VICEROY program seeks to meet U.S. DoD cyber-workforce demands

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

“Through the latest round of the VICEROY Program, we are advancing the mission of preparing a highly skilled cybersecurity workforce for the Department of Defense. These virtual institutes, in collaboration with esteemed academic partners, augment traditional curricula, providing hands-on, experiential learning, and internships tailored to meet the demands of the Armed Services, DoD, and Defense […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

VIEWPOINT: Cybersecure Your IoT

Business Mentors, Regional News, Subscriber Only, Technology

Internet of Things (IoT) technologies employ embedded devices to sense, and sometimes control, the physical world around us. They offer several benefits that range from general awareness to improved operational efficiency, or just plain convenience. IoT solutions have supported all of this nation’s critical-infrastructure sectors, from commercial facilities and transportation to food and agriculture, while

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

As estimates for world-wide IoT adoption approach nearly 43 billion IoT devices in 2023, it is widely acknowledged that this technology has created an immense (and growing) threat landscape for cybersecurity attacks. Accordingly, IoT security has increasingly become a national priority, dating back to Executive Order (EO) 14028 (2021), “Improving the Nation’s Cybersecurity,” which tasked the National Institute of Standards and Technology (NIST) to initiate programs addressing the cybersecurity capabilities of consumer IoT devices.

The broadened attack surface, which results from the widespread deployment of disparate devices, as well as their respective firmware, operating systems, and wireless-communication protocols, increases the security risk based on the complexity of the connectivity models and the often ad-hoc implementation of these solutions. The ramifications of an exploited IoT device, connection, or cloud service present a significant risk to businesses and consumers alike, with the potential to result in far-reaching intrusions that can laterally impact business systems, sensitive customer data, and/or any number of enterprise infrastructure. Recent high-profile attacks have shown that this not only can happen, but that when it does, recovery costs can run millions of dollars, not to mention the inevitable impact on their brand’s reputation.

While the complexity of the IoT arena can seem daunting, there are a handful of simple strategic protections that can be levied at different levels of the architectural model. The following practices are strongly encouraged within an organization to protect critical information-system assets.

• Device: Prior to acquiring and deploying an edge device, research the different manufacturers and the products they offer. The manufacturer’s country of origin and provided support should be considered, in addition to device-specific factors such as the operating system, any onboard software, the use of encryption, etc. When setting up the device, ensure that it has the latest firmware update, and determine the method by which the device can be updated in the future (e.g., wirelessly, serial, etc.).

• Connection: There are several wired and wireless-communication technologies that can connect devices to cloud-service providers and user applications. The requirements of each use case should typically dictate which is best suited to the planned implementation. While security tips would ideally be tailored to the selected means of communication, general suggestions involve changing default settings (e.g., access point name, password), employing the strongest encryption methods, and disabling any unused features, ports, etc.

• Application: Multifactor authentication (MFA) is a buzzword in the cybersecurity realm for a reason — it is one of the most-effective deterrents because it relies on two or more methods of verification to log into an account. These authenticators fall into the following categories: something you know (e.g., passwords), something you have (e.g., smart cards, authenticator app, or password token), and something you are, (e.g., a thumbprint or facial recognition). Ensuring devices and logins have MFA enabled is one of your best protections for user sign-ins.

• Zero-trust security model: A more-complete approach involves the implementation of a zero-trust security model, which replaces legacy-network, perimeter-security strategies by validating each access request while employing strong authentication and least privilege. The zero-trust model treats every request as if it was coming from a vulnerable open network, which means maximized scrutiny and security are required for each request. This model also enables real-time identification of vulnerabilities to proactively stop cybersecurity attacks before they start.

The implementation of these basic security practices can serve as an effective first step toward securing one’s IoT solutions, whether they include home devices or more significant industrial equipment. Per EO 14028, NIST has more recently released a collection of guidance for both consumers’ and the federal government’s adoption of IoT technologies which provides a more complete set of security safeguards and related considerations. Readers interested in learning more are encouraged to consult the publications provided by NIST’s Computer Security Resource Center (CSRC).

John Reade is IT systems lead at Quanterion Solutions Inc., a Utica–based provider of cutting-edge analytical services, products, and training across a range of disciplines including cybersecurity; managed-cloud services; reliability, maintainability, and quality; information-systems management; software development; information and knowledge management; and more. Email IoT@Quanterion.com with any questions or to learn more about securing your IoT devices, cloud, or connectivity.

