Guarding Against the Next Cyberattack

In light of St. Paul’s recent cyberattack—plus the growing litany of cyber scandals—we asked the MN Cyber Institute’s executive director to explain where systems fail.

Last week, a breach of St. Paul’s internal systems prompted Gov. Tim Walz to call in the National Guard’s cyber protection team. The cyberattack precipitated a full network shutdown and disrupted city services. The city is still grappling with the damage: The St. Paul City Council last Friday voted unanimously to extend Mayor Melvin Carter’s state of emergency, which he declared last Tuesday, for 90 days. On Monday, North St. Paul reported its own cyberattack, too.

Such incidents are becoming more common and more costly. And that’s where Faisal Kaleem is trying to step in.

At Metropolitan State University, the computer science and cybersecurity professor leads a statewide cybersecurity initiative that has locked these problems in its crosshairs. Kaleem established the school’s MN Cyber Institute in 2018. It includes the Cyber Range, a lab Kaleem compares to a flight simulator, where students on a “blue team” try to thwart an infiltrating “red team.”

“They are doing exactly the same thing” as the National Guard, he says. “They are basically going through tons and tons of ‘lock files’ and performing the forensics analysis to really find out what happened and who was behind it.”

In other words, they’re training to monitor and fight the sort of systems-toppling bandits that have cost St. Paul a yet-untold amount of money.

Earlier this year, Metro State became one of just 23 schools distinguished by the National Security Council as a National Center of Academic Excellence in Cyber Operations. That means it leads the Upper Midwest in the country’s cybersecurity efforts at a crucial time.

Cyberattacks have sharply increased over the previous year. That’s according to Verizon’s 2025 Data Breach Investigations Report, which analyzed more than 22,000 security incidents. The result is “a concerning threat landscape for businesses globally.”

The “threat landscape” resembles a mashup of vulnerabilities—so many openings for human error amid organizations’ far-extended security systems, beset by AI-assisted cybercriminals.

And the impacts have deepened. In the United States, the average cost of a data breach surged to an all-time high of $10.2 million last year (between March 2024 and February 2025). That’s a 9% rise over the previous year, according to IBM’s Cost of a Data Breach Report.

On the business side, a subsidiary of the Eden Prairie-based UnitedHealth Group experienced a major breach last year, compromising the data of an estimated 190 million people—more than half the U.S. population. Another massive attack, in July, targeted the Golden Valley-based Allianz Life. And a cyberattack on United Natural Foods left grocery shelves spotty nationwide back in June.

“With the advent of AI, this basically is getting completely out of control,” Kaleem notes.

Here, he describes some of the biggest factors putting businesses and other organizations at risk—while providing resources for small businesses, too:

Cyber Hygiene

It’s cliché for a reason: “Using a weak password is the strongest vulnerability I can say,” Kaleem says. He’s referring to passwords that are commonly known or simple enough to break within seconds. Multi-factor authentication, while annoying for users, “should be mandatory for everybody.”

Another vulnerability concerns infrastructure. A business may neglect to update its cybersecurity system or administer a patch in time. Relatedly, there’s “alert fatigue.” It can be easy to miss or neglect the warning signals. “You get burnout in cybersecurity teams.”

The Verizon report backs this up: The leading “initial attack vectors” continue to be credential abuse (as in, the unauthorized use of login credentials) and exploited vulnerabilities, at 22% and 20% of cases, respectively.

Breaching data through exploited vulnerabilities—that method has grown by 34% over the past year.

“I always tell my students one thing,” Kaleem says: “When it comes to cyber security, an attacker just needs to find one vulnerability”—one unpatched device or oblivious employee—“to enter into the system.”

Growing Complexity

Take a step back, and the cyber landscape looks more and more convoluted.

“The increasing complexity of supply chains, coupled with a lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organizations,” the World Economic Forum stated in this year’s Global Cybersecurity Outlook report, which surveyed 409 business and cyber executives from 57 countries toward the end of last year.

