By Lana Sweeten-Shults
GCU News Bureau
Mark Pribish spun a cautionary tale.
The CEO of a small company emailed the head of the company’s human resources department with a request: “Hey, I’d like to have the 300 W-2’s of our employees emailed to me this morning.”
The head of the HR department responded immediately.
When he saw the CEO three hours later, he asked, “Did you get that email on the W-2’s?”
The CEO responded, “What email?”
The HR representative unknowingly placed the tax information of 300 employees in the hands of hackers.
“There are hackers pretending to be CEOs with CEO-like emails that mirror CEOs’ emails so exact that we're not even paying attention. They’re counting on us multitasking,” said Pribish, the vice president of Merchants Information Solutions and a GCU Technology Advisory Board member who spoke on Wednesday to Grand Canyon University technology students about the new era of cybersecurity and, more importantly for them, the jobs open to them in the burgeoning field.
That scam -- the FBI calls it the Business Email Compromise -- has resulted in 40,000 businesses in the U.S. being compromised. The total cost: $5 billion.
It was just one of the cybersecurity nightmares Pribish shared with students during his talk, “Cybersecurity Career Opportunities Outside of IT.” It was the first talk in the Dean’s Speakers Series in the College of Science, Engineering and Technology. CSET has lined up three more speakers in the series for the academic year.
Pribish admitted, “I know nothing about technology.” So it’s ironic, he said, that he has become a nationally recognized cybersecurity expert.
“I was one of the first persons 21 years ago to sell cybersecurity liability insurance," he said. "People didn’t even know about ID theft or data breach 20 years ago. I was selling it to the large banks in the U.S. So my nine years of experience in cyber liability insurance put me in the cybersecurity space.”
It’s a space he said he is betting students would want to explore, as well.
“How many of you have even thought of being in the risk management business?” Pribish asked. When no one raised their hand, he said, “You know what? I’m going to change your minds.”
He relayed to students that, like him, they don’t need to be technology experts to work in the cybersecurity field.
Only 27 percent of all students who graduate from college work in a career in their major, he said, and challenged students to think beyond the traditional IT job: “When you have two, three, four years’ experience, you will be shocked at the job opportunities coming your way that don’t relate to what you currently do as an IT professional.”
Pribish advised students to become subject matter experts – to read and research as much as they can about cybersecurity, write papers and publish articles.
He said students might look into becoming certified information privacy professionals.
“It means you know all the state and national laws. It means when the Fortune 500 companies, or a company like GCU, when GCU experiences a data breach event, you’re the credentialed individual that’s going to tell the CEO here what to do based on the type of breach event, the volume of the breach event, the state and national laws. That’s something you can advise on.”
Other types of cybersecurity jobs: certified information privacy manager or certified information privacy technologist.
“Almost every Fortune 500 company has all three credentialed individuals, and a majority of them are not IT but are cybersecurity-educated individuals,” he said.
He also mentioned looking into cyber insurance, like Pribish did in his career, or going into the industry through the fields of law or accounting.
“I’m going to tell all of you right now – you’re in the risk management business," he said. "Every business has legal counsel, every business has an accountant or CPA firm, and every business has insurance. The lawyer, the accountant and the insurance broker, what do they do? They mitigate risk. That’s what they’re there for, to manage risk.”
Pribish called cybersecurity “the new risk mitigator.”
“Right now, every law firm in the U.S. that has 20 to 30 lawyers or more is scrambling because they’ve all created a brand new practice, a cybersecurity practice. … All these law firms are struggling to find talent and content and education within their lawyers.”
Insurance companies, he said, go into businesses to see how secure their server might be and inspect the software they use. “All these companies are looking to hire people like you who understand IT and cybersecurity. It's a fast track to a career.”
Businesses like his, Merchants Information Solutions, help companies respond to breach events.
“There are regulatory requirements, state and federal laws, now international laws, that are driving companies to be proactive … and push breach response.”
Pribish emphasized that if students want a career for the long haul, cybersecurity is it.
“The cybersecurity marketplace today is about a $60 billion a year marketplace, and I have this research report, they’re estimating in five years the cybersecurity marketplace will be $223 billion,” he said.
The industry will keep growing as long as cybercrimes keep happening – and they will.
He referred to a talk by retired Gen. Michael Hayden, former Director of the CIA and former Director of the National Security Agency. Hayden said, “'Here’s a fact: You can’t stop it. We are stopping 80 percent of it.' He told every company, every business, at this cyber conference, you need to focus on response and recovery.”
These data breach stories seem to make headlines again and again, from the Equifax hack in 2017, which compromised the identities of 145.5 million customers, to the biggest security breach in Facebook’s history in recent weeks, in which hackers gained access to 50 million accounts.
The tales of data breaches and identity theft are so constant, Pribish said, consumers are suffering from “breach fatigue." "As consumers, as business executives, we’re all sick and tired at all these headlines about ID theft and data breach. In fact, we’re so sick and tired about it, we’re beginning to ignore it, and ignoring these headline articles, we’re beginning to ignore the problem. So I need to bring some reality to all of you here – the reality of data breach, the reality of ID theft.”
Pribish said most data breaches are not related to an IT or hacking event.
According to a report by TrendMicro, of all the data breaches from 2005-2015, "75 percent of all the data breaches were what we call the insider threat,” Pribish said. Insider threats include former and current employees, contractors, vendors and the like. “Of the people, half the time it’s an accidental event -- what we call accidental release. The other half the time it’s a malicious event -- employees who are getting fired and say, 'I’m going to get back at you.'”
That statistic has been confirmed by other companies, such as cyber insurance company Beasley, one of the largest in the world, which reported that it received 2,500 claims in 2017 from 2,500 business clients who said their data was breached. Beasley learned that only 36 percent of the breaches were related to IT and hacking.
He added, “Isn’t that amazing that IT and hacking are the sizzle that make the news headlines? But it’s the people event that’s challenging businesses and organizations today.”
As far as identity theft, Pribish said the Federal Trade Commission reported that they are mostly nonfinancial events. Only 48 percent of identity theft is related to a victim’s bank accounts, credit or debit cards, home loans, auto loans and the like. The top three forms of ID theft in the United States are taxpayer identity theft and refund fraud, medical ID theft, and credential ID theft (driver's licenses, passports, employee IDs and the like used for fraudulent purposes).
The 2018 Identity Fraud Study released by Javelin Strategy & Research revealed there were 16.7 million victims of ID theft – 1.3 million more than a year ago. Twenty-one percent of all identity theft victims are young adults, including college-age students. Also last year, more Social Security numbers were stolen than credit card numbers, Pribish said, noting that the 2017 Equifax hack likely has had something to do with the rise of compromised Social Security numbers.
“When your Social Security number is stolen, it’s a lifelong event. It’s out there forever. According to the FBI, bad people will use your Social Security number up to 31 times before they stop using it.”
And here’s more bad news. Pribish said:
- The top 10 banks each have reported 100 data breaches or more since 2005.
- The top 10 health insurance companies have had a combined 101 data breach events since 2005.
- The credit bureaus have reported 52 breach events since 2005.
Of course, the good news is that for those who want to prevent cybercrimes from happening, as Pribish said, they'll have a career "forever." "A college education combined with one or two years of entry-level experience can propel you to unbelievable careers outside of IT."
Contact GCU senior writer Lana Sweeten-Shults at [email protected] or 602-639-7901.
