Tag: Press Release

Ransomware attacks are ever-increasing globally. Here’s how to evaluate your cyber security partners and be resilient, when preparing for the worst.

Colonial Pipeline, Kaseya, Solar Winds, Microsoft… the list goes on and on. In the past 12 months alone, more than one third of all organizations globally have faced some type of ransomware incident, according to a recent survey by research firm IDC.

The ransomware industry has evolved in sophistication. Malicious actors even subscribe to Ransomware as a Service (RaaS), whereby criminal organizations lease ransomware variants the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors, lacking these skills or time, to easily develop their own ransomware variants that can be up and running quickly and affordably. Such RaaS kits are easy to find on the dark web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000.

A threat actor doesn’t need every attack to be successful in order to become rich. RaaS is big business, with total ransomware revenues in 2020 of around $20 billion—up from $11.5 billion in 2019.

Clearly, ransomware incidents are not going away any time soon. In fact, they are accelerating. It is vital to create a digitally resilient institution that can absorb the impact yet not be crippled by the attack, in order to recover quickly without significantly impacting students, faculty, and research. Digital resilience represents the ability to continue to operate through an impairment and stay in business while minimizing institutional harm, reputational damage, and financial loss.

Resilient organizations:

• know their networks and data
• set targets, measurements, and goals for cybersecurity
• employ best practices in change management
• prioritize risks and intelligence for better decision-making
• respond rapidly to incidents while maintaining operational readiness, reducing the risk of data loss, and preventing additional harm

Given this “new normal,” what attributes should you consider when selecting a partner to help you minimize your risk and create a ransomware playbook to maintain resilience?

Not all cybersecurity services are created equal. Consider this checklist as one way to evaluate cybersecurity partners:

1. As the old adage says, “You cannot determine where you are going until you know where you are.”

Select a partner that is able to baseline and assess your current information security program. Typically, reputable cybersecurity services begin with a detailed policy assessment AND vulnerability assessment. What do we mean by that? A policy assessment analyzes your organization’s cybersecurity controls and its ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s objectives, rather than in the form of a checklist as you would for a cybersecurity audit.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and when needed.

Any cybersecurity service that doesn’t include both assessments will leave your institution exposed and more vulnerable to ransomware attacks. Vulnerability scans are like a photograph and show a snapshot in time, and that picture can change daily. Therefore, vulnerability scans should be provided continuously (e.g., daily, weekly or monthly).

2. Ask your cybersecurity partner…

…how they will assist in improving cyber hygiene in the form of patch management, to prevent ransomware attacks from having an access point into your network.

3. Hire a partner to help you create and routinely update your risk register in cooperation with your Board and Office of Risk Management.

Access control and governance issues must be scrutinized by all involved parties. Cybersecurity risk management is comparable to other forms of risk management and is therefore a Board-level issue. For example, did you know an institution can lose access to federal financial aid if it’s found to be out of compliance with national standards, such as National Institute of Standards and Technology (NIST) 800-171?

4. Find a partner who will assist your institution in creating your unique ransomware incident response playbook.

Think of this as your ransomware crisis plan. Off-the-shelf playbooks are fine for understanding concepts, but since your organization’s network architecture, data, and faculty requirements are unique, your institution needs a customized playbook handy should the need arise.

5. Ensure your vendor partner performs or arranges for an annual third-party penetration test.

This “pen test” includes scanning your network for weaknesses and, optionally, attempting to exploit any vulnerabilities that can enable attackers to gain entry. This is critical as new vulnerabilities are discovered every day, and what was thought to be secure may no longer be.

6. An effective partner will audit your security controls against relevant cybersecurity frameworks…

…like TAC § 202 or NIST 800-53 R5, in addition to your state-specific frameworks that may govern data security. This is a regulatory environment that is constantly changing, and your partner should proactively provide you with compliance requirements and discrepancies.

7. Partner with cyber staff who routinely communicate with governmental and law enforcement agencies…

…to provide relevant alerts and trends to your CIO for remediation.

8. Every capable vendor should also be auditing your organization randomly…

…to confirm its compliance with your cybersecurity plan.

“Organizations face a clear and present danger, but the more salient truth is that boards and C-Suite leaders face a clear and present certainty since they bear liability for the failure.” Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Ray Rothrock, 2018.

Via the E&I Columbia Advisory Group (CAG) contract, CAG is available to assist your institution with cybersecurity services, audits, planning, and to help with your ransomware incident response playbook.

