
When Should Higher Education CFOs consider using a Managed IT Service?

The role of technology in higher education has grown tremendously in recent years, with IT infrastructure playing a crucial part in the daily operations of universities. For higher education CFOs, maintaining a robust IT department can be challenging, and outsourcing to Managed IT Services can sometimes offer a more cost-effective and efficient alternative. According to Educause, MSPs can provide institutions with greater flexibility, scalability, and cost savings, as well as support for compliance and regulatory requirements. Similarly, Gartner suggests that MSPs can help higher education institutions stay current with emerging technologies and improve the efficiency and effectiveness of their IT operations. Here are some key examples of when higher education CFOs should consider using a Managed IT Services provider:

Limited Internal IT Resources
Higher education institutions often have limited internal IT resources, which makes it difficult to provide comprehensive IT support and services. According to Educause, MSPs can help fill the gap by providing additional resources to support the institution’s IT needs.

Lack of In-House Expertise
CFOs may find that their in-house IT teams lack expertise in certain areas, such as cybersecurity or cloud computing. Gartner suggests that MSPs can fill this knowledge gap by providing specialized expertise.

Need to Focus on Core Competencies
According to Educause, higher education institutions must focus on their core competencies, like providing education, research, and community services. Outsourcing IT management to a managed services provider allows the institution to focus on its core competencies while leaving IT management to experts.

Cost Savings
According to Gartner, MSPs can often help higher education institutions reduce costs associated with IT management by providing economies of scale and more efficient IT operations.

Compliance and Regulatory Requirements
Higher education institutions are subject to various regulatory and compliance requirements, such as HIPAA and FERPA. MSPs can help ensure institutions follow these requirements by providing regular security audits, threat management, and incident response services.

As higher education institutions grow and evolve, their IT needs may also change. According to Gartner, MSPs can help institutions scale their IT operations as needed, ensuring they always have the resources necessary to support their IT needs.

New or Emerging Technologies
As Gartner points out, the field of IT is constantly evolving, and new technologies are always emerging. A managed IT services provider can help CFOs understand new technologies’ potential benefits and costs and assist with implementing and managing these new solutions.

According to Educause and Gartner, higher education CFOs should consider using MSPs when facing limited internal IT resources, lack of expertise in certain areas, need to focus on core competencies, need for cost savings, compliance requirements, scalability, and new or emerging technologies. MSPs can bring the necessary expertise, resources, and scalability for the IT department to thrive and support the institution’s growth.

Practical Advice and Recommendations

Before outsourcing IT operations, higher education CFOs should consider the following recommendations:

  1. Define the scope of services: Clearly outline the specific IT functions and services to be outsourced, and ensure that the Managed IT Service provider can meet these needs.

  2. Evaluate potential providers: Thoroughly assess them by reviewing their experience, technical expertise, and client testimonials.

  3. Establish performance metrics: Set clear performance metrics and service level agreements (SLAs) to ensure the Managed IT Service provider is held accountable for delivering the expected quality of service.

  4. Plan for a smooth transition: Develop a transition plan to minimize disruption to university operations during outsourcing.

Outsourcing IT functions to Managed IT Services can offer significant benefits for higher education institutions, including cost savings, access to expert technical resources, and improved security and compliance. However, it is crucial for CFOs to carefully assess their university’s specific needs and circumstances before deciding to outsource. By following the practical advice and recommendations outlined in this post, higher education CFOs can make informed decisions about outsourcing their IT operations to Managed IT Services.


Educause. Outsourcing IT Services in Higher Education: Benefits and Challenges. Retrieved from

Gartner. 5 Best Practices for IT Outsourcing Success in Higher Education. Retrieved from

Haley Rose

Chief Marketing Officer

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at

How Higher Education Registrars Benefit from 3rd Party Ellucian Banner and Degree Works

Higher education Registrar Offices play a crucial role in maintaining and updating student records, which include academic, personal, and financial information. With the advancement of technology, most colleges and universities use Ellucian Banner and Degree Works software to manage and store these records. However, managing these systems can be challenging, especially with the increasing complexity of the software. This is where the benefits of having access to a consultant who performs both functional and technical work on Ellucian Banner and Degree Works come into play.

