From left, Tasha Cornish, executive director of the Cybersecurity Association of Maryland, and Timothy Shilbach, Penacity LLC CEO, were panelists at the Baltimore Regional Tech Council’s cybersecurity forum at bwtech@UMBC’s office on September 14. (Submitted photos)
A panel of four experts warns executives’ lack of urgency in fixing vulnerabilities, lax data security and complacency about safety measures present the most significant cybersecurity threats to businesses.
The warnings come as cyberattacks have increased sharply in recent years as more business is conducted digitally and the number of people working remotely has significantly increased.
“Business owners too often are not taking cybersecurity seriously until it’s too late,” Penacity LLC CEO Timothy Shilbach said during the Baltimore Regional Tech Council’s cybersecurity forum
The discussion, held at bwtech@UMBC’s offices at the University of Maryland, Baltimore County’s Catonsville campus, focused on the impact of cybersecurity on individuals, companies, states and nations.
Tasha Cornish, executive director of the Cybersecurity Association of Maryland, said a company emphasizing the importance of cybersecurity internally is not enough. Firms often leave themselves vulnerable to supply chain attacks, she said, because of weaknesses in a partner’s systems and protocols.
“Until we get true visibility… into what our partners and vendors are doing, that’s going to keep me up at night,” Cornish said.
Galaxkey CEO Randhir Shinde said too many businesses approach cybersecurity with the idea that if they set up a firewall and intermittently change passwords, they’re protected from external and internal dangers.
“If someone tells you: ‘This is the solution,’ don’t take it as a final solution. It’s an ongoing problem,” Shinde said.
From left, Randhir Shinde, Galaxkey CEO, and Sameer Ahirrao, Ardent Privacy CEO, were panelists at the Baltimore Regional Tech Council’s cybersecurity forum at bwtech@UMBC’s office on September 14. (Submitted photos)
Ardent Privacy CEO Sameer Ahirrao said firms must emphasize aligning cybersecurity measures with their whole business. That’s particularly important when securing data. Executives need to ask questions, he said, and decide whether to spotlight securing personal data or supply chain data.
“It’s all perception-based,” Ahirrao said.
Panelists’ warnings come at a time when cybersecurity threats to businesses are rising sharply. The average number of cyberattacks and breaches rose sharply year-over-year in 2021, according to think tank ThoughtLab’s “Cybersecurity Solutions for a Riskier World” report. During that time, overall incidents jumped 15.1%, while the number of material breaches shot up 24.5%.
As a result, cybersecurity budgets from 2021 to 2022 as a share of overall revenue, according to ThoughLab, rose from 0.53% to 0.80%, which is an increase of 51%. By comparison, cybersecurity spending in 2019, the first year ThoughtLab issued the report, companies spent .09% of revenue on cybersecurity.
At the same time, cybersecurity spending is taking up a more significant share of corporate information technology spending. Corporate cybersecurity budgets will represent up to 15% of overall IT spending this year, according to ThoughtLab. Previously spending between 5-7% of IT budget on cybersecurity was “considered the gold standard.”
Arguably the biggest threat to businesses is the number of cyber security professionals entering the field won’t meet the demand for those employees.
To attract enough people to these well-paying positions, Shinde said, schools and companies alike need to address biases when considering who to steer into or hire for cybersecurity jobs.
One particular myth, Shinde said, is that the best cybersecurity workers are always ex-military. That, he said, is simply not the case.
He also said the male-dominated field needs to do a better job attracting women. That’s because, Shinde said, research shows women are better multitaskers, and good cybersecurity professionals need to be able to efficiently manage multiple threats and projects at the same time.
“Women do a better job finding problems than men. We really need women in the field,” he said.
Another significant challenge in providing the cybersecurity workforce companies needs, Shilbach said, is ensuring educators are preparing future cybersecurity workers for real-world jobs. That means students must be versed in what he called the three pillars of cybersecurity: governance, operations, and engineering.
“These are the true skills in the workforce needed before they come to us,” he said.