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”

And a sometimes messy one. In a shared workplace, Hogan noted, “you might have great security, firewalls, routers, you have security installed, you make sure all the security is updated, you constantly have the latest patches and revisions.”

But working from home poses all kinds of issues with the unknown. The most pressing are what programs are running on home devices, whether those devices are loaded with viruses, and whether they can infect the company’s servers when they connect remotely.

“We’re trying to control security at someone’s own bandwidth at the house, where three, four, or five people may be trying to jump on at the same time,” he added. “It’s not shaped at all; it doesn’t prioritize any applications or traffic. Now, there are ways to do that — we can install SD-WAN software that allows us to monitor the connection and prioritize traffic like Zoom, Microsoft Teams, or GoToMeeting. That way, you don’t have everyone breaking up and having issues.”

But that doesn’t solve the issues of security holes in home wi-fi — which typically runs weaker protocols, allowing hackers easier access to the network’s traffic — as well as the human element that makes workers vulnerable to phishing scams, which are the top cause of data breaches, and insecure passwords, which allow hackers easy access to multiple accounts in a short period of time.

“The Internet has become the Wild West over the last 10 years,” said Jeremiah Beaudry, president of Bloo Solutions in Chicopee, starting with scam e-mails — from phishing attacks to realistic-looking but nefarious sites that try to wrench passwords and data from users and install malware on their computers.

“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client,’” he noted. “You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”

That combination of possibly flawed technology and human error makes the home office a particular concern in the world of cybersecurity.

“Nobody has the exact answers right now for how to make the most secure connection at a remote office,” Hogan said, adding that going to the cloud has been an effective measure for many businesses, while others have taken the more drastic step of setting up physical firewalls at remote sites for key employees — say, for the CEO or CFO. “We’ll lock them down if they’re actually connecting to files and servers that are really confidential.”

Possible solutions are plenty, he said — but it all begins with knowing exactly what equipment remote employees are dealing with, and what threats they pose.

Viral Spread

COVID-19 isn’t the only fast-spreading infection going around, Hogan said. In fact, “45% of home computers are infected with malware. That’s an eye opener for many people. It’s a huge issue, and removing it is a huge challenge.”

One problem is the human element — specifically, how users invite threats in by not recognizing them when they pop up. Take the broad realm of phishing — the setting in which people receive such pitches can actually make a difference in how they respond, Beaudry said.

“It’s harder to sift through it when working from home; it’s not natural. You’re out of your element when you’re sitting at your desk in your pajamas, as opposed to being in your office at work. You may not be reading your e-mail as carefully as you normally would. You may not be on alert.”

A big piece of the puzzle is end-user awareness, he said. “You want to have your employees educated about what’s out there, so they know how to spot forgeries.”

Alex Willis, BlackBerry’s vice president of Sales Engineering and ISV Partners, recently told Forbes that companies trust their employees to do the right thing, and workers are generally honest, but trust can be a dangerous thing.

“The problem with just trusting people is that employees don’t always do this on purpose,” Willis said. “Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.”

Jeremiah Beaudry says home networks aren’t typically built to run as efficiently — or safely — as those in a workplace.

Again, it’s that issue of the unknown, Beaudry told BusinessWest. “You don’t know what they have going on with their home networks. We didn’t set up the home connection, we don’t know what they have, and everyone has different people on it. Some are borrowing it from their apartment complex or sharing it with the neighbors, and they expect the internet to work perfectly. It’s not going to.”

In an office, on the other hand, everyone is using the same network, running at the same speed, with the same level of security and firewall protection. “Then, when they go home, there are so many variables.”

The best-case scenario is to give employer-owned devices to employees so they can remotely manage information.

“You can put antivirus on an employer-owned device; when they’re using their own devices, you don’t know what they’re doing to protect it,” Beaudry added. “And if the employee is laid off or fired, you would have the ability to control any employer-owned data.”

At the very least, he said, companies should encrypt the traffic between their network and individual users’ home computers.

“We put monitoring agents on remote clients that monitor for any viruses or malware and will update their antivirus and malware protection in some cases,” Hogan added.

Vigilant Approach

None of this completely addresses the speed and efficiency issues of home devices. “Usually, in a home office, they pay for their own bandwidth, and the business can’t say, ‘we don’t want your kid playing Fortnite,’” Hogan said. “That’s the challenge.”