Increased Efficiency

A consultant who is knowledgeable in both the functional and technical aspects of Ellucian Banner and Degree Works can provide Registrar Offices with the support they need to increase their efficiency. They can help streamline processes, automate tasks, and provide guidance on best practices, saving time and reducing errors.

Improved Data Management and Governance

Registrar Offices have access to a vast amount of sensitive and confidential student data. A consultant can assist with data management, ensuring that data is stored and processed securely and accurately. They can also assist with data migration and integration, making it easier for Registrar Offices to transfer data from one system to another. This can expand to include the larger process of data governance to help ensure the quality and reliability of the data.

Enhanced User Experience

Ellucian Banner and Degree Works are complex systems; navigating them can be challenging. A consultant can help Registrar Offices to understand the software better, providing training and support to ensure that users can perform their tasks effectively and efficiently.

Improved Integration

Ellucian Banner and Degree Works integrate with other systems, such as enrollment and financial aid systems. A consultant who is knowledgeable in both functional and technical aspects of the software can assist Registrar Offices with the integration of these systems, ensuring that data is exchanged and processed correctly.

Cost Savings

Hiring a consultant who performs both functional and technical work can save Registrar Offices money in the long run. They can assist with troubleshooting and resolving technical issues, reducing downtime and the need for additional support. They can also provide training and support to ensure that users are able to perform their tasks effectively, reducing the need for external support.

In conclusion, Higher Education Registrar Offices that have access to a consultant who performs both functional and technical work on Ellucian Banner and Degree Works can benefit from increased efficiency, improved data management, enhanced user experience, improved integration, and cost savings. These benefits make it easier for Registrar Offices to manage student records and provide a better experience for students, staff, and faculty.



Dana Salinas

Banner Team Lead

Why Purchasing with E&I Cooperative Services is a good idea for Higher Education

Purchasing via E&I Cooperative Services (E&I) benefits higher education institutions for a number of reasons:

  • Cost savings: E&I is the only non-profit procurement cooperative exclusively focused on education. E&I helps its member institutions save money on their purchases by negotiating discounted prices and streamlined procurement processes with best-in-class providers. By purchasing via E&I’s contracts, higher education institutions can take advantage of these cost savings, which can help them stretch their budgets and allocate more resources to other priorities, such as student success.
  • Streamlined procurement: Higher education institutions that partner with E&I can benefit from the organization’s competitively awarded procurement processes, which can help them save time and reduce administrative burden on busy procurement departments, acting as an extension of that department. By leveraging these services, higher education institutions can focus on their core mission of educating students rather than managing an additional procurement process.
  • Access to a wide range of products and services: E&I has a wide range of products and services available to its member institutions, including everything from office supplies and furniture to IT and facilities management. By partnering with E&I, higher education institutions can access these products and services at discounted prices, helping them save money and improve their operations.
  • Expertise and support: Higher education institutions that partner with E&I benefit from the organization’s expertise and support in procurement, supply chain management, and sustainability. This includes training and support for procurement professionals, guidance on sustainability initiatives, strategic spend assessments, and access to best practices and case studies.
  • Networking and collaboration: Higher education institutions that partner with E&I can benefit from the opportunity to network and collaborate with other institutions and organizations that are also focused on cost savings and efficiency. E&I members share best practices, learn from others’ experiences, and work together to solve common challenges.

Overall, partnering with E&I can provide higher education institutions with expedited access to supplier contracts that save money and streamline procurement processes. By leveraging the organization’s expertise and resources, higher education institutions can improve their operations and allocate more resources to their core mission of educating students.


Haley Rose

Chief Marketing Officer

Columbia Advisory Group Expands Availability of its Services via TIPS-USA Contract

IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to increased IT needs and tightening budgets.

