Cybersecurity Special Coverage

Risk and Reward

If the COVID-19 pandemic has taught businesses anything, it’s that employees, in many cases, can do their jobs from home — which can, in theory, lead to cost savings. But also expenses — the type of expense that, if ignored, can lead to much bigger losses.

We’re talking about data security. And what remote workers need depends, in many cases, on how long they plan on staying home, said Sean Hogan, president and CEO of Hogan Communications in Easthampton.

“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease,” he told BusinessWest. “But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”

And a sometimes messy one. In a shared workplace, Hogan noted, “you might have great security, firewalls, routers, you have security installed, you make sure all the security is updated, you constantly have the latest patches and revisions.”

But working from home poses all kinds of issues with the unknown, the most pressing being, what programs are running on home devices, whether those devices are loaded with viruses, and whether they can infect the company’s servers when they connect remotely.

“We’re trying to control security at someone’s own bandwidth at the house, where three, four, or five people may be trying to jump on at the same time,” he added. “It’s not shaped at all; it doesn’t prioritize any applications or traffic. Now, there are ways to do that — we can install SD-WAN software that allows us to monitor the connection and prioritize traffic like Zoom, Microsoft Teams, or GoToMeeting. That way, you don’t have everyone breaking up and having issues.”

But that doesn’t solve the issues of security holes in the home wi-fi — which has weaker protocols, allowing hackers easier access to the network’s traffic — as well as the human element that makes workers vulnerable to phishing scams, which are the top cause of data breaches, and insecure passwords, which allow hackers easy access to multiple accounts in a short period of time.

“The Internet has become the Wild West over the last 10 years,” said Jeremiah Beaudry, president of Bloo Solutions in Chicopee, starting with scam e-mails — from phishing attacks to realistic-looking but nefarious sites that try to wrench passwords and data from users and install malware on their computers.

“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client,’” he noted. “You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”

That combination of possibly flawed technology and human errors makes the home office a particular concern in the world of cybersecurity.

“Nobody has the exact answers right now for how to make the most secure connection at a remote office,” Hogan said, adding that going to the cloud has been an effective measure for many businesses, while others have taken the more drastic step of setting up physical firewalls at remote sites for key employees — say, for the CEO or CFO. “We’ll lock them down if they’re actually connecting to files and servers that are really confidential.”

Possible solutions are plenty, he said — but it all begins with knowing exactly what equipment remote employees are dealing with, and what threats they pose.

Viral Spread

COVID-19 isn’t the only fast-spreading infection going around, Hogan said. In fact, “45% of home computers are infected with malware. That’s an eye opener for many people. It’s a huge issue, and removing it is a huge challenge.”

One problem is the human element — specifically, how users invite threats in by not recognizing them when they pop up. Take the broad realm of phishing — the setting in which people receive such pitches can actually make a difference in how they respond, Beaudry said.

“It’s harder to sift through it when working from home; it’s not natural. You’re out of your element when you’re sitting at your desk in your pajamas, as opposed to being in your office at work. You may not be reading your e-mail as carefully as you normally would. You may not be on alert.”

A big piece of the puzzle is end-user awareness, he said. “You want to have your employees educated about what’s out there, so they know how to spot forgeries.”

Alex Willis, BlackBerry’s vice president of Sales Engineering and ISV Partners, recently told Forbes that companies trust their employees to do the right thing, and workers are generally honest, but trust can be a dangerous thing.

“The problem with just trusting people is that employees don’t always do this on purpose,” Willis said. “Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.”

Jeremiah Beaudry says home networks aren’t typically built to run as efficiently — or safely — as those in a workplace.

Again, it’s that issue of the unknown, Beaudry told BusinessWest. “You don’t know what they have going on with their home networks. We didn’t set up the home connection, we don’t know what they have, and everyone has different people on it. Some are borrowing it from their apartment complex or sharing it with the neighbors, and they expect the internet to work perfectly. It’s not going to.”

In an office, on the other hand, everyone is using the same network, running at the same speed, with the same level of security and firewall protection. “Then, when they go home, there are so many variables.”

The best-case scenario is to give employer-owned devices to employees so they can remotely manage information.

“You can put antivirus on an employer-owned device; when they’re using their own devices, you don’t know what they’re doing to protect it,” Beaudry added. “And if the employee is laid off or fired, you would have the ability to control any employer-owned data.”

