Cybersecurity symposium looks at role of AI as hackers, tactics evolve
Experts discuss how big the threat is and what the solutions are.
In Hollywood, cybersecurity attacks seem to be spotted and battled in mere minutes. But Jim Fowler, chief technology officer at Nationwide and a 1994 Farmer School alum, told students that the reality is not nearly so speedy.
“The median time to detect within the industry today is about 204 days. So think about that. You've been attacked,” he said. “Think about the amount of information they can collect, the amount of damage they can do.”
And dealing with an attack isn’t quick either, Fowler said. “Once the detection is over, then you move into the time to contain. It takes on median 73 days. So 50 percent of companies can contain the attack within 73 days. Two months to really get your arms around a bad actor who's in your systems that's actually trying to disrupt you,” he said. “And then time to remediate, to actually get them out of your environment -- median range is from 82 to 200 days.”
Fowler and Mike Jones, VP of Cybersecurity Shared Services at Nationwide, took part in the FSB Information Systems and Analytics 2024 Cybersecurity Forum at the Farmer School of Business to discuss cybersecurity in the age of artificial intelligence.
Jones said that AI is both a potential burden and a potential boon for companies battling would-be hackers. “We're going to have people that are attacking us with AI bots. We need to have the same in response. All of that response work now has to be built into engines that are making decisions automatically, not requiring a human to be in the loop to be able to protect us,” he said.
“If you think about the AI side of it and layering on automation, a lot of that mundane work is going to be done from an AI perspective,” Jones said. “When you think about alarm anomaly detection and being able to use AI capability to put your arms around an issue without a typical cybersecurity engineer seeing eyes on glass, that is going to be critical. And we're already seeing tools in the environment, actual solutions that a lot of vendors are putting forth that actually do just that.”
Fowler and Jones talked about some of the better-known cybersecurity attacks, such as the 2013 Target data breach and the 2024 United Healthcare ransomware struggle. But Fowler noted that AI isn’t just an issue in broad cyber attacks.
“One of the biggest things we're seeing right now is fraudulent claims that are coming in with deep fake-created insurance claims. I'm going to buy an insurance policy this week and in two weeks, my car is going to miraculously be in an accident and I'm going to send you the photographs, because we don't necessarily send somebody out to your house, and they're manufacturing what the claim would look like. We're seeing that with home claims coming in on the retirement side. We're seeing people calling in portraying you trying to get money out of your account,” he said.
“We actually run a piece of software that not only listens to your voice, but it actually looks at where you're calling from, the quality of your call, and what we would expect it to be based on who you are, all to decide whether or not we're going to believe that you are who you say you are,” Fowler said.
Fowler and Jones asked the students what they would do in a particular situation: Imagine that you are the CEO of a publicly-traded Fortune 500 company based in the United States. Your annual revenue is about $10 billion. You've been growing at a 10 percent clip and you've been infiltrated. A bad actor has infiltrated your network, it's obtained access to all of your transactional systems. They've downloaded all of your customer systems, they've encrypted your systems, and they've asked you to pay a $20 million ransom.
About 73% of students said they would not pay, but Fowler said the real world sees things differently these days. “I can tell you for most of the large events that you've seen in the past two years, most everybody pays. The downside for a $20 million payment, when you are a $10 billion a year business, you are probably losing more in a week’s time of outage,” he said. “And what you also need to understand about the actor on the other side is that they want to serve you, because they know that if they extort you, the next people won't pay.”
Fowler explained that in a world that has a $105 trillion gross domestic product, the groups that run ransomware attacks account for nearly $8 trillion themselves. “These places have call centers. If you pay the ransom, they'll actually put you on the phone with their folks that will actually help you unencrypt your systems. They will guarantee you post-access tech support to be able to get them to come in. And if you don't get all your data back, they'll help you figure out how to get the rest of it back,” he said.
Fowler and Jones talked about the job roles that Nationwide hires for in information technology, how to prepare for future careers in upper management, and some recommendations for students:
- Become an expert in something
- Take on the needed jobs that no one else wants to do
- Be willing to take risks
“I'm excited to see the level of interest you have in the topic, and I look forward to seeing some of you in IT at Nationwide,” Fowler said.