This story is the third in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center. [Read the rest of the series here.]
It’s like leaving the keys inside the lock.
As our lives become more technologically connected, our sensitive information is increasingly at risk. Whether personal or business, networks are vulnerable to attacks every day. Fortunately for local small businesses, Michigan has been recognized as a state with serious cyber security credentials.
Designated by the National Security Agency (NSA) as “National Centers of Academic Excellence in Information Assurance,” five Michigan colleges – Walsh College, University of Detroit Mercy, Eastern Michigan University, Davenport University and Ferris State University – are leading the pack when it comes providing students with tools they need to work in the burgeoning field of cyber security.
The NSA and the Department of Homeland Security (DHS)
jointly announced in 2009 that the Michigan colleges are among “the first 44 institutions designated as NSA/DHS National Centers of Academic Excellence (CAE) in Information Assurance (IA)/Cyber Defense (CD). The updated criteria benefit not only the institution, but also students, employers and hiring managers throughout the nation.”
What this means for local small business owners is that they needn’t seek information from across the country, or around the world, to keep themselves and their customers safe from cyber-attacks. Everything they need is right here in Michigan.
Having the Internet of everything (IOE)
When breaches do occur, whether on the personal level, or the business level, having a contingency plan allows you to address them, says Dr. Pamela Imperato, the dean of Davenport University’s College of Business Leadership. Davenport University received its designation in 2011.
“We do have the Internet of everything (IOE), and we really want people to participate in the new economy…as much as it is important for companies to protect their networks, for us to provide those technical assurance, there’s also that intended responsibilities for us as educators – for us as community members and community members – to not have people fear the new frontier. That’s a profound and interesting challenge,” she continues.
Obtaining the NSA designation was part of rising to that challenge. “Initially, the part of getting the designation was just to reinforce that our curriculum was on target with what our students needed to learn to work in the industry,” says Professor Lonnie Decker, department chair of networking in College of Technology at Davenport. “Since then, it’s really become a part of us being part of the cyber defense community.”
With over 200 Centers of Academic Excellence designated by the NSA, Decker adds, they work together to advance the cyber security needs of the country. “Part of the role of this community is to provide graduates, to fill these needs in private sectors as well as government.”
The biggest challenge, says Bob Clarkson, associate dean of the College of Business Leadership at Davenport, is ensuring that the curriculum is broad enough to cover all aspects of the industry.
Risk security
For Barbara Ciaramitaro, lead professor of IT and cyber security at Walsh College in Troy, the NSA designation is key to Michigan’s success.
“Walsh was one of the first universities in Michigan to actually achieve that designation of a Center of Academic Excellence in Information Assurance,” Ciaramitaro says.
In 2013, the NSA tightened its requirements. “What the NSA and the Department of Defense and Department of Homeland Security said was ‘we no longer want to treat it as a silo,’ Ciaramitaro says. “’We want you to integrate these concepts into all of your courses.’ One of the things we did at Walsh was redesign our undergrad and graduate programs. In a way, that allowed us to fully integrate cyber security into all of our courses.”
Ciaramitaro says it’s not just about data breaches anymore. It’s about connectivity. Connected videos. Connected electric grids. Home alarms. Billions of devices are connected to the Internet, and what’s alarming, he says, is that a majority of those devices have no security protection at all.
“What I think people don’t realize is that connectivity is a playground for cyber criminals and other types of malicious attacks,” Ciaramitaro says.
Some companies are signing up for cyber risk insurance, and that might seem attractive for small business owners, however there are things to be aware of.
“When you look for cyber risk insurance, make sure that you truly understand what is required, what is covered, what is excluded,” Ciaramitaro says. “Most cyber insurance companies want you to follow a certain set of what they would call best practices or controls. You have to be vigilant.”
Not just an ‘IT issue’
The ISI (information security and intelligence) program at Ferris State in Big Rapids, was
the first university program in the United States to receive Department of Defense Cyber Crime Center and Air Force Office of Special Investigations Center designation as a National Center of Digital Forensics Academic Excellence.
“You have to map to certain competencies,” says Dr. Greg Gogolin, professor and program director for information and security at Ferris State. “You’ve got to show that the faculty is competent to deliver the curriculum. I thought that was an important step. You’ve got to have a minimal number of points, and minimal number of points overall to be certified. It helps to ensure a level of quality.”
Overall, Gogolin finds that small businesses are not always prepared. And often, they’re not looking at cyber security from the proper perspective.
“Within an organization, a lot of people view it as an IT issue,” Gogolin says. “Awareness is actually the number one challenge facing organizations in that everyday practices, most people don’t understand the impact of a lack of good practices. You can really put a lot of time and effort into our security, but you’re kind of at the mercy of other people or other organizations.”
Having a 'security mindset’
Eastern Michigan University (EMU) has been a Center of Excellence in Information Assurance Education since 2005. They recently re-designated under the new criteria (an updated version in 2015).
“It’s important to our school because it gives confidence to our students and their parents and helps us recruit students,” says Dr. Xiangdong “Sean” Che, assistant professor, CISSP, School of Information Security and Applied Computing. “This branding is going to be a shining point in their resumes when they try to look for a job. Also, this designation is often a requirement for the school to apply for more research and educational grants. It’s a big deal for everybody–especially our students.”
Che says that the designation is a group effort led by the school and fully supported by the faculty, staff, and administrators from all over the university. The university as a whole needs to comply with the NSA’s information security standards and follow all the policies commanded by NSA.
“Small business owners need cyber awareness and should always be aware that no matter how small your business is, you can be a target,” says Che. "It’s all about having a security mindset," he adds.
“Many times, it’s not the user’s fault, but the software itself,” says Che. In his experience, software developers should make their software more secure and less prone to malicious activities; however, many software companies will put productivity and profit before security and try to make money as fast as possible. This is an issue for the whole industry. They need to have a security mindset while they’re thinking about money.
Basic passwords such as “12345” are also part of the problem.
“Without a security mindset, your system might be compromised sooner or later,” Che says.
All in all, the efforts to secure Michigan’s businesses–particularly small businesses and employees–have been robust, an evolving series of steps for the ultimate goal: protecting our sensitive data.
The effect is cyclical. Institutions such as Walsh College, University of Detroit Mercy, Eastern Michigan University, Davenport University and Ferris State University are educating the cyber security experts of the future (and present).
Bottom line: It doesn’t matter what sector you work in, or how well you might safeguard your information. Everyone’s at risk.
“Businesses are struggling to identify the threats when they come in,” Ciaramitaro says. “It’s not
if, it’s
when.”
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.