TechMD hires vCIO for Syracuse office

Small Business, Subscriber Only, Technology

SYRACUSE, N.Y. — TechMD, a technology management and cybersecurity company headquartered in Endicott, recently announced it has added David Kerrigan as vCIO. Kerrigan has more than 30 years of experience in the managed-IT field and has helped many small- to mid-size companies build and maintain their technology systems. As a vCIO at TechMD, he will

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Clarkson professors awarded $400,000 NSF cyber grant

Health Care, Regional News, Subscriber Only, Technology

POTSDAM — The National Science Foundation (NSF) has awarded a nearly $400,000 grant to four professors at Clarkson University to incorporate cybersecurity into their computing classes. The funding will help them “create and integrate” identity and access management (IAM)-themed, project-based learning (PBL) curriculum into existing computer-science and software engineering-related curricula, the university said in its

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

POTSDAM — The National Science Foundation (NSF) has awarded a nearly $400,000 grant to four professors at Clarkson University to incorporate cybersecurity into their computing classes.

The funding will help them “create and integrate” identity and access management (IAM)-themed, project-based learning (PBL) curriculum into existing computer-science and software engineering-related curricula, the university said in its Sept. 14 announcement.

This project is under the direction of Daqing Hou, professor of electrical and computer engineering and director of software engineering; Jeanna Matthews, professor of computer science; Jan DeWaters, associate professor in the Institute for STEM Education; and Faraz Hussain, assistant professor of electrical and computer engineering.

The Clarkson team will collaborate with researchers from the University of Texas at San Antonio, the school noted.

Project-based learning (PBL) and other active learning practices have been shown to increase student motivation and engagement, raise examination performance, and reduce failure rates, according to Clarkson.

Students will work on “authentic, real-world” problems similar to what they will encounter on the job, the university said. This approach will broadly expand cybersecurity education to all computing-related students, not only those enrolled in dedicated cybersecurity programs.

The project also seeks to broaden participation in computing disciplines. Ultimately, it will improve student-learning outcomes, including personal competencies, mastery of cybersecurity content, and higher-order thinking skills, Clarkson contends.

The project will design and develop a set of ready-to-use IAM-themed software course projects, along with supporting course modules and active learning activities, which will enable course instructors to assign and support take-home PBL projects.

At least 10 faculty members from multiple institutions will use the developed course materials in their classrooms, impacting more than 1,000 students, Clarkson said.

A pilot study will assess the promise of the developed projects in improving student-learning outcomes.

Clarkson said it will disseminate the overall framework and materials developed through websites, publications in conference proceedings and journals, and workshops.

New York names new chief information officer

Employee Benefits & Human Resources, Nonprofits, People on the Move, Subscriber Only, Technology

ALBANY, N.Y. — New York State has a new chief information officer (CIO) and director of the New York State Office of Information Technology Services. Dru Rai will lead the state’s ongoing digital transformation and will work with state agencies to create more seamless digital interactions with state government, the office of Gov. Kathy Hochul

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

ALBANY, N.Y. — New York State has a new chief information officer (CIO) and director of the New York State Office of Information Technology Services.

Dru Rai will lead the state’s ongoing digital transformation and will work with state agencies to create more seamless digital interactions with state government, the office of Gov. Kathy Hochul said.

He succeeds Angelo (Tony) Riddick, who retired earlier this year.

The agency is charged by law with protecting the state’s systems from cyber intrusion and attack and is part of the team that operates the Joint Security Operations Center (JSOC) in Brooklyn, which has fostered a unique “whole of state” approach to cybersecurity, Hochul’s office said.

“Under Dru Rai’s direction, we will continue to innovate and grow to meet both the challenges and opportunities of this new digital age. Since the pandemic, our state has moved swiftly to develop new applications, new processes and a new way of thinking that seeks to meet New Yorkers where they are and where they will be. It is exciting to welcome someone of Dru’s caliber to this important role,” Hochul said in the Sept. 27 announcement.

Rai most recently served as chief digital and information officer of Quaker Houghton Company, which is headquartered in suburban Philadelphia, Pennsylvania.

He previously served as global CIO for the Ball Corporation, DuPont Coatings, and GE Advanced Material (a division of GE) and began his career at Ernst & Young.

A graduate of GB Pant University in India and the University of Connecticut, Rai also led and volunteered as the CIO for Goodwill Industries International and the American Cancer Society, helping each organization set their digital strategies and make technology-operational improvements.