“Some clients will pay for a second, business-only connection for remote workers,” he added. “But that’s pretty extreme; not many are doing that.”

More popular — and effective — is the move to a virtual environment. Working in the cloud, he noted, means not worrying about the hub-and-spoke relationship between physical servers and computers that’s the biggest weak point for security. “Most of my clients have eliminated that weakness.”

For some clients, the cybersecurity issue is especially critical — take medical businesses, for whom privacy is paramount in the HIPAA era. “That changes the game completely,” Hogan said, noting that one resource for companies handling sensitive data is a SOC, or security operations center.

“Clients who really value security can sign up with a SOC team that responds in case of a breach,” he explained. “It’s a lot of monitoring, detecting, and responding.”

Delcie Bean, CEO of Paragus IT, said any investment in platform migration and remote work has to be accompanied by investment in strong security tools — and education.

“The legacy tools and technologies used to secure networks for the past 10 years need not apply for this next wave of mobile workers,” he told BusinessWest. “Security of the future will be a lot more about multi-factor authentication, deep encryption, and will involve a lot more end-user training as well as testing than the command-and-control style approach of the past.”

Hogan agreed. “Password management is so massive,” he said, noting that people resist simple protections like multi-factor authentication, or even just using complicated passwords, or different passwords for different sites.

“We are also dark-web monitoring pretty consistently,” he added. “The dark web has been on fire lately — a lot of breaches.” Once data fall into those hands, the damage is done, he added, “but the important thing is to know what got breached, and if you can tell what credentials are out there, so you can change them.”

The bottom line, Beaudry said, is to make sure employees use unique passwords, encrypt their remote connections, and avoid tools that are potentially vulnerable.

“And there’s a long list of tools known to be exploited by hackers, so it’s good to check with an IT professional before using any remote desktop method,” he added. “Some methods require you to open firewall ports that can leave you vulnerable to ransomware and all sorts of awful data breaches. The main thing is to make sure your firewall is locked down and no unnecessary ports are open, and you have backups of all data.”

That’s a lot to consider when moving into an era of expanded remote work — some of which comes at a cost. But the cost of ignoring it is much higher.

Joseph Bednar can be reached at [email protected]

Technology

Into the Breach

Cybersecurity experts say there’s still plenty of misunderstanding when it comes to the reality of data threats. For example, it’s not just big companies being attacked — these days, everyone is a target, and data thieves are becoming more subtle and savvy with their methods. That means companies need to be more vigilant — but it also means career opportunities abound in a field that desperately needs more young talent.

Everyone knows what cybersecurity is. Fewer know what people who work in the field actually do — and how much they earn.

And that’s a problem, Tom Loper said, when it comes to drawing young talent into a field that desperately needs it — and will need it for many years to come, as the breadth and complexity of data threats continue to evolve.

“That’s why we need to start with the high-school students,” said Loper, associate provost and dean of the School of Science and Management at Bay Path University. “They don’t really understand cybersecurity, and that’s a big problem because we have this incredible shortage of folks qualified to work in cybersecurity.”

Bay Path is doing its part, he said, not only with two undergraduate programs in the field and a graduate program in cybersecurity management, but by actively promoting those tracks to incoming students with undecided majors.

“We allow them to take cyber courses that first semester just to try it out, and the whole faculty is steering them toward it because the pay is so good in this field. Most of the ones who take it, believe it or not, they stay in that field,” he said, noting that about 90 students are currently enrolled in the three programs. “That’s a pretty good number for a small school like this. Now, we’re trying to get more high-school students to understand.”

Loper said Bay Path’s programs are tailored specifically to the requirements of various cybersecurity careers, so students can get entry-level jobs immediately and go on to earn whatever further industry certifications they may need. “We have graduates making $60,000 to $80,000 coming out of school with these degrees. And if they get some experience before graduation, they’re worth even more.”

Tom Loper said cybersecurity is a complex challenge best tackled from a region-wide, ‘ecosystem’ perspective.

To that end, Bay Path recently won a grant from the Mass Cyber Center at MassTech to support internship and workforce experiences for students. That’s just one aspect, he said, of the way the region can build a cybersecurity hub from what he calls an “ecosystem perspective,” one that encompasses high-school and college students, workforce-development programs, government agencies, and business sectors where cybersecurity is important. These days, that’s most of them.

