Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

"In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

— David McLaughlin, President and CEO, Columbia Advisory Group Tweet

DALLAS, TEXAS, UNITED STATES, June 13, 2022 / — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode will allow clients to one-stop-shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must simultaneously upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise to understand, contain and prevent them. This capability requires increasingly scarce competent cybersecurity leadership and specialized, virtual Security Operations Center (vSOC) services that can investigate problems in real-time and provide visibility across the enterprise of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from our expert Extended Detection and Response capabilities. Offices in the Americas and Europe. Learn more at or connect with us at

Civil Cyber-Fraud Initiative by the US Department Of Justice (DoJ): Everything You Need to Know!

The US Department of Justice (DoJ) has officially launched its new Civil Cyber-Fraud initiative. It enacted the legislation to strengthen cybersecurity standards among contractors undertaking government projects and receiving federal funds and other grant recipients such as universities. Such organizations and beneficiaries need to address cybersecurity risks and report breaches to comply with the latest legislation and regulatory guidelines

The new Cyber Fraud Initiative from the US Department of Justice brings together the department’s expertise in civil fraud enforcement, government contracting, and cybersecurity to counteract existing and growing cybersecurity risks to confidential material and safety infrastructure. The Department of Justice is working to improve the resilience of the country and its critical information infrastructure (CII) against increasingly sophisticated cybersecurity threats via new reforms was much needed to ensure the protection of trade secrets, Intellectual Property (IP), proprietary knowledge, trademarks, and copyrights, protecting the privacy of all stakeholders involved, and preventing sensitive and confidential information from falling into the hands of threat actors. This will ensure that taxpayers’ money is used diligently and will also help build public trust in the system in safeguarding their valuable information assets.

Cyber Fraud: Some Key Statistics

According to AtlasVPN, the damages to organizations by cybercrimes from 2019 to the current time have increased by 37.4% with each passing year. Further, the rate of cybercrimes will increase by over 40%.


Some of the vital cybercrime statistics in the US and around the globe shows how threatening and challenging cybercrime has become:

  • FBI’s IC3 reported complaints in 2020 contained over 241,342 phishing, 76,741 extortion, and over 45,000 personal data cyber breaches.
  • Malicious actors attack 1/5th of educational institutions and universities, with 65% of data breaches targeting higher-education centers.
  • 2022 will be the year for misinformation campaigns surrounding cybercrimes, which will become the new attack vector.
  • Cybercrimes are ever-increasing and are estimated to cost $10.5 trillion per annum to businesses by 2025.

The New Civil Cyber-Fraud Initiative By The US DoJ

The new Civil Cyber-Fraud Initiative will use the False Claims Act to investigate cybersecurity-related misconduct by government contractors and those receiving federal grants and funds. The Act also incorporates the “whistleblower” clause that permits individuals who volunteer evidence pertinent to an inquiry to benefit from any assets seized. The Department of Justice will utilize the FCA (False Claims Act) to hold primary liability for failure to satisfy cybersecurity criteria, including prosecutions for:

  • Offerings and services that aren’t up to par in terms of cybersecurity within the organization or for knowingly providing deficient cybersecurity products or services.
  • Cybersecurity-related information, cybersecurity protocols, and processes that are misrepresented or falsified.
  • Negligence by management or the organization in managing, tracking, and notifying cybersecurity incidents and data breaches.

While the DOJ’s approach is novel, the use of the False Claims Act to compel cybersecurity adherence is not. Still, due to the current Civil Cyber-Fraud Initiative, it has become more crucial than ever for institutions to be ready to deal with constitutional issues relevant to cyber intrusions. On a high level, the Civil Cyber-Fraud Initiative:

  • Holds the government contractors and grantees to their commitments to protect government information and infrastructure.
  • Ensures that government contractors recognize and develop strategies to comply with contract terms, statutes, and federal requirements.
  • Provides an opportunity for reimbursement of taxpayers’ and governments’ money if there is a compromise at the organization’s end.
  • Drives organizations receiving government grants and funds also work to build a strong cybersecurity posture.

