On September 26, Equifax announced that CEO Richard Smith, who had led the credit reporting agency since 2005, was resigning his position. Smith’s unceremonious departure was just one of many September exits made by the embattled Equifax leadership team, including its chief security officer and chief information officer. And the timing of the exodus wasn’t accidental.
On September 7, the company publicly disclosed that hackers had exploited a software flaw in order to steal Social Security numbers, birthdates, and other personal data that provides the keys to identity theft. Some 143 million Americans were impacted by the breach, and the Atlanta-based company’s stock price has since plummeted, costing it billions of dollars in valuation.
Equifax is just one of many high-profile breaches, across multiple sectors of the global economy. Cybercrime is a booming industry and, it should come as no surprise, so is cybersecurity.
From bored hackers to organized cybercriminals
Cyber-threats keep evolving, getting more complex in their scope and execution. If you’re preparing to fight yesterday’s cyberattack, you’re preparing for failure, says Charles Wiseman, chair of Wentworth’s Department of Computer Science and Networking.
“In the past, many big cybersecurity incidents were hackers trying to knock companies offline through denial-of-service attacks,” says Wiseman, “but now we’re seeing companies breached by cybercriminals looking to sell stolen data on the black market or dark web. It’s no longer just bored hackers attacking, but active criminal enterprises looking to make money.”
As cyberattacks proliferate, the supply of cybersecurity professionals prepared to defend against them has not kept pace. “There is a huge demand for cybersecurity professionals right now, in all market sectors and in government,” explains Wiseman. “A recent study projected a shortfall of 2 million workers just in cybersecurity in the next five years.”
Developing tomorrow’s cybersecurity professionals
To close the gap, Wentworth is developing a new cybersecurity program that will prepare students to fight the cyber threats of tomorrow. The program is being created with industry input and collaboration, which will ensure that students have the skills needed to meet demand in the job marketplace and have an impactful, lifelong career in security, a particularly difficult challenge given the pace at which cybersecurity technology evolves.
The program proposal reflects a multidisciplinary approach, providing students with the know-how to find or create technical solutions to cyberdefense problems that are based on the needs of the business as a whole, says Wiseman. This is reinforced by real-world cybersecurity experience that every student in the program would gain through co-operative education and internships.
“We want our students to have a holistic view of cybercrime, not just from a computational standpoint, but from a societal standpoint that lets them understand some of the drivers behind cybercrime, and the psychologies and beliefs of some of these attackers,” says Professor Raymond Hansen, who is working with Wiseman to build the new program. “Teaching just the technology is a strategy for failure: We’ll also be teaching students the mentality to understand how cyberattacks will be evolving in the future.”
President Zorica Pantic was named to Massachusetts Gov. Charlie Baker’s Cybersecurity Strategy Council. The panel will work with the Massachusetts Cybersecurity Growth and Development Center to provide strategy and counsel for the state’s cybersecurity effort.
Building your defenses
Professor Raymond Hansen also offers tips that any organization can adopt to defend against the increasing incidence of cyberattacks:
- Take simple steps
“Even as cyberattacks become more complex, many of the simple steps remain effective. Things like keeping anti-malware installed and updated, as well as patching the operating system and your major software. In the Equifax breach, for example, there appears to have been a patch readily available for the exploited vulnerability, but it wasn’t applied.”
- Put a plan in place
“You need to know your risks. Ask some basic questions, like: What are our assets? Which ones are priorities for us to protect? What are the specific vulnerabilities we face? And how might we be attacked? Then build security approaches around those potential attacks, which might mean firewalls or intrusion prevention systems or any number of things.”
- Conduct fire drills
“Test your tools, make sure your people know how to use them, and ensure they understand who reports what to whom. You need to practice for a cyber-event before that cyber-event happens, and share ensuing feedback about how to improve your processes.”
- Prepare users, too
“Leaving users out of cybersecurity training is asking for failure, because users are one of the weakest parts of any cybersecurity system. Users need to be aware of potential cyber threats, such as phishing attacks like the ones asking unsuspecting users to ‘Enter your payment information by clicking here,’ and others. Just a 2 to 3 percent user-response rate to phishing like that can mean hundreds of thousands of dollars for cybercriminals.”
- Don’t blame until later
“Don’t attempt to assign blame until you’re really sure what’s happened. There are too many unknowns early on to consider assigning blame. You need to respond first, and then you can assign blame in the post-mortem phase.”
- Plan to continue operating during attacks
“Your business continuity plan needs to explain what will happen if you need to shut down a particular cyber system that’s under attack. For instance, will you run in manual mode or stand up a redundant [backup] system while you remedy the system under attack? Plan ahead and communicate your plans to people impacted.”
– Chuck Leddy