"A lot of people think of cybersecurity and they think big companies, places like banks and hospitals," says Troy Baker, Manager of BBB Communications. "There's a perception that the scammers are targeting the big places, and the little places don't have to worry about it. But that is not true at all. Every business has a cybersecurity issue. Every single one."
When it comes to cybercrime, the question is no longer if you will be affected, but when.
By 2021, more than 3 billion humans will be sharing the details of their lives on social media. Right now, that accounts for 79 percent of all Americans, more than 161.6 million of whom use online banking services.
An increasing amount of our lives is being spent and shared online, and that means more personal information is exposed to malicious hackers. A single database of email addresses and plain-text passwords is all someone needs to exploit the financial accounts of many more individuals. And, when you hear about a credit card company, email server, or even a menial mobile app company suffering a data breach, this is often times exactly what is happening.
By 2021, more than 3 billion humans will be sharing the details of their lives on social media.Making matters worse, those at risk may not be alerted until months after the breach has taken place and the hacked company has prepared an official statement.
"As we're connecting more and more things to the internet, as we're doing business around the world, we've got malicious actors and foreign nation states that are trying to harness that information and upset things," says Anthony Tuttle, Program Manager of Cyber and Tech Initiatives at the West Michigan Center for Arts + Technology. "It's really important for us as a nation; it's really important for our state and local economies to protect that information."
What do we have to fear?
We’re all familiar with spam, but that doesn’t make it any less a threat to security. Even low-tech versions in the form of fraudulent invoices sent by unscrupulous individuals posing as reputable vendors are effective traps, Baker says.
While working with a business in Battle Creek, Baker became well acquainted with the damage a “spear phishing” attack can do. A scammer used personal details about the CEO of the business to connect with the head of human resources within his own company. Using a simple email address, the hacker masqueraded as the company's CEO, told HR he had recently changed banks, and used the direct deposit forms to divert the CEO’s paycheck to a bank in California.
Who can help?
The Cyber Hub at WMCAT is providing opportunities for high school students, established professionals, and those interested in augmenting their skill sets to enter the field. As an extension of the Michigan Cyber Range, powered by Merit Networks, the Cyber Hub is focused on educating and certifying the public in cybersecurity careers. And, as part of WMCAT, the hub has integrated elements of design thinking into its evolution. It is connecting with people who are already equipped to work in cybersecurity and preparing them for open positions in the community before moving on to those who are less prepared.
Anthony Tuttle“We need cybersecurity people to protect our data," Tuttle says. "And our critical infrastructure today is not fully covered. That's only going to get worse as our lives are increasingly online."
Most small businesses don’t actually have an IT security analyst to protect that data. According to Scott Taber, cybersecurity awareness program specialist at the Michigan Small Business Development Center, more common is the general IT manager who makes sure the network is up and running, or a managed service provider that performs a lot of the same tasks.
The SBDC offers instruction for businesses looking to improve their approach to cybersecurity. The Small Business Big Threat assessments are targeted at non-technical small businesses and government contractors, both of whom need to be aware of the threats they face, Taber says.
The assessment can point out vulnerabilities in a security strategy, but ongoing education can take it one step further and turn non-techies into a business’ critical defense against hackers.
That’s the route many more are expected to take at the Cyber Hub.
Tuttle admits, he also took a different approach to joining the tech industry. After receiving his undergraduate degree at North Carolina State University, he got a business degree at Wake Forest and started working at Steelcase in 2012.
"I was sort of sitting on the fence between furniture, technology, higher ed, and corporate sales channels," he says.
From there, he moved up to managing an interactive whiteboard and making sure the software data remained secure across a large user base. Now, he manages the Cyber Hub.
Like other WMCAT programs, the Cyber Hub will serve high school students and those who have less prior exposure to the field. In the immediate future, the classes are aimed at individuals who might have a background in computer science or technical experience they aren't putting to use. Smart Zone LDF funding further decreases the barriers to entry, which is important to the state's economy.
Where will they work?
In the next decade, an estimated 1 to 3 million cybersecurity jobs will be available, but unfilled. Today there are 313,000 positions available, at least 6,800 in Michigan alone. Many of the applicants who eventually fill those positions may come from the Cyber Hub.
"We want to hopefully keep them at home where they already have roots, rather than saying, 'You have this great set of skills, we're going to hire you to go work at Target in Minneapolis or recruit you out to Silicon Valley,'" Tuttle says.
A handful of certification boot camps at the Cyber Hub certify students in (ISC)² Certified Information Systems Security Professional (CISSP), CompTIA – Security+, and EC-Council – Certified Ethical Hacking. They prepare students for the next step in IT management. The instructors are arranged through the Merit network, and sourced locally, whenever possible.
