RENO, Nev. — By the end of 2016, businesses in the U.S. were falling victim to a ransomware attack every 40 seconds, according to Cybersecurity Ventures, a cybersecurity statistics company.
This year, companies are expected to face such hits every 14 seconds.
Indeed, the greatest threat to companies worldwide is a cyber attack, the fastest growing crime in the U.S. Cybercrime damages — from destruction of data to stolen money to lost productivity — are predicted to cost businesses more than $6 trillion annually by 2021.
“One of the challenges is more and more business functions that weren't digitized are becoming that way,” Brandon Peterson, chief information security officer and deputy CIO at the Desert Research Institute in Reno, told the NNBV recently. “Operations that classically never had anything to do with technology are now being operated with technology sensors and computers and all that.”
The numbers don't lie — cybersecurity is a major issue across America, and here in Northern Nevada. Graphic: Lauren SolingerIn other words, as the business world continues to rely more and more on technology and the Internet, the number — and size — of digital targets is exploding.
With that, it should come as no surprise that the Internet of Things (IoT) industry has seen a dramatic increase in the number of attacks targeting IoT devices.
Once a niche market, the IoT sector is anything but nowadays. According to Intel, the IoT world will balloon from 2 billion connected objects in 2006 to a projected 200 billion by 2020.
But with an incredibly high demand comes a low emphasis on security by the device manufacturers, said Peterson.
“... Why that presents such a big challenge is a lot of these manufacturers are on a very rapid development and production schedule,” Peterson said. “In order for them to make money, they have to build these things as quickly and as inexpensively as they possibly can and get them to market. So that doesn't leave a whole lot of time for security testing and quality assurance testing. We're deploying them like crazy, and most of them have little to no security.”
In fact, according to tech news website IoT For All, only 10 percent of device manufacturers feel fully confident their devices had adequate security precautions in place. Alarmingly still, just over 10 percent of businesses deploying Industrial IoT (IIoT) devices had generalized security best practices and developed actionable cybersecurity strategies, according to an IBM survey of 700 companies across 18 countries.
Allison Clift-Jennings, co-founder and CEO of Reno-based Filament, which builds enterprise blockchain systems for the IIoT, said the lack of clarity surrounding firmware updates and when they get released is one of the problems facing the industry.
“All IoT devices have firmware,” she explained, “and if you don't have a good process through which you sign and verify that firmware — often through security hardware — it's very difficult to determine what's running where and if there's any vulnerabilities.”
With that in mind, Clift-Jennings said many enterprise and industrial companies are mandating robust security policies when rolling anything out in the IoT space.
“That's a lot of what Filament is building our company's strategy upon,” she added. “It's got to be built in and it's got to be future-proof — it's no longer optional or even negotiable.”
In the banking industry, firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other sectors — in other words, while the typical U.S. business is attacked 4 million times per year, the typical U.S. financial services firm is attacked a staggering 1 billion times per year, according to Forbes. This leads to an estimated 9 million Americans getting their identities stolen each year, per the Federal Trade Commission.
And cybercriminals are only strengthening their techniques for stealing personal and financial information from individuals and businesses, said Karl Mattson, senior VP and CISO at City National Bank, which has a branch in Reno.
“Identity theft continues to evolve as attackers create new ways of tricking people, whether it's through email or voice,” said Mattson, referring to different phishing methods. “So that continues to be the problem space where we are continually trying to address the area of identity authentication.”
With data breaches only increasing, Mattson said City National Bank, for one, has pathways established to share information “rapidly” with other banks. The collaboration, however, shouldn't stop there, he added.
“We take what we've done in the financial sector and we're looking to model that out and build those practices with other industries,” he said. “Because the cybersecurity attacks banks face are often not unique to banks — they are the same types of attacks, such as ransomware, that a hospital or a university faces. So can we create pathways for sharing information with other industries? That's something that I think all industries are invested in.
“We have to partner with private industry, we have to partner with the public sector, if we're going to be effective overall.”
Looking forward, Mattson said there are “extremely important” innovations taking place that are poised to significantly mitigate identity-related cyber attacks. Specifically, he pointed to biometric authentication, which relies on the unique biological characteristic of an individual to verify his or her identity, eliminating the need for hackable usernames and passwords.
“I look at biometrics as a real game-changer to equalize the playing field for those of us trying to defend networks and defend identity,” Mattson said. “I have real optimism that in the next two to four years we're going to see a measurable reduction because we're taking advantage of technologies that are much harder to compromise or impersonate.”
Meanwhile, in the healthcare industry, ransomware attacks are predicted to quadruple between 2017 and 2020, according to Cybersecurity Ventures. This is due to hospitals using outdated systems, having low cyber/IT personnel on staff — and possessing highly valuable and personal data.
Georgia Stedronsky, information services director at Northern Nevada Medical Center in Reno, said the combination of using 24/7 scanning, firewalls, email filtering and security training has enabled them to prevent threats to their local Electronic Medical Record system.
“It's just keeping up on it and doing that scanning real-time,” Stedronsky said. “Any time that program sees an opportunity, we immediately get a ticket sent to us to look into that server and make sure that there's not something going on. We're continually upgrading as the threats are becoming more and more sophisticated.”
Jamii Uboldi, director of marketing and communications at NNMC, noted that the hospital has not experienced significant cyber attacks, even minor ones, in “years and years.”
At the end of the workday, the biggest challenge facing businesses? The cybersecurity workforce is lagging behind the dramatic surge in cybercrime. “Getting qualified people that understand all the bits and pieces of cybersecurity remains a huge challenge,” Peterson said. “And part of that is because you have to have such a complex understanding of all these technologies.”
Currently, there are more than 313,000 cybersecurity jobs unfilled in the U.S., according to CyberSeek. In Nevada, more than 1,900 such jobs are open. In neighboring California, there are more than 36,000 vacant positions.
These alarming stats and facts have propelled higher education institutions in Nevada to boot up cybersecurity programs over the past few years. Last year alone, DRI, Western Nevada College and Reno Technology Academy all launched cybersecurity programs.
Notably, salaries for information security analysts in the state have a median wage of $76,130, according to the Nevada Department of Employment, Training and Rehabilitation.
“We know that there's no way that the traditional school system can pump out enough cybersecurity experts to fill the demand projected for the next 10 years — it's just impossible,” said Peterson, noting that as a reason DRI started a cybersecurity internship program. “We need to go around the traditional education model and come up with some type of workforce development that can help bridge the gap.”
And the gap is widening every year. Cybersecurity Ventures predicts there will be 3.5 million unfilled positions by 2021.
Peterson said implementing security awareness training and wiring that mindset into the culture is crucial for any organization.
“In the end people are still going to be the weakest link,” Peterson said. “And a simple email can override pretty much any security technology that we currently have or could put in place.”