Industries to be Impacted by The New Civil Cyber-Fraud Initiative

The Department of Justice’s Civil Cyber-Fraud Initiative may impact almost all private, public, or government organizations receiving government funds or grants, but let’s look at its impact on some of the critical sectors in detail:

  • Health Care and Life Sciences: The Cyber Fraud Initiative would target federal employees and federally funded beneficiaries. Therefore, medical and life sciences organizations that partner with or receive support from the legislative branch may be susceptible to FCA inspection.
  • Educational Institutions: Failure to comply with the Cyber-Fraud Initiative may have far-reaching ramifications for universities and higher education institutions receiving government funds and grants but who lack adequate cybersecurity safeguards. In consideration of federal requirements, every university or college that retains critical or privileged information must carefully evaluate the forms and the efficacy of its security controls and procedures.
  • Banking and Financial Industry: Banking and financial organizations are a significant target for malicious actors because of the scale and sensitivity of data that they store. Following the Cyber Fraud Initiative, all monetary regulators will need sufficient documentation and reporting structures, cybersecurity policies, and incident response strategies since any violation of rules would hold them accountable and liable.
  • Defense Industry: The initiative brings in the DOJ’s expertise and experience in various government procurement and civil fraud enforcement to combat emerging cybersecurity threats and risks. This helps protect confidential and sensitive information and critical information systems. For instance, if a defense contractor misuses trade secrets stored digitally in the form of government intellectual property n, the contractor could become liable, especially if the contractor fails to report the breach.

Risks of Non-Compliance

Non-Compliance with the new Civil Cyber Fraud Initiative opens organizations and individuals to various risks, such as:

  • Increased Liability Risks: The Department of Justice announced that it intends to hold organizations and individuals liable for various actions, including intentionally offering inadequate cybersecurity services, deliberately mischaracterizing their cybersecurity practices or procedures, and knowingly failing to report data breaches and infringements. Contractors may be held liable for failure to cooperate with cyber breach reporting terms in government contracts within the Cyber Fraud Initiative.
  • Penalties on Enterprises and Individuals: NIST 800-171 applies to any organization or agency that deals with Controlled Unclassified Information (CUI). Those who do not adhere to statutory cybersecurity requirements could be prosecuted using the FCA clause in the Cyber Fraud Initiative and face a penalty. Furthermore, besides enterprises, DoJ can hold civilians legally responsible for cybersecurity-related fraud.
  • Increased Litigation Risks: The Department of Justice notably emphasizes relying on whistleblowers to help the government restore order in its announcement. After determining their cybersecurity basis, organizations should consider implementing an internal review with counsel to compare their declarations to the federal government. The FCA cyber-risk exposes the organization to litigation if any disparities with the legal framework are identified.

Recommendations: Here is What Organizations Can Do!

Organizations can protect themselves better and ensure compliance with the Department of Justice’s new law with the help of:

  • Internal Audits and Assessments: Organizations should continue to identify their key information assets and evaluate their readiness for a cyber breach, and internal audits and assessments play a critical role in it. Based on the internal assessment, organizations can prioritize actions and processes to protect their information assets before, during, and after a security incident or data breach.
  • Continuous Monitoring and Reviews: Organizations must implement changes to continuously monitor changes within the technology environment, vulnerability management, and activities to anticipate various infringements with federal regulatory frameworks, processes, and policies. They may use whistleblowers to help with the process.
  • Documentation: Clearly written standards, plans, and policies are essential for ensuring the organization’s compliance with the cybersecurity requirements as per the government. Robust documentation will also help resolve internal issues and potential leaks eliminating questions regarding the standard operating procedures (SOPs) to be followed to effectively identify and address a security incident.
  • Internal Discussions: The Management should ensure that all policy conformity discussions with the government are correctly recorded and readily available. They must also collaborate with individuals who identify issues to analyze risk exposures.