“Under Governor Hochul’s leadership, I look forward to building a great team that will work cohesively to achieve the best possible digital solutions for all of our stakeholders,” Rai said. “We will lean on the expertise of ITS to bring about a digital transformation that will improve the user experience and strengthen the trust between New Yorkers and their government. And we will promote collaboration across state agencies to ensure alignment with the state’s strategic IT objectives, common technology solutions that work not just for some but for all, and a commitment to listening to our partners during every step of the journey from idea to delivery.”

As part of the overall transition at ITS, the state’s IT service provider, Jennifer Lorenz, will assume the executive deputy CIO role and work alongside Rai to provide the “strategic IT vision.” Lorenz served as acting CIO for the last six months while an extensive, nationwide search was conducted for the agency’s top role.

ITS is directly involved in a number of important state initiatives. They include the effort to digitize services; further enhance the state’s cyber posture; improve the overall customer experience; create a “One ID” system for residents to access services across all state agencies; build out statewide data and privacy programs; and fortify the IT workforce following the COVID-19 pandemic, Hochul’s office said.

PAR Government awarded almost $15 million Air Force contract modification

Manufacturing & Engineering, Regional News, Subscriber Only, Technology

ROME, N.Y. — PAR Government Systems Corp. recently won a nearly $14.9 million modification to a previously awarded U.S. Air Force contract for directional airborne networks for contested environments software. The cost-plus-fixed-fee completion contract modification brings the total cumulative face value of the contract to nearly $24.8 million, according to a Sept. 13 contract announcement

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

SEC proposes new cybersecurity reporting rules for public cos.

Subscriber Only, Technology

One of the main changes is a new proposed reporting requirement for cybersecurity incidents at publicly traded companies, says Christoper Salone, a consulting manager at FoxPointe Solutions at The Bonadio Group, which is based in Rochester and has offices across Upstate, including Syracuse. “They want it to be disclosed within four business days from when

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

“They want it to be disclosed within four business days from when an organization determines an incident to be material,” Salone says. A material incident is one determined to potentially impact a company’s finances, operations, or relationships with customers.

While some businesses have expressed frustration with the four-day window, the time frame aligns with existing rules in New York, such as one for financial institutions requiring them to report incidents to the state within four days.

“Four days is quick to determine the full nature of an incident and disclose it, but that four-day clock doesn’t start ticking until an organization determines an incident is material,” he adds.

The second major proposed change is requiring companies to outline, at a high level, their cybersecurity program, Salone says.

That includes addressing how the company addresses threats, how it assesses risk, and how it stays up to date on all of it, he says.

The goal of the proposed changes is to make cybersecurity information available and readable to investors.

While the new rules are not final, Salone says he has no reason to expect they won’t be finalized. Typically, rules are effective 90 days after they have been released to the public register. He anticipates these rules will go into effect in mid-December unless the SEC opts to change elements after reviewing public comment.

Companies should start preparing now to make sure they will be ready to comply with the new reporting rules. “I think the best thing an organization can do is have a written and documented incident-response plan,” Salone says.

Leaders should also clearly define what a material incident is for the company and provide examples in that plan, he adds. Businesses should also outline roles and responsibilities during a cyber incident. Ideally, these plans include the company’s IT, compliance, risk, and auditing departments along with any other entities that may have a hand in cyber response or reporting. This can include outside vendors or a company’s cyber insurance provider.

“Make sure you test those plans on an annual basis,” Salone says. He also suggests including an appendix with disclosure templates ready to go. All of that helps ensure a company is ready and able to report if it is required to do so.

The proposed rules also call for companies to outline management’s role in implementing cybersecurity policies and procedures; disclose the board of directors’ cybersecurity expertise and its oversight of cybersecurity risk; and provide updates about previously reported material cybersecurity incidents.

The changes update guidance issued in 2011 and previously updated in 2018.

SUNY Poly professor’s research focuses on improving security

Health Care, Regional News, Subscriber Only, Technology

MARCY, N.Y. — A SUNY Polytechnic Institute professor is leading a research project to boost cybersecurity after being awarded the largest single-investigator contract award in SUNY Poly’s Marcy campus history. Hisham A. Kholidy, an associate professor and chair of the Network and Computer Security (Cybersecurity) Department, was awarded a nearly $1.1 million contract from the

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Hisham A. Kholidy, an associate professor and chair of the Network and Computer Security (Cybersecurity) Department, was awarded a nearly $1.1 million contract from the Air Force Research Laboratory (AFRL). The three-year project seeks to help address the need for an advanced security system that can identify, assess, and protect against attacks across the 5G open architecture in a timely and accurate way without human intervention.