At the very least, he said, companies should encrypt the traffic between their network and individual users’ home computers.

“We put monitoring agents on remote clients that monitor for any viruses or malware and will update their antivirus and malware protection in some cases,” Hogan added.

Vigilant Approach

None of this completely addresses the speed and efficiency issues of home devices. “Usually, in a home office, they pay for their own bandwidth, and the business can’t say, ‘we don’t want your kid playing Fortnite,’” Hogan said. “That’s the challenge.”

Some clients will pay for a second, business-only connection for remote workers, he added. “But that’s pretty extreme; not many are doing that.”

More popular — and effective — is the move to a virtual environment. Working in the cloud, he noted, means not worrying about the hub-and-spoke relationship between physical servers and computers that’s the biggest weak point for security. “Most of my clients have eliminated that weakness.”

For some clients, the cybersecurity issue is especially critical — take medical businesses, for whom privacy is paramount in the HIPAA era. “That changes the game completely,” Hogan said, noting that one resource for companies handling sensitive data is a SOC, or security operations center.

“Clients who really value security can sign up with a SOC team that responds in case of a breach,” he explained. “It’s a lot of monitoring, detecting, and responding.”

Delcie Bean, CEO of Paragus IT, said any investment in platform migration and remote work has to be accompanied by investment in strong security tools — and education.

“The legacy tools and technologies used to secure networks for the past 10 years need not apply for this next wave of mobile workers,” he told BusinessWest. “Security of the future will be a lot more about multi-factor authentication, deep encryption, and will involve a lot more end-user training as well as testing than the command-and-control style approach of the past.”

Hogan agreed. “Password management is so massive,” he said, noting that people resist simple protections like multi-factor authentication, or even just using complicated passwords, or different passwords for different sites.

“We are also dark-web monitoring pretty consistently,” he added. “The dark web has been on fire lately — a lot of breaches.” Once data fall into those hands, the damage is done, he added, “but the important thing is to know what got breached, and if you can tell what credentials are out there, so you can change them.”

The bottom line, Beaudry said, is to make sure employees use unique passwords, encrypt connections remotely, and do not use tools that are potentially vulnerable.

“And there’s a long list of tools known to be exploited by hackers, so it’s good to check with an IT professional before using any remote desktop method,” he added. “Some methods require you to open firewall ports that can leave you vulnerable to ransomware and all sorts of awful data breaches. The main thing is to make sure your firewall is locked down and no unnecessary ports are open, and you have backups of all data.”

That’s a lot to consider when moving into an era of expanded remote work — some of which comes at a cost. But the cost of ignoring it is much higher.

Joseph Bednar can be reached at [email protected]

Technology

Into the Breach

Cybersecurity experts say there’s still plenty of misunderstanding when it comes to the reality of data threats. For example, it’s not just big companies being attacked — these days, everyone is a target, and data thieves are becoming more subtle and savvy with their methods. That means companies need to be more vigilant — but it also means career opportunities abound in a field that desperately needs more young talent.

Everyone knows what cybersecurity is. Fewer know what people who work in the field actually do — and how much they earn.

And that’s a problem, Tom Loper said, when it comes to drawing young talent into a field that desperately needs it — and will need it for many years to come, as the breadth and complexity of data threats continue to evolve.

“That’s why we need to start with the high-school students,” said Loper, associate provost and dean of the School of Science and Management at Bay Path University. “They don’t really understand cybersecurity, and that’s a big problem because we have this incredible shortage of folks qualified to work in cybersecurity.”

Bay Path is doing its part, he said, not only with two undergraduate programs in the field and a graduate program in cybersecurity management, but by actively promoting those tracks to incoming students with undecided majors.

“We allow them to take cyber courses that first semester just to try it out, and the whole faculty is steering them toward it because the pay is so good in this field. Most of the ones who take it, believe it or not, they stay in that field,” he said, noting that about 90 students are currently enrolled in the three programs. “That’s a pretty good number for a small school like this. Now, we’re trying to get more high-school students to understand.”

Loper said Bay Path’s programs are tailored specifically to the requirements of various cybersecurity careers, so students can get entry-level jobs immediately and go on to earn whatever further industry certifications they may need. “We have graduates making $60,000 to $80,000 coming out of school with these degrees. And if they get some experience before graduation, they’re worth even more.”