Final Words

The Department of Justice’s Cyber Fraud Initiative seeking compliance with the False Claims Act is the government’s official legal remedy for for cybersecurity negligence and fraud. The strategy raises the bar for adherence initiatives for federal contractors or federal grant beneficiaries, such as universities. The latter are far more at risk concerning adopting essential cybersecurity precautions and deciding whether or not to disclose a violation because of the False Claims Act.

Expect increased FCA litigation against organizations that fail to mitigate the risk of cyber breaches. Attentive cybersecurity compliance procedures will ensure protect sensitive data an minimize the risk of significant fines under the FCA.


  1. Krotoski, M., Baruch, D., & Fan, S. (2021, December 08). Are you prepared for DOJ’s Civil Cyber-Fraud Initiative? Morgan Lewis.
  2. Department of Justice. (2021, October 6). Deputy Attorney General Lisa O. Monaco announces new Civil Cyber-Fraud Initiative.
  3. Gersh, D., Moundas, C., O’Connor, A., Darch, J. & Hardy, G. (2021, November 24). DOJ Civil Cyber-Fraud Initiative may impact health care and life sciences companies. Mondaq.
  4. Shaheen, M., Bartle, S., & Trujillo, G. (2022, January 19). Cybersecurity compliance requirements may surprise higher ed. University Business.
  5. Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting controlled unclassified information in nonfederal systems and organizations. Gaithersburg, MD: National Institute of Standards and Technology.
  6. The false claims act. (2019, June 17). Retrieved February 20, 2022, from website:

How To Harness the Power of your Student Data Analytics

IT management for schools and universities requires specialized knowledge and experience. Some IT departments face challenges that they can’t overcome alone. Integrating new enrollment and tuition payments systems is one such challenge that can prove daunting, but not impossible.

Columbia Advisory Group offers technical consulting services to organizations like schools and universitieshospitals, and a variety of retail locations. These services include integrating data feeds into usable, unified formats. Organizations can then use this information to help them achieve specific goals like improving recruitment, enrollment and retention.

How Powerful are Student Analytics?

Schools can use student data analytics to support decisions regarding enrollment, course schedules, outreach, tuition projections, room usage, and many other topics. We can also help improve university IT services and the school’s cybersecurity policies and implementations.

Texas A&M University tasked Columbia Advisory Group’s ERP specialist team with creating a recruiting and candidate tracking system. Additionally, they asked the team to generate a data clearinghouse to facilitate enrollment and tuition payments across the ten participating colleges and universities within the Texas A&M University System so that students had a seamless system allowing them to take courses from multiple institutions.

The specialist team faced several challenges. Each campus had separate groups of student information systems, including various versions of Banner. The separate systems meant that tuition and administrative data was isolated on each campus. The team had to analyze each data system and the recruiting needs of each campus to develop an effective system.

The CAG team created data feeds from each campus that aggregated into one database. Students were then able to use one interface to take courses from any institution. Real-time data feeds meant that information was immediately available to each member institution to help them make business decisions.

This new system allowed payments to be made to a central location and then sent to the respective institution. Students were given a single system log-in to view their courses and grades. Having a single access point achieved the important goal of creating a simplified student experience. Without the new system, admission levels might have dropped if prospective students faced a complex enrollment and payment procedure.

Data Simplification is What We Do

Columbia Advisory Group helped make it possible for the Texas A&M University System to increase enrollment for member universities. The system CAG helped design is flexible and can be scaled to match enrollment growth. Columbia Advisory Group can develop new functions for the system when needed.

Columbia Advisory Group can help innovate IT services in education industry settings. Their 100+ years of combined experience can improve the business performance of any institution. They can harness the power from student data analytics to deliver solutions that many other teams can’t.

Ransomware Incident Response Planning

Ransomware attacks are ever-increasing globally. Here’s how to evaluate your cyber security partners and be resilient, when preparing for the worst.

Colonial Pipeline, Kaseya, Solar Winds, Microsoft… the list goes on and on. In the past 12 months alone, more than one third of all organizations globally have faced some type of ransomware incident, according to a recent survey by research firm IDC.

