Experts discuss current, future cybersecurity concerns with students at panel
Understanding people is as important as understanding technology when it comes to cybersecurity
Experts discuss current, future cybersecurity concerns with students at panel
When Jamie Tolles and Mike DeZenzo were Farmer School of Business students, there was no cybersecurity program in which to get a degree. But both alumni have taken the knowledge they learned at Miami to the front lines of the ongoing fight to keep important data and systems safe.
“Before ransomware really took off, we were investigating state-sponsored activity, stealing intellectual property, stealing information in advance of business deals, government deals,” Tolles said. “Then ransomware came along eight or so years ago, and that really started to take off with more financially motivated threat actors. It used to be more credit cards, Social Security numbers, but now they're encrypting and locking up entire businesses and holding them hostage.”
“Insider threats are a big space that I play in. There are disgruntled employees and companies. Maybe they didn't get the job they wanted, and they will end up sabotaging a network or taking data to their next job. So, a big part of my job today is having analytics to catch those folks in the network who might be up to nefarious things,” DeZenzo said. “You have nation states, you have the hacktivists who have more ideological reasons, but the big one is financial crimes. That's probably 80% of the attacks we're seeing is folks who are financially motivated.”
Tolles is Vice President for Incident Response at IDX, a leading cyber response and consumer protection company. DeZenzo is a director in Data Protection at BMO Financial Group. The pair were the speakers at the 2025 Cybersecurity Panel at the Farmer School, where they discussed their current roles and what they see as future threats.
“We tend to see fewer attacks in the more regulated groups, because they are typically invested more in cybersecurity. So, the larger banks are investing a lot of resources, human effort, everything, to help protect and level up their security,” Tolles said. “But I've seen a lot of law firms, professional services companies, doctors, offices, schools, industries, manufacturing targeted for ransomware. They've been really successful targeting those companies. They're really trying to get paid.”
“We're seeing a big thing around third party suppliers. They select some IT service provider to run their computers and their cloud, but maybe they don't have a great cybersecurity program. What ends up happening is the service provider might get compromised, the attackers hit the supplier, and then they pivot over to the main company’s environment,” DeZenzo explained.
The pair noted that changes in technology have made systems more secure, but hackers are finding new ways to get what they’re after. “In the past, you had on-premise architectures, meaning you're actually running big, giant computers and server rooms. Now, you have to protect all these different disparate cloud environments and your on-premise environments,” DeZenzo said.
“You should have multi-factor authentication, but it's not a be-all, end-all solution. It's not a panacea,” Tolles noted. “Threat actors now have gotten really good at stealing the token after a cookie in your browser gets installed when you've logged in to one of their fake phishing sites.”
The executives also talked about the power that AI can bring to cybersecurity, both good and bad.
“Phishing messages are getting a lot better. They can use spell check. They can make it very more natural English flowing in terms of the message itself, they can also send that in even more ways. They're figuring out ways to send text messages,” Tolles said. “Threat actors are shrinking the amount of time it takes for them to actually exploit that and figure out who's vulnerable.”
DeZenzo told students that he sees three components to thinking about AI:
- How are attackers using AI?
- How are you using AI for security?
- How are you securing AI?
“We're seeing lots of CEOs getting impostered on social media, or voice clones on phone calls to basically say, ‘Hey, I need $25 million ransomed or wired to this account,’” he said. “It's also making research a lot easier. So maybe if the attackers know something about the environment, they can do quick research to figure out what to do.”
“It's so easy to do a voice clone now and contact people,” Tolles noted. “So, you should have some kind of safe word with your family members, or some kind of thing that you can reference that somebody else wouldn't know. So, if you really are in trouble, they can validate who they are talking to.”
Both noted that while cybersecurity sounds very technical and computer-based, that knowledge isn’t necessarily the most important aspect to learn.
“I'd say a lot of the things that Mike and I do now, it's not really that technical. It's a lot more people management understanding, how to relay ideas to management boards, things like that,” Tolles said. “I would say that at Miami, we learned a really good foundation on several different disciplines, and that actually helped us carry us forward in our careers.”