Tom Loper said cybersecurity is a complex challenge best tackled from a region-wide, ‘ecosystem’ perspective.

To that end, Bay Path recently won a grant from the Mass Cyber Center at MassTech to support internship and workforce experiences for students. That’s just one aspect, he said, of the way the region can build a cybersecurity hub from what he calls an “ecosystem perspective,” one that encompasses high-school and college students, workforce-development programs, government agencies, and business sectors where cybersecurity is important. These days, that’s most of them.

“Companies are becoming more savvy,” said Mark Jardim, lead engineer at CMD Technology Group in East Longmeadow. “They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked. But they are calling us and saying, ‘how can we be more protected?’”

Chris Rivers, vice president of Phillips Insurance in Chicopee, agreed that more companies are coming around to the threat potential.

“It sometimes depends on whether they’ve had an incident or a near miss,” he said, adding that, while people may hear news reports about data breaches at large companies, no business of any size is totally immune.

In fact, “smaller businesses tend to have less security, and sometimes it’s easier for hackers to get in there, taking credit-card information or any type of information, really. Think of a law office, and the risk of private information being taken and used against clients.

“If you have a breach and data is stolen,” Rivers added, “it can get pretty costly.”

Data security has become a primary form of business insurance at all commercial agencies, but a policy to recover damages, even a comprehensive one, isn’t enough; the long-term brand damage, Rivers noted, is much harder to quantify. “Once your reputation is gone, it’s gone.”

The fact that businesses are catching on to this reality, combined with high-tech advances that will make defending against cybercrime more challenging, has created significant opportunities in what promises to be one of the most important career fields over the next decade.

Human Nature

Charlie Christianson, president of CMD and its sister company, Peritus Security, said data breaches cost companies $11.5 billion in 2019. And the threats come in many forms.

“Things we’ve preached over the years still hold true — they just keep changing the vector of attack,” he told BusinessWest. “And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”

The human element to data breaches is still prominent, as e-mail phishing schemes remain the number-one way cybercriminals gain access to networks. These often arrive with URLs that are very close to a legitimate address. More importantly, phishers are ever-honing their ability to replicate the tone, language, and content of the supposed sender.

“They look incredibly realistic,” Christianson said. “A week doesn’t go by where we don’t get one and say, ‘wow, this looks good.’ For people who don’t live it every day, it can be very easy to fall into the trap. The trick is to just stop and think about it before you click on it.”

These attacks are more specific and targeted than in the past, he went on, but they’re not the only way data thieves are getting in. Another is through employees’ personal devices, which don’t typically boast the security features of a large corporate system.

“Devices are hit and used to launch an attack, or they’re infected and brought into a secure environment. What’s on that device can get into the corporate network and spread,” he explained, which is why many companies have tightened up their BYOD (bring your own device) policies.

“That’s slowing down as businesses are becoming aware of the risk,” Jardim added. “We’re actually seeing a trend of slowing down the bring-your-own-device idea in the workforce; companies are saying, ‘maybe we shouldn’t do that because attackers are using those vulnerabilities.’”

The trend known as the internet of things, or IoT, poses new threats as well, Christianson said.

“When people think about securing their network, they think about their computers, their servers, their tablets, things like that. But they don’t think about the SimpliSafe security system or the time clock that hangs on the wall or the voice-over-IP phone system they use every day. You have all these devices that aren’t being maintained — they just let them run.”

He knows of one company that was attacked through its security-camera system, and said segmenting networks is one way to minimize such a threat. “That shouldn’t be on the same network as your finances.”

The defenses against breach attempts are myriad, from password portals and multi-factor verification of online accounts to geoblocking traffic coming from overseas.

“A lot can be done with training,” Christianson said. “The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”

Mark Jardim (left) and Charlie Christianson say cybercrime is constantly evolving, and so must the strategies businesses employ to prevent it.

It’s definitely a challenge, Jardim added. “We have to protect every single door and window, we have to be right 100% of the time, and a hacker just needs to find one vulnerability.”

Cultivating an Ecosystem

That list of threats and defenses — which only skims the surface — drives home the need for a more robust cybersecurity workforce, Loper said.

“We believe you have to take a regional approach to cybersecurity,” he noted. “We don’t believe you can just think of yourself as an island unto yourself. Whether you’re a big organization or a small organization, you’re part of the supply chain, and there are opportunities for breaches. Everyone is connected.”

