The National Security Agency (NSA) awarded Metro State University $1.45 million to kick-start a cybersecurity clinic that will help Minnesota institutions respond to cyberattacks.

Small businesses, nonprofits, schools and government organizations in the state will be able to visit the clinic for free cybersecurity consulting and resources from students at Metro State starting in mid-2024.

Cyber-crime is growing exponentially, and the cost of these attacks is predicted to reach $8 trillion in 2023, according to a Cybersecurity Ventures report.

Minnesota is far from immune: Large organizations like Target in 2013 and the Minnesota Department of Education this spring have faced major data breaches.

Minneapolis Public Schools was the victim of of a ransomware attack and refused to pay a $1 million ransom to recover sensitive files. The exposed data included personal information and even records on abuse and sexual assaults, all exposed online.

Simple security measures can help deter many common cyber crimes, from ransomware attacks to identity theft to phishing. Email hacking is also one of the most financially damaging cyberattacks a business can face, according to the FBI.

Small businesses are especially vulnerable to cyberattacks, according to Kyle Swanson, dean of Metro State's College of Sciences, who predicted most small businesses will have some sort of weakness and vulnerability to data breaches or attacks.

"Small businesses don't have the bandwidth to deal with this," Swanson said. "If it's a single entrepreneur, for example, they don't have a full-fledged cybersecurity staff to help them work through all of this stuff. In many situations, small businesses haven't thought through a lot of the underlying vulnerabilities that they have."

Cyberattacks cost organizations more than just data. They also lose money from paying ransoms and legal fees, handling repairs and providing credit monitoring to compromised customers or employees.

Minnesota businesses will be able to work with a team of three students for half a semester at the St. Paul clinic. Cybersecurity students will assess weaknesses in a business' software and computer usage and write a report and action plan for the organization.

The university's cybersecurity program is already growing, Swanson said. But the grant money will allow students — especially those who are socio-economically disadvantaged — to gain more hands-on experience with cybersecurity challenges in the business world.

"What we're trying to accomplish here, and what this grant seeks to do, is to provide students with the types of experiences during their college education that really will prepare them to walk into that first job and really be a strong contributor right off the bat," Swanson said.

The program will start small, with about nine to 12 students serving 10 businesses for free in the first year.

Eventually, Swanson hopes to keep the clinic running as a part of the cybersecurity curriculum after that first year trial, with 30 to 40 students working with 20 to 30 businesses in a school year. The NSA grant will keep the clinic open for two years at least, with funding potentially available for a third if the center performs well.

"The hope is that we'll be able to spin this up to a much higher level of activity relatively quickly," Swanson said.

The NSA selected Metro State's proposal for the clinic from an application pool of 400 universities. It is one of three universities — along with Louisiana State and Marymount — receiving NSA funds to launch cybersecurity clinics.

Students will consult and inform business owners about best practices for cybersecurity. Specific needs will depend on the type of business but will start with policies, staff training, how the organizations treat client data and backing-up computer information.

"We won't know until we actually start digging in," Swanson said. "But I think that most businesses are going to show vulnerability."