Cybersecurity Archives

Why is it a good idea for Higher Education to outsource its Cybersecurity Framework Assessments and consider hiring a fractional vCISO

Posted on January 3, 2023March 14, 2023 by Brad Hudson

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. Cybersecurity Framework Assessments, such as NIST Cybersecurity Framework, HIPAA, GDPR, etc., are a comprehensive set of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted unbiasedly and objectively. In organizations that perform internal assessments, the risk of bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed unbiasedly and objectively, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing, and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted unbiased and objectively, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Microsoft Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Posted on December 20, 2022March 14, 2023 by Brad Hudson

Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote). Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues.

Known issues

ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by a security policy.”

Brad Hudson

VP of Cyber Security | vCISO
CISSP,CCSP,CCNP,MCSA,MCITP:EA,SA

Cybercrime Expected To Skyrocket in Coming Years

Posted on December 2, 2022March 14, 2023 by Lori DeMello

Early today Statista’ published the following post Chart: Cybercrime Expected To Skyrocket in Coming Years | Statista. According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercrime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. ”As more and more people turn online, whether, for work or their personal lives, there are more potential opportunities for cybercriminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber-attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing.”

Source: Statista Technology Market Outlook, National Cyber Security Organizations, FBI, IMF

One of the largest hurdles for cyber-security compliance is to develop and document a security program plan and measure that plan as it complies with a specific framework. Accomplishing this is our niche at Columbia Advisory Group. We have developed an approach where we document your current Security Program (what you have in place), assess your current state (define current maturity level), and then define a Plan (roadmap for the future). The best place to start is to perform vulnerability scanning and address weaknesses before they are exploited. We then evaluate current policies and procedures and recommend remediation and improvement. We can provide a Risk Register which is a tool utilized to track identified Information Technology Security risks and define potential solutions. We provide many services that help an organization achieve compliance with a variety of security frameworks (CSF, CMMC, NIST 800-52, TAC 202) or prepare for certification (SOC 2 Type 2, ISO 27001, PCI). We can also help an organization write many policies and procedures required for compliance.

About the Author:
Lori DeMello is Columbia Advisory’s Director of Risk and Compliance. Lori is an expert in areas of Risk Management, Compliance, Security, Regulatory Reviews, Security Assessments, Audit Preparation and Response, Security Services, Continuity of Operations Planning, Risk Assessments, Risk Management Planning, Disaster Recovery, and Change Management. Lead efforts in creating and maintaining critical process documentation for CAG internal and customers. She has 25 years of IT experience with Certifications in PMP, ITILv2 and ITiLv3.

Columbia Advisory Group Expands Availability of its Services via TIPS-USA Contract

Posted on August 29, 2022December 14, 2022 by Haley Rose

IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to increased IT needs and tightening budgets.

— David McLaughlin, President and CEO, Columbia Advisory Group Tweet

DALLAS, TEXAS, UNITED STATES, August 29, 2022/EINPresswire.com/ — Columbia Advisory Group (CAG), the leading IT managed services and cybersecurity provider to public and private sector organizations, today announced the availability of its industry-leading services on The Interlocal Purchasing System (TIPS-USA).

The TIPS Program evolved to help streamline the procurement process and expedite purchases. As a co-op, both awarded technology vendors and public sector members – which include K-12 and private schools, colleges, universities, cities, counties, non-profits, and other government entities – can accelerate business transactions by requirements up-front.

Leveraging the TIPS-USA contract, higher-education and other government buyers can realize significant cost savings by reducing the overall time and expense of a cumbersome bid process. Because TIPS provides access to high-performance vendors, agencies can also achieve quick and efficient delivery of goods and services, particularly when it comes to cybersecurity and other IT services. In addition, TIPS provides access to state-of-the-art purchasing procedures to provide competitive contracts, bulk purchasing, and other efficiencies. For these reasons, TIPS has become a preferred purchasing vehicle for state and local entities.

The Interlocal Purchasing System currently serves entities such as state and local governments and non-profit organizations, including but not limited to K-12 school districts, Charter Schools, Colleges and Universities (State and Private), Cities/Municipalities, Counties/Parishes, State Agencies, Emergency Services Districts and Non-profit organizations as defined by the Internal Revenue Service, as well as many other entities with legislated purchasing/bidding requirements. TIPS-USA membership is free.

