- File: Michael Tonn
Many people were surprised by the wide-ranging consequences of the ransomware attack that hit the University of Vermont Medical Center last year.
But not Justin Fimlaid, founder and CEO of the Colchester cybersecurity company NuHarbor Security.
"What we saw at UVM, we've seen elsewhere," Fimlaid said. The hack paralyzed scheduling for weeks and delayed some patients' care. It cost the hospital millions and caused a cascade of problems across the UVM Health Network that took months to resolve. "I wish it weren't the case," he added.
Fimlaid launched NuHarbor in 2014 after leaving his information security job at Keurig Green Mountain. He quickly found his new company's services to be in high demand.
Its success is due in part to an uncommon approach. While many companies offer to help businesses prevent cyberattacks, NuHarbor provides constant monitoring.
NuHarbor assesses a client's vulnerability by launching its own benign cyberattack against the company's software. It can then install protective measures and train workers to recognize phishing attacks such as the one that led to widespread problems at UVM Medical Center. NuHarbor also helps clients choose cybersecurity insurance policies.
"We're trying to change the industry," Fimlaid said. That means the customer doesn't have to worry about what has happened since the last time NuHarbor performed a systems analysis. "Instead of making it a once-a-year activity, let's change how we deliver it and do it continuously."
That approach landed NuHarbor on Entrepreneur magazine's list of most entrepreneurial companies in America in 2017 and 2018, an honor bestowed upon those who "are mastering the art and science of growing a business."
By late 2018, the company needed to move out of its Essex Junction offices to a larger space in Colchester. NuHarbor has 90 employees and is still expanding: Fimlaid expects to hire about 60 more people by the end of 2022.
Some clients hire NuHarbor to prevent breaches. Others are required to undergo security testing and training by their insurer or their own customers.
And some clients are the unfortunate ones that call after an attack. Fimlaid wouldn't identify NuHarbor's clients, citing confidentiality.
"Sometimes we can help, and sometimes we can't," Fimlaid said. "In all cases, it's hard to un-ring a bell." He added, "I can tell you real horror stories."
The UVM Medical Center ransomware attack in October 2020 was one highly publicized horror story.
To protect patient data, hospital IT staff had to take down the network's electronic health records system, Epic, as well as employee email and internet connections. IT experts then had to rebuild the infrastructure before reentering backed-up files and data. They also had to scan and clean 5,000 computers. The hack ultimately cost the health network upwards of $50 million.
NuHarbor wasn't called in to help the hospital, but the frequency of such high-profile attacks has helped the company to grow.
The global research firm Gartner predicts that companies worldwide will spend more than $150 billion this year on information security and risk management technology and services. The research company PitchBook reported over the summer that, by midyear, cybersecurity companies had raised $9.9 billion in venture capital worldwide, almost as much as they raised in all of 2020.
The pandemic-era rush to remote work and cloud-based storage — both of which can expose companies to additional risk — has further propelled the expansion of the industry, according to Gartner.
It's not clear how many cybersecurity companies are based in state. Jeff Couture, executive director of the Vermont Technology Alliance, said many of the state's IT companies provide some security services.
Several large cybersecurity companies are located in metro areas such as Washington, D.C., which is home to a deep pool of prospective employees with the right skills, said Scott Stevens, a dean of the Division of Information Technology & Science at Champlain College. But, he noted, it's becoming more common for cybersecurity firms to employ a remote workforce and operate outside major cities.
Champlain College places interns studying cybersecurity with NuHarbor. Stevens said the typical starting salary for a student who has completed an internship is $70,000.
"They're snatched up pretty quickly," he said. (See "Wanted: Cyber Sleuths").
NuHarbor employs 35 Champlain College alumni and nine from the University of Vermont. The company has small offices in Boston and Washington, D.C., but Fimlaid, who grew up on a farm in New Hampshire and lives in Stowe, said he's determined to keep the company's main office in Vermont. He is still the sole owner of the business.
Over the last few years, NuHarbor has received nearly $325,000 in training and hiring incentives from the state, according to the Agency of Commerce and Community Development.
Fimlaid doesn't expect to have any trouble finding workers to get his staff levels up to 140 or 150 by the end of next year. Some will be remote, but he wants most to work from Colchester.
"Keeping payroll in the state is the true economic value for the state," he said, "and we're committed to trying to do that."