The frequency and severity of cyber-attacks are growing every year.
Employee behaviors are still one of the leading causes of security incidents, according to Taleena Stanbrough, director of people operations at Five Nines.
“Employee training is a key component of a well-rounded security strategy and one that far too few businesses actually invest in,” she said. “There is more to security awareness training than just spotting email phishing attempts.”
“Train your employees on the use of password management software — [such as] 1Password, Bitwarden, and LastPass — and mandate via policy and training that they use one,” said Blaine Kahle, director of technology at Five Nines. “Provide one to all employees as a cost of [doing] business. Compromised passwords due to password re-use are a frequent cause of initial breach entry points, and educating employees on how to address that issue is important. Combining good password hygiene with multi-factor authentication (MFA) on all internet-facing services will address a substantial portion of initial breach risk.”
The reality for businesses is that a data breach or cyber incident is a matter of “when” not “if.” Beyond technical specialists and project leaders, attorneys help businesses respond to intrusions by determining their duties to their clients and ensuring they’re being responsive to state and federal laws protecting data.
Because complying with these laws is challenging, and data breaches are more and more common, these types of jobs are becoming commonplace both at law firms and in-house at companies.
Juris Doctor students in UNL’s College of Law can specialize in any part of the Space, Cyber, and Telecommunications Law program, including cybersecurity, according to Elsbeth Magilton, executive director of the Space, Cyber and Telecom Law Program.
“We also have an LLM program for practicing attorneys who return to school to specialize in a specific area of the law,” she said.
“We offer a range of classes, including several classes on legal and regulatory issues in technology, as well as specific classes relating to cybersecurity law and policy issues,” said Gus Hurwitz, the Menard director of the Nebraska Governance and Technology Center [NGTC] and co-director of the Space, Cyber and Telecom Law Program. “Most of our classes are geared towards law students, but we are working to increase opportunities for non-law students to enroll, as well.”
Cybersecurity as a specific field continues to grow at a rapid pace, both on the technical side and the legal side. But the bigger trend on the legal side is recognizing that cybersecurity issues are everywhere, so many lawyers need to have some rudimentary understanding of cybersecurity.
“It’s hard to imagine being a lawyer today without occasionally coming across a cybersecurity issue, even if you don’t specialize in the field,” Hurwitz said. “You really need to know at least enough to recognize when you need to bring a specialist in to work with you and your clients.”
Cybersecurity is part of many areas of law, and it is changing rapidly in all of these areas. There are state laws dealing with data breaches and consumer privacy, regulatory rules governing how banks and health care providers handle customer data, challenging issues in criminal law involving encryption, and vast international law issues.
“The role of cybersecurity in all of these areas is quite unsettled and rapidly evolving,” Hurwitz said.
Businesses must be responsive to local and national consumer protection statutes and other data protection rules.
“In general, as citizens, your personal identifying information is protected,” Magilton said.
“If a company who holds that data experiences a breach, they have to inform you and in some cases they may have additional responsibilities to remedy the situation. There is a wide array of rules state to state, with new concerns and ideas being brought up consistently.”
Five Nines’ Stanbrough said the first step to starting a career in cybersecurity is to understand what businesses expect from those who manage that segment of IT.
“All businesses are ultimately focused on avoiding security incidents that expose their clients, employees, and proprietary business information, but there are many other expectations,” she said. “Many industries have security standards with which they must comply, and are required to provide documentation for audits, and expect communicated training and best practices for their teams. Consider your strengths and how they apply to the needs of the profession.”
Before embarking on a cybersecurity career, find out which educational institution will best help you meet the goals for the career you want.
Second, stay up to date on current events in the world of cybersecurity — new methods of attack, tools for protection, and best practices are ever-changing.
“The experience required will largely depend on the level of the role for which you are applying,” Stanbrough said. “Don’t discount the benefit you can get from experience in a role that isn’t specifically cybersecurity-focused. The most skilled cybersecurity professionals have a vast understanding of all aspects of IT and where vulnerabilities exist within it.”
Southeast Community College (SCC) offers a cybersecurity focus within the computer information technology program.
“This focus was developed as part of a grant awarded by the National Science Foundation in 2014 and prepares a CIT graduate to enter the workforce as a network or security technician,” CIT instructor and cybersecurity student advisor Norman Stimbert said.
Employers today want a workforce that understands it is part of a human firewall. Completion of security education, training, and awareness programs is becoming a standard requirement for all team members within many organizations. Employees tasked with day-to-day cybersecurity operations are expected to understand how to secure the organization’s digital environment using products, people, and procedures, and to have hands-on experience with perimeter security devices such as routers, firewalls, intrusion recognition, and proxy devices.
“The industry also requires a lot of new and constant learning to keep up with trends and products,” Stimbert said. “Today’s organizations also expect employees to have soft skills [like] verbal, written, and teamwork capabilities when entering the workforce.”
The SCC Career Services office keeps students updated on jobs and internship opportunities available in the area. Employer-initiated on-campus recruiting events targeting CIT students and graduates take place regularly.