The ransomware industry has evolved in sophistication. Malicious actors even subscribe to Ransomware as a Service (RaaS), whereby criminal organizations lease ransomware variants the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors, lacking these skills or time, to easily develop their own ransomware variants that can be up and running quickly and affordably. Such RaaS kits are easy to find on the dark web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000.

A threat actor doesn’t need every attack to be successful in order to become rich. RaaS is big business, with total ransomware revenues in 2020 of around $20 billion—up from $11.5 billion in 2019.

Clearly, ransomware incidents are not going away any time soon. In fact, they are accelerating. It is vital to create a digitally resilient institution that can absorb the impact yet not be crippled by the attack, in order to recover quickly without significantly impacting students, faculty, and research. Digital resilience represents the ability to continue to operate through an impairment and stay in business while minimizing institutional harm, reputational damage, and financial loss.

Resilient organizations:

  • know their networks and data
  • set targets, measurements, and goals for cybersecurity
  • employ best practices in change management
  • prioritize risks and intelligence for better decision-making
  • respond rapidly to incidents while maintaining operational readiness, reducing the risk of data loss, and preventing additional harm

Given this “new normal,” what attributes should you consider when selecting a partner to help you minimize your risk and create a ransomware playbook to maintain resilience?

Not all cybersecurity services are created equal. Consider this checklist as one way to evaluate cybersecurity partners:

1. As the old adage says, “You cannot determine where you are going until you know where you are.”

Select a partner that is able to baseline and assess your current information security program. Typically, reputable cybersecurity services begin with a detailed policy assessment AND vulnerability assessment. What do we mean by that? A policy assessment analyzes your organization’s cybersecurity controls and its ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s objectives, rather than in the form of a checklist as you would for a cybersecurity audit.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and when needed.

Any cybersecurity service that doesn’t include both assessments will leave your institution exposed and more vulnerable to ransomware attacks. Vulnerability scans are like a photograph and show a snapshot in time, and that picture can change daily. Therefore, vulnerability scans should be provided continuously (e.g., daily, weekly or monthly).

2. Ask your cybersecurity partner…

…how they will assist in improving cyber hygiene in the form of patch management, to prevent ransomware attacks from having an access point into your network.

3. Hire a partner to help you create and routinely update your risk register in cooperation with your Board and Office of Risk Management.

Access control and governance issues must be scrutinized by all involved parties. Cybersecurity risk management is comparable to other forms of risk management and is therefore a Board-level issue. For example, did you know an institution can lose access to federal financial aid if it’s found to be out of compliance with national standards, such as National Institute of Standards and Technology (NIST) 800-171?

4. Find a partner who will assist your institution in creating your unique ransomware incident response playbook.

Think of this as your ransomware crisis plan. Off-the-shelf playbooks are fine for understanding concepts, but since your organization’s network architecture, data, and faculty requirements are unique, your institution needs a customized playbook handy should the need arise.

5. Ensure your vendor partner performs or arranges for an annual third-party penetration test.

This “pen test” includes scanning your network for weaknesses and, optionally, attempting to exploit any vulnerabilities that can enable attackers to gain entry. This is critical as new vulnerabilities are discovered every day, and what was thought to be secure may no longer be.

6. An effective partner will audit your security controls against relevant cybersecurity frameworks…

…like TAC § 202 or NIST 800-53 R5, in addition to your state-specific frameworks that may govern data security. This is a regulatory environment that is constantly changing, and your partner should proactively provide you with compliance requirements and discrepancies.

7. Partner with cyber staff who routinely communicate with governmental and law enforcement agencies…

…to provide relevant alerts and trends to your CIO for remediation.

8. Every capable vendor should also be auditing your organization randomly…

…to confirm its compliance with your cybersecurity plan.

“Organizations face a clear and present danger, but the more salient truth is that boards and C-Suite leaders face a clear and present certainty since they bear liability for the failure.” Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Ray Rothrock, 2018.