“Companies are becoming more savvy,” said Mark Jardim, lead engineer at CMD Technology Group in East Longmeadow. “They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked. But they are calling us and saying, ‘how can we be more protected?’”

Chris Rivers, vice president of Phillips Insurance in Chicopee, agreed that more companies are coming around to the threat potential.

“It sometimes depends on whether they’ve had an incident or a near miss,” he said, adding that, while people may hear news reports about data breaches at large companies, no business of any size is totally immune.

In fact, “smaller businesses tend to have less security, and sometimes it’s easier for hackers to get in there, taking credit-card information or any type of information, really. Think of a law office, and the risk of private information being taken and used against clients.”

“If you have a breach and data is stolen,” Rivers added, “it can get pretty costly.”

Data security has become a primary form of business insurance at all commercial agencies, but a policy to recover damages, even a comprehensive one, isn’t enough; the long-term brand damage, Rivers noted, is much harder to quantify. “Once your reputation is gone, it’s gone.”

The fact that businesses are catching on to this reality, combined with high-tech advances that will make defending against cybercrime more challenging, has created significant opportunities in what promises to be one of the most important career fields over the next decade.

Human Nature

Charlie Christianson, president of CMD and its sister company, Peritus Security, said data breaches cost companies $11.5 billion in 2019. And the threats come in many forms.

“Things we’ve preached over the years still hold true — they just keep changing the vector of attack,” he told BusinessWest. “And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”

The human element to data breaches is still prominent, as e-mail phishing schemes remain the number-one way cybercriminals gain access to networks. These often arrive with URLs that are very close to a legitimate address. More importantly, phishers are ever-honing their ability to replicate the tone, language, and content of the supposed sender.

“They look incredibly realistic,” Christianson said. “A week doesn’t go by where we don’t get one and say, ‘wow, this looks good.’ For people who don’t live it every day, it can be very easy to fall into the trap. The trick is to just stop and think about it before you click on it.”

These attacks are more specific and targeted than in the past, he went on, but they’re not the only way data thieves are getting in. Another is through employees’ personal devices, which don’t typically boast the security features of a large corporate system.

“Devices are hit and used to launch an attack, or they’re infected and brought into a secure environment. What’s on that device can get into the corporate network and spread,” he explained, which is why many companies have tightened up their BYOD (bring your own device) policies.

“That’s slowing down as businesses are becoming aware of the risk,” Jardim added. “We’re actually seeing a trend of slowing down the bring-your-own-device idea in the workforce; companies are saying, ‘maybe we shouldn’t do that because attackers are using those vulnerabilities.’”

The trend known as the internet of things, or IoT, poses new threats as well, Christianson said.

“When people think about securing their network, they think about their computers, their servers, their tablets, things like that. But they don’t think about the SimpliSafe security system or the time clock that hangs on the wall or the voice-over-IP phone system they use every day. You have all these devices that aren’t being maintained — they just let them run.”

He knows of one company that was attacked through its security-camera system, and said segmenting networks is one way to minimize such a threat. “That shouldn’t be on the same network as your finances.”

The defenses against breach attempts are myriad, from password portals and multi-factor verification of online accounts to geoblocking traffic coming from overseas.

“A lot can be done with training,” Christianson said. “The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”

Mark Jardim (left) and Charlie Christianson say cybercrime is constantly evolving, and so must the strategies businesses employ to prevent it.

It’s definitely a challenge, Jardim added. “We have to protect every single door and window, we have to be right 100% of the time, and a hacker just needs to find one vulnerability.”

Cultivating an Ecosystem

That list of threats and defenses — which only skims the surface — drives home the need for a more robust cybersecurity workforce, Loper said.

“We believe you have to take a regional approach to cybersecurity,” he noted. “We don’t believe you can just think of yourself as an island unto yourself. Whether you’re a big organization or a small organization, you’re part of the supply chain, and there are opportunities for breaches. Everyone is connected.”

Boosting workforce-development programs is one spoke on the wheel. “It needs more attention. At one point, we didn’t have enough tool and die makers. The Commonwealth got behind it, and now we have enough. Something like that is going to happen in the high schools, and across this region, where we’re retraining people to work in this space just because there are so many opportunities.”