Boosting workforce-development programs is one spoke on the wheel. “It needs more attention. At one point, we didn’t have enough tool and die makers. The Commonwealth got behind it, and now we have enough. Something like that is going to happen in the high schools, and across this region, where we’re retraining people to work in this space just because there are so many opportunities.”

One plan is to develop a ‘cyber range,’ which is a simulated IT environment that emulates the IT structure of businesses, Loper explained. “We can bring people into the cyber range and help them deal with threats to a simulated environment.”

All these strategies are running headlong into the rise, in the very near future, of 5G wireless connectivity, which will dramatically increase data speed — and perhaps security threats as well.

“The threat we have now is going to go on steroids with 5G and with IoT,” Loper said. “The opportunities for business development will be greater than ever, and the opportunities for penetration will be greater than ever as well. It’s amazing what’s happening with 5G — it’s mostly good, but pretty darn challenging.”

Those threats provide business for commercial insurers, and that coverage is important, Rivers said, but businesses have to think about their own common-sense defenses as well.

“As we do renewals or reach out to clients, we try to bring out what policies are available to them to protect them from different things,” he noted. “It’s easy for us to recommend everything, but there’s a cost, so we try to inform them what’s out there so they can make decisions — ‘do I want this? Do I want that?’”

Rivers cited a statistic from Philadelphia Insurance Companies, which reports that the average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public-relations expenses to rebuild an organization’s reputation.

“It’s one thing to take the data out, but when your brand is affected because you’ve had this incredible breach, that’s something else,” Loper added. “Your brand is what people think it is; it’s not what you think it is, like in the old days. Now, just look on social media, and that tells you what your brand is. Cybersecurity is one of those things that, if not done properly, can undermine your brand so quickly.”

In the end, Jardim said, the idea is to minimize risk.

“I always joke, the most secure machine is one that’s shut off in a locked room, but you have to find a balance,” he said — one that employs measures from simple common sense to choosing the right firewall.

“We see clients who have $5 million businesses buying a $100 firewall from Staples. You’re not going to protect your infrastructure with that. You need the right equipment for your size. You need professional stuff for your business — you can’t use the same equipment you buy for your house for your business.”

“Well, you can,” Christianson added quickly, noting just one more way people might take a limited view of cybersecurity threats — and come to regret it.

Joseph Bednar can be reached at [email protected]

Technology

Creating Cyber Solutions

Tom Loper says the ‘supply chain’ project will benefit the region and its manufacturing sector while also giving cybersecurity students a leg up on jobs.

A group of regional partners, led by Bay Path University, has been awarded a $250,000 grant from the Mass. Technology Collaborative for a pilot program that will address a host of identified issues — from a critical shortage of workers in the cybersecurity field to the need for smaller manufacturers to become more cyber secure if they are going to keep doing business with their customers in the defense, aerospace, and other sectors.

The project’s name is long and quite cumbersome.

‘Engaging Student Interns in Cybersecurity Audits with Smaller Supply Chain Companies to Develop Experience for Entry-level Positions While Improving the Cybersecurity Ecosystem in Massachusetts.’

Yes, that’s really what it’s called. And while that’s a mouthful — not that anyone actually recites the whole thing anyway — it really does capture the essence of an ambitious initiative spearheaded by Bay Path University and its emerging cybersecurity programs, and also involving Springfield Technical Community College, Paragus Strategic IT, the Economic Development Council of Western Mass. (EDC), and other area partners.

Breaking down that long title into its component parts certainly helps to tell the story behind the $250,000 grant awarded recently by the Mass. Technology Collaborative. The program, set to commence early next year, will indeed engage students in Bay Path’s cybersecurity programs in internships with smaller supply chain companies across the region. They will be working with employees at Paragus to undertake cybersecurity assessments of these small manufacturing firms, essentially identifying holes where intruders can penetrate and possible methods for closing them.

And the program will provide needed experience that is difficult for such students to attain, but very necessary for them to land jobs in the field. And it will put more workers in the cybersecurity pipeline at a time when there is a considerable gap between the number that are available and the number that are needed — a gap approaching 9,000 specialists in this state alone. And it will bring more women into a field that has historically been dominated by men and is struggling desperately to achieve diversity.

That’s a lot of ‘ands.’

