Content sponsored by Eleven Fifty Academy, Sondhi Solutions, Pondurance, and Anderson University

Top executives at Pondurance, Sondhi Solutions, Anderson University and Eleven Fifty Academy discuss escalating cybersecurity threats, how companies can fight them and the job opportunities being created along the way.

How have the pandemic and upcoming election influenced cybersecurity?

Jason Johns: Cybercriminals don’t care about the pandemic or the election, but they are absolutely going to use to their advantage the fear and confusion associated with both events. Early in the pandemic, cybercriminals used the economic stimulus as a way to exploit individuals and companies. Now, they’re using the pandemic AND the election to do more of the same. Understanding the mindset of a cybercriminal is important here. The costs and risks associated with perpetrating a cybercrime are negligible, and the rewards are relatively lucrative. For companies, the three pillars of cybersecurity still apply: management, monitoring, and training. Leadership is ultimately responsible for creating a policy framework that enables IT to effectively create a defensible environment. Ongoing training ensures all users have the skills to identify and report potential attacks.

Dewand Neely: The pandemic forced almost every corporation to extend their company networks into the homes of their workforce. Companies that had to move quickly may have taken shortcuts and allowed their users to have access without a security tunnel and without proper network protections. Bad actors are having a field day. That’s scary. The upcoming election will probably be one of our most difficult in terms of misinformation being spread across the web. We need verification of sources and tamper-proof mechanisms for our most trusted websites.

Ron Pelletier: The digital world we know today was long imagined and coveted, but its convenience and availability come with baggage that the cybersecurity industry was created to deal with. The pandemic largely confines the workforce to remote connectivity, which can remove certain protections for digital assets. It is critical in these cases that the endpoints themselves be adequately protected, with due consideration of advanced malware prevention and detection. The election poses a host of risk issues, not the least of which is data integrity. If we cannot have more than reasonable assurance that this data cannot be tampered with or compromised in some way, then we are forsaking integrity for convenience.

John Pistole: Since the start of the pandemic, there has been a significant increase in the number of cybersecurity attacks, particularly phishing emails and online scams. With so many employees working from home, companies are forced to make tough choices between security and productivity, when they are already experiencing unprecedented organizational stress from the pandemic and have fewer resources. As for the election, the cyberattacks of 2016 and attempts to penetrate election administration databases in multiple states have demonstrated the need for parties, campaigns, and local governments to increase efforts to protect election infrastructure. This has resulted in the departments of Defense, Homeland Security, and the FBI, among others, developing partnerships with state and local governments, pooling resources against attacks from a growing list of foreign actors.

How has artificial intelligence affected the way business is conducted today and how can business leaders leverage it to improve productivity and efficiency and reduce risks?

John Pistole: Lots of possibilities are opened up with AI, depending on the needs and possible uses of the information. For example, AI helps business leaders assess options using predictive analysis, thereby reducing the time and expense of typical decision making. This is a multi-faceted question better answered in a more detailed forum.

Jason Johns: The capabilities and adoption of artificial intelligence have exploded in the last few years. Currently, AI is exceptional at learning, handling complex, repetitive tasks, and making decisions based on data. If you aren't actively using AI in your business, you're probably taking advantage of services that are.

From a cybersecurity perspective, Sondhi Solutions uses advanced AI to identify, triage and, in many cases, prevent or remediate known threats in near-real time. Our AI learns how our clients’ environment looks normally and can quickly detect abnormalities and match those against a global database of known threats. This frees up our cybersecurity experts to focus on maturing our clients’ security postures. We can do more with less, and ultimately, pass those savings along to our clients.

Dewand Neely: AI has helped to improve front-end support systems, whether it’s helpdesk-type services, chatbots or a simple intake system or process. This has helped to free up staff to focus on more value-added tasks in the organization.

AI has also helped to reduce risk in the area of fraud and anomaly detection. AI capabilities are exponentially greater than those of humans at analyzing millions of transactions and behaviors and establishing a definition of normality. This makes it easier to spot abnormalities. Eleven Fifty’s cyber graduates have extensive experience using our multi-million dollar “Cyber Range,” which simulates real-life attack scenarios and allows graduates to effectively use tools that leverage AI to efficiently reduce risks.