The year 2020 brought us all incredible challenges as we coped with the impact of COVID-19, and cybersecurity is no exception. 2020 created the “perfect storm” for cybersecurity when you consider how each of these trends has created enormous opportunity for cybercriminals:

We are all online more, even inexperienced users.

As students, staff, parents, and grandparents navigate networks, devices, passwords, and classroom experiences, there are many opportunities for security gaps. How are networks being accessed? How secure is the student’s computer? Who is using the computer at home? What network are they working on? Do each of these people know how to spot and react to a phishing attempt so that they don’t divulge sensitive information about themselves or their online work? Cybercriminals know that phishing works, and they prey on inexperienced or inattentive users.

Our networks have new vulnerabilities.

Working, schooling, and researching from home means accessing campus networks from home on a variety of user-owned devices, and the workarounds can leave institutions vulnerable to hacking.

The allure of student data is irresistible to cybercriminals.

Hackers have always sought student data because it provides a lifetime of opportunities to use, manipulate, sell, and otherwise profit from identity details. In this exposed environment, the prospects are increasing exponentially, and cybercriminals are taking advantage. Schools and colleges are more than twice as likely as the average organization to be hit by a business email compromise attack.

University research data is like catnip for hackers.

That cutting-edge research your institution is doing is stored online somewhere, and hackers know how valuable it is. Expect them to try to crack your cyber vault. If your research includes COVID-19 studies, you’re at the top of the target list.

People overreact to messages that reference COVID-19.

Phishing attempts, spoofing, and malicious download links trick many users with phrases like “New COVID-19 Protocols – click here to download” or “Update your account with COVID-19 acknowledgement.” Hackers and cybercriminals know we have heightened attention to such requests, and they prey upon our fears and desire to cooperate.

IT departments are busier than ever and budgets are tight.

With so many new users to support, hybrid classrooms to set up, devices to deploy and maintain, and new issues to resolve, it’s likely your IT staff is stretched thin, while your institution may have frozen or reduced IT budgets to cope with tuition revenue reductions.

So, what can your institution do to combat these threats?

1. Prioritize IT helpdesk support to help users navigate their online world and set up safety protocols for themselves. If your IT team is stretched thin, consider an outsourced helpdesk that is white-labeled to appear as a seamless part of your IT team. At CAG, one of our support desks handles 515 tickets a week for a regional university, allowing IT staff to focus on other urgent, critical, or strategic projects.
2. Conduct a cybersecurity vulnerability assessment so that you know exactly where your gaps are.
3. Update your institution’s cyber risk register and prioritize accordingly.
4. Consider the cost of a breach, and then consider the cost of hiring cybersecurity support. (Each breach can cost an institution tens of thousands to millions of dollars, in addition to reputational damage.)
5. Educate your community on cyber hygiene. This is a never-ending battle. CAG’s virtual CISOs can assist with strategies to help your campus communities.

If your institution needs assistance with your cybersecurity strategy, assessment, remediation, or a virtual CISO, please contact us here.

Learn more about E&I’s Columbia Advisory Group contract and get started today.

The Dallas Business Journal recently published the rankings for COVID-related instructional readiness for Texas colleges and universities as ranked by the non-profit Educate to Career. This year, these national rankings indicate how robust the software and systems for distance learning are at each higher-education institution. Two of the Tier 1-ranked Texas institutions, Texas A&M University – Commerce and Texas Woman’s University, are Columbia Advisory Group IT service customers.

Six North Texas universities scored in the highest tier and two in the lowest tier on a ranking of how adaptable they are to life and learning during the COVID-19 crisis.

Educate to Career, a California-based education nonprofit, ranked four-year schools into tiers based on factors including in-classroom instruction, quality and experience with online learning and other factors.

To be in Tier 1, the highest group, schools had to be able to deliver their full curricula online and in-classroom and have a minimum of three years of experience in delivering online curricula. Educate to Career also weighed each school’s tuition and fees.

The North Texas schools in Tier 1 were University of North Texas in Denton, Texas Woman’s University in Denton, the University of Texas at Arlington, Dallas Baptist University, Texas Wesleyan University in Fort Worth, and Texas A&M University-Commerce.

Other Tier 1 requirements include a physical campus for in-classroom instruction should health authorities allow colleges to open in September, robust software and systems to support distance learning programs, faculty experience in teaching online and reasonable tuitions and fees on a relative basis, according to the rankings.

Tier 2 universities have the systems required to deliver curriculum online and in-classroom. However, college faculty have less experience in delivering online curriculum than Tier 1 colleges.