Outside of the certification boot camps, each comprising 40 hours of coursework, the Cyber Hub offers two to three-day workshops and training focused on a specific topic. Students won't leave with credentials, but they will understand much more about the subject.
WMCAT will host boot camps for people looking for cyber security certifications."The boot camps are geared more towards people who already have a background, or already have a career, and are looking for that next step up," Tuttle says. "The labs are going to be geared towards people who are less technically skilled, newer to the industry, and more interested in building out their skills."
Over time, the Cyber Hub could create its own sustainable economy, too. There is a shortage of qualified cybersecurity educators, and as more students go through the hub, as classes are added and students return to act as mentors, it becomes a greater community resource.
Soft skills in tech
Hundreds of thousands of open positions in cybersecurity mean that certified professionals have little between them and gainful employment. It also means they may be entering positions in which they are the only cybersecurity professional in the organization. General purpose IT managers are valuable, but they can also be overwhelmed with every technical issue that comes up in a less-than-technical organization.
That's when a few soft skills can make a difference.
WMCAT and the Cyber Hub are uniquely prepared to impart these skills to cybersecurity professionals. It's a neutral non-profit environment, not an accredited university or private undertaking. Its administrators work with adults, employers, and K-12 students.
As the name implies, WMCAT embodies a nexus of understanding between arts and technology, with public and private partnerships, with programs like Public Agency, Ambrose, and its own workforce development department to vouch for it.
Like IBM, whose CEO Ginny Rometti spends half a billion dollars a year on rescaling her company’s workforce around creative problem solvers, the Cyber Hub values those with a liberal arts background, critical thinking and communication skills that are more important to the technology industry than previously recognized.
Strength in diversity
There's a stigma that follows the cybersecurity field, and that may be one of its biggest vulnerabilities.
The stereotypical IT professional is a white male. He may be sitting in a basement or in a dark closet, wearing a hoodie, hacking away in the dark.
"The skill base is largely white and is largely male," Tuttle says. "And if you think about creative problem solving, how do you flesh out the way that your organization solves problems differently? You have people who have different lived experiences. So, how do we tap the talent portals, communities of color, the women who are pretty heavily underrepresented in these careers?"
The answers to those questions may not be found in traditional approaches. The status quo only furthers the stereotype, and companies that are breaking that barrier are putting a large number of resources toward innovation.
What's needed for the job is not always technical mastery, but effective communication. Cybersecurity pros need to communicate the value of risk to an executive board, they need to point out vulnerabilities on a network, present the cost of taking action and the cost of not taking action, and which is the best path to take.
That will take new faces of color and breaking stigmas.
"I'm looking at the makeup of people in cybersecurity positions, and they're largely white, largely male, and there's a lot of underrepresentation just from people of color," Tuttle says. "A lot of times, there's peer pressure within our communities. Something may be seen it's nerdy, or uncool. And I might be really excited about it. But I will sort of self-select or opt out because it's not culturally accepted. We're working on building the pipeline for talent, providing not only the access, but the exposure, excitement, awareness, support, and permission for people of color, for women, for anybody to get into this career, and see it as just a fun, cool skill to have."
Funding the Cyber Hub
For the next two years, the Cyber Hub is contracted by the city of Grand Rapids through the Smart Zone Local Development Finance Authority. Through that contract, more specifically a memorandum of understanding, the Cyber Hub is also obligated to support the West Michigan Cyber Security Consortium (WMCSC), a group of more than 700 practitioners in Michigan's fifth district.
"They've been around for about 10 years, and just by virtue of how they've been funded in contracts with the Department of Homeland Security, they didn't have a web presence," Tuttle says. "So we were able to stand up a website for them and run an events calendar through that, helping them provide a presence at GrrCon, a hacker conference in the fall."
The Cyber Hub maintains partnerships with the City of Grand Rapids, MEDC SmartZone, Michigan Defense Center, Michigan Cyber Range, and WMCSC, which connect the organization to financial and personnel resources.
Cybersecurity isn't something you can close the book on after taking a class. It's constantly evolving. New threats appear almost daily, and new ways of mitigating them.
"When it comes to IT security, it is a continuous education," Baker says.
The IT professional at the BBB works on five different IT related blogs every day. He is constantly improving his skill set, learning about what's coming next, and making sure he isn't working in a vacuum.
"You either need to have somebody specific at a business to watch your back as an IT person, or you need to do it yourself," Baker says. "Small businesses might not be able to hire a standard full-time IT person, but they need to make sure they're staying educated themselves. It is almost a full-time job."
For those looking to take that job, classes begin soon.
Urban Innovation Exchange highlights the people and projects transforming West Michigan through sustainable efforts. Matthew Russell is the editor for UIX Grand Rapids. Contact him at [email protected].
Photography by Adam Bird of Bird + Bird Studio.