BOSTON (SHNS) – The COVID-19 pandemic changed the ways that businesses operate and people interact, but the shift towards even greater reliance on digital technologies has created new opportunities for cybercriminals and highlighted the state’s need for more skilled workers in the cybersecurity field.
As he kicked off the annual Massachusetts Cybersecurity Forum on Thursday, CyberArk founder and CEO Udi Mokady put a fine point on the ways that bad actors have sought to take advantage of the pandemic-influenced shift to remote work and the rise in online payments and services.
“Since last year’s forum, the world has seen a lot of change. We’ve seen cyberattacks become much more targeted and damaging, with the goals of those attacks ranging from critical infrastructure disruption to massive financial damage,” he said from his company’s Newton headquarters.
Mokady added, “The rapid movement to work from anywhere dissolved any remaining notions of a traditional network-based security perimeter, and attackers haven’t stopped innovating. Attackers are becoming bolder, with nearly all cyberattacks centered on compromised identities.”
The FBI has said that Massachusetts residents lost around $100 million from reported cybercrimes in 2020, and a survey that NBC10 conducted in 2019 found that at least one out of six Massachusetts municipalities had been hit with a ransomware attack.
This spring, a malware attack forced the state’s auto inspection system offline for nearly three weeks, and a ransomware attack on the Steamship Authority caused delays for vacationers and residents trying to get to Martha’s Vineyard or Nantucket.
More than 275 Massachusetts companies focus on cybersecurity products and services, Secretary Mike Kennealy said in his remarks Thursday morning, but the hundreds of open jobs threaten to keep a damper on the sector’s growth. Former Sen. Vinny deMacedo, who is working to establish a statewide cybersecurity consortium, estimated last month that there were 13,000 open cybersecurity positions in Massachusetts.
“It’s clear that we need more skilled workers,” Kennealy said, adding that cybersecurity is a “critically important growth industry for the Massachusetts economy.”
Kennealy’s remarks echoed those of Gov. Charlie Baker. Both said the administration is prioritizing partnerships with the private sector, including a mentorship program, investing in workforce development programs, encouraging higher education institutions to help bolster the talent pipeline here, and promoting a diverse talent pool.
“Technology will continue to transform and permeate our society, meaning cyber jobs will be critically important for generations. So those who enter the field will see demand for their skills for years to come,” Baker said. “Cybersecurity has a clear employee talent gap, we need to open up new opportunities to enter the sector and to find ways to ensure new employees stick with this new career path. As a commonwealth, we need to do everything we can to promote the entry of diverse talent into our workforce … because a more diverse cybersecurity workforce would be better equipped to defend the commonwealth, our municipalities and our leading organizations against any threats we face.”
Because municipalities are regular targets of ransomware attacks and often lack a dedicated cybersecurity employee, Baker on Thursday reminded cities and towns that the MassCyberCenter, in conjunction with the Massachusetts Municipal Association, has suggested a minimum baseline of cybersecurity policies for them.
“I urge municipalities to act with a sense of urgency to achieve the minimum baseline of cybersecurity and move on to improve areas of highest priority to your local communities,” the governor said. “The minimum baseline can be achieved, but it does require an investment of time and a commitment by municipal leaders.”
The MassCyberCenter’s suggested policies include things like annual employee cybersecurity awareness training, connecting with other municipalities to share threat information, creating a cyber incident response plan, and adopting technology best practices like requiring strong passwords and regularly updating systems.
When the idea of legislation to enshrine in law minimum cybersecurity standards for the public and private sectors came up during a September hearing of the Legislature’s new Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, the proposal was met with pushback from local leaders.
MMA Executive Director Geoff Beckwith warned that legally requiring certain cybersecurity measures from municipalities could amount to an unfunded mandate. He said local officials with the MMA “really urge you not to consider a mandate or rigid requirement for baseline standards because it would be unenforceable and unaffordable and it would lead to all sorts of confusion at the local level.”
Baker on Thursday also called on the private sector to help bring cybersecurity “into the forefront of the lives of citizens across Massachusetts” and “to help us integrate cybersecurity into the fabric of civic life.”
Those comments echoed what Technology Services and Security Secretary Curt Wood told lawmakers last month about how government, businesses and people need to change their way of thinking to truly get a handle on cybersecurity.
“We cannot solve this by thinking the IT guy is going to be able to buy a new server or upgrade the software and eradicate or stop these threats. It’s just not real,” he said.