Government and academic leaders met with representatives from Vermont businesses and non-profits on Friday to help improve cybersecurity awareness, and a big part of that effort was reframing cybersecurity as something that everyone at an organization is responsible for.
If there was one message at the Understanding Digital Threats conference at Champlain College Friday, it was that any business can be a victim, and any employee can compromise a computer system.
For some context, here's what Gov. Phil Scott says the state government has dealt with in just the past two months:
“Almost 65,000 malware and phishing attempts, nearly 575,000 attacks against other state resources and over 19,000 remote scans that were all successfully blocked,” Scott said at the opening of the conference.
Cybercrime in Vermont doesn’t just target state government.
Kate Dodge and her husband own Putney Mountain Winery, with a full-time staff of fewer than 10 people. Dodge was at the conference because of what happened to a business owned by their friends who used a cloud-based point-of-sale system.
“They think — they don't really know how this happened — they opened an email that looked exactly like the emails from that company, and through that, somebody got in and basically used the point-of-sale system as a conduit for their illegal charges,” Dodge said.
Somebody was using the business' credit card system to fill up their own bank account with bogus charges — and Dodge says her friends' business was on the hook for $50,000 in fraudulent charges before the problem was discovered and stopped.
Dodge didn't want to wait until that happened to her business before taking countermeasures.
“It's a terrible experience — and meanwhile, you're trying to run your retail business,” Dodge said of her friends’ experience.
Part of the problem for many small businesses is that they're always just trying to run the business — unlike the state government, they don't have cybersecurity specialists on staff.
That's what Dodge asked presenters at the conference:
“We don't have security specialists. Where would we go to look for someone who could help us set up better systems?” Dodge asked a panel of cybersecurity experts.
The City of Burlington's chief innovation officer, Beth Anderson, said the city uses some local consulting firms, but she also recognized that not all small businesses can afford them.
She pointed to Norwich University and Champlain College as good resources for security help.
“Some of the local consultants, which we use, and they're great but they're not inexpensive particularly for a small business,” Anderson said. “You have two universities — I hope you don't mind my pitching — that have great cybersecurity programs and students who'd probably love to do programs with businesses too.”
Dodge's business is already doing at least one thing right, though.
Champlain College Cybersecurity Professor Duane Dunston said that no matter who runs security for a business, it's not something that just happens: security is an investment, and everybody on staff needs training.
“Listen closely,” Dunston said. “It requires routine training. Not once-a-year security awareness training. You have to do this on a repeated basis. It takes time. It takes time out of people's normal production cycle. So that's why managements have to be involved to support this at the highest level.”
But for starters, presenters said it might help to just make sure nobody on staff is using the world's most common password: The word "password."