One plan is to develop a ‘cyber range,’ which is a simulated IT environment that emulates the IT structure of businesses, Loper explained. “We can bring people into the cyber range and help them deal with threats to a simulated environment.”

All these strategies are running headlong into the rise, in the very near future, of 5G wireless connectivity, which will dramatically increase data speed — and perhaps security threats as well.

“The threat we have now is going to go on steroids with 5G and with IoT,” Loper said. “The opportunities for business development will be greater than ever, and the opportunities for penetration will be greater than ever as well. It’s amazing what’s happening with 5G — it’s mostly good, but pretty darn challenging.”

Those threats provide business for commercial insurers, and that coverage is important, Rivers said, but businesses have to think about their own common-sense defenses as well.

“As we do renewals or reach out to clients, we try to bring out what policies are available to them to protect them from different things,” he noted. “It’s easy for us to recommend everything, but there’s a cost, so we try to inform them what’s out there so they can make decisions — ‘do I want this? Do I want that?’”

Rivers cited a statistic from Philadelphia Insurance Companies, which reports that the average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public-relations expenses to rebuild an organization’s reputation.

“It’s one thing to take the data out, but when your brand is affected because you’ve had this incredible breach, that’s something else,” Loper added. “Your brand is what people think it is; it’s not what you think it is, like in the old days. Now, just look on social media, and that tells you what your brand is. Cybersecurity is one of those things that, if not done properly, can undermine your brand so quickly.”

In the end, Jardim said, the idea is to minimize risk.

“I always joke, the most secure machine is one that’s shut off in a locked room, but you have to find a balance,” he said — one that employs measures from simple common sense to choosing the right firewall.

“We see clients who have $5 million businesses buying a $100 firewall from Staples. You’re not going to protect your infrastructure with that. You need the right equipment for your size. You need professional stuff for your business — you can’t use the same equipment you buy for your house for your business.”

“Well, you can,” Christianson added quickly, noting just one more way people might take a limited view of cybersecurity threats — and come to regret it.

Joseph Bednar can be reached at [email protected]

Technology

Creating Cyber Solutions

Tom Loper says the ‘supply chain’ project will benefit the region and its manufacturing sector while also giving cybersecurity students a leg up on jobs.

A group of regional partners, led by Bay Path University, has been awarded a $250,000 grant from the Mass. Technology Collaborative for a pilot program that will address a host of identified issues — from a critical shortage of workers in the cybersecurity field to the need for smaller manufacturers to become more cyber secure if they are going to keep doing business with their customers in the defense, aerospace, and other sectors.

The project’s name is long and quite cumbersome.

‘Engaging Student Interns in Cybersecurity Audits with Smaller Supply Chain Companies to Develop Experience for Entry-level Positions While Improving the Cybersecurity Ecosystem in Massachusetts.’

Yes, that’s really what it’s called. And while that’s a mouthful — not that anyone actually recites the whole thing anyway — it really does capture the essence of an ambitious initiative spearheaded by Bay Path University and its emerging cybersecurity programs, and also involving Springfield Technical Community College, Paragus Strategic IT, the Economic Development Council of Western Mass. (EDC), and other area partners.

Breaking down that long title into its component parts certainly helps to tell the story behind the $250,000 grant awarded recently by the Mass. Technology Collaborative. The program, set to commence early next year, will indeed engage students in Bay Path’s cybersecurity programs in internships with smaller supply chain companies across the region. They will be working with employees at Paragus to undertake cybersecurity assessments of these small manufacturing firms, essentially identifying holes where intruders can penetrate and possible methods for closing them.

And the program will provide needed experience that is difficult for such students to attain, but very necessary for them to land jobs in the field. And it will put more workers in the cybersecurity pipeline at a time when there is a considerable gap between the number that are available and the number that are needed — a gap approaching 9,000 specialists in this state alone. And it will bring more women into a field that has historically been dominated by men and is struggling desperately to achieve diversity.

That’s a lot of ‘ands.’

Which helps explain why the Mass. Technology Collaborative, which was planning to divide $250,000 among several entities, gave that entire amount to Bay Path’s proposal and then found another $135,000 to award to two other projects, said Tom Loper, associate provost and dean of the School of Arts, Sciences and Management at Bay Path, who started with the small supply-chain companies, as he explained the project’s importance.

