The underlying agenda was subtle: A Boston firm that sells cybersecurity training wanted a survey done that would quantify the need for companies to provide their employees with such training.
The company wanted the survey done by an outside source to lend legitimacy to the findings, and it was offering money to help fund it.
That’s how the first Employee Threat Readiness Survey came to fruition last year at the University of Massachusetts Dartmouth, according to Tim Shea, an associate professor of decision and information sciences who oversaw the survey with a colleague.
The company didn’t try to influence the results, Shea said. However, for a repeat survey this year, he and UMass Dartmouth management and marketing professor Steve White moved ahead without the company’s financial involvement, as there were other research funds available.
The episode is emblematic of a widespread concern unique to the digital age – cybersecurity – and an industry that has sprung up to address it. Today cybersecurity is a billion-dollar business that, according to observers, at times is fueled as much by hype and hidden agendas as it is by facts.
“In much the same way that the military-industrial complex thrives on the fear of war, the [information technology] industrial complex benefits from public paranoia,” Rachel Marsden wrote in a column titled “Separating Cybersecurity Hype from Reality” for news website Townhall.
Take the massive 2003 blackout that cut power in eight states. Cybersecurity officials originally claimed the blackout had been traced to hackers in China. However, a 228-page investigation by the North American Electric Reliability Corp. later pointed to numerous sources of the problem – and hackers weren’t among them, according to an American Civil Liberties Union report on national security and technology.
“That does not mean the threat is not out there,” ACLU specialists concluded. “A future cyberattack could be destructive and we should be taking common-sense steps to try to prevent it.
“But the truth is no one knows just how real this risk is,” they added. “Let’s have a cybersecurity debate based on the real facts, not hyperbole.”
Another set of frightening headlines came out after the failure of a utility’s water pumps in Illinois. Computer logs indicated the system’s computers had been “hacked into” from a computer in Russia, the ACLU said.
Reports claimed it “could be the first known foreign cyberattack on a U.S. industrial system.” However, it soon emerged that the story was whipped up by overexcited analysts at the Illinois Statewide Terrorism and Intelligence Center.
It turned out the pump failure was a routine burnout, the ACLU said, and it was an American contractor vacationing with his family in Russia who had logged into – not hacked – the Illinois computers remotely.
As Shea put it, the cybersecurity dramas playing out across the globe generally have three types of characters:
• “Black hats.” These are the malicious hackers and assorted villains carrying out cyberattacks for their personal gain or cause or simply to create havoc.
• “White hats.” These are the do-gooders, from government and corporate officials to techno-experts honestly trying to prevent attacks and the harm they can do.
• “Gray hats.” These may be the most intriguing of the bunch, residing in the gray area between both worlds, moving in one direction or the other, depending on what suits their immediate goals. As Shea said, “They’re trying to play both sides.”
Citing data from the FBI, Shea said the number of cyberattacks has dropped but the damage done by each attack has increased. What that suggests, he agreed, is that lesser-skilled hackers aren’t breaking through as often as cybersecurity has improved, but the best hackers with the resources for big attacks can still get through.
“This is becoming more of an organized effort,” Shea said about hackers. “It is the little guy who is going away.”
This year’s survey by UMass found that companies are most vulnerable to cyberattacks due to a lack of employee awareness and training – a weakness in what it called “the human firewall.”
While some would argue the findings are what the cybersecurity training firm that initiated last year’s survey would have wanted, Shea said the survey still is useful because it illuminates part of the problem: a lack of person-to-person communication.
Without involvement from the Boston training firm, Shea said, UMass hired a market-research company that queried about 800 employees around the country.
The research company sought out respondents whose work involves computers and who fit “across a variety of indicators – gender, age, income, ethnicity, education,” he added.
Key findings included:
• Thirty percent said their companies do not provide easy access to support for any cybersecurity questions they may have.
• Thirty percent said their companies do not have a clearly defined process for reporting suspected security breaches.
• Twenty-five percent said their employers do not consider cybersecurity to be important.
Though most of the workers reported that their employers have provided them with adequate training and information to prevent a cyberattack, Shea said, the fact that 25 percent to 30 percent of them are not doing enough means many businesses still are vulnerable.
“Companies are working to get the message out there,” he added. “And three-quarters of [employees] may feel good about their cybersecurity skills, but that’s not close to enough.”
Scott Blake is a PBN staff writer. Email him at Blake@PBN.com.