Edward Ko, CampusGuard: “a lack of compliance could mean nothing at all – until a data breach occurs”
While private businesses research and invest millions of dollars into the latest cybersecurity measures to avoid data breaches, organizations in other industry sectors still need to catch up.
Higher education, healthcare, and governmental institutions are just as (if not more) vulnerable to cyberthreats as other big companies. And if a cybercriminal succeeds at exploiting those vulnerabilities, it could lead to a data breach. Such attacks can cause an organization not only financial but also reputational damage.
That’s why various protection solutions, such as vulnerability scanners, compliance services, cybersecurity consulting, and many more, exist.
To learn more about such measures, Cybernews invited Edward Ko, the Director of Information Security Services at CampusGuard – a company that specializes in cybersecurity and compliance. We discussed the current state of cybersecurity in education, government, and healthcare institutions and what challenges they help these organizations solve.
With more than a decade in the business, what were your major milestones? How did the idea of CampusGuard come to life?
CampusGuard was founded in 2009 to work specifically with higher education, healthcare, state and local governments, and utilities/critical infrastructure organizations in the quest for cyber resilience. Throughout the past 12 years, we have grown to offer a wide range of service offerings to become the one-stop partner for all the cybersecurity, consulting, and support needs of our customers.
Prior to helping start CampusGuard in 2009, I worked in security operations at a large, public, land-grant university. During my time in security, we worked with a variety of name-brand consulting firms, but our experience was that none of them understood how higher education environments really operated — so much so that it seemed that we didn’t even speak the same language. Observations and recommendations from these consultants may have as well been communicated in hieroglyphics, and we had no Rosetta stone to interpret or apply their recommendations within our environments.
So after a long hard search for information security consultants who truly understood higher education environments, and finding none, the idea to become those consultants and provide meaningful help to these environments became our driving force. This led to the creation of CampusGuard.
Can you tell us a little bit about what you do? What challenges do you help navigate?
CampusGuard provides cybersecurity and compliance services to what we have defined as campus-based markets. These include higher education, healthcare, state, and local governments, and utilities/critical infrastructure. Every customer is assigned a dedicated Customer Relationship Manager (CRM) who oversees all of the service delivery, both through the initial assessment or project and throughout the entire lifecycle of the relationship with each customer. After the performance of the initial engagement, unlike many “consulting firms”, we remain engaged with each customer throughout the remediation phase, on a continuous basis. Having this CRM understand all of the customer’s needs, history and environment gives us an edge as we deliver our services.
With the majority of our staff coming from similar environments as our customers, we understand the challenges and struggles that our customers face on a daily basis. We know the types of solutions that work, and those that only look great on a piece of paper. By leveraging our understanding of the customers that we serve, we help bridge any knowledge gaps. We help categorize and prioritize the identified gaps by risk and likelihood and provide remediation tactics and services that are in line with how our customers operate.
What set of methods do you use to assess one’s state of cybersecurity?
For our Security Advisory practice, we largely use interviews and observations to assess the state of cybersecurity. Depending on the audience we’re talking to, we’ll adjust the style of questions to ensure that we’re getting the most complete and accurate answers. While cybersecurity has heavy implications on IT and related areas, the use of cyber is everywhere. With that in mind, we not only interview and observe the IT personnel but also the functional areas using the technologies and handling the data. And in these functional areas, we focus our conversations on the front-line staff — the ones that perform the day-to-day tasks, as they will be able to tell you what actually happens. They will demonstrate the procedures that they follow, and the ones they work creatively around to get the job done.
We’ll take the responses collected and map them back to a mutually agreed upon information security standard (e.g. NIST SP 800-171) and list any findings, potential remediation actions, and framework-specific references that are related to the cited finding.
Within our Offensive Security Services practice, we perform a wide range of Penetration Testing, Ethical Hacking, Red Teaming, Social Engineering, and Phishing exercises for our customers. In many cases, an engagement will include a combination of both Security Advisory Services and Offensive Security Services in order to assess the entire environment for a customer.
How did the pandemic change organizations’ perspectives on information security? Were there any new features added to your services as a result?