Now, with the addition of the CAG the TIPS-USA contract, members can realize digital transformation with a best-in-class IT services firm designed for public sector frameworks. CAG is trusted by multiple higher-education, government institutions, state agencies and school districts to manage their IT environments via cybersecurity services, digital optimization, and IT innovation.

“Our public sector clients appreciate the ability to secure our services via vetted contracts like that of TIPS-USA,” explains David McLaughlin, President and CEO of Columbia Advisory Group. “TIPS-USA will help our clients to move swiftly when they discover a need within their organization for our IT expertise. In today’s business age, IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to twin dynamics of increased IT needs and tightening budgets.”

For more than 10 years, CAG has helped leading public agencies to improve their cybersecurity postures and to improve their IT environment through managed service. CAG provides access to specialized practice teams, including cybersecurity, application support, IT governance, IT due diligence, project management, IT infrastructure and comprehensive audio-visual services.

To learn more about purchasing from CAG on the TIPS-USA contract, contact CAG.
About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity and A/V Services. CAG improves business outcomes with IT insights and expert technology support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

Posted on June 14, 2022December 14, 2022 by Haley Rose

"In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

— David McLaughlin, President and CEO, Columbia Advisory Group Tweet

DALLAS, TEXAS, UNITED STATES, June 13, 2022 /EINPresswire.com/ — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode will allow clients to one-stop-shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must simultaneously upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise to understand, contain and prevent them. This capability requires increasingly scarce competent cybersecurity leadership and specialized, virtual Security Operations Center (vSOC) services that can investigate problems in real-time and provide visibility across the enterprise of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from our expert Extended Detection and Response capabilities. Offices in the Americas and Europe. Learn more at Abacode.com or connect with us at insight@abacode.com

Log4J: Neutralizing the latest global cybersecurity threat

Posted on February 15, 2022December 14, 2022 by Brad Hudson

Every day we see news about cybersecurity attacks, exploits, and hacks to the point that we are relatively immune to what feels like sensationalized news about the latest and most devastating threat no matter how legitimately concerned we should be.
And on December 6th when we were getting ready to go to the office holiday party and a weekend of shopping, the world was read-in on a significant security vulnerability known as LogJ4.

What is Log4J?

Log4J is a widely used open-source Java code library from the Apache Software Foundation used by many servers across the world to record a log of activity and send it to a centralized server. It is integrated into thousands of software applications, services, and systems, and websites from Fortune 100 firms down to small providers.

What is the new vulnerability?

It was discovered that some common versions of Log4J are vulnerable to being forced to execute code via specially crafted URLs (web address) that pass through the logs. This address passes through the system and is used to download and execute code that can provide remote access to the machine or perform other malicious tasks. Having information pass through the logs can be done from a chat, submitting an online form, sending an email that is processed by a system that uses Log4J to log emails, or any other means in which data enters the logs, effectively allowing someone with nefarious intentions to see sensitive user data, install malware and spyware, or even take over machines for nefarious purposes.

How widespread is this?

As noted on Wired.com, Twitter users have experimented with changing their display names to trigger the vulnerability, users in the game Minecraft triggered it through the in-game chat, and an iPhone user changed their device name to trigger the vulnerability (and did notify Apple). Cloud service providers, such as Cloudflare, rolled up temporary fixes for their customers while heavily used systems from companies such as VMWare, Oracle, Adobe, RedHat, and others have worked to update to the latest release of Log4j released by Apache that addresses the remote code execution vulnerability and downgrading the risk to moderate.

What do I need to do?

Your institution’s IT departments and security teams should be assessing their catalog of systems and software that use Apache with Java libraries to determine which systems may be vulnerable. Initial focus should be on public-facing systems, most likely to be ERP and SIS systems used by the institution. They should also be working with those vendors on obtaining patches and scheduling updates to the systems as soon as practical.

In addition, it is important to make sure that faculty, staff and students are aware of the exploit and how it can impact their personal BYOD (Bring Your Own Device) devices such as iPhones and share best practices such as using 2-Factor Authentication and keeping their devices up to date with the latest security patches.

