Security has always been close to the top of tech firms' areas of focus. But a wave of headline-grabbing incidents in recent years, from Russian hacking in the 2016 U.S. presidential election to phishing and ransomware attacks on financial institutions, has put the issue in the spotlight across all industries.
"We're definitely seeing a heightened attention to cybersecurity issues in many parts of our business," said Charlie Kawasaki, Chief Technical Officer at Tigard-based PacStar.
Partnering with major IT and communications product manufacturers like AT&T, HP and Cisco, PacStar develops technology for wireless tactical communication networks, enabling U.S. military personnel to communicate in hostile environments around the world.
But there's an increased awareness among clients and vendors that the IT infrastructure that firms like PacStar provide is itself a target for attack by sophisticated hostile actors, Kawasaki said. And the time has passed when enterprise clients would simply pass off their network security needs to managed services providers without questioning how they plan to protect company data.
"It's more than just ensuring that military networks are secure. It includes ensuring that PacStar networks are secure, the networks we use to conduct our business. There's a heightened concern about supply chains and protecting them from attacks through our suppliers," Kawasaki said. "Everybody is seeing a tremendous uptick in concern over these issues. Partners are requiring assurances from other partners about their security practices."
These issues extend far beyond the military and big banks. PacStar and other regional tech firms are seeing companies of all sizes struggle to fend off phishing, malware and other attacks. And some of those companies happen to be on the front lines in developing software and workplace solutions to these problems.
Auth0, based in Seattle, and with a large Portland presence, authenticates more than 2.5 billion logins each month, and has prevented more than 1.3 million malicious logins to its clients' networks since the Identity-as-a-Service provider's 2013 launch.
"There is a constant evolution with how people authenticate," said Joan Pepin, Chief Information Security Officer and Vice President of Operations at Auth0.
Auth0 protects its thousands of business customers by developing a wide swath of custom authentication and authorization platforms for web, mobile and desktop applications. Its technology lets users validate or restrict logins to their sites using a range of criteria like user location, IP address, rules-based behaviour and multi-factor authentication. Its software also performs continuous vulnerability assessments to help companies identify and fix security flaws.
"We're doing that work, but we're running around a lot on the back end, implementing things like zero trust," Pepin said.
"Zero trust" is a paradigm shift in IT, building on the older idea of a segregation of duties among computer programs and servers. While segregation structures a company's servers so none is so vital that it could take down an entire system if compromised, zero trust assumes a system is already potentially compromised, and subjects any user to extremely strict identity verification requirements, even if he or she works for the company.
"It's about how you still conduct business assuming any bit of a network could be compromised at any given time, as opposed to assuming everything is operating perfectly," Pepin said. "The next phase is how can we operate securely even if we've been partially breached?"
It's a key question, as more and more personal data like hospital records and bank transactions move online. And businesses' embrace of the zero trust model speaks to their concerns about how best to handle the increasingly sensitive data moving through their systems.
More than 92 percent of respondents to a survey of corporate executives last year listed information security as a key concern for their company. Just 8 percent of the more than 1,400 corporate executives worldwide surveyed by business advisory firm Ernst & Young said their security functions fully meet their company's needs.
Nearly two-thirds of the respondents said they expected to increase their cybersecurity budgets by 5 percent or more this year. Fifteen percent said they planned to increase spending by more than 25 percent, compared to just 4 percent who said they planned to cut back. And nearly 40 percent of respondents acknowledged they would be unlikely to detect a major data breach if the hacker used a sophisticated method.
But companies' greatest threats may come from their own employees.
Phishing attacks have been a persistent threat in recent years, as hackers have managed to install malware in network systems by getting an employee to open a seemingly harmless email or download an attachment.