The world has seen a significant uptick in cyber-related incidents throughout this pandemic. And, many of them are being reported in the mainstream now, which has increased awareness of the threats and the need to be more vigilant and committed to good cybersecurity practices. More discussions are taking place now in the C-suite and at the board level of our customers and the higher-level exposure to the risks is better understood. This has led to more and larger engagements as more organizations begin to prioritize cybersecurity as a significant risk to their operations and their reputation.
From a tactical perspective, initially, the big concern was how to secure such a large and diverse footprint, but as we’ve all now worked with work-from-home and hybrid arrangements for almost 2 years, the “new normal” has become business as usual. Laptops, VPNs, BYOD, and IoT devices have taken a much more front-and-center position. They are now the entry points into our customer’s environment.
Pre-pandemic, we reserved performing remote security assessments to our smallest customers but in our socially-distanced environment today, we’ve shifted to performing the bulk of our engagements remotely, using a variety of teleconferencing platforms to help maintain the face-to-face nature of our engagements. This will continue to evolve over time and we continue to evaluate the best ways to deliver our services in an efficient and most effective manner.
What issues can an organization run into if it doesn’t have appropriate compliance certifications in place?
Depending on the sector, not having the appropriate compliance certifications could mean monetary fines, loss of ability to perform functions (e.g. process credit cards, obtain research grants, etc.), and loss of customer confidence. Also, depending on the reporting agency, a lack of compliance could mean nothing at all - until a data breach occurs.
But, don’t take the above statements at face value. In information security circles, we like to say that “compliance does not equal security and security does not equal compliance.” With that in mind, compliance should not be the sole measuring stick. Organizations should strive to have a great information security foundation built on sound principles and best practices. This foundation should lead to an easier path to compliance with whatever framework that you are being measured against. In all cases, while compliance may be the thing that is measured, the real goal is keeping data safe and not having a data breach. This is what all organizations should be striving for.
What vulnerabilities do you run into most often in campus-based organizations?
Unlike other market verticals, in campus-based organizations, we see very good employee retention rates. While this is great for continuity, it leads to one of the biggest gaps for any program, a lack of documented policies and procedures. Because long-time employees know the process backward and forward, the documentation of that process is largely never done. Also, while we’re talking about long-term use, we see equipment at or past their end-of-life (i.e. end-of-support) still being used (either as a cost-saving strategy or because there is no modern replacement available for that niche service).
Beyond policies, procedures, and equipment, there are a significant number of additional vulnerabilities that we uncover quite frequently. Some of the most common that can be easily rectified are poor password management, lack of deployment of Multi-Factor Authentication, lack of continuous education such as Information Security Awareness, Phishing, and overall viewing cybersecurity in a bubble instead of as Business as Usual.
Why do you think certain industry sectors struggle to keep their cybersecurity up to date?
The speed at which the bad actors adapt and change tactics make staying up to date more than a full-time job. Keeping up with cyber-criminals always feels like you’re playing catch-up. With resources (e.g. monetary, human, technological) being scarce, it’s easy to see how quickly you can fall behind. But, as previously indicated, the increased awareness of the cyber threats that exist, and the costs associated with a breach at the C-suite and board level are now contributing to a much broader dialogue within our customers to proactively review, establish and maintain good cyber hygiene across their enterprises.
Talking about average individuals, what cybersecurity measures do you think everyone should have installed?
Host-based firewalls and antivirus/antimalware protections as a bare minimum. But beyond what needs to be installed, there’s a component that I think is more adaptive and better than any piece of software when it comes to enhancing information security - training. And not just “check-the-box” training. Real, quality, foundational information security training that is easily digestible and taken by every user.
Share with us, what’s next for CampusGuard?
CampusGuard will continue our mission to be the premier provider of cybersecurity and compliance services for our chosen markets. By bringing solid technical and business domain knowledge to our customers, we will continue to deliver tremendous value in every engagement. We continue to invest heavily in developing our CampusGuard Central® customer portal, our customer training library of products, and the training and development of our CampusGuardian team members. Although we will continue to grow and adapt to an ever-changing threat landscape in the world around us, we will not vary from who we are: A customer-focused, high-quality services organization.