If your IT department and security teams are unsure of a system’s potential vulnerability, they should check with the vendor to validate those systems have the latest security patches. If your institution does not have a security team, check with your managed security services provider. If you do not have a managed security service provider, reach out to Columbia Advisory Group as part of E&I contract CNR01469 to engage our team of experts to ensure your institution adheres to appropriate NIST standards and can manage, detect and respond to Log4j and other threats.

Summary

The Log4J vulnerability has been patched by Apache with the introduction of Log4j 2.17.1, yet the threat is being actively exploited across the globe and still poses one of the largest security threats to date. The National Institute of Standards and Technology (NIST) that maintains a database of vulnerabilities has listed this at its highest severity classification. Due to the widespread use of the open-source Log4J application by vendors from small software applications to large enterprise systems and cloud services, there is a high-likelihood most organizations will have some risk to mitigate.

While the risk associated with Log4J has concrete solutions, the next cyber exploit will present a danger to your university’s operations.

CMMC: What It Is and Why It Is Important

Posted on October 28, 2021December 14, 2022 by John D'Annunzio

The Cybersecurity Maturity Model Certification (CMMC) is a security framework implemented by the US Department of Defense (DoD) to improve protection of the defense industrial base. Like other security frameworks, the CMMC has a collection of controls for processes and practices with the goal of achieving a certain level of cybersecurity maturity. The main purpose of the CMMC is to provide assurance to the DoD that a company holding federal contracts has the appropriate measures in place to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and to account for how that information flows. It’s also a powerful framework that can apply to anyone looking to boost their security posture.

If the University uses Federal funds for research with the Department of Defense, you may want to consider CMMC certification. CAG can help with a pre-assessment to ensure the University passes the certification.

CMMC is a scalable framework, so dependent upon the sensitivity of data involved, a federal contract will require specific CMMC controls be in place. Currently, the CMMC has five levels. The higher the level, the more controls required. And because they are cumulative, CMMC Level 3 would demand implementing everything in the preceding two as well.

CMMC Level 1: Basic cyberhygiene—focused on safeguarding Federal Contract Information (FCI)
CMMC Level 2: Intermediate cyberhygiene—serve as a transition step in cybersecurity maturity
CMMC Level 3: Good cyberhygiene—protect Controlled Unclassified Information (CUI)
CMMC Level 4: Proactive—protect CUI and reduce risk of advanced persistent threats (APTs)
CMMC Level 5: Advanced/progressive—protect CUI and reduce risk of APTs

How Is CMMC different from other security frameworks?

The biggest difference is that it does away with self-attestation. With standards like NIST 800-171, you could self-attest you were following the appropriate controls and standards and win a federal contract. CMMC changes this by requiring that anyone seeking a federal contract with the DoD must receive certification from an approved CMMC third-party assessment organization (C3PAO).

You can easily perform self-assessments by leveraging resources made available by the Office of the Under Secretary of Defense for Acquisition & Sustainment. However, you will still need to engage a C3PAO to receive CMMC certification of the appropriate level to win a federal contract. During the audit by a C3PAO, they should be able to help identify any gaps that will prevent receiving certification. If you or your research entities are subject to CMMC, engaging with a C3PAO is going to be inescapable. The earlier you start, the more flexibility you will have in implementing any recommendations.

There is currently a grace period to allow CMMC to become fully implemented, but in the future federal DoD contracts will not be awarded without the appropriate certification.

Why is CMMC important to universities?

For Universities, CMMC is no different than any other set of standards or frameworks—it contains an established baseline of best practices, and controls and processes that must be implemented. In fact, most of the controls in CMMC are mapped directly to NIST 800-171. So, if you have already been building your cyber program around NIST 800-53 and NIST 800-171, you should look at CMMC as an opportunity to help you stand apart.

For Universities that have not traditionally implemented NIST or other security frameworks because it wasn’t a requirement for your stakeholders, this is an opportunity to own risk and reap the rewards. If you decided to implement the controls within CMMC Level 3—even if you don’t receive certification—you will have a more mature cybersecurity posture, a larger portfolio of services you can offer within your research, and improved scalability.

If you have made it this far and think CMMC doesn’t apply to you since you don’t support these types of projects, you may be interested to know that CMMC has the potential to work down the hierarchy from federal to state and local governments. When NIST 800-53 was originally released in 2005 as recommended security controls for federal information systems, it was intended for federal information systems. In August 2017, federal was removed to indicate that it may be applied to any organization. Many state governments, local municipalities, insurance providers, and public and private entities of all types have required NIST 800-53 controls and processes be followed for years.