If I'm a company executive, and I'm being told that we are having a cybersecurity incident, what should my immediate reactions be? When do I get law enforcement involved?

Ron Pelletier: My advice to any executive is to follow your well-rehearsed, documented incident response plan. Hopefully, however, this is a question asked and answered during a period of calm and not at the time of the event. For instance, if you rely on third parties for services such as legal or incident response/forensics, I want to have communication protocols nailed down and rapport to have been established to assure a quicker and more organized response. I also need to make sure I’ve cleared my preferred providers with my cyber liability insurance company, so that I’m not forced into an arranged marriage of sorts.

Jason Johns: My best advice is to have an incident response plan so you don't have to answer this question in real time. This plan should be your company’s step-by-step playbook, including when to contact law enforcement. As a business owner, your immediate reaction should be to ensure your team follows the established checklist.

Unfortunately, cybersecurity incidents aren't always as clear cut as incidents in the "real world," and given the number of state, federal and international laws around data privacy and protection, this is a case where an ounce of prevention equals a pound of cure. Your IT service provider should have the majority of this plan in place, but it’s a good idea to connect them with your legal counsel and insurance provider to make sure you're completely covered.

Dewand Neely: Hopefully, the company chief information security officer has created a response plan that details what happens, who should be notified within the company and who is running point on the response. Eleven Fifty Academy’s cyber graduates would be especially useful in helping respond to these types of incidents. Unauthorized access to any network is a crime, so technically one should always let law enforcement know, particularly the FBI. Some companies are wary or fearful of this, but nine times out of 10, someone else has experienced a similar incident. Notifying the FBI can help find the culprit.

John Pistole: The FBI and local law enforcement can be invaluable resources in an incident response situation. Aside from helping with the resolution, they also can help spread awareness to keep other organizations safe.

So far, there has not been a lot of consensus on who to call first. It really depends on the resources of the jurisdiction you’re in. Many of the cybercrime losses that a business may experience don't reach the prosecutive guidelines used by the US Attorney's Office, for example, or the FBI, as a way of prioritizing their work. There are other reasons, though, that you might need to notify law enforcement. For instance, if you have a cyber-insurance policy or can determine data breach, it may demand that a business notify law enforcement.

If you were to make minimum recommendations to your customers to protect their digital assets, what would they be?

John Pistole: According to the US Small Business Administration, small businesses make up 99 percent of US businesses. Unfortunately, small businesses are also one of the most targeted by threats.

Fortunately, the National Institute of Standards and Technology has created many documents for standards and guidance in the realm of cybersecurity. Suppose you are a business that has not addressed cybersecurity risks before. If that is the case, one great document to start with is the NISTIR 7621 Revision 1 Document "Small Business Information Security, the Fundamentals." It will walk you through how to manage cybersecurity risk and the NIST cybersecurity framework to protect your environment.

Two additional resources are the Indiana Cybersecurity Scorecard and the Critical Security Controls top 20, which describes tools organizations can employ to control most cyber risk.

Jason Johns: It’s not a matter of if your organization will get attacked, but when. So, being able to quickly recover from a cyberattack should be a priority. If you can’t do anything else, having a well-maintained and thoroughly tested data backup plan is a good first step. Storing those backups in a secure location separate from your network is key. I can’t stress enough that fully testing backups should be a priority. Believe me—you do not want to find out about the gaps in your backups when you're trying to recover from a ransomware attack at three in the morning. Second, having a comprehensive disaster recovery plan will decrease the amount of time you'll be down when you are inevitably attacked. Finally, train your employees. They are your first line of defense in the war on cybercrime.

Dewand Neely: I would recommend creating a “risk register” for all digital assets and systems in order to set priorities and make sure those delineated assets are genuinely protected using “best in class” methods and tools. For those who don’t already have the expertise in house, Eleven Fifty Academy has one of the best cybersecurity programs in the nation, so we have many graduates who are experts who can help.