DALLAS, TEXAS, UNITED STATES, August 29, 2022 — Columbia Advisory Group (CAG), the leading IT managed services and cybersecurity provider to public and private sector organizations, today announced the availability of its industry-leading services on The Interlocal Purchasing System (TIPS-USA).

The TIPS Program evolved to help streamline the procurement process and expedite purchases. As a co-op, both awarded technology vendors and public sector members – which include K-12 and private schools, colleges, universities, cities, counties, non-profits, and other government entities – can accelerate business transactions by requirements up-front.

Leveraging the TIPS-USA contract, higher-education and other government buyers can realize significant cost savings by reducing the overall time and expense of a cumbersome bid process. Because TIPS provides access to high-performance vendors, agencies can also achieve quick and efficient delivery of goods and services, particularly when it comes to cybersecurity and other IT services. In addition, TIPS provides access to state-of-the-art purchasing procedures to provide competitive contracts, bulk purchasing, and other efficiencies. For these reasons, TIPS has become a preferred purchasing vehicle for state and local entities.

The Interlocal Purchasing System currently serves entities such as state and local governments and non-profit organizations, including but not limited to K-12 school districts, Charter Schools, Colleges and Universities (State and Private), Cities/Municipalities, Counties/Parishes, State Agencies, Emergency Services Districts and Non-profit organizations as defined by the Internal Revenue Service, as well as many other entities with legislated purchasing/bidding requirements. TIPS-USA membership is free.

Now, with the addition of CAG to the TIPS-USA contract, members can realize digital transformation with a best-in-class IT services firm designed for public sector frameworks. CAG is trusted by multiple higher-education and government institutions, state agencies and school districts to manage their IT environments via cybersecurity services, digital optimization, and IT innovation.

“Our public sector clients appreciate the ability to secure our services via vetted contracts like that of TIPS-USA,” explains David McLaughlin, President and CEO of Columbia Advisory Group. “TIPS-USA will help our clients to move swiftly when they discover a need within their organization for our IT expertise. In today’s business age, IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to twin dynamics of increased IT needs and tightening budgets.”

For more than 10 years, CAG has helped leading public agencies to improve their cybersecurity postures and to improve their IT environment through managed service. CAG provides access to specialized practice teams, including cybersecurity, application support, IT governance, IT due diligence, project management, IT infrastructure and comprehensive audio-visual services.

To learn more about purchasing from CAG on the TIPS-USA contract, contact CAG.

Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

"In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

DALLAS, TEXAS, UNITED STATES, June 13, 2022 — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode will allow clients to one-stop-shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise to understand, contain and prevent them. This capability requires increasingly scarce competent cybersecurity leadership and specialized, virtual Security Operations Center (vSOC) services that can investigate problems in real-time and provide visibility across the enterprise of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from our expert Extended Detection and Response capabilities. Offices in the Americas and Europe. Learn more at or connect with us at

Civil Cyber-Fraud Initiative by the US Department Of Justice (DoJ): Everything You Need to Know!

The US Department of Justice (DoJ) has officially launched its new Civil Cyber-Fraud initiative. It enacted the legislation to strengthen cybersecurity standards among contractors undertaking government projects and receiving federal funds, as well as other grant recipients such as universities. Such organizations and beneficiaries need to address cybersecurity risks and report breaches to comply with the latest legislation and regulatory guidelines.

The new Cyber Fraud Initiative from the US Department of Justice brings together the department’s expertise in civil fraud enforcement, government contracting, and cybersecurity to counteract existing and growing cybersecurity risks to confidential material and safety infrastructure. The Department of Justice is working to improve the resilience of the country and its critical information infrastructure (CII) against increasingly sophisticated cybersecurity threats via new reforms. This was much needed to ensure the protection of trade secrets, Intellectual Property (IP), proprietary knowledge, trademarks, and copyrights, to protect the privacy of all stakeholders involved, and to prevent sensitive and confidential information from falling into the hands of threat actors. This will ensure that taxpayers’ money is used diligently and will also help build public trust in the system in safeguarding their valuable information assets.