Which helps explain why the Mass. Technology Collaborative, which was planning to divide $250,000 among several entities, gave that entire amount to Bay Path’s proposal and then found another $135,000 to award to two other projects, said Tom Loper, associate provost and dean of the School of Arts, Sciences and Management at Bay Path, who started with the small supply-chain companies, as he explained the project’s importance.

“These companies have a cyber vulnerability, in many cases, because they don’t have sophisticated systems and they don’t have sophisticated staff that can help create a cyber-safe environment,” he noted, adding that he took what he called a “Western Mass. approach” to the process of applying for the grant.

By that, he meant a focus on smaller businesses, as opposed to the larger defense contractors like Raytheon in the eastern part of the state, and also on schools like Bay Path (and its online component, The American Women’s College) and STCC that are graduating cybersecurity students but struggling to find them real-world experience to complement what they learn in the classroom.

Matthew Smith says that among the many potential benefits from the ‘supply chain’ project is much-needed gender diversity in the cybersecurity field.

Thus, the project is a potential win-win-win, with maybe a few more wins in there as well, said Rick Sullivan, president & CEO of the EDC, noting that winners include the individual students at Bay Path, the emerging cybersecurity industry, individual small manufacturing companies, and the region as a whole, which counts its precision manufacturing sector as a still-vital source of jobs and prestige.

“The large customers, the Department of Defense, the Department of Transportation … they’re really requiring, and rightfully so, very strict compliance with the highest cybersecurity techniques out there,” Sullivan said, referring to the requirements now being placed on smaller supply-chain companies. “When they go to the bigger companies, they have to certify their entire supply chains, and we have a lot of companies in this region that feed into that supply chain.”

Overall, the pilot program is a decidedly proactive initiative aimed at helping these smaller companies become aware of the requirements they will have to meet to keep doing business in such fields as defense and aerospace, and then help them meet those thresholds, starting with an assessment of their cybersecurity systems and immediate threats.

For this issue and its focus on technology, BusinessWest takes an in-depth look at the Bay Path-led project, its many goals, and how, if all goes as planned, it will close gaps in cybersecurity systems as well as gaps in that sector’s workforce, while also making the region’s manufacturing sector stronger and more resilient.

Day at the Breach

The project summary for the Bay Path initiative, as authored by Loper and others, does a very effective job of summing up both the many types of problems facing the state and its business community with regards to cybersecurity, and also how this pilot program will address several of the key concerns.

“Entry-level job postings for information security analysts and related cybersecurity positions typically require one to two years of experience in the field, making it challenging for recent college graduates with cybersecurity degrees to fill these positions,” the summary begins. “Bay Path University, a women’s university in Western Mass., will lead a project that will engage 30 undergraduate and graduate cybersecurity students, primarily women, in a full year of challenging experiences as paid interns on cybersecurity auditing teams.

“Teams will provide cybersecurity audits at a lower cost for small to mid-sized companies in the region,” the proposal continues. “Undergraduate cybersecurity interns from Bay Path University and Springfield Technical Community College will be assigned to auditing teams led by a graduate intern from Bay Path’s M.S. in Cybersecurity Management Program. Teams will be supervised throughout the audit process by seasoned cybersecurity specialists from Paragus Strategic IT. Through the internship, students will gain insight into the breadth and scope of challenges to the cyber ecosystem and hands-on experience working with employers to implement options for addressing these challenges. Project research and evaluation will be undertaken to confirm that the internship will meet the needs of employers who require prior experience.”

Like we said, that pretty much sums it all up — at least from the student intern side of the equation. In addition to classroom learning, experience in the field is necessary to break into the cybersecurity sector, said Loper, and such experience is difficult to attain. This pilot program will help several dozen students get it.

Meanwhile, the program will address the other side of the equation, the needs of small manufacturers in the supply chain — and this region has dozens, if not hundreds of them, who face many challenges in their quest to become safe (or at least much safer) from security breaches, a pre-requisite for being able to do business these days.

For an explanation, we return to the project summary:

“The majority of cybersecurity breaches occur in smaller supply chain companies, threatening the entire supply chain. Yet these companies often cannot afford the staff or resources to address ongoing needs for ensuring a cyber-safe ecosystem,” the solicitation notes. “Partnering with the MassHire Hampden Workforce Board, the MassHire Franklin Hampshire Workforce Board, and the Economic Development Council of Western Massachusetts, the project will engage 45 small to mid-size supply chain companies in the advanced manufacturing sector in western Massachusetts in cybersecurity audits. This strategy will be disseminated as a model for how other Massachusetts higher education institutions with cybersecurity programs can partner with employers and their regional planning teams to strengthen the cybersecurity ecosystem across the Commonwealth.”