“This project, led by Dr. Kholidy, is a strong example of how SUNY Poly’s growing reputation as New York state’s premier public polytechnic is backed by our wide-ranging academic and research pursuits, including as a leader in cybersecurity research and applications nationwide,” SUNY Poly Officer-in-Charge Andrew Russell contended in an Aug. 7 news release.

With 5G expected to play an important role in global economic growth and technological development, the Department of Defense (DoD) has identified 5G security as a critical area, Kholidy notes. The proposed research investigates ways to protect 5G open networks, meet resilience requirements, and minimize damage from attacks.

“The DoD has a vital interest in advancing 5G-to-NextG wireless technologies and concept demonstrations,” AFRL Senior Scientist Andrew Karam said. “These efforts represent our continuing investments via public- and private-sector collaboration on research and development for critical 5G technology enablers necessary to realize high performance, security, and resilient network operations for the warfighter.”

The project will support a post-doctoral student and two research assistants assisted by Kholidy. The project will also educate and involve students with interdisciplinary skills, including underrepresented minority students through integrating projects covering information science, communication, cybersecurity, and autonomic computing, as well as developing a new cybersecurity course and a simulated 5G security testbed network.

Key contributions of this project include: improving the current 5G security testbed that was developed in collaboration with AFRL engineers to support the 5G open architecture network. This network is to become the first-of-its-kind “open 5G-federated testbed” supporting 5G multi-vendor and commercial service providers. This will help them develop innovative cybersecurity solutions and datasets with respect to this emerging global architecture, SUNY Poly said. Such solutions and datasets will open the door for researchers to improve this new architecture. The project will also develop an intelligent vulnerability assessment approach to assess the security level of the new architecture. In addition, it will seek to develop a smart-network slice provisioning framework to help orchestrate and manage 5G slices among multi-vendor and commercial-service providers. The 5G network slices are defined as network configuration that allows multiple networks to be created on top of a common 5G physical infrastructure.

SUNY Poly students are already actively involved in AFRL activities established by Kholidy. Through this project, he will have the option of dedicating lecture time on the testbeds by logging in remotely and showing practical scenarios to his students, per the release. This project will allow him to take these activities to the next level by developing interdisciplinary projects, in which graduate and undergraduate students will be paired together, the university said. Graduate students would be able to assist undergraduates in obtaining a realistic understanding of graduate education and research methodologies.

Outreach activities targeting local schools that offer cybersecurity programs are also part of the project’s plans, as is expanding existing SUNY Poly outreach programs to enhance cybersecurity awareness among high-school students in Oneida County, the release stated.

Along with degrees in technology including cybersecurity, SUNY Poly also offers undergraduate and graduate degrees in professional studies including business and communication, and arts and sciences such as mathematics, game design, and humanities.

VIEWPOINT: “Smishing” fraud is on the rise

Business Mentors, Subscriber Only, Technology

Financial institutions across the country have noticed a troubling trend — a dramatic increase in text-message fraud attempts. “Smishing,” defined as phishing attempts via SMS text messaging, is increasingly the vehicle of choice for cybercriminals. Most frequently, this type of fraud is carried out through impersonation attempts, with the intention of gathering an individual’s personal

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

This is known as credential harvesting, which is exactly what it sounds like. Bad actors are stealing and collecting the credentials needed to access financial accounts. And cybercriminals are getting much better at masking their efforts.

The scale of the problem is highlighted in the 2023 Data Breach Investigations Report, issued by phone carrier Verizon. It found that 74 percent of all breaches involved a human element, and that the three primary means of attacking an organization are through “stolen credentials, phishing and exploitation of vulnerabilities.” The threat this poses to businesses is multi-fold.

1. Reused passwords — If a criminal manages to access an employee’s personal banking records, there’s a chance that the employee has reused passwords. All a cybercriminal needs to do is look on LinkedIn to determine where the employee works, and then test the passwords they’ve stolen to see if they can get into business accounts.

2. Compromised accounts — For employees with mobile links to corporate systems, either through company-issued phones or apps on their personal phones, the risk is even more direct. With the right credentials, a criminal can access accounts and change logins, locking legitimate employees out, stealing funds, and more.

3. Distracted, upset workers — Even if criminals are not able to access corporate accounts via your workers, distracted, upset employees who have had their funds stolen will need time away from work to repair their accounts.

The increasing use of artificial intelligence (AI) is making fraud detection even harder. Over the years, people have become far savvier at spotting phishing attempts. Emails with jumbled syntax, spelling, and grammatical errors sent up red flags that meant even if an email looked official, it clearly was not.

Now, free, easy access to AI tools that have the capability of constructing persuasive, grammatically correct content has all but eliminated the warning of a misspelled email or text as an indicator of criminal activity.