Workforce Leadership Teams, consisting of employers from the community, provide guidance and up-to-date information to the CIT Program regarding skills applicants need in order to work in the information technology [IT] and cybersecurity sector.
Those with cybersecurity skills enjoy an outstanding employment outlook.
“Positions include security technicians, firewall engineers, data analysts, security architects, and vulnerability assessment analysts with many of these roles paying six figures,” Stimbert said. “Applicants can validate their cybersecurity skill sets to employers through education and training, certifications, and work experience.”
Employers are not finding enough people to fill cybersecurity openings.
“In 2021, it was estimated that the United States employs well over 1.25 million people in cybersecurity roles, but it has 300,000 to 400,000 unfilled positions due to a lack of qualified individuals,” Stimbert said. “Worldwide, that number is expected to go to over three million openings by 2025.
“Those interested in a career in cybersecurity need to possess strong analytical and problem-solving skills, understand networking and digital devices, enjoy the ever-changing areas of technology, and most importantly aspire for perfection. In cybersecurity, you need to be right every time. The attacker only needs to be right once.”
Banks have the highest level of security among critical U.S. industries — including energy and telecommunications — and the most stringent regulatory requirements, according to Kara Heideman, director of communications and marketing for the Nebraska Bankers Association, which, with its cybersecurity partner, SBS CyberSecurity, offers an online cybersecurity certification that is tailored specifically to banking needs.
“This unique series of role-based cybersecurity certifications provides industry-specific information security awareness and risk management skills,” she said.
The certifications prepare students and their financial institutions for cybersecurity threats and regulations and create confidence with examiners and auditors. Each course is tailored to specific roles within an institution.
The Executive Learning Path prepares students to lead organizations.
The Manager Learning Path prepares students to mature and manage an institution’s information security program, build a comprehensive vendor management program, and build a valuable and repeatable business continuity plan.
The Technical Learning Path prepares students for jobs such as IT manager, network administrator, and IT specialist in digital forensics and incident response. They learn how to remediate vulnerabilities and understand techniques of today’s hackers to better defend their organizations.
According to a Forbes HR Council post, 74% of companies recently surveyed said that the skills shortage is impacting their business, including the ability to keep their information secure.
“There is a high demand for cybersecurity professionals, so get started and ask many questions,” said Frank Hulscher, IT auditor at SBS CyberSecurity.
Terry Kuxhaus, senior information security consultant with SBS, said that with the wide range of career paths in cybersecurity, the opportunities are endless.
“Get an education and pursue certifications, make connections with others as they are invaluable, and stay current with trends and current events in cybersecurity,” Kuxhaus said.
The cybersecurity, information security, digital forensics, and incident response fields are ever-changing, and cybersecurity professionals must evolve with them.
“The advice I could give to someone interested in pursuing [a cybersecurity career] is to get comfortable with being uncomfortable,” said Kelley Hesse, information security consultant and DFIR analyst at SBS. “Take every opportunity you can to learn, even if you think it will be challenging.”
“Don’t be afraid to fail or make mistakes, but make sure that you pay attention to what those mistakes or failures are teaching you,” said Jon Waldman, co-founder of SBS. “Some lessons are more significant, some smaller, but overall, they’ll always teach you an important lesson.”
Cyber Liability Insurance
According to UNL’s Hurwitz, much of the burden for cybersecurity is being placed on businesses to secure systems that often can’t be secured.
“If you’re a business and you’re not thinking about security, you’re planning to be breached,” he said. “Any business today should have commercial insurance that covers cyber incidents. Basic cyber hygiene, the term for safe online practices, is the best protection.”
“Each cyber liability policy is a little different, so it’s important for people to understand what they’re buying,” said Megan Hatch, commercial risk consultant with UNICO Group.
Some typical policies cover things like ransomware, extortion, social engineering, and data breach.
Small companies face the same cyber threats as large corporations, the main difference being limits of coverage, depending on exposure. For instance, a health care company may need a $5 million or $10 million limit, whereas another firm might only have a $1 million limit.
“We’ve seen an increase in attacks to small and mid-sized firms over the past year to 18 months because bigger companies are putting more protections in place to try to avoid some of these hacks, and that costs a lot of money,” Hatch said.
What a cyber liability policy does not cover depends on the way the policy is written. For instance, some types of third-party losses and some business incomes may not be covered, although firms can get policies to cover them.
Cyber liability insurance is changing rapidly. Not only have cyber claims increased in frequency, but the size of payment per claim has increased.
“We’re [also] seeing more types of losses,” Hatch said. “Five to ten years ago you thought of cyber insurance as covering a data breach. While those still occur, we’re seeing new and different kinds of losses. Hackers have improved on how they’re getting into systems and obtaining money.”
Many insurance companies have requirements firms must meet in order to be insured. The big one is multifactor authentication. Carriers also place high importance on phishing training — training employees to watch for suspicious emails.
Roughly $2,000 to $5,000 a year is fairly standard for a cyber liability policy, but UNICO sees policies as large as $100,000 to $200,000 a year.
“It’s in the best interest of all business owners to know what risks there are and how to prevent them,” Hatch said.