Elaborating, Loper said the cost of a cybersecurity assessment (that term is preferred over ‘audit’) is approximately $1,500, an amount that challenges many smaller companies and is the primary reason why relatively few are done.

The pilot program will pay roughly two-thirds the total cost of an assessment, thus bringing assessments within the reach of more companies, which need to ramp up their cybersecurity systems and methods if they are going to keep doing business with most of their clients.

“Things are starting to change,” said Sullivan. “Cybersecurity and the threats that are out there are real, and this pilot program is an attempt to get ahead of all that, to educate and assess the smaller businesses here, with the next step being to hopefully address those needs so they can stay compliant, because that’s an extremely important part of our economy here.”

Sullivan said the EDC and other agencies will work to build awareness of this program and sign on participants. There has already been interest expressed by many of these smaller manufacturers, and he expects it will only grow as awareness of the project — as well as the need to be cyber secure — grows.

What the Hack?

For the record, and as noted earlier, the Mass. Technology Collaborative came up with another $135,000 to award for other pilot projects to help prepare entry-level cybersecurity job seekers to both meet the needs of employers, and address the growing cybersecurity job crisis.

The first, a $61,178 grant, involves an entity called STEMatch, which proposed a creative collaboration between community colleges, Massachusetts-based cybersecurity service and technology providers, and end-user businesses to expand the pool of potential cybersecurity to under-represented groups and displaced workers. The other, a $74,690 award, was given to the MassHire Greater New Bedford Workforce Board to advance a public-private partnership between the regional workforce boards of Southeastern Massachusetts, Bristol Community College, and the South Coast Chamber of Commerce, and employers in that region. The pilot is designed to help address the lack of skills and work experiences affecting Massachusetts employers and will utilize best practices developed in Israel to create training and work experiences for students in grades 10-12.

Those projects, as well as the Bay Path initiative, drive home the fact that there is not just a gap, but a real crisis when it comes to filling jobs in this emerging and now all-important sector.

“Companies are craving talent,” said Matthew Smith, director of Computer Science & Cyber Security Programs at Bay Path and assistant professor of Computer Science & Cyber Security in the School of Science and Management, as he attempted to qualify a problem that’s difficult to quantify.

That’s because while there are posted positions within this sector — many of them lacking candidates — many of the jobs are not posted, increasing the size of the gap.

Closing it requires not merely people with degrees in Cybersecurity, although that’s essentially a pre-requisite, said Smith, but individuals with what could be called real-world experience on their resumes.

The pilot program will allow students at Bay Path and STCC to put five cybersecurity assessments on their portfolio, which should certainly help open some doors for them.

“Our students won’t just be getting a degree, but also the necessary talent to be contributing to the workforce on day one,” Smith told BusinessWest. “Once they have these assessments and use these tools that are industry standards, they’re going to be thrown right to the top of the application pool, because most of those are search-engine driven, so once they put these key words in there, they’re going to be very marketable.”

This marketability should only help further develop the graduate and undergraduate cybersecurity programs at Bay Path (both traditional and online) that are already seeing explosive growth, said Smith, adding that the industry needs not only workers, but gender diversity as well.

“Only 11% of the jobs in the field are held by women,” he said. “The gender imbalance is very real, and it’s our main mission to provide these women the skills and get them their degrees, so they jump into the cybersecurity workforce and start taking those unfilled positions and close that gender imbalance; many companies are craving diversity in their workforce.”

Securing a Better Future

As noted earlier, the name on this project is long and cumbersome. But it breaks the problem and one possible solution into one highly efficient and effective phrase.

The pilot program will set a high bar when it comes to potential outcomes and goals for achieving progress with the many significant challenges facing the cybersecurity sector and the cyber safety of individual companies.

But a high bar is necessary because the problems are real, they are growing, and solutions are needed.

This program was conceived to not only help this region clear that bar, but provide a roadmap for other regions to follow. If it can do all that, the state’s sizable investment will yield huge dividends.

George O’Brien can be reached at [email protected]