Cyber Fraud: Some Key Statistics

According to AtlasVPN, the damages to organizations by cybercrimes from 2019 to the current time have increased by 37.4% with each passing year. Further, the rate of cybercrimes will increase by over 40%.


Some of the vital cybercrime statistics in the US and around the globe show how threatening and challenging cybercrime has become:

  • FBI’s IC3 reported complaints in 2020 contained over 241,342 phishing, 76,741 extortion, and over 45,000 personal data cyber breaches.
  • Malicious actors attack 1/5th of educational institutions and universities, with 65% of data breaches targeting higher-education centers.
  • 2022 will be the year for misinformation campaigns surrounding cybercrimes, which will become the new attack vector.
  • Cybercrimes are ever-increasing and are estimated to cost $10.5 trillion per annum to businesses by 2025.

The New Civil Cyber-Fraud Initiative By The US DoJ

The new Civil Cyber-Fraud Initiative will use the False Claims Act to investigate cybersecurity-related misconduct by government contractors and those receiving federal grants and funds. The Act also incorporates the “whistleblower” clause that permits individuals who volunteer evidence pertinent to an inquiry to benefit from any assets seized. The Department of Justice will utilize the FCA (False Claims Act) to hold primary liability for failure to satisfy cybersecurity criteria, including prosecutions for:

  • Offerings and services that aren’t up to par in terms of cybersecurity within the organization or for knowingly providing deficient cybersecurity products or services.
  • Cybersecurity-related information, cybersecurity protocols, and processes that are misrepresented or falsified.
  • Negligence by management or the organization in managing, tracking, and notifying cybersecurity incidents and data breaches.

While the DOJ’s approach is novel, the use of the False Claims Act to compel cybersecurity adherence is not. Still, due to the current Civil Cyber-Fraud Initiative, it has become more crucial than ever for institutions to be ready to deal with constitutional issues relevant to cyber intrusions. On a high level, the Civil Cyber-Fraud Initiative:

  • Holds the government contractors and grantees to their commitments to protect government information and infrastructure.
  • Ensures that government contractors recognize and develop strategies to comply with contract terms, statutes, and federal requirements.
  • Provides an opportunity for reimbursement of taxpayers’ and governments’ money if there is a compromise at the organization’s end.
  • Drives organizations receiving government grants and funds to also work to build a strong cybersecurity posture.

Industries to be Impacted by The New Civil Cyber-Fraud Initiative

The Department of Justice’s Civil Cyber-Fraud Initiative may impact almost all private, public, or government organizations receiving government funds or grants, but let’s look at its impact on some of the critical sectors in detail:

  • Health Care and Life Sciences: The Cyber Fraud Initiative would target federal employees and federally funded beneficiaries. Therefore, medical and life sciences organizations that partner with or receive support from the legislative branch may be susceptible to FCA inspection.
  • Educational Institutions: Failure to comply with the Cyber-Fraud Initiative may have far-reaching ramifications for universities and higher education institutions receiving government funds and grants but who lack adequate cybersecurity safeguards. In consideration of federal requirements, every university or college that retains critical or privileged information must carefully evaluate the forms and the efficacy of its security controls and procedures.
  • Banking and Financial Industry: Banking and financial organizations are a significant target for malicious actors because of the scale and sensitivity of data that they store. Following the Cyber Fraud Initiative, all monetary regulators will need sufficient documentation and reporting structures, cybersecurity policies, and incident response strategies since any violation of rules would hold them accountable and liable.
  • Defense Industry: The initiative brings in the DOJ’s expertise and experience in various government procurement and civil fraud enforcement to combat emerging cybersecurity threats and risks. This helps protect confidential and sensitive information and critical information systems. For instance, if a defense contractor misuses trade secrets stored digitally in the form of government intellectual property, the contractor could become liable, especially if the contractor fails to report the breach.