It’s more important than ever for employers to talk to employees about cybersecurity and show them how they can protect themselves and the business. Here are some of the most-common signs of fraud to share with your employees to prepare them for smishing attempts:

• High sense of urgency — Criminals prey on our fear of having our money stolen and the impulse to address potential fraud fast. Common tactics are telling the fraud targets that they must click on a link or call a number within a short, fixed amount of time — like the next 15-20 minutes — in order to stop an allegedly fraudulent transfer from happening.

• Requests for your one-time PIN — Your financial institution will never ask for the one-time PIN to access your account. This is a sure-fire sign that you’re dealing with a criminal.

• Pestering you — Your financial institution will not badger you and repeatedly text you asking you to click a link, and they will not scold you or get angry if you ask to hang up and contact the fraud line. This should strike anyone as bizarre and unprofessional behavior and is a warning sign that you’re dealing with bad actors.

• Asking you for the answers to your challenge questions — Again, your financial institution has set up these questions to protect your account. They would never call or text you asking you to divulge these answers. It’s always the reverse: they ask you to answer these questions when you call them — not the other way around.

Attempts at fraud are increasingly sophisticated. Criminals have access to programs that can “spoof” a financial institution’s actual fraud-line phone number, so caller ID will appear to come from a legitimate source. Web domains can be set up quickly and look virtually identical to legitimate websites. Criminals are depending on the people they target to be upset at the possibility that they’ve been a victim of fraud, causing them to react rather than pausing and thinking.

If you or your employees are ever on the receiving end of a text message or phone call from someone saying they are from a financial institution’s fraud department, have your guard up. Remember that legitimate contacts will never ask you to divulge account-protection information, such as a one-time PIN, or the answers to your challenge questions, and they won’t pressure you to respond within a few minutes. Hang up and contact your financial institution by typing in its URL (do not click any links provided), or contact the firm through its official app on your smartphone.

Finally, mobile-phone carriers recognize the threat, and we can help them build an effective database by forwarding suspected spam messages by texting 7726 (SPAM). This will allow them to develop better tools to block spammers in the future.

Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.

OPINION: Albany Democrats Push Mail-In Ballots After Voters Rejected Them

Opinion, Subscriber Only

Gov. Kathy Hochul and her political allies have made great efforts to convince New Yorkers they are motivated by improving our democratic processes, but actions speak louder than words. The push to widely expand mail-in voting runs contrary to what voters expressed in a statewide referendum in 2021, yet New York State is prepared to

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

The move, while portrayed as a way to “protect democracy” and increase voter participation, is motivated entirely by political considerations. Access to absentee ballots already exists. In-person voting is an important part of our democracy, and it represents the best way to combat voter fraud and other electoral foul play. We know this to be the case, and voters in New York made that clear by overwhelmingly rejecting mail-in ballot expansion when it came up just two years ago.

In our system of government, the voice of the people takes priority above all else. Our electoral process is built on the principle that what happens at the ballot box determines the course of action. On mail-in ballots, the results of the 2021 election were deliberately overturned, and New Yorkers should be very concerned.

Luckily, Democrats’ bold-faced rejection of our most fundamental democratic principles will likely be blocked in court. It is clear that in order to actually expand mail-in voting a constitutional amendment is needed; that is the reason it appeared on the ballot in the first place. Now, time, energy and resources are going to need to be wasted to restore election procedures that never should have been tampered with in the first place.

These changes represent a troubling pattern where New York’s election laws are being turned upside-down. In addition to the expansion of absentee voting, recent laws to move local elections to even-numbered years and dictate where constitutional challenges to election outcomes can occur have also been pushed onto an unwilling electorate. These measures will undoubtedly drown out local issues and favorably impact the governor and her allies, and one can only wonder if they would even be on the agenda if not for their political value.

The motivation behind these changes is obvious: preservation of New York’s one-party rule. Forcing through a law that was summarily rejected at the ballot box is bad enough. Claiming to be doing so in the name of democracy is a level of disingenuous political rhetoric we haven’t seen in quite some time.

William (Will) A. Barclay, 54, Republican, is the New York Assembly minority leader and represents the 120th New York Assembly District, which encompasses all of Oswego County, as well as parts of Jefferson and Cayuga counties.

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Get our email updates

What's New

Upcoming Events

Project Homecoming Job & Career Fair 2025

Annual Nonprofit Conference 2026

2026 CenterState CEO Economic Forecast Breakfast

CNYBJ Job Board

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get our email updates