Cyber sages help small businesses tighten up
Photo by Kathy F. Atkinson and Beth Miller October 30, 2017
UD cybersecurity training goes national and student consultants go local
While you're out there living your life, cybercriminals are at work trying to get something that isn't theirs - all day, every night, on weekends and holidays, 24/7.
You can see the constant combat on a map of the world - hundreds of thousands of real-time attacks - on security websites such as FireEye, whose CEO, David DeWalt, earned his degree in computer science at the University of Delaware.
What's a small business to do? UD is addressing that question in significant ways, building a cadre of trainers and consultants and a menu of programs that can help everyone shore up their cyber lives.
"We feel we have a responsibility to contribute to the economic health of the state," said David Weir, director of the University's Office of Economic Innovation and Partnerships, "and we're working hand-in-glove with the state's Department of Technology and Information (DTI) to do it.... It's the leading edge of a remarkable partnership developing in Delaware, where the public, private and educational sectors are working together to develop secure cyber space as the underpinning of a solid economic development program."
Daniel Eliot, for example, has done exemplary work toward this at the Delaware Small Business Development Center, a unit of OEIP.
Eliot, manager of SBDC's technology business development, launched a program called DatAssured in 2016 and more than 250 small businesses have taken the training, which focuses on operational and behavioral aspects of security. The program has received national attention and high marks from the U.S. Department of Homeland Security, which shared it as a "Resource of the Month." Eleven other states have adopted the training program so far.
"Our goal is to help you integrate cybersecurity into your business strategy," Eliot said. "The butcher, the baker, the biotech CEO who has no background in Information Technology - all of them can understand this."
And they really need to.
"Every business today is a tech-based business," Eliot said. "And if businesses want to stay in business, they have to take cybersecurity seriously. You can't just say 'I didn't know' or 'I'm not an IT person.'
"Many small businesses don't want to talk about cybersecurity, floods or fires until something happens - but by then it's too late," he said. "Statistics show most will go out of business after a cyber breach. So we're trying to help them make a reasonable effort. They're all struggling to meet payroll and keep the doors open, but they have to take time out for this. We can give them a foundation, raise awareness and connect them to the state's resources and experts who do specialize in it."
The idea isn't to make coders or tech experts out of everyone. The idea is to help small businesses shield themselves from disaster - in industry-specific ways - because it's especially tough for them to recover from a security hack and its far-reaching repercussions.
"Who's the lowest-hanging fruit out there?" said J. Michael "Mike" Bowman, state director of Delaware's SBDC. "That's what we don't want small businesses to be."
Aren't small businesses too small to be a profitable target, as some believe?
"The reality is the exact opposite," Eliot said. "Small businesses are easy targets and hackers are specifically looking at small businesses as an easy target to get to a larger fish."
Through SBDC, small businesses in Delaware now have access to training that will help them develop strategies, skills and safer cyber practices, no matter what their business focus is.
Just as a storefront needs security, so does an online business. Insurers and lenders want a good security plan in place before issuing cybersecurity insurance or lines of credit.
"Whether you are in pharmaceuticals or baby clothing, there are security concerns with personally identifiable information, credit card information," Eliot said. "Cyber is that sweet spot that touches every business.... No matter if you are a solo-preneur or a Fortune 500 company, you are vulnerable. There is no way to be 100 percent secure. What we're talking about is making a reasonable effort."
A new team of UD students now is offering cyber expertise to area businesses. It's a free service to the five clients on the team's list so far, but it's likely a fee will be added as their work becomes known and demand increases.
"There is a very high demand for security services," said David Geron-Neubauer, a senior computer science major, with a cybersecurity minor, from Wyncote, Pennsylvania, "especially in this day and age when we are seeing many more cyber attacks on major players such as Equifax, the Democratic National Committee, the WannaCry ransomware, the Wikileaks CIA vault - and those were all just this past year. Unfortunately many businesses think they have no reason to be targeted, don't have the resources to pool into security, don't know where to look for help, or are concerned about asking for it. Everybody needs to have security in mind. The majority of malactors will go for the easiest target."