Risks of Non-Compliance

Non-Compliance with the new Civil Cyber Fraud Initiative opens organizations and individuals to various risks, such as:

  • Increased Liability Risks: The Department of Justice announced that it intends to hold organizations and individuals liable for various actions, including intentionally offering inadequate cybersecurity services, deliberately mischaracterizing their cybersecurity practices or procedures, and knowingly failing to report data breaches and infringements. Contractors may be held liable for failure to cooperate with cyber breach reporting terms in government contracts within the Cyber Fraud Initiative.
  • Penalties on Enterprises and Individuals: NIST 800-171 applies to any organization or agency that deals with Controlled Unclassified Information (CUI). Those who do not adhere to statutory cybersecurity requirements could be prosecuted using the FCA clause in the Cyber Fraud Initiative and face a penalty. Furthermore, besides enterprises, DoJ can hold civilians legally responsible for cybersecurity-related fraud.
  • Increased Litigation Risks: The Department of Justice notably emphasizes relying on whistleblowers to help the government restore order in its announcement. After determining their cybersecurity basis, organizations should consider implementing an internal review with counsel to compare their declarations to the federal government. The FCA cyber-risk exposes the organization to litigation if any disparities with the legal framework are identified.

Recommendations: Here is What Organizations Can Do!

Organizations can protect themselves better and ensure compliance with the Department of Justice’s new law with the help of:

  • Internal Audits and Assessments: Organizations should continue to identify their key information assets and evaluate their readiness for a cyber breach, and internal audits and assessments play a critical role in it. Based on the internal assessment, organizations can prioritize actions and processes to protect their information assets before, during, and after a security incident or data breach.
  • Continuous Monitoring and Reviews: Organizations must implement changes to continuously monitor changes within the technology environment, vulnerability management, and activities to anticipate various infringements with federal regulatory frameworks, processes, and policies. They may use whistleblowers to help with the process.
  • Documentation: Clearly written standards, plans, and policies are essential for ensuring the organization’s compliance with the cybersecurity requirements as per the government. Robust documentation will also help resolve internal issues and potential leaks, eliminating questions regarding the standard operating procedures (SOPs) to be followed to effectively identify and address a security incident.
  • Internal Discussions: The Management should ensure that all policy conformity discussions with the government are correctly recorded and readily available. They must also collaborate with individuals who identify issues to analyze risk exposures.

Final Words

The Department of Justice’s Cyber Fraud Initiative seeking compliance with the False Claims Act is the government’s official legal remedy for cybersecurity negligence and fraud. The strategy raises the bar for adherence initiatives for federal contractors or federal grant beneficiaries, such as universities. The latter are far more at risk concerning adopting essential cybersecurity precautions and deciding whether or not to disclose a violation because of the False Claims Act.

Expect increased FCA litigation against organizations that fail to mitigate the risk of cyber breaches. Attentive cybersecurity compliance procedures will protect sensitive data and minimize the risk of significant fines under the FCA.


  1. Krotoski, M., Baruch, D., & Fan, S. (2021, December 08). Are you prepared for DOJ’s Civil Cyber-Fraud Initiative? Morgan Lewis.
  2. Department of Justice. (2021, October 6). Deputy Attorney General Lisa O. Monaco announces new Civil Cyber-Fraud Initiative.
  3. Gersh, D., Moundas, C., O’Connor, A., Darch, J. & Hardy, G. (2021, November 24). DOJ Civil Cyber-Fraud Initiative may impact health care and life sciences companies. Mondaq.
  4. Shaheen, M., Bartle, S., & Trujillo, G. (2022, January 19). Cybersecurity compliance requirements may surprise higher ed. University Business.
  5. Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting controlled unclassified information in nonfederal systems and organizations. Gaithersburg, MD: National Institute of Standards and Technology.
  6. The false claims act. (2019, June 17). Retrieved February 20, 2022, from website:

How To Harness the Power of your Student Data Analytics

IT management for schools and universities requires specialized knowledge and experience. Some IT departments face challenges that they can’t overcome alone. Integrating new enrollment and tuition payment systems is one such challenge that can prove daunting, but not impossible.

