The Arkansas Economic Development Commission is coordinating cybersecurity assessments and providing cybersecurity training to help employers square off against cybercrime, because falling prey to it can cause them to fold or lose big bucks.
Either could mean fewer jobs for Arkansans, and part of the agency’s mission is to preserve jobs.
According to the National Cyber Security Alliance, 60% of small and medium-sized companies go under within six months of being hacked. The alliance, headquartered in Washington, is a nonprofit, public-private partnership that works with the Department of Homeland Security, numerous corporate sponsors and other nonprofits to promote cybersecurity awareness.
The average total cost of a data breach has reached $3.86 million, according to the Ponemon Institute’s “2018 Cost of a Data Breach Study: Global Overview.” That study was sponsored by IBM.
Cybersecurity professionals have told this reporter that having an assessment done is the first step a company should take to avoid becoming a victim. The AEDC can help with that. It became involved with assessments about a year ago and has been providing training for about two years, according to Client Services Manager Rudy Ortiz.
So far, the agency has coordinated four assessments and held nine of its three-hour training sessions, he said.
A company interested in having an assessment can contact the agency, which then conducts a preliminary assessment that is used to figure out “how big the project is,” Ortiz said. There is no charge for the preliminary assessment.
The preliminary assessment determines how many computers, people and other equipment the company has, as well as other factors. That information informs a quote that is given to the company. Quotes given so far have been between $4,000 and $5,000, Ortiz said.
The state and the AEDC have a network of third-party providers willing to do the full assessments. The AEDC pays that provider upfront, through its operational expenses budget, and the company pays the AEDC.
Ortiz said the full assessments are comprehensive: 30-40 pages depending on the company’s size and the size of its cyber infrastructure.
They spell out where a company is compliant with any applicable regulations, where it isn’t compliant, what the risks to the business are, the level of those risks and what it will take to fix any cybersecurity issues.
The next step, for some, is to hire an outside firm to fix the issues. For other companies, internal IT staffs might be up to the task, Ortiz said.
As for the training sessions, they are offered to companies through the agency’s Manufacturing Solutions program, which is an affiliate of the National Institute of Standards & Technology Manufacturing Extension Partnership.
Companies choose who to send to the training. “Could be the owner, an IT employee or both. Usually both,” Ortiz said.
The three-hour training sessions cost $25. They feature four speakers: someone with the FBI or Secret Service who shares cybercrime trends; a banker or finance professional who talks about how to protect assets from cybercriminals; a risk mitigation professional who speaks on insurance-related instruments a company can have in place to fund a recovery if it is hacked and the different things a company needs to make sure its insurance policy covers; and a cybersecurity professional who shares preventive measures, including what employers should be teaching their employees (how to spot a phishing email, for example).
The sessions are also funded through the AEDC’s operational expenses budget.
In addition, AEDC-MEP partners with the Arkansas Procurement Technical Assistance Center, or Arkansas PTAC, a Department of Defense-funded agency housed at the Cooperative Extension Service that is part of the University of Arkansas System’s Division of Agriculture.
Together, AEDC-MEP and PTAC provide six- to seven-hour training sessions for government contractors and subcontractors that need to meet certain cybersecurity requirements in order to keep their contracts. The sessions are free because PTAC has been awarded a DOD grant to fund them. AEDC promotes and is a sponsor of the training sessions.
Ortiz said the AEDC is involved in all of these services because it’s concerned with businesses closing and jobs being lost. “We’re not trying to make money on this deal. We’re just trying to make sure the companies are secure because that’s the future of Arkansas,” Ortiz said. “AEDC, at the end of the day, is all about creating and maintaining jobs. We have all sorts of tools that we utilize to meet that goal. That is the mission of AEDC.”