Ron Pelletier: There are five key things I would recommend, at minimum, to any organization. Those are: Vulnerability Management (patch your systems continually, and monitor for configuration weaknesses); Multifactor Authentication (a password as a single authentication mechanism is too easy to compromise … trust me); Next Generation Antivirus (next gen programs work on a math model or algorithm whereas legacy antivirus works on the basis of signatures … a small change in malware code can render the signature ineffective); Human-Centric Threat Hunting and Response (if you over-rely on technology and prevention, you are more likely to miss the actions of a dedicated attacker. Our adversaries are human, and as such we need humans to offer equal counter); Awareness Training (it’s often said that people are the weakest link in the security chain. A bit of situational awareness can go a long way to prevent phishing, vishing, or other forms of attack that might lead to a further exploitation or compromise).

Let’s talk for a moment about jobs in cybersecurity. Where are the jobs in cybersecurity these days, how much do they pay, and how does one become qualified?

Dewand Neely: Pay for cybersecurity jobs can range from $50,000 to more than $150,000. For a typical company, there is perimeter (network) security, application security and cyber risk/governance. Those typically involve different people with various skillsets. Network security personnel may have a bevy of certifications from Cisco and CompTIA or other security hardware manufacturer certifications, which, by the way, can be acquired through Eleven Fifty Academy in 14 weeks. Application security folks may have penetration/vulnerability testing, remediation experience, and system administration skills, which are all available from Eleven Fifty’s programs, too. Cyber risk/governance roles are typically CISOs or equivalent who may or may not be a Certified Information Systems Security Professional but require deep experience in assessing business and operational risk in corporate environments.

John Pistole: In the next 10 years, cybersecurity jobs are projected to grow at a rate of 31%, much faster than the 4% average for all occupations, according to the US Bureau of Labor Statistics. These jobs span from intensely technical technology-focused positions, to the workforce education cyber specialists, to national-security related government positions. The demand for these jobs will be challenging to meet. Anderson University has designed its cybersecurity major as an interdisciplinary program, designed to produce graduates with not only the best technical skills, but also a deep understanding of the national security landscape, as well as excellent communication and critical thinking skills due to an outstanding liberal arts education.

What types of people gravitate toward and are good at cybersecurity jobs?

Ron Pelletier: Fortunately, there is an array of functions and skillsets that provide a career path. Critical thinkers can be successful in providing data analytics and process control evaluation, so long as there is a basis of risk knowledge that can be appropriately applied. On the more technical side of security, this is more than a 9-to-5 job; it’s an obsession. The most successful technical analysts are those who are never satisfied with what they know. Rather, they are driven by what they don’t know. They are always doing research and testing methods that provide a basis for counter and mitigation. They do this on weekends, vacation, in their sleep. It’s a lifestyle that flirts with compulsion … and I couldn’t be happier that there are those out there that do this for the good and not the bad.

John Pistole: The cybersecurity program at AU is designed for students who seek to defend against cyber threats in industry and public service. People who gravitate toward cybersecurity typically enjoy solving puzzles, digging down to find the root cause of a problem, and integrating information from many sources into a whole. Being detail oriented is important, because sometimes the smallest breadcrumb is the key to cracking the case.

Dewand Neely: We look for candidates who have a knack for spotting things that “don’t fit” or seem “out of place.” For instance, actuaries or accountants would typically be great candidates to work in cybersecurity. Also, those individuals who would be a traditional crime fighter in the sense of a policeman, or who come from the military, are drawn to cybersecurity because, in the end, you are just trying to protect people in a different space: the digital world.

What role can colleges and universities play in helping educate the public about cyber threats and cybersecurity?

Dewand Neely: I don’t know how much or how often this is done today but creating “public service announcements” on the common threats and helping with training the layperson on what threats are and how they occur could be extremely valuable. There are new areas of the country getting connected to high-speed internet every day and there are new generations of young people who discover the internet every day. Learning to be vigilant from the start will go a long way to help us all be better protected. Our programs are extremely effective at providing this education on either a full-time or part-time basis.

John Pistole: Anderson University’s Center for Security Studies and Cyber Defense was established through a $1 million Lilly Endowment grant to support our students and community. The CSSCD supports the mission of Anderson University’s Security Studies Program to develop a pipeline of graduates with excellent technical skills and a desire to serve on the front lines in defending all of us from threats, foreign and domestic, in both the physical and cyber realms. The CSSCD supports the community by providing a number of low- or no-cost security services to local and regional constituents. These include cybersecurity audits, monitoring through the CSSCD's Security Operations Center, penetration testing, and table-top exercises for testing organizational responses to security threats. The Center also offers training and certification for the local workforce through workshops and seminars taught by security studies faculty, CSSCD staff, and field experts.

