One year after its creation, the nonprofit National Cybersecurity Center (NCC) has successfully mitigated cyberattacks faced by a number of SMBs, nonprofits, and state and local governments.

The NCC was created by Colorado Governor John Hickenlooper in 2016 to bridge the gap between cybersecurity tactics used in the public and private sector, providing education, training, and response services. It has mitigated about 90% of the attacks that have been reported to it, said Ed Rios, CEO of the NCC.

“About three-quarters of them are simply from user error and mistakes made by employees,” Rios said. “They’ll click on the wrong URL, they’ll open a page that they shouldn’t open, they’ll reply to something they shouldn’t reply to, and allow the malware in, unintentionally.”

Clearly, education and training must be a priority, Rios added, and should be ongoing as threats continue to evolve. In one case, a nonprofit contacted the NCC because about 560 W2 forms were stolen and placed for sale on the dark web. The center was able to determine how the records were taken: Through an email scam. It also offered training for the nonprofit on how to recognize and avoid these attacks in the future.

SEE: How to set up two-factor authentication for your favorite platforms and services (free PDF)

The center is comprised of three pillars:

1. Rapid Response Center (RRC): This center provides information sharing and breach resolution. It is currently accessible during business hours, though it will eventually be available 24/7, Rios said. “We provide initial assessment of potential breach or hack, and provide options for mitigation if it is determined to indeed be a breach,” Rios said. “Then we offer a set of solution-providers that are nonprofit and for-profit organizations that participate with us.” The RRC can be reached by dialing 877-90-CYBER.

2. Cyber Research, Education, and Training Center: This center is affiliated with several K-12 schools, universities, training organizations, and companies, and offers education and training programs to develop a high-level, robust cyber workforce.

3. Cyber Institute: This is a think tank focused solely on cyber issues. It includes C-suite and board-level training to help executives better understand cybersecurity and its consequences for businesses. “It’s not just the basics of Cyber 101, but issues associated with cyber law, cyber insurance, cyber budgeting, cyber communications, and those type of activities that are a bit higher level on the executive scale and require consideration for a small or medium business or a state or locally-elected official,” Rios said. The think tank also supports the development of state and national cybersecurity policies, strategies, and legislation.

Members of the C-suite are increasing their knowledge of cyber in recent years, Rios said. “In my communications with them, about 50% of them can discuss it and 50% really don’t know enough to even have a discussion,” he added. “It’s moving from the server room to the boardroom, clearly.” This is driven by statistics that show a single breach can cost about $9 million in resolution and mediation, Rios said, which can be devastating to a small or medium business.

SEE: Learn Website Hacking and Penetration Testing From Scratch (TechRepublic Academy)

However, since many board directors do not have a technical background, communication challenges abound between the board and the CIO or CISO, Rios said. “Boards should include the CISO or CIO, or should be conversant enough to translate,” he added.

The cybersecurity workforce shortage remains a key issue for many organizations and governments that the NCC aims to address, Rios said. Colorado alone has 10,000 job vacancies in the cybersecurity field. “It’s essential that we look at this from a different perspective,” Rios said. “Traditionally, we looked at it from a formal education standpoint, that you need a four-year degree in computer science or software engineering, whereas some of those skills can be taught by certificate at a very tactical level.”

Since cyber still isn’t well understood, companies often require certain educational or technical background that isn’t actually necessary to do the job. “We need to fix that,” Rios said.