Columbia Advisory Group offers technical consulting services to organizations like schools and universities, hospitals, and a variety of retail locations. These services include integrating data feeds into usable, unified formats. Organizations can then use this information to help them achieve specific goals like improving recruitment, enrollment and retention.

How Powerful are Student Analytics?

Schools can use student data analytics to support decisions regarding enrollment, course schedules, outreach, tuition projections, room usage, and many other topics. We can also help improve university IT services and the school’s cybersecurity policies and implementations.

Texas A&M University tasked Columbia Advisory Group’s ERP specialist team with creating a recruiting and candidate tracking system. Additionally, they asked the team to generate a data clearinghouse to facilitate enrollment and tuition payments across the ten participating colleges and universities within the Texas A&M University System so that students had a seamless system allowing them to take courses from multiple institutions.

The specialist team faced several challenges. Each campus had separate groups of student information systems, including various versions of Banner. The separate systems meant that tuition and administrative data was isolated on each campus. The team had to analyze each data system and the recruiting needs of each campus to develop an effective system.

The CAG team created data feeds from each campus that aggregated into one database. Students were then able to use one interface to take courses from any institution. Real-time data feeds meant that information was immediately available to each member institution to help them make business decisions.

This new system allowed payments to be made to a central location and then sent to the respective institution. Students were given a single system log-in to view their courses and grades. Having a single access point achieved the important goal of creating a simplified student experience. Without the new system, admission levels might have dropped if prospective students faced a complex enrollment and payment procedure.

Data Simplification is What We Do

Columbia Advisory Group helped make it possible for the Texas A&M University System to increase enrollment for member universities. The system CAG helped design is flexible and can be scaled to match enrollment growth. Columbia Advisory Group can develop new functions for the system when needed.

Columbia Advisory Group can help innovate IT services in education industry settings. Their 100+ years of combined experience can improve the business performance of any institution. They can harness the power from student data analytics to deliver solutions that many other teams can’t.

Ransomware Incident Response Planning

Ransomware attacks are ever-increasing globally. Here’s how to evaluate your cybersecurity partners and stay resilient when preparing for the worst.

Colonial Pipeline, Kaseya, SolarWinds, Microsoft… the list goes on and on. In the past 12 months alone, more than one third of all organizations globally have faced some type of ransomware incident, according to a recent survey by research firm IDC.

The ransomware industry has evolved in sophistication. Malicious actors even subscribe to Ransomware as a Service (RaaS), whereby criminal organizations lease ransomware variants the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors who lack these skills or the time to easily develop their own ransomware variants that can be up and running quickly and affordably. Such RaaS kits are easy to find on the dark web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000.

A threat actor doesn’t need every attack to be successful in order to become rich. RaaS is big business, with total ransomware revenues in 2020 of around $20 billion—up from $11.5 billion in 2019.

Clearly, ransomware incidents are not going away any time soon. In fact, they are accelerating. It is vital to create a digitally resilient institution that can absorb the impact yet not be crippled by the attack, in order to recover quickly without significantly impacting students, faculty, and research. Digital resilience represents the ability to continue to operate through an impairment and stay in business while minimizing institutional harm, reputational damage, and financial loss.

Resilient organizations:

  • know their networks and data
  • set targets, measurements, and goals for cybersecurity
  • employ best practices in change management
  • prioritize risks and intelligence for better decision-making
  • respond rapidly to incidents while maintaining operational readiness, reducing the risk of data loss, and preventing additional harm

Given this “new normal,” what attributes should you consider when selecting a partner to help you minimize your risk and create a ransomware playbook to maintain resilience?

