Charlatans of Cyber: Today’s Reality

Some are riding the Cyber-Wave, only to leave innocent business owners in their wake. 

Augusta’s Cyber Journey

When the Augusta canal was completed in 1847, it offered Augusta the foundation for growth and was quickly recognized as a leading example in the Southern US.  When it was enlarged in 1875, it sparked a major industrial boom, bringing the building of many mills and industries along the canal.  With the new technology, jobs, and opportunity in Augusta – it quickly drew people from all over to take advantage of these opportunities, thus pushing our city forward in so many ways.

It is unusual for a city to have two significant opportunities for this type of revolution and growth.  However, one can’t help to think that “Cyber” is our second chance for a regional economic revolution.

We are in different times – as technology, business, and the world as a whole are moving at a much faster rate.  Augusta and the CSRA region has a smaller window to execute on this opportunity than we did in the past and an even smaller window than other cities that have experienced the “Cyber Boom” like San Antonio – Texas, Bossier City – Louisiana and Colorado Springs – Colorado.  We do, however, have some excellent data and examples of lessons learned from those cities’ rapid growth and the demand it introduced on their infrastructure, schools, and housing.  This data, if used correctly, can help us reduce the pitfalls and maximize this incredible opportunity.

The word “Cyber” is defined by Merriam-Webster as – of, relating to, or involving computers or computer networks (such as the Internet).  In recent years, the word has had negative connotations like cyberbullying, cyber warfare, and cyberstalking. These terms associated cyber as an uncomfortable or invasive act.

However, what put this word on Augusta’s radar is “Cybersecurity,” defined as – measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.  It was previously associated with Government and Nation-State level computer information protection – precisely what sparked the passion in our area.

Today “Cybersecurity” is associated with the use of advanced technology, systems, techniques, and information by highly trained and skilled personnel to protect systems and data – both in Government and the private sector.

With the increased use of digital devices to exchange data, the demand for instant access, and an almost visceral reliance on technology in our daily lives, cybersecurity has become the new battlefront for everyone.

Bad actors want to exploit this technology for their own benefit or for your harm.  There is a worldwide and hyper-realization that we are all at risk.  This has fueled a frenzy and demand for trained professionals, technology, and companies to help protect these systems and devices.

Today, everyone including trained professionals are using the words Cyber and Cybersecurity interchangeably for ease of conversation – however that leads to an opportunity for “charlatans of cyber” to appear.

Here in the CSRA, we have some great things happening in the world of cybersecurity – Army Cyber Command, the NSA’s Expansion, Hull McKnight Georgia Cyber Center for Innovation and Training, and large companies like Unisys, Booze Allen, Raytheon and others coming to the area to support the Cyber Mission at hand.

There are many Department of Defense (DOD) and cyber-focused companies establishing a presence in the region for current opportunities and future expansion, including, including start-up companies founded by qualified cyber practitioners seeing an opportunity to help further the Cyber Mission and to become entrepreneurs.

Cyber education in the Augusta area is at an all-time high, corresponding to the same incredible demand for skilled cybersecurity workers.  Local universities and technical schools such as Augusta University, Augusta Tech, Aiken Tech and many others are attracting not only local talent but talent from across the world that want to become cyber professionals. This is an excellent opportunity to train and grow these professionals locally, where they can work, live, and play right here in the CSRA.

Much of this momentum is focused around DOD and National Defense initiatives and taking advantage of open positions and demands created by the growth and directly supporting Fort Gordon and our U.S. national security stance.

Some forget in this new “Cyber Boom” at Fort Gordon that Augusta is also home to some other great companies. Although not traditional cybersecurity providers, these companies employ and engage with cybersecurity professionals daily to protect their information and customer base. Examples include TaxSlayer, ADP, EZ-GO and many more.

Other cities in America that grew from their cyber opportunity, all took advantage of the initial government investment in infrastructure, job creation, and their relocation of personnel (and families) to the area.  This was the springboard for the city’s economic boost that fostered incubation of new companies, expansion of their education system, the attraction of companies that indirectly support the mission, and most importantly the attraction of many other private sector technology companies.

The convergence and concentration of smart, talented, and technology-minded professionals from both the government and private sectors started in motion a technology movement that continued to gain momentum.  With the local chambers of commerce, education systems, private investors, local business leaders, developers, along with state and local government officials all working together for the advancement of common goals.

Their goals were clear:

–    Help support the full ramp-up of the mission: workforce, housing, infrastructure, schools

–    Build a full ecosystem for long-term success: educating a K-12 future workforce, business level support for companies relocating to the area, help incubate new companies with real expertise to help the mission, and continually improve the city’s offering that attracts new business and workforce

Community leaders in these cities realized early on that working together is the only way to have long-term success.  The government has a mission that protects all of the United States from our enemies and failure is not an option. Even though the city was afforded the opportunity to benefit from the government’s investment if the area cannot adapt, grow and offer all of the resources needed to support the mission – the mission will eventually move elsewhere.