“Complexity is the enemy of security,” Kaleem says. The bigger it is, the more difficult it is to inventory and monitor. “When you talk about large enterprises, like Optum or UnitedHealth Group—they have sprawling IT environments that could involve legacy systems, cloud applications, multiple vendors, global networks.”

Verizon’s report this year shows such cases are on the rise. Third-party involvement in breaches doubled to 30% over the previous year. In such cases, attackers access sensitive information through a third party—a supplier, a service provider, or a vendor, for example.

Understaffing

Then, there’s a workforce problem. Kaleem estimates there are half a million cybersecurity jobs open nationally. He recalls about 6,500 jobs open in Minnesota. In other words, there aren’t enough qualified cybersecurity professionals out there.

The World Economic Forum reports the global cyber skills gap has widened by 8% since last year, with estimates of a shortfall ranging from 2.8 million to 4.8 million cybersecurity professionals.

The AI Problem

AI abets cyber crime in obvious ways. ChatGPT can draft phishing emails without conspicuous grammatical errors. It can personalize messages based on information scraped from LinkedIn. Synthetically generated text in malicious emails has doubled over the past two years, per Verizon’s report. And last year saw a sharp increase in phishing and social engineering attacks, according to the World Economic Forum.

Meanwhile, with voice-cloning “deepfakes,” cybercriminals can misrepresent executives in new, creepy ways. In January, a UK-based energy subsidiary fell prey to such trickery, with deepfake audio mimicking the parent company’s CEO. “We are talking about a loss of 220,000 euros,” Kaleem says, “and it was all done by a phone call using AI-generated voice”—appropriating tone, even a slight German accent, he notes.

Businesses may want to use AI to facilitate cybersecurity. But there’s a concerning “paradox” at play here, per the World Economic Forum. Regarding new technologies, 66% of organizations said AI tools would affect cybersecurity the most in the next year. Only 37%, though, reported they had processes in place to assess the security of those tools.

Cost

Among barriers to a proper cybersecurity system, “financial is the biggest,” Kaleem says.

Kaleem wants to help fix that with a new security operations center at Metro State. Construction is done, he says, and the technology stack is being finalized. The goal is to extend the university’s MN Cyber Clinic, which last year began providing free cybersecurity service to small businesses, nonprofits, schools, and government organizations. At the new center, “students are going to be monitoring [clients’] networks—obviously, under some professional supervision.”

The center expects to offer low- to no-cost service. “It’s going to be a better option as compared to … some private security operation center, where they’re going to be charged tons of money.” Some schools, he says, don’t even have finances for anti-malware software.

He is pitching legislators for funding, following a cut to the National Security Agency grant that Metro State used to launch its clinic services, Kaleem says: “You are getting low-cost, no-cost, centralized monitoring for all these underserved clientele and, at the same time, you are preparing the next generation of startup professionals for the state of Minnesota and for the nation.”

Resources for Businesses

  • cisa.gov – The Cybersecurity & Infrastructure Security Agency has “plenty of resources that small businesses can utilize just to perform basic hygiene,” Kaleem says.
  • cisa.gov/shields-up – “Shields Up!” offers guidance specific to organizations (of any size) as well as corporate leaders and CEOs.
  • cisa.gov/stopransomware – “Stop Ransomware” offers guidance for malware designed to encrypt files, which renders the files and their systems unusable unless a ransom is paid.
  • ftc.gov/business-guidance/small-businesses/cybersecurity/basics – “The Federal Trade Commission has very nice advisors, and there’s cybersecurity stuff for small businesses.”
  • staysafeonline.org – Resources from the National Cybersecurity Alliance
  • Metro State’s MN Cyber Clinic, metrostate.edu/mncyber/clinic, email cyber.clinic@metrostate.edu – “The clinic is here, although our grant is done,” Kaleem says. “We are still running because we feel like this is something good for Minnesotans. So, if there is any small business or anyone who’s interested in having us perform a free cyber skill risk assessment, to highlight their cyber exposure, they can come to us.”