Not all cybersecurity services are created equal. Consider this checklist as one way to evaluate cybersecurity partners:

1. As the old adage says, “You cannot determine where you are going until you know where you are.”

Select a partner that is able to baseline and assess your current information security program. Typically, reputable cybersecurity services begin with a detailed policy assessment AND vulnerability assessment. What do we mean by that? A policy assessment analyzes your organization’s cybersecurity controls and its ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s objectives, rather than in the form of a checklist as you would for a cybersecurity audit.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and when needed.

Any cybersecurity service that doesn’t include both assessments will leave your institution exposed and more vulnerable to ransomware attacks. Vulnerability scans are like a photograph and show a snapshot in time, and that picture can change daily. Therefore, vulnerability scans should be provided continuously (e.g., daily, weekly or monthly).

2. Ask your cybersecurity partner…

…how they will assist in improving cyber hygiene in the form of patch management, to prevent ransomware attacks from having an access point into your network.

3. Hire a partner to help you create and routinely update your risk register in cooperation with your Board and Office of Risk Management.

Access control and governance issues must be scrutinized by all involved parties. Cybersecurity risk management is comparable to other forms of risk management and is therefore a Board-level issue. For example, did you know an institution can lose access to federal financial aid if it’s found to be out of compliance with national standards, such as National Institute of Standards and Technology (NIST) 800-171?

4. Find a partner who will assist your institution in creating your unique ransomware incident response playbook.

Think of this as your ransomware crisis plan. Off-the-shelf playbooks are fine for understanding concepts, but since your organization’s network architecture, data, and faculty requirements are unique, your institution needs a customized playbook handy should the need arise.

5. Ensure your vendor partner performs or arranges for an annual third-party penetration test.

This “pen test” includes scanning your network for weaknesses and, optionally, attempting to exploit any vulnerabilities that can enable attackers to gain entry. This is critical as new vulnerabilities are discovered every day, and what was thought to be secure may no longer be.

6. An effective partner will audit your security controls against relevant cybersecurity frameworks…

…like TAC § 202 or NIST 800-53 R5, in addition to your state-specific frameworks that may govern data security. This is a regulatory environment that is constantly changing, and your partner should proactively provide you with compliance requirements and discrepancies.

7. Partner with cyber staff who routinely communicate with governmental and law enforcement agencies…

…to provide relevant alerts and trends to your CIO for remediation.

8. Every capable vendor should also be auditing your organization randomly…

…to confirm its compliance with your cybersecurity plan.

“Organizations face a clear and present danger, but the more salient truth is that boards and C-Suite leaders face a clear and present certainty since they bear liability for the failure.” Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Ray Rothrock, 2018.

Via the E&I Columbia Advisory Group (CAG) contract, CAG is available to assist your institution with cybersecurity services, audits, planning, and to help with your ransomware incident response playbook.

The Cybersecurity “Perfect Storm” of 2020

The year 2020 brought us all incredible challenges as we coped with the impact of COVID-19, and cybersecurity is no exception. 2020 created the “perfect storm” for cybersecurity when you consider how each of these trends has created enormous opportunity for cybercriminals:

We are all online more, even inexperienced users.

As students, staff, parents, and grandparents navigate networks, devices, passwords, and classroom experiences, there are many opportunities for security gaps. How are networks being accessed? How secure is the student’s computer? Who is using the computer at home? What network are they working on? Does each of these people know how to spot and react to a phishing attempt so that they don’t divulge sensitive information about themselves or their online work? Cybercriminals know that phishing works, and they prey on inexperienced or inattentive users.

Our networks have new vulnerabilities.

Working, schooling, and researching from home means accessing campus networks from home on a variety of user-owned devices, and the workarounds can leave institutions vulnerable to hacking.

The allure of student data is irresistible to cybercriminals.

Hackers have always sought student data because it provides a lifetime of opportunities to use, manipulate, sell, and otherwise profit from identity details. In this exposed environment, the prospects are increasing exponentially, and cybercriminals are taking advantage. Schools and colleges are more than twice as likely as the average organization to be hit by a business email compromise attack.

University research data is like catnip for hackers.

