Airpark cybersecurity firms are flourishing by protecting corporations against the biggest threat to their business data today: their own smartphone-addicted employees
By Jimmy Magahern
It’s the day of the Ashley Madison data dump, when hackers released on the Internet 10 gigabytes of stolen personal information on the customers of the controversial extramarital affair site. Drew Smith is reeling from what can only be described as his most awkward series of business meetings ever.
“I’ve had too much coffee today,” Smith confesses, talking a bit breathlessly about the series of emergency meetings and phone calls his Scottsdale-based cybersecurity company, InfoArmor, has been having with clients ever since the hacktivist group Impact Team publicly posted the data, which included customers’ first and last names, addresses and partial credit card transactions—not to mention their potentially embarrassing extramarital sex preferences.
InfoArmor, a firm specializing in protecting large corporations against data breaches, actually got ahold of the compromised data the day before (“We have access to a lot of proprietary intelligence,” Smith explains), and Smith’s team immediately went to work combing through the massive database of roughly 36 million e-mail addresses for any that might be connected to their corporate clients. To Smith’s dismay, they found several clearly belonging to employees of some of their biggest firms.
“You’d think people wouldn’t be dumb enough to create accounts on a site like that using their corporate e-mail address—and then use the same password as their corporate account,” Smith says, with a tired laugh. “But the reality is, a lot of times people do just that. So we had the pleasure today of letting our corporate clients know they have employees who created Ashley Madison accounts using their corporate e-mail addresses. It’s a sensitive topic, and we had some discussions around here that it could potentially be embarrassing information to share. But companies pay us for intelligence, and we can’t worry about looking like the morality police. They have to protect their information and know what their employees are doing.”
InfoArmor is one of a growing group of companies located in and around the Scottsdale Airpark specializing in corporate cybersecurity. Only a decade ago, corporate computer security meant little more than installing firewalls and blocking suspicious e-mail attachments on the company PCs to guard against virus-carrying malware deployed by mischievous outside hackers. Today, however, the biggest threat to a company’s computer data may be its own employees, who each carry into work every day their own powerful Wi-Fi-equipped devices capable of infiltrating the company’s system.
“More and more companies are letting their employees use their own devices at work,” says Smith. “It’s called BYOD—‘Bring Your Own Device.’ So you’ve got potentially hundreds of employees bringing their devices into the office, and it can become an unruly mess to keep secure.”
There are many advantages to letting employees conduct business on the smartphones and tablets they’re already comfortable with. For starters, a BYOD policy shifts a lot of the cost onto the user: While the company may chip in for a fraction of the voice or data services, the worker generally pays the bulk of the monthly expenses. Secondly, employees have been found to be more productive working on the mobile devices they already spend most of their time on, and tend to upgrade on their own to the latest hardware and software much more frequently than the IT department can typically refresh the old company-supplied BlackBerrys.
But opening up the company network to an array of mobile devices also opens doors to sensitive corporate data that the company may have trouble controlling. Instead of managing a bank of PCs outfitted with company-issued security software tightly controlled by the IT department, companies are faced with managing hundreds of pocket-sized computers accessing the business network with varying degrees of protection in place. Access is harder to regulate, and, as seen in the Ashley Madison breach, sometimes employees may even use the company’s network to conduct nefarious activities they’re more fearful of their spouses discovering than their employer.
“It really is like the wild wild west,” says Smith of the current cybersecurity environment. “These cyber criminals set up systems that go around targeting machines on the Internet and they’re looking for vulnerabilities that haven’t been fixed. And the lowest-hanging fruit right now for hackers are all the devices brought in by a company’s own employees.”
The Hillary Effect
“In a nutshell, people are incredibly tied to their mobile devices and using their personal devices for work, which is dangerously blending business data with personal data,” says Kathy Kim, vice president of marketing for CellTrust Corp., another Airpark-based cybersecurity firm, this one specializing in securing voice calls and texting for business on mobile devices. “This is causing huge issues in highly regulated industries such as financial services, healthcare and the public sector, where business communications—both text and voice—on mobile devices must be traced and archived for regulatory compliance.”
To the general public, the best example of this dangerous blend of private and work-based data can be found in the recent e-mail controversy surrounding Hillary Clinton. The former secretary of state and current presidential candidate came under fire for using her private e-mail address and server, rather than departmental ones, to conduct most of her communications, leading to a national debate on the challenges of distinguishing work-related messages from personal messages in our hyperconnected world.
“We could have helped Hillary,” jokes Sean Moshir, co-founder and CEO of CellTrust, located just south of the Scottsdale Quarter near 73rd Street and Butherus. The 9-year-old company’s core product is a technology called SecureLine, an app which enables secure partitions on a smartphone to keep personal and business communications separate on a single device. In August, Good Technology, which provides secure mobility solutions for Wall Street’s biggest players including Citigroup, JPMorgan and Credit Suisse, began integrating CellTrust’s SecureLine technology into its own integrated solutions.
“The way it works is, by installing our app on your phone, you get a second phone number assigned to that phone that’s your business number, and so the app acts like a virtual phone where you have in essence two phones in one,” says Moshir. “People can call either your business number or your personal number, and if they call your business number, your voice and text messages go into a different in-box, and your business contacts don’t get mixed in with your personal contacts. You’re provided with a dual persona, per se, on the phone, and this dual persona allows you to separate all your personal stuff from your corporate stuff.”
Moshir, a 20-year veteran in the cybersecurity business, says CellTrust first developed the technology for the financial sector, where voice and text conversations typically need to be archived, and later adapted it for use in the health field, where HIPAA’s privacy rules dictate a separation between private and work-related communications. They soon discovered that every business could benefit from such partitioning, and users also appreciated the fact that their private information was kept separate from their employer’s prying eyes.
