March 24, 2015

(Martinsville Bulletin) -- Providing cybersecurity is a business, and — for better or worse — business is booming, according to speakers at a Virginia Cyber Security Commission town hall meeting.


More than 50 people attended the meeting Monday at the New College Institute. It was one of five meetings the commission, formed last year by Gov. Terry McAuliffe, is holding across the state.


Keynote speakers included Bill Donohue, president of GENEDGE, a business consulting organization based in Martinsville; Tom Bowers, principal security strategist with ePlus of Herndon; and Rhonda Eldridge, director of engineering with Technica Corp., which is based in Dulles.


A panel discussion also featured Jennifer Bisceglie, CEO of Interos Solutions, which has an office in McLean, and retired Coast Guard Rear Adm. Bob Day, executive director of the commission.


“Cybersecurity is a business,” Donohue said. “It’s about protecting critical information. It’s about protecting physical and infrastructure systems from harm. It’s a business, and that’s why the commonwealth of Virginia is so interested in this.”


Providing effective cybersecurity is a fast-growing challenge, Donohue said. From 2014 to 2015, he said, there was a 48 percent increase in global security incidents; for the sake of comparison, the global smartphone market grew by only 22 percent in the same time period.


In 2013, Donohue said, companies spent an estimated $90 billion on cybersecurity to prevent hacks and breaches.


“When I look at statistics like that, I can say, ‘Oh, woe is me, this is not good,’ or I could also say, ‘While it’s a problem, it’s a very high growth market,’” Donohue said. “Where there are problems to be solved, generally what can follow? Jobs.”


The majority of the companies getting attacked, he said, are large businesses with annual revenues between $100 million and $1 billion. The source of the hacks can vary wildly, from foreign nations to activists to organized crime.


“In a lot of cases though, companies don’t think about the fact that a lot of their risk is inside their walls,” he said. “It’s inside their security networks. It’s current employees, it’s former employees, it’s contractors.”


A career in cybersecurity can be a lucrative one, Donohue said, with average annual incomes around $102,000. The majority of professionals in the industry have bachelor’s or master’s degrees, he added.


“Continuing education and certifications, much like the New College Institute is setting up to do for advanced manufacturing technology ... can do the same thing for cybersecurity,” Donohue said.


Bowers, who also is a founding board member and current chairman of the National Cyber Security Partnership, said that if a group of hackers makes an organized effort to hack into a company, there’s little anyone can do to stop it.


“As a chief information security officer, my colleagues and I simply assume that we’ve been breached,” Bowers said. “We just don’t know how long and how bad. ... If hackers want to get in, they’re going to get in.”


Right now, Bowers said, the health care industry is seeing more data breaches than any other field.


“Why health care?” he asked. “When Target got breached, those credit cards were worth about $25 apiece. When a health care record gets stolen, they’re worth between $250 and $500 per record. There are at least seven different ways to conduct prescription fraud, insurance fraud, identity theft ... health care is under siege right now.”


After the 2008 recession, Bowers said, many companies fired their cybersecurity staffs to save money. Within two years, he said, many of those companies were experiencing huge data breaches.


The best practice, he said, is for companies to adopt “reasonable person” standards for cybersecurity — that is, implementing the amount of security that a reasonable person would find sufficient. Otherwise, the legal consequences could be dire.


Some firms that have seen their data breached are likely “to get shell-shocked when they see the shareholder lawsuits,” Bowers predicted. Others probably will face fines, he said.


Eldridge said that one of the main goals of cybersecurity is protecting the people who might be endangered if their data is compromised. Additionally, she said, if a company’s network is breached, it can have disastrous effects on the company’s ability to function.


“One of the things that happens if somebody hacks a system or does a denial of service attack is that it shuts down your business,” she said. “We all know about that day when we try to come into work, log into the system, and either we can’t log in or we just don’t have access to the Internet, and we are dead in the water. We cannot even get work done. That’s a problem.”


Although data may be protected by firewalls and logins and passwords, once an employee is “in” the system, he or she often has access to sensitive information throughout the system.


“How many of us are part of organizations where once you’re in, you can go anywhere you want on the shared drive?” she asked. “In the engineering group, you can see what’s going on in accounting; in accounting, you can see what’s going on in the H.R. group. ... You can go anywhere you want. Nothing’s locked down, because we trust each other.”


Over time, Eldridge said, many security experts have realized that level of trust may be dangerous. In 2010, she said, the Cloud Security Alliance wrote the Zero Trust Model, which dictates that all resources must be kept secure at all times, with access controlled on a strict need-to-know basis.


Virginia, Donohue said, is poised to serve as a cybersecurity hub for the United States, due to good fiber-optic networks, high connectivity and a well-trained information technology workforce.


“We have a consortium of great companies and nonprofits that want to see this industry grow,” he said.