One day, CMMC, or an evolution of it, may be just as prevalent as NIST 800-53. With the heightened public awareness concerning the risk cybersecurity threats pose, it’s likely we may eventually see self-attestation as a relic of the past.

CAG Performs Policy Assessments and Controls alignments according to the following standards

Gramm–Leach–Bliley Act (GLBA)
NIST 800-171
NIST 800-53
PCI Compliance
HIPAA
FERPA
TAC 202 or other state standards

If you would like to learn more about how CAG can advance your organization’s cyber security maturity, please contact info@columbiaadvisory.com.

ABOUT CAG:

CAG is a highly experienced IT consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit columbiaadvisory.com

Ransomware Incident Response Planning

Posted on September 28, 2021March 29, 2023 by Haley Rose

Ransomware attacks are ever-increasing globally. Here’s how to evaluate your cyber security partners and be resilient, when preparing for the worst.

Colonial Pipeline, Kaseya, Solar Winds, Microsoft… the list goes on and on. In the past 12 months alone, more than one third of all organizations globally have faced some type of ransomware incident, according to a recent survey by research firm IDC.

The ransomware industry has evolved in sophistication. Malicious actors even subscribe to Ransomware as a Service (RaaS), whereby criminal organizations lease ransomware variants the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors, lacking these skills or time, to easily develop their own ransomware variants that can be up and running quickly and affordably. Such RaaS kits are easy to find on the dark web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000.

A threat actor doesn’t need every attack to be successful in order to become rich. RaaS is big business, with total ransomware revenues in 2020 of around $20 billion—up from $11.5 billion in 2019.

Clearly, ransomware incidents are not going away any time soon. In fact, they are accelerating. It is vital to create a digitally resilient institution that can absorb the impact yet not be crippled by the attack, in order to recover quickly without significantly impacting students, faculty, and research. Digital resilience represents the ability to continue to operate through an impairment and stay in business while minimizing institutional harm, reputational damage, and financial loss.

Resilient organizations:

know their networks and data
set targets, measurements, and goals for cybersecurity
employ best practices in change management
prioritize risks and intelligence for better decision-making
respond rapidly to incidents while maintaining operational readiness, reducing the risk of data loss, and preventing additional harm

Given this “new normal,” what attributes should you consider when selecting a partner to help you minimize your risk and create a ransomware playbook to maintain resilience?

Not all cybersecurity services are created equal. Consider this checklist as one way to evaluate cybersecurity partners:

1. As the old adage says, “You cannot determine where you are going until you know where you are.”

Select a partner that is able to baseline and assess your current information security program. Typically, reputable cybersecurity services begin with a detailed policy assessment AND vulnerability assessment. What do we mean by that? A policy assessment analyzes your organization’s cybersecurity controls and its ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s objectives, rather than in the form of a checklist as you would for a cybersecurity audit.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and when needed.

Any cybersecurity service that doesn’t include both assessments will leave your institution exposed and more vulnerable to ransomware attacks. Vulnerability scans are like a photograph and show a snapshot in time, and that picture can change daily. Therefore, vulnerability scans should be provided continuously (e.g., daily, weekly or monthly).

2. Ask your cybersecurity partner…

…how they will assist in improving cyber hygiene in the form of patch management, to prevent ransomware attacks from having an access point into your network.

3. Hire a partner to help you create and routinely update your risk register in cooperation with your Board and Office of Risk Management.

Access control and governance issues must be scrutinized by all involved parties. Cybersecurity risk management is comparable to other forms of risk management and is therefore a Board-level issue. For example, did you know an institution can lose access to federal financial aid if it’s found to be out of compliance with national standards, such as National Institute of Standards and Technology (NIST) 800-171?

4. Find a partner who will assist your institution in creating your unique ransomware incident response playbook.

Think of this as your ransomware crisis plan. Off-the-shelf playbooks are fine for understanding concepts, but since your organization’s network architecture, data, and faculty requirements are unique, your institution needs a customized playbook handy should the need arise.