“These companies have a cyber vulnerability, in many cases, because they don’t have sophisticated systems and they don’t have sophisticated staff that can help create a cyber-safe environment,” he noted, adding that he took what he called a “Western Mass. approach” to the process of applying for the grant.

By that, he meant a focus on smaller businesses, as opposed to the larger defense contractors like Raytheon in the eastern part of the state, and also on schools like Bay Path (and its online component, The American Women’s College) and STCC that are graduating cybersecurity students but struggling to find them real-world experience to complement what they learn in the classroom.

Matthew Smith says that among the many potential benefits from the ‘supply chain’ project is much-needed gender diversity in the cybersecurity field.

Thus, the project is a potential win-win-win, with maybe a few more wins in there as well, said Rick Sullivan, president & CEO of the EDC, noting that winners include the individual students at Bay Path, the emerging cybersecurity industry, individual small manufacturing companies, and the region as a whole, which counts its precision manufacturing sector as a still-vital source of jobs and prestige.

“The large customers, the Department of Defense, the Department of Transportation … they’re really requiring, and rightfully so, very strict compliance with the highest cybersecurity techniques out there,” Sullivan said, referring to the requirements now being placed on smaller supply-chain companies. “When they go to the bigger companies, they have to certify their entire supply chains, and we have a lot of companies in this region that feed into that supply chain.”

Overall, the pilot program is a decidedly proactive initiative aimed at helping these smaller companies become aware of the requirements they will have to meet to keep doing business in such fields as defense and aerospace, and then help them meet those thresholds, starting with an assessment of their cybersecurity systems and immediate threats.

For this issue and its focus on technology, BusinessWest takes an in-depth look at the Bay Path-led project, its many goals, and how, if all goes as planned, it will close gaps in cybersecurity systems as well as gaps in that sector’s workforce, while also making the region’s manufacturing sector stronger and more resilient.

Day at the Breach

The project summary for the Bay Path initiative, as authored by Loper and others, does a very effective job of summing up both the many types of problems facing the state and its business community with regards to cybersecurity, and also how this pilot program will address several of the key concerns.

“Entry-level job postings for information security analysts and related cybersecurity positions typically require one to two years of experience in the field, making it challenging for recent college graduates with cybersecurity degrees to fill these positions,” the summary begins. “Bay Path University, a women’s university in Western Mass., will lead a project that will engage 30 undergraduate and graduate cybersecurity students, primarily women, in a full year of challenging experiences as paid interns on cybersecurity auditing teams.

“Teams will provide cybersecurity audits at a lower cost for small to mid-sized companies in the region,” the proposal continues. “Undergraduate cybersecurity interns from Bay Path University and Springfield Technical Community College will be assigned to auditing teams led by a graduate intern from Bay Path’s M.S. in Cybersecurity Management Program. Teams will be supervised throughout the audit process by seasoned cybersecurity specialists from Paragus Strategic IT. Through the internship, students will gain insight into the breadth and scope of challenges to the cyber ecosystem and hands-on experience working with employers to implement options for addressing these challenges. Project research and evaluation will be undertaken to confirm that the internship will meet the needs of employers who require prior experience.”

Like we said, that pretty much sums it all up — at least from the student intern side of the equation. In addition to classroom learning, experience in the field is necessary to break into the cybersecurity sector, said Loper, and such experience is difficult to attain. This pilot program will help several dozen students get it.

Meanwhile, the program will address the other side of the equation, the needs of small manufacturers in the supply chain — and this region has dozens, if not hundreds, of them, which face many challenges in their quest to become safe (or at least much safer) from security breaches, a prerequisite for being able to do business these days.

For an explanation, we return to the project summary:

“The majority of cybersecurity breaches occur in smaller supply chain companies, threatening the entire supply chain. Yet these companies often cannot afford the staff or resources to address ongoing needs for ensuring a cyber-safe ecosystem,” the solicitation notes. “Partnering with the MassHire Hampden Workforce Board, the MassHire Franklin Hampshire Workforce Board, and the Economic Development Council of Western Massachusetts, the project will engage 45 small to mid-size supply chain companies in the advanced manufacturing sector in western Massachusetts in cybersecurity audits. This strategy will be disseminated as a model for how other Massachusetts higher education institutions with cybersecurity programs can partner with employers and their regional planning teams to strengthen the cybersecurity ecosystem across the Commonwealth.”