The team - known as GMSecurity - includes high-level UD computer science students at the undergraduate and graduate levels, many of whom have industry experience. All are skilled in assessing systems, developing protective processes and helping businesses take steps to strengthen security.
The team works under the direction of UD Assistant Professor Andrew Novocin, an expert in cryptography, who also leads the University's Vertically Integrated Projects (VIP) program that links undergraduates with graduate students and faculty members to address a wide range of practical challenges. Some students in VIP's "Crypto-Cloud" team are in training now and plan to join the cyber consultants in the spring semester.
The student-led team has expertise in encryption, malware detection and cleanup, password practices and data storage.
In addition to Geron-Neubauer, the core of the team now includes Teddy Katayama, a doctoral student from Virginia Beach, Virginia, with experience in network security, and two other senior undergraduates - John Roberts (management information systems), who has experience in software development, and Ryan Barbera (computer and information science), who has experience in full-stack web development, both of Newark, Delaware.
In their first visit to a client's business, students talk with the owner or manager to learn about their concerns and to get an inventory of the office computer network and how it operates. Later, they test systems and programs, looking for vulnerabilities and weaknesses that should be addressed. They work in confidence throughout the project, protecting data, proprietary and personally identifiable information. And they offer an intrusion detection system that can automatically notify the team when something happens that requires attention.
All of that requires a level of trust that the team's association with Novocin and UD and its growing menu of cybersecurity programs helps to provide.
UD's Cybersecurity Initiative has been designated a Center of Academic Excellence in Cybersecurity by the U.S. Department of Homeland Security and the National Security Administration. UD offers an undergraduate minor in cybersecurity, a master's degree, professional certification and other customized training opportunities.
"Everything in this realm is about trust," Novocin said. "Ideally, we've got mechanisms in place where I don't have to trust anybody for anything. But when you open a link in your email, if you see that it's 'google.com' you trust it. Why? Like anything, it's all about relationships. You tend to trust somebody if you understand their motivations, you understand their character and their culture. When somebody sits down and they understand what is motivating you, they will be more likely to trust you."
UD also participates in several statewide cybersecurity efforts and Weir and Eliot both serve on a subcommittee of the Governor's Cyber Security Advisory Council.
Elayne Starkey, who has a statewide view of cyber issues as chief information security officer for the Delaware Department of Technology and Information (DTI), sees UD as a pivotal part of a growing network committed to strengthening the state's security.
"It's not just about combating the threats we face every day - and there are many," she said. "We've been thrilled to partner with the University of Delaware in training up the next generation of cybersecurity professionals. We have made such great strides and we all have a similar passion, whether it's finding new tools to defend networks, training a new generation or making sure small businesses are equipped to build up their defense. We have found all kinds of opportunities to link arms and move forward together.
"You'll never hear me say we've done all we can do," Starkey said. "We have a mantra with my team - 'this is a race with no finish line....' The hackers just have to be right once. We have to be right all the time. So we never say we've got this covered. It just doesn't work that way.
"But at the end of the day, we feel like we have a very deliberate plan.... We're at a point in our progress where we're hopeful."
As he reviews the ever-changing cyber landscape, OEIP's Weir agrees that the state is moving in the right direction.
"The partnerships between OEIP, DTI under the leadership of Elayne Starkey and James Collins, and UD’s Department of Electrical and Computer Engineering under the leadership of Chair Ken Barner and Professor Chase Cotton are of inestimable value," he said. "With such a broad set of integrated capabilities, I believe as a state we are in the position to meet future cyber challenges with greater confidence, alignment and effectiveness."
Those links strengthen everyone, Eliot said.
"It's so important that we don't work in silos," he said. "That doesn't help anyone. We have to work together to secure the small-business community, the individual citizens of the state and the state itself."