nPowerTech LLC:
The Consultants that work for you!
Christian Bowen
Old Dominion University
CYSE-494: Entrepreneurship in Cybersecurity
Professor Porcher
June 6, 2023
With the increasing advancement in technology, there is also a surge in skilled actors capable of exploiting others for gain. Every day there are ongoing attacks on databases, servers, and files that many people are not aware of. In the workplace setting (depending on the workplace), confidential agreements and personal data are used daily to personalize the client-sales/service relationship. In many fields, the people who use this technology for their jobs are unaware of the dangers that come with using it for workplace efficiency. With the increase in social engineering attacks, many businesses are left vulnerable to data leaks and ransomware that erode the trust between business and clients. The goal is to protect the data that keeps businesses running.
Abstract
Problems are emerging in society due to the rapid change in technology, and this leaves room for exploitation by bad actors wanting to get ahead. Between email phishing, cell phone exploitation, ransomware/malware techniques, and ignorance of cybersecurity, many employees fall victim to these schemes. To address the problem, the consulting firm nPowerTech LLC will be created as a low-cost security backbone for the many companies that need cybersecurity support. With the help of this team, several million dollars could be cycled back into the pockets of business owners by mitigating the exploitation that can occur through uninformed employees. By doing so, nPowerTech LLC hopes to enable the further development of technological tools and software that will aid and grow businesses trying to succeed in the online marketplace.
The need for Security Experts
One of the biggest exploits used by many threat actors is the art of social engineering. Major social engineering attacks include email phishing, pharming, whaling, and DNS phishing. Combined, these four attacks made up to 25 percent of the major cybersecurity incidents in the United States in 2021 alone (Falowo et al., 2023). That statistic does not include malware incidents, which rose 50 percent from previous years and made up 50 percent of the total major incidents that occurred to businesses in 2021. Since most malware is considered the result of social engineering attacks, it becomes clearer that the biggest security risk in a company is the human factor. The impact COVID had on the workforce reinforced this statement: as each year expanded the use of remote work, more breaches were being reported that began with emails to employees. The lack of knowledge about certain aspects of social engineering gave them unspoken permission to click on those emails, assuming they were work related. The lack of vigilance and awareness of the threats that come with the territory of Internet access creates a huge risk to business data and profits. In 2021 alone, a record 4.7 billion dollars of revenue was lost by businesses due to cyber attacks (Rajeswary & Thirumaran, 2023).
Ransomware is another attack on businesses that is primarily carried out through the social vector of a business. Many of the big payouts companies give to these attackers come after systems/servers are shut down or all the data is locked until financial compensation is paid. In a report by Danyal Farhat and Malik Shahzad Awan, successful ransomware attacks were caused by phishing messages 67 percent of the time, and weak passwords/bad management roughly made up the other 30 percent (Farhat & Awan, 2021). Several companies are losing hundreds of thousands of dollars in a single event for the chance of getting their data back. With a majority of these attacks enabled by human error, the correction path becomes a clear one.
While this data may be apparent to security experts like us, many people do not see cybersecurity in such a manner. Many potential customers see the data breaches that happen at these companies and often choose not to associate or do business with them (Business, 2020). The public mainly attributes the failure to maintain confidential data to the company itself rather than to the actions that led to the breach. Even without the negative publicity, the customers the breach affected will take legal action against the company for that breach, and this will cause several hassles for the owners. With several other topics to worry about, business owners want to have faith that the employees they hire will maintain policy and professionalism in the workplace, but even the most faithful employees are subject to grave mistakes like this. It is a tough pill to swallow, but the data backs up the claim. Studies show that after a breach a business will lose roughly 12 percent of its partners, 25 percent of revenue to fines, and 50 percent of money to restitution for those affected, and will find it 42 percent harder to attract new customers (Business, 2020).
Many policies on proper internet use fly under the radar for the majority of small-medium sized businesses. An example of a big risk that flies under the radar for industries is the bring your own device (BYOD) policy. With the emergence of smarter technology, many people have made their phones multipurpose, but with this policy, security breaches are likely to happen on a smaller but scarier scale. Without going into the dangers of having a portable physical device that can be lost, phones are often subjected to data breaches because of how the data is stored on a phone’s SIM card. Many devices do not come with encrypted storage by default, so all it would take is access to the phone’s backend software data to alter or collect operational data on what the owner has been using the phone for (Bubukayr & Almaiah, 2021). Combined with connectivity to unstable networks as the device is transported everywhere the employee goes, this becomes a recipe for a small breach. The breach may not immediately show itself and cause harm to the company; however, there are instances where devices can be turned into bots or even listening devices that record the activities the phone is used for. That can give away more information than a zero day in software code.
Risk assessment is a type of report that we produce for business owners when consulting them on the security actions that must be taken. Vulnerabilities and risk are measured through a quantitative model of their system that indicates where systems fail and the possible solutions for those failures. By using the method of risk assessment given by Semertzis and others, owners are able to understand the time-to-replace model, the time-to-repair model, and the median time-to-return-to-business model. This part of the quantitative model focuses on the lifetime the hardware will have in the business cycle (Semertzis et al., 2022). The loss in software and hardware for the company is computed by combining what it will take to restore systems (data servers and computers), the impact a breach will have on the network, the scenarios in which a breach could occur, and the likelihood that those scenarios happen (Semertzis et al., 2022). To determine the likelihood, there must be a reason to attack: whether there is information that can lead to monetary gain, or information directly related to money such as bank accounts. Adding these factors together creates the formula of risk for a company against possible cyber-attacks.
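The following Python script is an added worked example of the kind of risk sheet the paragraph above describes; it is not code from nPowerTech, from Semertzis et al., or from the original paper. It assumes the usual expected-loss form of the model (risk = likelihood × single-event loss, summed over breach scenarios), where the single-event loss combines the restore cost with revenue lost during the time to return to business, scaled by the fraction of the network affected. The hardware replacement reserve uses the time-to-replace (lifetime) figures. All assets, scenarios, dollar amounts, and probabilities are constructed for illustration.

```python
"""Quantitative risk sheet in the spirit of the paragraph above.

Constructed example: every asset, scenario and number below is invented for
illustration; none of it comes from Semertzis et al. or from a real client.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    """A hardware item with its replacement cost and expected service life."""
    name: str
    replacement_cost: float   # cost to replace the unit
    lifetime_years: float     # time-to-replace: expected years in the business cycle


@dataclass
class Scenario:
    """One breach scenario and the factors that size its loss (all assumed)."""
    name: str
    likelihood: float         # estimated probability of occurring within a year (0..1)
    restore_cost: float       # what it takes to restore servers and computers
    hours_to_return: float    # time to repair / return to business, in hours
    hourly_revenue: float     # revenue earned per hour of normal operation
    network_impact: float     # fraction of the network knocked out (0..1)


def annual_replacement_reserve(assets):
    """Money to set aside per year so hardware can be replaced at end of life."""
    return sum(a.replacement_cost / a.lifetime_years for a in assets)


def scenario_loss(s):
    """Single-event loss: restore cost plus revenue lost while the affected part is down."""
    return s.restore_cost + s.hours_to_return * s.hourly_revenue * s.network_impact


def expected_annual_loss(scenarios):
    """Risk = sum over scenarios of likelihood x single-event loss."""
    return sum(s.likelihood * scenario_loss(s) for s in scenarios)


def rank_by_risk(scenarios):
    """Scenarios ordered by expected annual loss, highest first, for the owner's sheet."""
    return sorted(scenarios, key=lambda s: s.likelihood * scenario_loss(s), reverse=True)


def savings_from_control(scenarios, scenario_name, new_likelihood):
    """Expected annual loss avoided if a control (e.g. awareness training) lowers one
    scenario's likelihood; the owner can compare this figure with the control's price."""
    for s in scenarios:
        if s.name == scenario_name:
            return (s.likelihood - new_likelihood) * scenario_loss(s)
    raise KeyError(scenario_name)


# Constructed sample data for a hypothetical small accounting office.
SAMPLE_ASSETS = [
    Asset("file server", 8000.0, 5.0),
    Asset("10 workstations", 12000.0, 4.0),
]

SAMPLE_SCENARIOS = [
    Scenario("phishing email leads to ransomware on file server", 0.30, 25000.0, 72.0, 500.0, 0.8),
    Scenario("lost BYOD phone with unencrypted work mail", 0.15, 2000.0, 4.0, 500.0, 0.1),
    Scenario("weak password on accounting web portal", 0.10, 10000.0, 24.0, 500.0, 0.3),
]

if __name__ == "__main__":
    print(f"hardware reserve per year: {annual_replacement_reserve(SAMPLE_ASSETS):,.2f}")
    for s in rank_by_risk(SAMPLE_SCENARIOS):
        print(f"{s.likelihood * scenario_loss(s):>10,.2f}  {s.name}")
    print(f"expected annual loss: {expected_annual_loss(SAMPLE_SCENARIOS):,.2f}")
    top = SAMPLE_SCENARIOS[0].name
    print(f"saved if training cuts phishing likelihood to 0.10: "
          f"{savings_from_control(SAMPLE_SCENARIOS, top, 0.10):,.2f}")
```

Running the script ranks the phishing-to-ransomware scenario first and shows that cutting its likelihood from 0.30 to 0.10 removes more expected loss per year than any other single line on the sheet, which is the kind of number an owner can weigh against the cost of training.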
In a business, there are several job functions that fit together like a puzzle in order to make money. The owners of these establishments have the most to lose from a data breach in their systems. As the entrepreneur in their market, the owner does not have the time to learn the latest technology and all the security holes that come with it. A majority of the time, a business owner’s job is to maintain positive cash flow and figure out a way to promote and expand the business to generate more revenue. With a lot already on their plate, nPowerTech comes in to go over solutions that allow the company to meet good standards and policies (influenced by NIST and other guidelines) to run their business securely. Implementing policies, educating employees, and submitting analysis sheets for the owner to think and act on will be the core principles of our duties to any company that contracts us to consult on cybersecurity issues.
Target Market for potential growth
Since the business we are creating deals with cybersecurity, it is easy to overlook the different disciplines that need security in their devices and software in order to protect the data that is making them money. For starters, any sort of business that handles money (cards and online payments) falls under the procedures governing PCI-DSS data, which must be protected under federal law. Any insurance business that deals with personal information must store confidential data securely. In the event that data is stolen, the bad actors can use that information to open many doors at the expense of the person whose data was stolen. Many legal firms are switching to online processing of cases and evidence, which are extremely confidential. Although there is no legal procedure dictating how they must handle these online documents, policies are set up to protect the confidentiality of the data so due process can occur.
Although the safest place for a firm with no name recognition or much experience is aiding small-medium sized businesses, there are several types of businesses that our company can aid. Since money and taxes are the lifeline of companies, small accounting firms doing taxes for people are bound to have many vulnerabilities in their systems. Since accounting firms deal with a lot of data involving money and finances, it is important for both the reputation and the legal standing of the company to keep their data secure from threat actors. With our help, not only will the accountants themselves be more vigilant against attacks, but the owners of these firms will save a lot of money by using our services to mitigate the losses they would otherwise suffer from threat actors annually.
Many sales companies now use e-commerce as their main method of selling products, and with data stored on local servers, there are many instances where that data can be breached due to someone’s ignorance or negligence. By giving basic social engineering training to the salesmen/saleswomen, they will have an easier time navigating emails and online services with their newly acquired knowledge of what attackers try to do. These two are just some of the many examples of small firms and businesses that could use our help to secure their systems.
Efficacy of LLC contribution to the Security Problem
The results of security training among businesses prove to be effective and lasting. A study done at a business in Thailand compared two types of workers: those in social fields and those in tech fields. The survey started by tallying who opened the manufactured fake email, who clicked the link, and who entered their information into the fake website the email linked to. In this study, over half of the social workers got as far as entering their information, and over half of the tech workers stopped after clicking the email. The study then compared results to show improvement in that area. They found that for both social and tech employees, “cybersecurity awareness processes are important to improve the level of awareness to cyber threats among the company” (Daengsi et al., 2021).
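The script below is an added example of how the tallies from a phishing simulation like the one described above can be scored before and after a training session. It is not code from the Daengsi et al. study or from the original paper, and the employee records and counts are constructed; the three funnel stages (opened, clicked, submitted) follow the paragraph, while the consistency check and the before/after comparison are assumed conventions of our own.

```python
"""Scoring a phishing simulation funnel, in the style of the study described above.

Constructed example: all employee records below are invented; nothing here is
data from Daengsi et al. or from a real campaign.
"""

STAGES = ("opened", "clicked", "submitted")   # the funnel the study tallied


def check_funnel(record):
    """A later stage implies every earlier one: nobody submits without clicking,
    or clicks without opening. Catches tallying mistakes before they skew rates."""
    if record["submitted"] and not record["clicked"]:
        raise ValueError(f"{record['id']}: submitted without clicking")
    if record["clicked"] and not record["opened"]:
        raise ValueError(f"{record['id']}: clicked without opening")


def stage_rates(records):
    """Share of employees reaching each stage, e.g. {'opened': 0.9, 'clicked': 0.7, ...}."""
    for r in records:
        check_funnel(r)
    n = len(records)
    return {stage: sum(1 for r in records if r[stage]) / n for stage in STAGES}


def stopped_after(records):
    """How far each employee got: 'none' (never opened) or the last stage reached."""
    counts = {"none": 0, **{s: 0 for s in STAGES}}
    for r in records:
        check_funnel(r)
        last = "none"
        for s in STAGES:
            if r[s]:
                last = s
        counts[last] += 1
    return counts


def improvement(before, after):
    """Percentage-point drop per stage between two rounds (positive means fewer fell for it)."""
    b, a = stage_rates(before), stage_rates(after)
    return {s: round((b[s] - a[s]) * 100, 1) for s in STAGES}


def make_group(prefix, n, opened, clicked, submitted):
    """Build n constructed records with the given funnel counts (submitted <= clicked <= opened <= n)."""
    return [
        {"id": f"{prefix}{i}", "opened": i < opened, "clicked": i < clicked, "submitted": i < submitted}
        for i in range(n)
    ]


# Constructed rounds: a first simulation, then a second one after a training session.
SOCIAL_BEFORE = make_group("s", 10, opened=9, clicked=7, submitted=6)
SOCIAL_AFTER = make_group("s", 10, opened=8, clicked=3, submitted=1)
TECH_BEFORE = make_group("t", 10, opened=9, clicked=8, submitted=2)
TECH_AFTER = make_group("t", 10, opened=7, clicked=2, submitted=0)

if __name__ == "__main__":
    for label, before, after in (("social", SOCIAL_BEFORE, SOCIAL_AFTER),
                                 ("tech", TECH_BEFORE, TECH_AFTER)):
        print(label, "before:", stage_rates(before))
        print(label, "after: ", stage_rates(after))
        print(label, "stopped after (before):", stopped_after(before))
        print(label, "improvement (pp):", improvement(before, after))
```

The `stopped_after` breakdown is what makes the two groups comparable: in the constructed data, most of the social group reaches the submission stage while most of the tech group stops after clicking, and `improvement` then reports the drop at each stage after training in percentage points.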
These results indicate that it is imperative to use education as a form of prevention. Doing so will mitigate and possibly prevent successful cyber-attacks on businesses annually. The company we are creating is centered around training, whether it is consulting CEOs on policy for employees, consulting CIOs on the security framework for their network/hardware, making brochures for employees to refer to, or aiding employer training for employees in software services, potential attack vectors online, and more efficient ways to safely do their work. With a team that keeps up with changes in technology, the range of services given by the firm will aid any business in its security needs.
Statistically, human error is the root cause of 90 percent of data breaches in any company (Business, 2020). The business model set up for the firm will gear itself toward addressing the human factor in security. Leaving all the technical issues for the IT department alone becomes an overburden when, on top of their responsibilities, they have to be the teachers of the other departments in a company. Our company model aids them in specific ways (such as AWS training, Python training, etc.) while also maintaining the training for the rest of the employees to increase their awareness of cyber threats.
One of the biggest indicators that a training session has succeeded in teaching the employees would be the key indicators of our training performance. These include questions answered in a manner that allows the person asking to understand the solution. Since there are so many different guidelines and rules, we would pick out one or two ways for the participants to be vigilant against ongoing threats in their cyber workspace and give them details on those ways. The last indication that the training has been a success is the amount of attention and the questions they have about the information on the brochures. The brochure will cover a majority of the possible attacks they may see in their line of work, and with the comfort of reading and understanding the material in the brochures, it is safe to say it will be a flyer that is constantly used to mitigate threats in the future.
Work necessary to produce Results
With the creation of nPowerTech LLC, clients will initially have a small group of cybersecurity specialists as consultants for actions that may need security solutions for the technical tools used to complete the job. With the firm being small and spread out, the fees will start off lower than a big firm’s, and many of the normal office expenses will be reduced to the expenses of working from home. This reduces out-of-pocket spending on maintaining a central office and on extensive travel. Spread out as we are, there are different ways to help each other out, which include brochure creation, completing training sessions, and finding potential clients through online lookup of small-medium businesses looking to try e-commerce. The budget for the first year is just shy of 3 million dollars to maintain the business, but with the way the market is, there is an immense amount of potential in this firm.
Feedback is a big aspect of how we determine the result of the aid we offer to these companies. The point of feedback is to establish the impressions and behavior associated with staying secure in their cyber workplace. Reading and adjusting the training based on client feedback will increase the value of each lesson, and doing so will create better results for those clients the next time we come back. This way, even future clients will benefit greatly from the teaching experience gained through each course. Since technology is a field that continuously changes every week, adapting each lecture to fit the needs of the client lets the lectures cover more of the changes in the technical tools used. By signing with us, we give the business a leg up on actively gaining more money within the fiscal year.
Summary and Next Steps toward business growth
With the increased usage of technology and the rapid development of ways to conduct business, security is a bigger issue now than ever before. Throughout the past few years, phishing attacks have been the biggest source of loss to companies through employee ignorance. In order to combat this problem, we need a continuous solution that nips the problem at the source to lighten the load of IT teams in small-medium sized businesses. By starting a consulting firm, my colleagues and I are making an effort to use education as the foundation for mitigating the losses companies will have due to social engineering cyber-attacks.
To start the business, there must be a consultation with lawyers to discuss the split of profits, the copyright of the business name, signing NDAs, and forming the business ID to operate in the state of Virginia. Once all legal and insurance steps have been taken, the business will begin by seeking out clientele: viewing the list of smaller commercial businesses and approaching them like salespeople for the company. After several attempts, statistically a couple would be interested, which will kick off the start of revenue in the company.
After the introduction of the company to the workforce, expansion will be driven purely by the results of the work we do. After obtaining clientele and consulting them on matters of security, the idea is to keep in touch with new software coming out and introduce workshops, classes, training, and lectures for those employers to strengthen skills in these software applications and teach their employees how they can do their part to secure the workplace network. These training courses will range from simple lectures, like identifying phishing emails, to advanced lectures, such as applying services given by AWS/Azure to make certain tasks more efficient. Along with keeping up with new technology, as the company grows it is important to dive into the data laws in the rest of the states of this country. Once we have a consistent profit from businesses in the state, the next area of growth would be how far our consultation reaches across the nation. To accomplish this growth, there needs to be time set aside to keep up with data privacy laws in each state and how they affect our business model. Each of our members is knowledgeable and proficient in the field of security, and although it may take a few years to build up profits, this team has the right diversity of skills to complement each other like a puzzle and create a profitable business.
References
1. T. Daengsi, P. Wuttidittachotti, P. Pornpongtechavanich and N. Utakrit, “A Comparative Study of Cybersecurity Awareness on Phishing Among Employees from Different Departments in an Organization,” 2021 2nd International Conference on Smart Computing and Electronic Enterprise (ICSCEE), Cameron Highlands, Malaysia, 2021, pp. 102-106, doi: 10.1109/ICSCEE50312.2021.9498208.
2. O. I. Falowo, S. Popoola, J. Riep, V. A. Adewopo and J. Koch, “Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents,” in IEEE Access, vol. 10, pp. 134038-134051, 2022, doi: 10.1109/ACCESS.2022.3231847.
3. C. Rajeswary and M. Thirumaran, “A Comprehensive Survey of Automated Website Phishing Detection Techniques: A Perspective of Artificial Intelligence and Human Behaviors,” 2023 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India, 2023, pp. 420-427, doi: 10.1109/ICSCDS56580.2023.10104988.
4. M. A. S. Bubukayr and M. A. Almaiah, “Cybersecurity Concerns in Smart-phones and applications: A survey,” 2021 International Conference on Information Technology (ICIT), Amman, Jordan, 2021, pp. 725-731, doi: 10.1109/ICIT52682.2021.9491691.
5. Business Valuation Resources (Ed.). (2020). Cybersecurity in Business Valuation: Addressing the Impact of Data Breaches on Value (A BVR Briefing), (1), pp. 8-10. Business Valuation Resources, LLC.
6. D. Farhat and M. S. Awan, “A Brief Survey on Ransomware with the Perspective of Internet Security Threat Reports,” 2021 9th International Symposium on Digital Forensics and Security (ISDFS), Elazig, Turkey, 2021, pp. 1-6, doi: 10.1109/ISDFS52919.2021.9486348.
7. I. Semertzis, V. S. Rajkumar, A. Ştefanov, F. Fransen and P. Palensky, “Quantitative Risk Assessment of Cyber Attacks on Cyber-Physical Systems using Attack Graphs,” 2022 10th Workshop on Modelling and Simulation of Cyber-Physical Energy Systems (MSCPES), Milan, Italy, 2022, pp. 1-6, doi: 10.1109/MSCPES55116.2022.9770140.