A new phase of Russian aggression and high-profile Oregon cyberattacks have firms investing more heavily into cybersecurity, leading to a new era of business for IT firms — and competition for talent.
Two years ago, talking to clients about raising their cybersecurity hygiene was “nearly impossible,” says Mark Tishenko, CEO of Edge Networks, a Portland information technology firm.
“When we asked someone about their cybersecurity plan they looked back at us with these blank stares,” Tishenko says. “Clients would always say, ‘Of course we don’t need it. We don’t have anything valuable.’”
But all of that has changed.
“People are really starting to pay attention now,” Tishenko says. “Now 40% of what we do is cybersecurity and 60% is tech work. But in the next two years those numbers will probably swing in the other direction.”
Online cyber attackers have been more active since Russian forces invaded neighboring Ukraine in late February. High-profile attacks have led more companies to seek cybersecurity help and education, leading to growth in the IT sector, according to Tishenko. Despite increased demand, the tech talent shortage, as well as competition with lucrative government cybersecurity jobs, is a persistent constraint on the industry. Industry leaders suggest a new approach to cybersecurity, which might involve more public collaboration, could be on the horizon.
According to CrowdStrike CEO George Kurtz, cybercrime has been on the rise since Russia invaded neighboring Ukraine in February. The hackers may view these attacks as a way to disrupt the U.S. economy as the Biden administration launches historically crippling sanctions against the country.
“At this point these pro-Russian hacktivists and security groups are fully engaged with what they’re doing. They’re going after financial, retail, small federal agencies, healthcare, transportation, and hospitality as we saw with the McMenamins attack,” says Dan Pritzlaff, director of cybersecurity at Edge Networks, an IT firm in Portland.
Pritzlaff says the December cyberattack against the hotel and brewpub chain has served as a teachable moment for clients. A class-action lawsuit filed against the chain in January has made even more clients take the cybersecurity threat seriously.
“I’ve been using McMenamins as an example for a lot of clients about why they need to have a data destruction policy. Why do we need data from employees from ‘78? If they had had something like that, that would have saved McMenamins a lot of headache,” says Pritzlaff.
According to an industry report from tech interest group CompTIA, the technology industry is expected to grow between 5 and 6 percent next year, and could bring tech services up with it. According to Tishenko, Edge Networks has doubled in size twice since the onset of COVID-19 from four to eight employees from 2020 to 2021 — and to 16 employees in the last seven months.
Cybersecurity expert Adam Levin, host of cyber true crime podcast “What the Hack?” says cybercrime is here to stay, no matter how world events shape up in the coming years. With businesses and clients more connected online, and more people working remotely, attackers have their pick of ports by which to infiltrate companies.
“As we all know, people tend to have notoriously weak cybersecurity protections in their homes, and they tend to share devices within the family. Children, God bless them, are weapons of mass destruction when it comes to cybersecurity,” says Levin.
“Billions of people’s files that contain the most sensitive information about them have been exposed. Like, Dr. Evil, pinky-to-the lip billions. These hacking groups are like businesses. They have management, talent scouting, they even have HR departments. We have to realize that if we haven’t been victimized that just means they haven’t gotten around to us yet.”
Another service IT firms can offer clients is mediation. Although the FBI strongly discourages negotiating with cyber attackers, when company software is locked down some businesses may feel they have no choice but to engage.
As cybersecurity demand continues to increase, Skip Newberry, president and CEO of the Technology Association of Oregon, says hiring talent remains one of the biggest challenges to growing Oregon’s IT industry.
“You have a tech worker shortage to begin with. Now you have to compete with high-level, high-paying government cybersecurity jobs that can pay in the hundreds of thousands,” says Newberry.
According to a 2021 survey from the tech research and analysis firm Gartner, IT executives say a talent shortage is the biggest barrier to the adoption of 64% of new technologies.
With more remote employees and more platform connectivity between businesses, services, clients and individuals, simply having high-level cybersecurity may not be enough to protect the private sector from harm. With a lack of cybersecurity talent, and competition between the private and public sector for the same applicant pool, Pritzlaff suggests new cybersecurity laws and strategies may need to be adopted to give businesses a fighting chance.
One way businesses are adapting is through cyber insurance coverage, a form of liability insurance that provides coverage in the event of cyberattacks.
Pritzlaff thinks it is unlikely an insurance plan would be able to adapt and cover different varieties of cybercrime as they spring up.
Pharmaceutical company Merck & Co won a lawsuitin January against its insurance providers who denied coverage for $1.4 billion in losses from a malware attack in 2017. That case involved an all-risk insurance policy, not a cyber-specific policy, but the point of contention was that the policy does not cover “acts of war” — a clause that’s also common in cyber insurance policies. It applied to the 2017 attack, which was attributed to Russia’s intelligence agency and likely deployed as part of a conflict with Ukraine.
Legal experts say the ruling will likely force insurers to clarify what their policies do and don’t cover.
Pritzlaff says as insurers realize the potential costs of covering cybercrime, they could become less likely to provide coverage against cyberattacks, or offer less coverage.
“You might think you’re getting full coverage but you turn around and you’re only getting $30,000 for the attack,” he says.
Pritzlaff suggested public-private cybersecurity partnerships could give individuals and small businesses a lower price point of entry for cybersecurity needs. The Biden Administration’s nearly $2 billion dollar investment in cybersecurity as part of the Infrastructure Investment and Jobs Act is, for him, a signal of the changing times.
He also says more laws, like California’s 2018 SB-327, will likely be required to hold businesses accountable for their employees and customer’s protection. Organizations like ISAC, that share information and security and analysis for free to the public will also become more needed in the future.
“Small businesses and individuals need the same protection as a big private company but they don’t have the money or the team to do it,” says Pritzlaff. “There will have to be incentives — dollar-for-dollar public matching. I see it on the horizon. There is a coming together on all that, but it’s not happening quick enough if I’m a smaller company.”
To subscribe to Oregon Business, click here.