The Charlatans Appear

Augusta (the whole CSRA), has started our cyber journey and the changes are already evident in the community.  Just looking around Fort Gordon, Columbia County, North Augusta, and especially in downtown Augusta, it is easy to see the positive influence this opportunity is already having.  This type of expansion in a community helps everyone, either directly or indirectly.

However, there is another, darker side of this “Cyber Wave” that is developing that must be brought to light.  This story seems to be the same throughout history. The efforts and hard work of some are often used and exploited by others looking to take advantage of business owners and executives.

It takes real skills to combat real attackers.

There are many companies new to the area that provide services to the federal government. These companies have to be vetted, and their personnel have to be cleared in extensive background and polygraph processes by the government.  The companies vary in size and are evaluated by past performance, and there are strict accountability and ongoing assessment by the government to verify qualifications and adherence to standards.

The real problems exist with technology companies that are not required to adhere to these standards.  There are many IT companies, and new ones popping up weekly, that offer “Cybersecurity” to private businesses, local and municipal government, and non-profits.  These are the potential clients that typically have the least understanding of what qualifications should be vetted when evaluating an IT or cybersecurity provider.

“Today, Cybersecurity conversations are moving from the Server Room to the Board Room.”

• Board of Director Members (public companies, private companies, and non-profits) are becoming aware of increased scrutiny and potential liability for not performing their due diligence in protecting the organization’s data and business continuity.

•  City / County Council Members and Commissioners are also facing the daunting challenge of being good stewards of public money while providing the real safeguards to protect their constituents’ data.

•  Business owners (especially the small to mid-sized) are busy in the daily hustle of running and growing their business. They typically rely on someone else (many times the secretary or admin assistant) to identify their IT / IT Security provider.

Much like the old saying “ignorance of the law is no excuse”…business and civic leaders are no longer able to be uninformed about the risk of a cyber-attack that will affect their business operations, reputation, or security of their customers after an incident.  Almost daily there are examples in the news and hyper-awareness nationally of the potential for cyber-attack.  Leaders don’t have to be cyber or IT experts, but they are expected to understand how to qualify and vet the vendors they are considering.

These leaders consider their professional relationships (attorneys and accountants) as key to their success and trusted business advisors.  However, when it comes to their IT relationships, many consider it merely SG&A (sales, general & administrative) expense, in other words, “a commodity and just plain overhead.”  Yet, for most, their technology is critical to daily operations – their data and their client’s data must be protected.

IT & Cybersecurity relationships should be formed on the same basis as any other professional relationship.  Just like the criteria used when considering which legal firm to hire.

• Leadership – are the owners/partners certified subject matter experts with years of experience advising similarly sized businesses?
•  Capabilities & Capacity – is the company comprised of specialized groups of certified experts with an experienced management team and expert practitioners?
•  Reputation & Experience – is the company continually recognized as a leader in the area and in their industry?

In today’s cyber environment, it seems everyone claims to be an expert – right up until there is a problem and it takes real skills to combat real attackers – individuals that are looking to destroy your livelihood and harm your clients.

For example, some accounting firms are even offering “cybersecurity.”  Yes, they may be very good at auditing against a standard, but do they know how to secure your network?  There is nothing wrong with being an expert in a field and staying in that lane.

Most small and mid-sized business owners consider that business their livelihood and retirement avenue. Many spend years sacrificing and laboring to build a business that provides for their family now and in the future.  Yet, they don’t always take the time to qualify the IT or cybersecurity provider they pay to protect their hard work.

There are many examples of “Charlatans of Cyber”- companies and individuals that just want to ride the cyber wave trying to capitalize and profit from the buzzword alone.  They have no real training, experience, advanced tools, certifications, or dedicated staff to claim to be cybersecurity experts.  Somehow, they convince a normally savvy business owner to take their word for their abilities to protect their business.

Examples are emerging daily across the country:

• General IT Companies– small companies that have been around for years offering the same basic IT services. Overnight they put “cybersecurity” on their website and call themselves cyber experts.  They may even hire or have “that guy” that gets a valid certification. Wanting to raise your skills and offerings is not a bad thing – recognizing that it takes years of experience, a team of professionals, advanced technology, and proven discipline before you are qualified to combat today’s ever-changing threat landscape is important.  The poor businesses that trust them without verifying could be left in the wake when a cyber-incident occurs.