Via the E&I Columbia Advisory Group (CAG) contract, CAG is available to assist your institution with cybersecurity services, audits, planning, and to help with your ransomware incident response playbook.

The Cybersecurity “Perfect Storm” of 2020

The year 2020 brought us all incredible challenges as we coped with the impact of COVID-19, and cybersecurity is no exception. 2020 created the “perfect storm” for cybersecurity when you consider how each of these trends has created enormous opportunity for cybercriminals:

We are all online more, even inexperienced users.

As students, staff, parents, and grandparents navigate networks, devices, passwords, and classroom experiences, there are many opportunities for security gaps. How are networks being accessed? How secure is the student’s computer? Who is using the computer at home? What network are they working on? Do each of these people know how to spot and react to a phishing attempt so that they don’t divulge sensitive information about themselves or their online work? Cybercriminals know that phishing works, and they prey on inexperienced or inattentive users.

Our networks have new vulnerabilities.

Working, schooling, and researching from home means accessing campus networks from home on a variety of user-owned devices, and the workarounds can leave institutions vulnerable to hacking.

The allure of student data is irresistible to cybercriminals.

Hackers have always sought student data because it provides a lifetime of opportunities to use, manipulate, sell, and otherwise profit from identity details. In this exposed environment, the prospects are increasing exponentially, and cybercriminals are taking advantage. Schools and colleges are more than twice as likely as the average organization to be hit by a business email compromise attack.

University research data is like catnip for hackers.

That cutting-edge research your institution is doing is stored online somewhere, and hackers know how valuable it is. Expect them to try to crack your cyber vault. If your research includes COVID-19 studies, you’re at the top of the target list.

People overreact to messages that reference COVID-19.

Phishing attempts, spoofing, and malicious download links trick many users with phrases like “New COVID-19 Protocols – click here to download” or “Update your account with COVID-19 acknowledgement.” Hackers and cybercriminals know we have heightened attention to such requests, and they prey upon our fears and desire to cooperate.

IT departments are busier than ever and budgets are tight.

With so many new users to support, hybrid classrooms to set up, devices to deploy and maintain, and new issues to resolve, it’s likely your IT staff is stretched thin, while your institution may have frozen or reduced IT budgets to cope with tuition revenue reductions.

So, what can your institution do to combat these threats?

  1. Prioritize IT helpdesk support to help users navigate their online world and set up safety protocols for themselves. If your IT team is stretched thin, consider an outsourced helpdesk that is white-labeled to appear as a seamless part of your IT team. At CAG, one of our support desks handles 515 tickets a week for a regional university, allowing IT staff to focus on other urgent, critical, or strategic projects.
  2. Conduct a cybersecurity vulnerability assessment so that you know exactly where your gaps are.
  3. Update your institution’s cyber risk register and prioritize accordingly.
  4. Consider the cost of a breach, and then consider the cost of hiring cybersecurity support. (Each breach can cost an institution tens of thousands to millions of dollars, in addition to reputational damage.)
  5. Educate your community on cyber hygiene. This is a never-ending battle. CAG’s virtual CISOs can assist with strategies to help your campus communities.

If your institution needs assistance with your cybersecurity strategy, assessment, remediation, or a virtual CISO, please contact us here.

Learn more about E&I’s Columbia Advisory Group contract and get started today.

CAG clients rank in top tier for COVID-readiness

The Dallas Business Journal recently published the rankings for COVID-related instructional readiness for Texas colleges and universities as ranked by the non-profit Educate to Career. This year, these national rankings indicate how robust the software and systems for distance learning are at each higher-education institution. Two of the Tier 1-ranked Texas institutions, Texas A&M University – Commerce and Texas Woman’s University, are Columbia Advisory Group IT service customers.

Six North Texas universities scored in the highest tier and two in the lowest tier on a ranking of how adaptable they are to life and learning during the COVID-19 crisis.

Educate to Career, a California-based education nonprofit, ranked four-year schools into tiers based on factors including in-classroom instruction, quality and experience with online learning and other factors.