In North Texas, Southern Methodist University and the University of Texas at Dallas (in Richardson) ranked in the second tier, according to Educate to Career.

No North Texas universities ranked in Tier 3, which is described as universities and colleges that “strongly emphasize in-classroom education over online teaching, and may not offer full curriculum online.”

Two North Texas schools ranked in Tier 4, described as colleges and universities that have “limited systems and experience in delivering online curriculum.”

Those were Texas Christian University and the University of Dallas in Irving.

Spokespeople for those two universities did not immediately respond to an email requesting comment about the rankings.

Improving Student Services and Recruitment through Enhanced ERP, SIS and CRM Integration

As higher education institutions strive to maximize actionable insights and student services across existing data pools, the need for complex data integrations continues to grow. When multiple campuses collaborate with curriculum and enrollment processes, the need for systems integration becomes even more critical.

As an IT provider to educational institutions across the country, our Enterprise Resource Planning (ERP) and Student Information System (SIS) teams are seeing increased interest in strategic enrollment partnerships, especially within college and university systems and community college districts. These partnerships require data clearinghouses to allow shared entities to recruit, enroll, receive tuition payments, advise students, and view student grades and course schedules at a central location for access by multiple higher education institutions, and despite variations in the software used at each member institution.

An excellent recent example is the RELLIS campus of the Texas A&M University System. The campus was created to feature high-tech, high-impact research facilities for technology development, testing and commercialization. The campus also features a collaborative education complex which offers multiple academic degrees from many universities within the A&M System as well as from Blinn College campuses, and offers opportunities for workforce skills training to the surrounding communities. CAG’s ERP specialist team was engaged to create a recruiting and candidate tracking system along with a complex data clearinghouse to facilitate enrollment and tuition payments across 10 colleges and universities.

“CAG’s team of IT experts are accustomed to the aggressive timelines and rigorous and evolving demands that an innovative project of this type will naturally entail. Their higher-ed focused IT services team will enable us to move quickly to provide integrated service to both our students and our member campuses,” said Mark Stone, Chief Information Officer for the Texas A&M University System.

In cooperation with leaders from each campus, the CAG team created data feeds from each institution that aggregate in Salesforce to allow students to take courses from any of their universities. The Salesforce CRM front-end allows RELLIS recruiting and marketing staff to drive student enrollment while back-end data feeds are unique to each institution due to disparate Student Information Systems at each university. This allows advisors to manage data from these universities and enter advisory notes that are pushed back to the system of record for each student. To achieve student authentication, CAG also integrated “single sign-on” for the institutions.

It was important to the Texas A&M University System to improve student service by simplifying the tuition payment process. The data solution CAG created allows payments to be made to the central location at RELLIS, and agreed revenue splits are subsequently sent to each institution. The clearinghouse gives students a single system login to view their course schedules and grades, thereby creating a seamless student experience.

For more information or a consultation on your data integration projects, please contact info@columbiaadvisory.com.

Cyber Criminals Conducting Successful Spearphishing Campaigns Against Students at Multiple College and Universities

Tips to share with students

By David Maxwell, Chief Information Security Officer & Director of the Information Security Practice at Columbia Advisory Group

The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. The Department of Education identified a similar spearphishing campaign targeting multiple Universities. In this attack, the cybercriminals sent spearphishing emails requesting students’ login credentials for the University. The email invited them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, cybercriminals changed the students’ direct deposit destinations to bank accounts.

Protecting Yourself

For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack. Here are the most common ones:

• It is becoming much easier for cybercriminals today to find or purchase personal information so expect more personalized scams.
• The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account. The attacker wants to rush you into making a mistake without thinking.
• You receive an email with an attachment that you were not expecting or the email entices you to open the attachment. Examples include an email saying it has an attachment with details of Financial Aid or a letter from the IRS saying you are being prosecuted.
• The email requests highly sensitive information, such as your credit card number or password.
• The email says it comes from an official organization or uses a personal email address like @gmail.com, @yahoo.com or @hotmail.com.
• The link looks odd or not official. One tip is to hover your mouse cursor over the link until a pop-up shows you where that link really takes you. If the link in the email doesn’t match the pop-up destination, don’t click it. On mobile devices, holding down your finger on a link gets the same pop-up.
• You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.

If you believe an email or message is a phishing attack, simply delete it or send it as an attachment to Email@Domain.edu. Ultimately, common sense is your best defense.

Do you need help managing cybersecurity at your educational institution? Contact one of our experts about cybersecurity assessments and fractional ISO services. 

