Angela Hill offers a unique perspective in providing cybersecurity and general I.T. services to clients. Hill went to work with the U.S. Navy after 9/11 as a military intelligence analyst and a federal contractor for organizations including the Central Intelligence Agency, Defense Intelligence Agency and the National Geospatial-Intelligence Agency. As a civilian, she served as CEO of family-owned Jadex Strategic Group in Spring Lake, which she exited in July. Hill now works for Makwa Global LLC, where she helped build out a cybersecurity and I.T. division for the federal contractor and tribal enterprise of the Mille Lacs Band of Ojibwe. She has also established Navajar LLC, where she currently offers one-on-one consulting for a variety of I.T. needs. Hill spoke with MiBiz about what her experiences taught her about foreign actors and how they might be a threat to businesses of all sizes and industries.
How does your military intelligence experience give you a competitive advantage in the I.T. space?
I worked in human intelligence. Foreign services have vast amounts of money. They have people on the ground. You might have heard about some of the recent Russian spies they’ve identified in D.C., where someone in the Navy was giving them details on sensitive systems and things like that. That’s the forgotten piece in cybersecurity: A lot is that human element, and that’s the perspective I bring to the table. I can really look at an organization, who their clients are, what services they’re providing for the government, and say this is why a foreign service could collect on you.
What are some of the initial steps to shut down foreign actors and other cybersecurity threats?
The first thing we need to do is educate these very small mom-and-pop businesses on why their information is important and how they play a bigger piece in the puzzle of intelligence gathering. That’s really what’s happening from a nation-state perspective. … These intelligence services, generally, they’re collecting information on everything from logistics to our roadway, infrastructure, technical details. Whatever is out there publicly through what we call open-source intelligence methods, they’re going to collect that information and use their human tactics to collect additional information.
Is the threat — at least from foreign actors — confined only to businesses that work directly with the government?
I think it applies to all U.S. businesses. You don’t have to work for the government; it’s who you know. I did a presentation once a few years ago when I first started my business. I basically asked the room if they’ve worked in any of the 16 sectors that are considered critical infrastructure in the United States and everyone raised their hands. They’re not all doing work for the government, but almost everyone was in one of those buckets. I was like, ‘Guess what: You’re a target.’
Regardless of industry, how should small and medium-sized businesses approach cybersecurity?
I think organizations today are in fight-or-flight mode. When (a breach) happens, then they’ll think about it, but they’re not really doing anything proactively. The issue is: You’re going to be targeted at some point, whether it’s a phishing attack or something else. The thing about these foreign services or these spy organizations is they don’t want you to know. You may never know you’re being targeted. They’re not trying to disrupt your day-to-day (operations), they’re just trying to collect information.
What will push more businesses to take proactive cybersecurity measures?
There is a lot of cybersecurity awareness out there and professionals in the field, but honestly, the C-suite needs to start educating themselves a little bit more on the threats while understanding the value of their relationships and the information they create or obtain.
What’s an appropriate first step in bolstering a company’s cybersecurity posture?
I think the first step is providing education — security awareness training — whether you’re working with your own I.T. professionals and your staff and asking them to help you create the curriculum or using your (managed service provider) that already offers those services. When you’re working for the government, it’s a requirement. For just normal businesses, it’s not. It’s probably not something they’re thinking about at all until they’ve had some sort of phishing attempt or social engineering attempt on the organization.
Why is training so important?
Humans are the weakest link. You always hear that in cybersecurity. The error is almost always the human error. If anything, their I.T. department is doing the right thing but most of the breaches have come from some sort of human error, whether they gave information away or clicked on a link. It typically starts with that, which is why we always stress security awareness training.
What’s your assessment of what appears to be a male-dominated I.T. industry?
I 100-percent would say it’s a male-dominated industry. But, there are a lot of amazing women in the I.T. and cybersecurity space, too. I’ve actually joined a couple of different I.T. groups where I am surrounded by other women professionals. … You do feel like the odd man out and there can be events tailored more toward that male workforce. I’m also a minority, so I don’t see many minorities in this space, especially in West Michigan. … The statistic is around only 7 percent of African Americans or Latin Americans typically make up the technology space. We need more education in those communities, helping them understand the value and enrolling their kids to these types of science, technology and math courses if they have an interest.