• The Beloved Board Members – small IT company owner, volunteers on every board, loved in the community and attends events as their sales strategy. They rely on relationships versus expertise when talking with a business owners at Rotary or other events to gain trust, saying that they can protect your business “just like the “big” (qualified) guys for less.” Don’t trust your livelihood and business to any company based on the owner’s civic activity, advertising, or social media posts.  Yes – every business owner needs to support their community; the real problem is when there is no substance behind their professional claims.  VERIFY their true qualifications!  Riding the popularity wave should be left to politics and not IT and especially not securing your business and reputation.

•  Digital Gurus – using their marketing skills and “cooldomainname.com” to blog and establish a “cyber” buzz under the pretense of having the expertise, security operations center, and credentialed staff. Uniting people toward a common goal is not a bad thing, but some are claiming to be cybersecurity professionals and yes, even start “cybersecurity companies” – putting the words they hear from real professionals on a website.  Perception may be the reality in marketing…but in the real world of protecting a business it takes more than blogging and lunches.  Go visit their office (you can’t visit a virtual office), meet their certified professionals (not some contract person) and make them demonstrate their methodology (not just the process of you writing a check)…don’t become a victim.

•  Insurance Pushers – selling “cyber insurance coverage” as the solution to secure your business. The little secret and “the fine print” with their coverage is that if you don’t have ALL of the advanced technical systems in place – your claim will be denied.  In the IT Security world, you have to identify your risks, install the various systems to mitigate and reduce those risks as much as possible, and then (the last step) is to transfer the remaining risk to an insurance company.  Insurance is not IT security.  Insurance is a key part of an overall business strategy.  The insurance policy is there to cover damages from risks that cannot be avoided, but only after YOUR due diligence is followed.    Don’t be fooled into a false sense of security, even if you do receive cash after a cyber-incident…it will not restore your reputation or customer confidence.

•  Compliance Sellers – companies selling compliance audits/assessments/reviews and claiming this shows that your company is secure. Many industries are bound by compliance standards (both technology-related and procedural).  There is no shortage of examples (HIPAA, PCI, ALTA, CJIS and many more) imposed by government or industry organizations to force processes and standards. . . and there can be hefty fines for non-compliance.  It is beneficial to have validation periodically by a 3rd party (prior to an official audit from the regulating body).  Many IT companies are claiming to do these reviews –ask and understand the following things.  1. These companies cannot certify that you are compliant (only the regulating body can), they can only help identify gaps.  2. What makes them qualified to do the review? Do they have certified IT auditors that are also formally trained on these standards (and not by a $49 online course)?  3. Compliance does not equal secure.  When the famous Target breach occurred, they were PCI compliant.  These standards only address a small subset of items needed to truly have a secure network.  Don’t be swayed or convinced because a company knows these acronyms.  Understand your need, understand their real knowledge, and understand that there is more to securing your data.

The IT industry is one of the most important to businesses, yet the least regulated.  There are not many industries that you can make any claim and go unchecked. For instance, you could not put up a sign and start seeing patients as a doctor without being thrown in jail.  The local roofer has to adhere to county building regulations and have an inspection to verify adherence to the code.  Even the person cutting your hair has to be tested at the state level and have continuing education to renew their license.  Yet, any person or company can claim to be an IT security expert, and some people just believe them.

It’s a buyer beware landscape. Don’t take any IT or security solution provider’s claims at face value.  Make sure to verify the qualifications of any provider that is protecting your livelihood.  It takes advanced technology, mature systems, established processes, and highly trained and skilled personnel to protect systems and data.  It takes the whole package to be qualified…and the diligence to be on 24×7.  The bad guys only have to be right once to destroy a lifetime of work.

Cybersecurity – Understanding the Differences

On average a hacker takes less than an hour to get into a system and dwells inside the network for over 300 days.  Not until they exhaust all usefulness of your network (exfiltrate data, gained competitive insight, made changes to key data) will they throw a final grenade of ransomware as they exit.  This is either to cover their tracks or to simply gain the final bit of profit they can from you.

Understanding the different Cybersecurity Services:

• Audit – is against a standard (HIPAA, PCI DSS, NIST, etc.) You are told what the standard is, and the audit is to identify non-compliant areas or gaps.  It typically involves following a checklist and verifying just the areas that are part of the standard.  Compliance is not security.

• Assessment – typically a “security assessment” is designed to give a thorough overview of the security stance of a company.  It involves a much broader scope and is intended to find potential security vulnerabilities (from inside and outside your organization).  This process is only as good as the person or firm doing the assessment. It takes certified, experienced professionals, to properly perform an assessment.  Running a canned tool and having it produce a generic report is not what a company needs – even if it is “free.”