To be in Tier 1, the highest group, schools had to be able to deliver their full curricula online and in-classroom and have a minimum of three years of experience in delivering online curricula. Educate to Career also weighed each school’s tuition and fees.

The North Texas schools in Tier 1 were University of North Texas in Denton, Texas Woman’s University in Denton, the University of Texas at Arlington, Dallas Baptist University, Texas Wesleyan University in Fort Worth, and Texas A&M University-Commerce.

Other Tier 1 requirements include a physical campus for in-classroom instruction should health authorities allow colleges to open in September, robust software and systems to support distance learning programs, faculty experience in teaching online and reasonable tuitions and fees on a relative basis, according to the rankings.

Tier 2 universities have the systems required to deliver curriculum online and in-classroom. However, college faculty have less experience in delivering online curriculum than Tier 1 colleges.

In North Texas, Southern Methodist University and the University of Texas at Dallas (in Richardson) ranked in the second tier, according to Educate to Career.

No North Texas universities ranked in Tier 3, which is described as universities and colleges that “strongly emphasize in-classroom education over online teaching, and may not offer full curriculum online.”

Two North Texas schools ranked in Tier 4, described as colleges and universities that have “limited systems and experience in delivering online curriculum.”

Those were Texas Christian University and the University of Dallas in Irving.

Spokespeople for those two universities did not immediately respond to an email requesting comment about the rankings.

Improving Student Services and Recruitment Through Enhanced ERP

Improving Student Services and Recruitment through Enhanced ERP, SIS and CRM Integration

As higher education institutions strive to maximize actionable insights and student services across existing data pools, the need for complex data integrations continues to grow. When multiple campuses collaborate with curriculum and enrollment processes, the need for systems integration becomes even more critical.

As an IT provider to educational institutions across the country, our Enterprise Resource Planning (ERP) and Student Information System (SIS) teams are seeing increased interest in strategic enrollment partnerships, especially within college and university systems and community college districts. These partnerships require data clearinghouses to allow shared entities to recruit, enroll, receive tuition payments, advise students, and view student grades and course schedules at a central location for access by multiple higher education institutions, and despite variations in the software used at each member institution.

An excellent recent example is the RELLIS campus of the Texas A&M University System. The campus was created to feature high-tech, high-impact research facilities for technology development, testing and commercialization. The campus also features a collaborative education complex which offers multiple academic degrees from many universities within the A&M System as well as from Blinn College campuses, and offers opportunities for workforce skills training to the surrounding communities. CAG’s ERP specialist team was engaged to create a recruiting and candidate tracking system along with a complex data clearinghouse to facilitate enrollment and tuition payments across 10 colleges and universities.

“CAG’s team of IT experts are accustomed to the aggressive timelines and rigorous and evolving demands that an innovative project of this type will naturally entail. Their higher-ed focused IT services team will enable us to move quickly to provide integrated service to both our students and our member campuses,” said Mark Stone, Chief Information Officer for the Texas A&M University System.

In cooperation with leaders from each campus, the CAG team created data feeds from each institution that aggregate in Salesforce to allow students to take courses from any of their universities. The Salesforce CRM front-end allows RELLIS recruiting and marketing staff to drive student enrollment while back-end data feeds are unique to each institution due to disparate Student Information Systems at each university. This allows advisors to manage data from these universities and enter advisory notes that are pushed back to the system of record for each student. To achieve student authentication, CAG also integrated “single sign-on” for the institutions.

It was important to the Texas A&M University System to improve student service by simplifying the tuition payment process. The data solution CAG created allows payments to be made to the central location at RELLIS, and agreed revenue splits are subsequently sent to each institution. The clearinghouse gives students a single system login to view their course schedules and grades, thereby creating a seamless student experience.