That cutting-edge research your institution is doing is stored online somewhere, and hackers know how valuable it is. Expect them to try to crack your cyber vault. If your research includes COVID-19 studies, you’re at the top of the target list.

People overreact to messages that reference COVID-19.

Phishing attempts, spoofing, and malicious download links trick many users with phrases like “New COVID-19 Protocols – click here to download” or “Update your account with COVID-19 acknowledgement.” Hackers and cybercriminals know we have heightened attention to such requests, and they prey upon our fears and desire to cooperate.

IT departments are busier than ever and budgets are tight.

With so many new users to support, hybrid classrooms to set up, devices to deploy and maintain, and new issues to resolve, it’s likely your IT staff is stretched thin, while your institution may have frozen or reduced IT budgets to cope with tuition revenue reductions.

So, what can your institution do to combat these threats?

  1. Prioritize IT helpdesk support to help users navigate their online world and set up safety protocols for themselves. If your IT team is stretched thin, consider an outsourced helpdesk that is white-labeled to appear as a seamless part of your IT team. At CAG, one of our support desks handles 515 tickets a week for a regional university, allowing IT staff to focus on other urgent, critical, or strategic projects.
  2. Conduct a cybersecurity vulnerability assessment so that you know exactly where your gaps are.
  3. Update your institution’s cyber risk register and prioritize accordingly.
  4. Consider the cost of a breach, and then consider the cost of hiring cybersecurity support. (Each breach can cost an institution tens of thousands to millions of dollars, in addition to reputational damage.)
  5. Educate your community on cyber hygiene. This is a never-ending battle. CAG’s virtual CISOs can assist with strategies to help your campus communities.

If your institution needs assistance with your cybersecurity strategy, assessment, remediation, or a virtual CISO, please contact us here.

Learn more about E&I’s Columbia Advisory Group contract and get started today.

CAG clients rank in top tier for COVID-readiness

The Dallas Business Journal recently published the rankings for COVID-related instructional readiness for Texas colleges and universities as ranked by the non-profit Educate to Career. This year, these national rankings indicate how robust the software and systems for distance learning are at each higher-education institution. Two of the Tier 1-ranked Texas institutions, Texas A&M University – Commerce and Texas Woman’s University, are Columbia Advisory Group IT service customers.

Six North Texas universities scored in the highest tier and two in the lowest tier on a ranking of how adaptable they are to life and learning during the COVID-19 crisis.

Educate to Career, a California-based education nonprofit, ranked four-year schools into tiers based on factors including in-classroom instruction, quality and experience with online learning and other factors.

To be in Tier 1, the highest group, schools had to be able to deliver their full curricula online and in-classroom and have a minimum of three years of experience in delivering online curricula. Educate to Career also weighed each school’s tuition and fees.

The North Texas schools in Tier 1 were University of North Texas in Denton, Texas Woman’s University in Denton, the University of Texas at Arlington, Dallas Baptist University, Texas Wesleyan University in Fort Worth, and Texas A&M University-Commerce.

Other Tier 1 requirements include a physical campus for in-classroom instruction should health authorities allow colleges to open in September, robust software and systems to support distance learning programs, faculty experience in teaching online and reasonable tuitions and fees on a relative basis, according to the rankings.

Tier 2 universities have the systems required to deliver curriculum online and in-classroom. However, college faculty have less experience in delivering online curriculum than Tier 1 colleges.

In North Texas, Southern Methodist University and the University of Texas at Dallas (in Richardson) ranked in the second tier, according to Educate to Career.

No North Texas universities ranked in Tier 3, which is described as universities and colleges that “strongly emphasize in-classroom education over online teaching, and may not offer full curriculum online.”

Two North Texas schools ranked in Tier 4, described as colleges and universities that have “limited systems and experience in delivering online curriculum.”

Those were Texas Christian University and the University of Dallas in Irving.

Spokespeople for those two universities did not immediately respond to an email requesting comment about the rankings.