Elaborating, Loper said the cost of a cybersecurity assessment (that term is preferred over ‘audit’) is approximately $1,500, an amount that challenges many smaller companies and is the primary reason why relatively few are done.

The pilot program will pay roughly two-thirds the total cost of an assessment, thus bringing assessments within the reach of more companies, which need to ramp up their cybersecurity systems and methods if they are going to keep doing business with most of their clients.

“Things are starting to change,” said Sullivan. “Cybersecurity and the threats that are out there are real, and this pilot program is an attempt to get ahead of all that, to educate and assess the smaller businesses here, with the next step being to hopefully address those needs so they can stay compliant, because that’s an extremely important part of our economy here.”

Sullivan said the EDC and other agencies will work to build awareness of this program and sign on participants. There has already been interest expressed by many of these smaller manufacturers, and he expects it will only grow as awareness of the project — as well as the need to be cyber secure — grows.

What the Hack?

For the record, and as noted earlier, the Mass. Technology Collaborative came up with another $135,000 to award for other pilot projects to help prepare entry-level cybersecurity job seekers to both meet the needs of employers, and address the growing cybersecurity job crisis.

The first, a $61,178 grant, involves an entity called STEMatch, which proposed a creative collaboration between community colleges, Massachusetts-based cybersecurity service and technology providers, and end-user businesses to expand the pool of potential cybersecurity workers to under-represented groups and displaced workers. The other, a $74,690 award, was given to the MassHire Greater New Bedford Workforce Board to advance a public-private partnership between the regional workforce boards of Southeastern Massachusetts, Bristol Community College, the South Coast Chamber of Commerce, and employers in that region. The pilot is designed to help address the lack of skills and work experience affecting Massachusetts employers and will utilize best practices developed in Israel to create training and work experiences for students in grades 10-12.

Those projects, as well as the Bay Path initiative, drive home the fact that there is not just a gap, but a real crisis when it comes to filling jobs in this emerging and now all-important sector.

“Companies are craving talent,” said Matthew Smith, director of Computer Science & Cyber Security Programs at Bay Path and assistant professor of Computer Science & Cyber Security in the School of Science and Management, as he attempted to qualify a problem that’s difficult to quantify.

That’s because while there are posted positions within this sector — many of them lacking candidates — many of the jobs are not posted, increasing the size of the gap.

Closing it requires not merely people with degrees in cybersecurity, although that’s essentially a prerequisite, said Smith, but individuals with what could be called real-world experience on their resumes.

The pilot program will allow students at Bay Path and STCC to put five cybersecurity assessments on their portfolio, which should certainly help open some doors for them.

“Our students won’t just be getting a degree, but also the necessary talent to be contributing to the workforce on day one,” Smith told BusinessWest. “Once they have these assessments and use these tools that are industry standards, they’re going to be thrown right to the top of the application pool, because most of those are search-engine driven, so once they put these key words in there, they’re going to be very marketable.”

This marketability should only help further develop the graduate and undergraduate cybersecurity programs at Bay Path (both traditional and online) that are already seeing explosive growth, said Smith, adding that the industry needs not only workers, but gender diversity as well.

“Only 11% of the jobs in the field are held by women,” he said. “The gender imbalance is very real, and it’s our main mission to provide these women the skills and get them their degrees, so they jump into the cybersecurity workforce and start taking those unfilled positions and close that gender imbalance; many companies are craving diversity in their workforce.”

Securing a Better Future

As noted earlier, the name on this project is long and cumbersome. But it breaks the problem and one possible solution into one highly efficient and effective phrase.

The pilot program will set a high bar when it comes to potential outcomes and goals for achieving progress with the many significant challenges facing the cybersecurity sector and the cyber safety of individual companies.

But a high bar is necessary because the problems are real, they are growing, and solutions are needed.

This program was conceived to not only help this region clear that bar, but provide a roadmap for other regions to follow. If it can do all that, the state’s sizable investment will yield huge dividends.

George O’Brien can be reached at [email protected]