For more information or a consultation on your data integration projects, please contact

Spearphishing Defense Tips for Students

Cyber Criminals Conducting Successful Spearphishing Campaigns Against Students at Multiple College and Universities

Tips to share with students

By David Maxwell, Chief Information Security Officer & Director of the Information Security Practice at Columbia Advisory Group

The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. The Department of Education identified a similar spearphishing campaign targeting multiple Universities. In this attack, the cybercriminals sent spearphishing emails requesting students’ login credentials for the University. The email invited them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, cybercriminals changed the students’ direct deposit destinations to bank accounts.

Protecting Yourself

For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack. Here are the most common ones:

  • It is becoming much easier for cybercriminals today to find or purchase personal information so expect more personalized scams.
  • The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account. The attacker wants to rush you into making a mistake without thinking.
  • You receive an email with an attachment that you were not expecting or the email entices you to open the attachment. Examples include an email saying it has an attachment with details of Financial Aid or a letter from the IRS saying you are being prosecuted.
  • The email requests highly sensitive information, such as your credit card number or password.
  • The email says it comes from an official organization or uses a personal email address like, or
  • The link looks odd or not official. One tip is to hover your mouse cursor over the link until a pop-up shows you where that link really takes you. If the link in the email doesn’t match the pop-up destination, don’t click it. On mobile devices, holding down your finger on a link gets the same pop-up.
  • You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.

If you believe an email or message is a phishing attack, simply delete it or send it as an attachment to Ultimately, common sense is your best defense.

Do you need help managing cybersecurity at your educational institution? Contact one of our experts about cybersecurity assessments and fractional ISO services. 

Supplier Spotlight: Columbia Advisory Group

In conversation with Steve Erwin: Trends and Challenges for IT security in education
Our own Steve Erwin, Senior Vice President & Chief Technology Officer talks about present day trends and challenges for IT security in Education with E&I Cooperative Services. Click here for detailed interview.

Read More:

New Texas A&M University System RELLIS Campus IT Services Awarded To Columbia Advisory Group


Columbia Advisory Group (CAG) was selected as the nimble IT support service partner needed for the newly formed RELLIS Campus. TAMUS selected CAG after reviewing responses to a thorough Request for Proposal.

COLLEGE STATION, TexasJan. 8, 2019 /PRNewswire/ — Located eight miles from Texas A&M University College Station campus, the newly formed RELLIS Campus sits on 2,000 acres and offers classes to students pursuing degrees at campuses across Texas. As a pioneer in this shared-campus model, TAMUS needed to find a nimble IT support service partner to integrate student recruitment, enrollment, tuition payment, course scheduling, reporting, administrative and other IT needs across multiple parent campuses and data systems. After reviewing responses to a thorough Request for Proposal, TAMU System selected Columbia Advisory Group (CAG) as a partner in this new campus venture.

“CAG’s team of IT experts are accustomed to the aggressive timelines and rigorous and evolving demands that an innovative project of this type will naturally entail. Their higher-ed focused IT services team will enable us to move quickly to provide integrated service to both our students and our member campuses,” said Mark Stone, Chief Information Officer for Texas A&M University System.   

The contract also includes future integration of learning management systems (LMS) and single sign-on (SSO) capabilities.  The campus will feature high-tech, high-impact research facilities for technology development, testing and commercialization and a collaborative education complex to offer multiple academic degrees from many universities within the A&M System and Blinn College, as well as offer opportunities for workforce skills training to the surrounding communities. David McLaughlin, CEO of CAG, says, “Since the RELLIS campus is a completely new entity for TAMU System, this project required innovative thinking and a deep knowledge of higher ed processes and technology. Our team is ready to adapt quickly as the campus grows and needs evolve.”

About Columbia Advisory Group

Columbia Advisory Group (CAG) is a highly experienced Information Technology (IT) consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. 

About the A&M System

The Texas A&M University System is one of the largest systems of higher education in the nation, with a budget of $4.2 billion. Through a statewide network of 11 universities and seven state agencies, the Texas A&M System educates more than 150,000 students and makes more than 22 million additional educational contacts through service and outreach programs each year. System-wide, research and development expenditures exceeded $946 million in FY 2015 and helped drive the state’s economy.