• Monitoring – active monitoring for alerts, signs of compromise and anomalous activity. These services are delivered from a Security Operations Center (SOC) with highly trained and certified security professionals.  Hackers never sleep and are from every time zone; the good guys have to be watching and responding 24×7 to truly protect.  Many companies state they have a 24×7 SOC, yet they have a small technical staff.  How can they provide that coverage?  They simply cannot…not internally they can’t.  They are typically outsourcing the service to a 3rd party or trying to deceive by saying their systems run 24×7 (but no staff are available).  There is a new phrase emerging in cybersecurity, “detection is the new prevention.”  Meaning there is no way to stop 100% of all threats…the goal is to be alerted instantly when there is a problem, so professionals can stop the threat and contain any data loss.

• Incident Response – when a security incident happens (outside hacker, ransomware, malware, insider threat, or email system compromise) you need a team of experts that are choreographed to respond, stop the threat, and get your systems and business back to a functional state. Choosing the right IR team is important – are they formally trained and certified, do they follow a structured IR methodology they can demonstrate, and do they have the tools to preserve evidence forensically.

• Forensics / Internal Investigation – finding out the facts after an incident is sometimes a must. Many times an incident results in loss of money or loss of data for a company (caused by someone inside or outside of their organization).  It is imperative that the company understand the chain of digital events that led to the loss, how extensive the incident was, and hope to prove who committed the act.  The incident may involve law enforcement or an insurance claim.  In either case, you need a trained team that understands how to preserve evidence while performing your internal investigation.  Law enforcement will conduct their own criminal investigation and will want data and systems in their original state.  After a suspected incident occurs, no one should access the system(s) until a digitally-sound duplicate of the system (using specialized software that law enforcement acknowledges and guarantees an exact bit level copy) is performed.

• Education & Testing – end users tend to be the weakest link in a comprehensive IT security plan. In today’s fast-paced world, employees are inundated with emails daily, and most organizations are expecting more work from fewer people.  Many times, in the effort to keep up, a user will mistakenly click on a malicious (phishing) email attachment (that executes software or allows access to their system) or act on a social engineering email (that instructs them to take some action like wire money, give passwords, or visit a rogue website).  It is important to have consistent education for users but also to test the effectiveness of those programs.  Testing is done throughout the year in the form of professional phishing tests (well-crafted emails that use the same evolving techniques as the bad guys).  Company results are reported to the proper person (typically HR), and if a user fails a test (clicks on something they should not have) that user is notified and a short video is shared with the user on ways to avoid being tricked in the future.

Some organizations have internal IT staff, and others contract with a company to provide their IT services.  Internal IT staff members have a very tough role.  They are typically expected to be experts at everything (networking, communications, disaster recovery, end-user support, and security).  It is simply impossible to be an expert in all of these areas.

Companies that choose to outsource their IT support are typically with a Managed Service Provider or “MSP” (meaning they are to provide a fully managed IT environment). This means they are responsible for the day to day operations and critical items like applying system updates and patches, firewall management, managing Antivirus and other malware protection, managing the backups, and of course providing support for the end users.

Business owners should not be lured into a false sense of security.  Like any industry, there are the leaders in their trade, the pretenders…and many in between.  There is a vast difference between the leading MSPs and those claiming to be.  Even if you are with a world-class MSP that invests in the people, the technology, documentation, and have the regimented processes in place…then at best, they are providing “Foundational Security.”  Meaning these are the basic things needed to provide protection from the average attacker (the script kiddie) that downloads hacking tools and tries them on you.  Without foundational security, your network would be a wide-open target to that type of mischief daily.

Today, there are much more sophisticated threat actors.  These actors are world-class programmers and are out for every financial gain they can get, and nation-state actors are trying to infiltrate companies for some strategic gain.

Cybersecurity of today is much more than just foundational security.  It’s the use of advanced techniques, knowledge, data correlation, specialized tools and especially the diligence to be on 24×7.  It is not as simple as installing a piece of hardware or software.

When evaluating any provider….verify everything!  Go to their location, meet their people, and see their processes.  Any qualified IT or Cybersecurity Company will be able to show their response strategy, team qualifications and an interaction plan for your firm.  Then visit the other companies you are evaluating.  The time you spend up front will save you exponentially in the long run.

We, as a community, an industry, and as business owners need to self-regulate what is happening here in the CSRA before it’s too late.   Area chambers, business organizations, and industry groups should help educate and validate.   It is up to all of us to be informed and vocal.  Don’t let the Charlatans take advantage of you or your friends.  This deception is only going to set our efforts back and derail the CSRA from becoming one of the top Cyber and Technology cities in the country.

Charles K. Johnson

President of Corsica Cybersecurity
CISSP, CISA, CISM, CCFP, CBCP