What should smaller businesses who cannot afford cybersecurity staff do? What resources are out there for them?

Dewand Neely: Security training and awareness. Say it three times. If computers were left to run themselves there would be no vulnerabilities exposed, but people hold the keys: login credentials and access. The more people are trained on good cyber hygiene and practice it daily, the safer your business will be. Security Mentor, KnowBe4 and Media Pro are a few resources that offer effective employee training and ways to test your employees.

Ron Pelletier: Do not overengineer your program. Start with a risk assessment. Understand what it is you have, who would want it, how they might get it, what impact it causes if they do, and finally what risk you are willing to accept. I’ve seen small companies spend a fortune on security tools, only to unintentionally weaken their programs because they don’t have enough people to manage the inputs and outputs of those tools, including the discernment of what is real or a false positive.

John Pistole: The Center for Security Studies and Cyber Defense at Anderson University is a great resource for small businesses. A second resource is free guidance from standards groups like NIST, PCI-DSS, DISA, and the Center for Internet Security. Another option is to get involved in your local information sharing group. This may be the Information Systems Security Association, the Indiana Information Sharing and Analysis Center (IN-ISAC), or the public-private FBI partnership program InfraGard.

Jason Johns: There are a couple of strategies that can help improve security posture without breaking the bank. Some organizations might find investing in training for their existing IT teams is a good place to start. Improving the level of education of your best and brightest can kickstart an organization’s security. We often see companies that know they need help securing their IT environment but can't afford adding full-time equivalents. In this case, outsourcing to a managed services security provider can be a good choice.

Beyond the pandemic, what are some upcoming cyber threats and risks that you foresee and how can companies prepare best to mitigate them?

Jason Johns: Cybercriminals are starting to use artificial intelligence and machine learning to more quickly and effectively conduct advanced cyberattacks. As companies continue to adopt cloud environments, you can be sure that cybercriminals will seek ways to exploit misconfigurations. Beyond that, social engineering attacks like phishing continue to escalate, and soon, those attacks will move beyond email to text messaging and other platforms. While the fundamentals of information security still apply, securing your company's digital assets requires constant vigilance, and a DIY approach is unlikely to cut it.

Dewand Neely: Ransomware threats are becoming increasingly complex. I would recommend companies work now to have a quick and effective business recovery plan and a way to restore their most critical data without having to pay ransomware authors for it. Eleven Fifty Academy is helping students achieve the skills needed to preemptively defend against or react to these threats and risks.

John Pistole: Much of the increase in cyber-attacks has been driven by nations and terrorist organizations. They assemble teams of hackers to fund their operations through cyber-based extortion, which is fueling the increase in ransomware. Another threat is the theft of intellectual property. To best prepare for this threat, companies must recognize their trade secrets are potentially at risk and identify the vulnerabilities in where those secrets are stored. Companies need safe storage practices, workforce training for awareness of phishing attacks and password security, and real-time monitoring for security breaches.

Finally, how can technology aid in maintaining workforce morale and employee engagement?

John Pistole: Simply by making relevant information more widely available on a timely basis, providing transparency throughout the company.

Jason Johns: The single biggest shift for us was not having natural face-to-face collaboration in the office. Since we lost the ability to have those brief conversations at the water cooler or in the elevator, we had to pivot and be much more intentional about engaging. First, we embraced the video call. Seeing each other in our "natural habitats" has been great. Meeting folks' pets and hearing the kids play in the background has helped bring us together in ways we couldn't easily accomplish in the office. Second, we started celebrating the small stuff. We take full advantage of our "All Company" channel to welcome new employees and celebrate birthdays and anniversaries.

Dewand Neely: Companies need to bring in new communication and collaboration tools that are purpose-built for employee engagement. Companies will need to be intentional in this effort and leverage technology to do the normal check-ins and feedback discovery that we used to be able to do on a daily basis at the water cooler or break room. Companies need to communicate much more often and effectively. Tools such as PeakMind are helping companies leverage tech to address issues in this area.