In conversation with Steve Erwin: Trends and Challenges for IT security in education
Our own Steve Erwin, Senior Vice President & Chief Technology Officer talks about present day trends and challenges for IT security in Education with E&I Cooperative Services. Click here for detailed interview.

Read More: https://www.eandi.org/resources/ei-blog/supplier-spotlight-columbia-advisory-group/

DALLAS, Oct. 16, 2018 /PRNewswire/ — Effective September 21, 2018, Columbia Advisory Group (CAG) was certified for delivery of IT services under International Organization for Standardization

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations apply the standard to demonstrate their ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify.

“We are pleased to have achieved this certification to ISO 9001:2015 and believe it speaks to the culture of ‘Continuous Improvement’ here at CAG,” states CAG Quality, Risk and Compliance Director Lori DeMello. “We are focused on exceeding our customer’s expectations in all areas and this certification speaks to that ongoing commitment.”

CAG Chief Technology Officer Steve Erwin explains what the certification will do for CAG and its customers: “ISO standards and processes make it easier to share technological advances and good management practices as well as to disseminate innovation. The widespread adoption of International Standards means that we can develop and offer services meeting specifications that have broad international acceptance in their sectors, allowing us to supply customers in many markets around the world.”

About ISO 9001:2015

ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015.

About Columbia Advisory Group

Columbia Advisory Group (CAG) is a highly experienced Information Technology (IT) consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com

COMMERCE, Texas, Jan. 9, 2018 /PRNewswire/ — On December 1st, the College of Business at Texas A&M University-Commerce recognized the Information Technology (IT) Managed Services firm Columbia Advisory Group (CAG) for sponsoring a new internship program. The program pairs graduate students from Computer Science and Business Analytics to solve real-world problems while working at CAG.

Chris Frost, Director of Student Information Systems for CAG at A&M-Commerce, explained that the program grew naturally from the Graduate Assistant program that he revamped for the school and created an opportunity for students to earn college credit and gain work experience on a new Document Management System rollout.

“This has been, and continues to be, one of the highlights of working with A&M-Commerce. The students brought their creativity and curiosity to the guided internship project at CAG. We achieved superior results on real-world projects while helping students gain an edge as they prepare to enter an ultra-competitive job market,” Frost explained. “Bringing together the knowledge of two leading University departments was a win-win-win for A&M-Commerce, their students and Columbia Advisory Group.”

Students who are pursuing a Master of Science degree in Computer Information Systems or a Master of Computational Science degree competed for the internship opportunity by submitting resumes and participating in interviews. “The practical skills honed by competing for a job are lessons in and of themselves, and the internship provided invaluable career insight,” noted Dr. Sang Suh, Computer Science Department Head.

Across campus, Dr. Chris Myers, Marketing and Business Analytics Department Head, said that the cross-disciplinary nature of the student internship team allowed them to “cross-pollinate ideas and strategies to solve problems more effectively, while enriching their academic experience. Employers increasingly seek practical experience and business acumen within technical teams, so these interns are well-prepared.”

As an IT consulting partner with various colleges and universities, Columbia Advisory Group has led on-campus projects for numerous higher-education campuses. As they pointed out during a recent on-campus recognition banquet, they’ve hired several students who participated in their programs after graduation from college. David McLaughlin, President and CEO of Columbia Advisory Group, said, “the chance to hire proven performers and Texas A&M Commerce grads to work for us is a unique opportunity we couldn’t pass up.”

About Columbia Advisory Group

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. An established and proven company with 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com

About Texas A&M University-Commerce

Founded in 1889, Texas A&M University-Commerce is a member of The Texas A&M UniversitySystem. Located in Northeast Texas, A&M-Commerce is home to more than 12,000 students, four academic colleges, a thriving graduate school, and more than 140-degree programs. As the region’s focal point of higher education, A&M-Commerce offers students facilities ranging from the world-class Keith D. McFarland Science Building and University Planetarium to the Sam Rayburn Student Center, to a fully equipped recreational facility and music hall. The university also has convenient locations in Corsicana, downtown Dallas, Midlothian, McKinney, Mesquite, and Rockwall.

About the A&M System

The Texas A&M University System is one of the largest systems of higher education in the nation, with a budget of $4.2 billion. Through a statewide network of 11 universities and seven state agencies, the Texas A&M System educates more than 150,000 students and makes more than 22 million additional educational contacts through service and outreach programs each year. System-wide, research and development expenditures exceeded $946 million in FY 2015 and helped drive the state’s economy.