“What used to be a problem for employees is that many worried that if the corporation installed an app on their phone to conduct business with, the company would have access to their personal information, their contact list, their communications with their spouse and so on,” he says. “Most people don’t feel comfortable with that. So by us partitioning the phone, giving it a dual persona, we give employees additional privacy. Everything’s separated so the organization can access only what’s in our app and nothing beyond it.”
The company, in turn, benefits by having employees conduct business through voice and messaging systems that are controlled, archived and even time-logged for cost reimbursement purposes in accordance with its policies.
“You can even have messages that have a lifespan, where you can only read them one time and they’ll disappear and get deleted from the system,” Moshir says. “Or you can set it so they only live on your phone for five or 10 minutes and then get deleted. That might have come in handy for Hillary,” he adds, with a laugh.
Joe Loomis likes comparing cybersecurity to firefighting.
“My dad is a retired fire chief, and I pretty much grew up on a fire truck,” says the founder and CEO of CyberSponse, an Airpark-based company that markets a secure Incident Management System (IMS) for business that helps minimize response time in the event of cyber attacks. “That was my life as a kid. I didn’t play with Tonkas, I followed my dad around on a fire truck. So I learned about incident response and responding to threats and disasters and catastrophes.”
Loomis resisted the impulse to follow in his dad’s footsteps and become a firefighter. “My dad was pretty high-ranking, and I didn’t want to be in his shadow for the rest of my life,” he says. Instead, Loomis enlisted in the Navy where he worked from his station in Newport, Rhode Island, as an electronics technician specializing in cryptography and computer networking. Upon moving to Arizona in 2003, Loomis formed a couple of technology companies that for a time focused on combating online fraud and counterfeiting. In 2011 he founded CyberSponse to specifically help organizations respond to different types of cyber threats.
“I knew that as the world became more dependent on convenience—for online banking, shopping and business—there’d undoubtedly be the evil twin of vulnerability to contend with,” he says. Inevitably he wound up running a modern variation of a firehouse. “More cybersecurity people should follow the tactics and mentality of firefighters, because in reality, you’re just putting out digital fires. There’s a very close relation between the two mindsets.”
Loomis says that with the sophistication of today’s cyber criminals, no company can ever be completely shielded from digital attacks. The best corporations can hope to do is to maximize response efficiency to attacks, minimize the damage and put safeguards in place to prevent repeat intrusions. He says the growing trend of employees using their own devices at work has compounded companies’ vulnerability to cyber attacks.
“The dangerous thing about BYOD is that when your phone connects to the network at your office, it provides more opportunities to let the bad guys in the door,” he says. “If people have bad apps installed on their phones, it exposes their phones to attacks but it also exposes where they connect their phones to.” Loomis adds that the Phoenix area in general is more susceptible to cyber attacks because of its high percentage of data and call centers. According to recent labor statistics, the Valley employs almost twice the number of customer service representatives as any other metropolitan area in the country, with companies such as State Farm Insurance, Amazon and American Express operating some of the largest call centers in the United States here. Loomis says the proliferation of data centers in the Valley makes it a particularly attractive target for cyber criminals.
“They’re kind of like breeding grounds,” he says. “With data centers, there’s a lot of computers in them, so it provides a very targeted area to get access to a lot of machines and then control those machines to do bad things for you. Even if you’re not interested in stealing anything from the particular server the computers are connected to, you may be interested in using the server to steal information from another location. It’s a treasure trove. If you want to install drones on a bunch of machines to do your dirty work for you, a data center is the best place to target.”
Hot Job Field
There are other reasons why so many cybersecurity firms are choosing the Valley—and in particular the Scottsdale Airpark—to set up shop. Aaron Bartrim, CEO of Early Warning, an Airpark-based risk management and fraud prevention company that’s owned and governed by a collective of five of the largest banks in the United States to facilitate a data exchange system based on collaborative, shared intelligence, says North Scottsdale is becoming a hub for people skilled in cutting-edge technology fields.
“There really are a lot of good people here,” says Bartrim, who moved to Arizona from Australia about 10 years ago and says it’s the first place he’s lived where he wasn’t aching to get back to his homeland.
“The people with the really specialized engineering skills are difficult to find anywhere. They tend to congregate around Silicon Valley and, in our field, on the East Coast where the banks are. That said, because of the type of data we work with and the unique organization we have, we’ve been able to attract some very good people here locally.”
Moshir says his firm chose Scottsdale because of the higher quality of life available here relative to wages. “The average engineer here in Scottsdale has a good house and good life, whereas in Silicon Valley, you’re lucky to be able to afford a tiny condo at best!” he says with a laugh. “Out here, even though the pay scale is slightly less than in California, the lifestyle you get to live on that income is considerably better than what you can afford there.”
Because of the secretive nature of the field—and their own attractiveness to cyber criminals—Moshir says a lot of cybersecurity firms in the Valley operate in “stealth mode,” with some even keeping their physical locations hidden on the Web. But in an effort to recruit more professionals to their rosters, several of the leading companies, including CellTrust, Early Warning and CyberSponse, recently teamed up with the governor’s and the mayor’s offices of Phoenix and Scottsdale to form a nonprofit coalition called Security Canyon aimed at attracting and retaining cyber talent in Arizona. “There are a ton of jobs here in this field,” Moshir says.
Bartrim says Early Warning, which has already added over 70 new hires this year to expand its data sciences and analytics departments, was recently awarded a major government contract to work on research relating to sussing out signs of potential terrorism in public data, and is actively recruiting professionals to work in that space as well.
“We’re really pushing to bring in interns, work with the universities, even investing in training resources so that we can continue to bring people into this field,” he says. “We’re not going anywhere soon.”