5. Ensure your vendor partner performs or arranges for an annual third-party penetration test.

This “pen test” includes scanning your network for weaknesses and, optionally, attempting to exploit any vulnerabilities that can enable attackers to gain entry. This is critical as new vulnerabilities are discovered every day, and what was thought to be secure may no longer be.

6. An effective partner will audit your security controls against relevant cybersecurity frameworks…

…like TAC § 202 or NIST 800-53 R5, in addition to your state-specific frameworks that may govern data security. This is a regulatory environment that is constantly changing, and your partner should proactively provide you with compliance requirements and discrepancies.

7. Partner with cyber staff who routinely communicate with governmental and law enforcement agencies…

…to provide relevant alerts and trends to your CIO for remediation.

8. Every capable vendor should also be auditing your organization randomly…

…to confirm its compliance with your cybersecurity plan.

“Organizations face a clear and present danger, but the more salient truth is that boards and C-Suite leaders face a clear and present certainty since they bear liability for the failure.” Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Ray Rothrock, 2018.

Via the E&I Columbia Advisory Group (CAG) contract, CAG is available to assist your institution with cybersecurity services, audits, planning, and to help with your ransomware incident response playbook.

The Cybersecurity “Perfect Storm” of 2020

Posted on January 11, 2021March 29, 2023 by Haley Rose

The year 2020 brought us all incredible challenges as we coped with the impact of COVID-19, and cybersecurity is no exception. 2020 created the “perfect storm” for cybersecurity when you consider how each of these trends has created enormous opportunity for cybercriminals:

We are all online more, even inexperienced users.

As students, staff, parents, and grandparents navigate networks, devices, passwords, and classroom experiences, there are many opportunities for security gaps. How are networks being accessed? How secure is the student’s computer? Who is using the computer at home? What network are they working on? Do each of these people know how to spot and react to a phishing attempt so that they don’t divulge sensitive information about themselves or their online work? Cybercriminals know that phishing works, and they prey on inexperienced or inattentive users.

Our networks have new vulnerabilities.

Working, schooling, and researching from home means accessing campus networks from home on a variety of user-owned devices, and the workarounds can leave institutions vulnerable to hacking.

The allure of student data is irresistible to cybercriminals.

Hackers have always sought student data because it provides a lifetime of opportunities to use, manipulate, sell, and otherwise profit from identity details. In this exposed environment, the prospects are increasing exponentially, and cybercriminals are taking advantage. Schools and colleges are more than twice as likely as the average organization to be hit by a business email compromise attack.

University research data is like catnip for hackers.

That cutting-edge research your institution is doing is stored online somewhere, and hackers know how valuable it is. Expect them to try to crack your cyber vault. If your research includes COVID-19 studies, you’re at the top of the target list.

People overreact to messages that reference COVID-19.

Phishing attempts, spoofing, and malicious download links trick many users with phrases like “New COVID-19 Protocols – click here to download” or “Update your account with COVID-19 acknowledgement.” Hackers and cybercriminals know we have heightened attention to such requests, and they prey upon our fears and desire to cooperate.

IT departments are busier than ever and budgets are tight.

With so many new users to support, hybrid classrooms to set up, devices to deploy and maintain, and new issues to resolve, it’s likely your IT staff is stretched thin, while your institution may have frozen or reduced IT budgets to cope with tuition revenue reductions.

So, what can your institution do to combat these threats?

Prioritize IT helpdesk support to help users navigate their online world and set up safety protocols for themselves. If your IT team is stretched thin, consider an outsourced helpdesk that is white-labeled to appear as a seamless part of your IT team. At CAG, one of our support desks handles 515 tickets a week for a regional university, allowing IT staff to focus on other urgent, critical, or strategic projects.
Conduct a cybersecurity vulnerability assessment so that you know exactly where your gaps are.
Update your institution’s cyber risk register and prioritize accordingly.
Consider the cost of a breach, and then consider the cost of hiring cybersecurity support. (Each breach can cost an institution tens of thousands to millions of dollars, in addition to reputational damage.)
Educate your community on cyber hygiene. This is a never-ending battle. CAG’s virtual CISOs can assist with strategies to help your campus communities.

If your institution needs assistance with your cybersecurity strategy, assessment, remediation, or a virtual CISO, please contact us here.

Learn more about E&I’s Columbia Advisory Group contract and get started today.