Budgetary and resource constraints play a huge role in cyberattacks on smaller organizations. Amidst a strained global economy, many under-resourced organizations like non-profits, local governments, and hospitals struggle to keep their heads above water - they simply don't have the funds to invest in cybersecurity.
To make matters worse, cybercriminals see these organizations as easy prey. Although they may not be able to shell out for extortionate ransom demands as big businesses can, at the end of the day, data is data and is always worth something on the dark web. In many cases, smaller organizations offer cybercriminals a greater return on investment than their larger counterparts, as less time and fewer resources are required to launch a successful attack.
On a darker note, cybercriminals understand that under-resourced critical infrastructure organizations like hospitals are more likely to pay ransoms. With lives at stake, these organizations simply cannot afford to waste time. Paying the ransom is often the only option. In the most extreme cases, healthcare providers may even reach out to the central government to bankroll ransom payments, as happened with Change Healthcare earlier this year.
These issues underpin the importance of ensuring smaller organizations can protect themselves. Non-profits, small businesses, and local governments play a vital role in society and the economy, and they cannot be left to the wolves. The Cybersecurity and Infrastructure Security Agency (CISA) understands this fact, recently releasing a resource guide for university cybersecurity clinics.
What is a University Cybersecurity Clinic?
University cybersecurity clinics attempt to address the cybersecurity workforce shortage by training students from a range of backgrounds and academic expertise to bolster the defences of non-profits, small businesses, hospitals, and other under-resourced organizations. They also introduce cybersecurity to students who otherwise might not have considered a career in the industry, developing a talent pipeline for cyber civil defence.
What is in the CISA Resource Guide?
CISA offers a range of resources to university cybersecurity clinics, including grants, partnerships and speakers, guidance, and technologies. Let's look a little deeper into those offerings.
Informational Briefings and Partnerships
University cybersecurity clinics can request CISA speakers and Cybersecurity Advisors to come and work with students, providing informational briefings about cybersecurity best practices, CISA's service offerings, as well as both unclassified and classified threat briefings.
CISA speakers can keynote international conferences, speak to small, intimate groups, and everything in between, with topics including:
- An overview of current threats
- An introduction to CISA and its programs
- Commentary on current events
- Deep dives on specific issues
- Overviews of government policies and programs
CISA's Cybersecurity Advisors are subject matter experts (SMEs) on a range of cybersecurity activities aimed at improving organizations' cyber resilience posture and economic security. Clinics can establish relationships with Advisors to help students better understand the role and the wider cybersecurity landscape.
Guidance
CISA offers a range of guidance resources that university cybersecurity clinics can use to inform their teaching. They include:
- Guidance for Small Organizations -
- Cybersecurity Performance Goals (CPGs) – These are baseline cybersecurity goals developed by CISA and the National Institute of Standards and Technology (NIST) to help small to medium-sized businesses establish basic cybersecurity protections.
- StopRansomware.gov - This website consolidates knowledge spread across the US federal government into one website to provide authoritative information, resources, and tools to help prevent and mitigate ransomware attacks.
- Incident Response Plans – This resource provides advice on what action to take before, during, and after a cybersecurity incident.
Tools and Services
CISA also provides university cybersecurity clinics with tools and services they can use to help smaller organizations protect themselves from cybercrime. They include:
- CISA Exercises – This resource allows clinics and their clients to run exercises examining an organization's cybersecurity and physical security plans and capabilities and improve their security posture.
- Vulnerability Scanning Notifications – These tools provide organizations with information about potential vulnerabilities so they can remediate any issues.
- Free Commercial Services and Tools Catalog – University cybersecurity clinics can use this resource to better understand common cybersecurity tools and services, while organizations can take advantage of them to improve their security posture.
- Cybersecurity Evaluation Tool (CSET) – This tool guides organizations in evaluating the security posture of operational and informational technology.
- MS-ISAC and EI-ISAC – The Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide members with direct access to a suite of services and informational products that can help entities defend against and educate themselves about cyber intrusions.
Grants
CISA manages the four-year, $1 billion State and Local Cybersecurity Grant Program, and although it's intended to help state, local, tribal, and territorial governments strengthen their cyber posture and become more resilient to cyber threats, some states may allow grant funds to be used by universities to strengthen their clinics or start new clinics.
It's encouraging that CISA has recognized the wealth of untapped potential in US universities and supported them accordingly. While it remains to be seen whether university cybersecurity clinics will improve smaller organizations' security postures, it's clear that CISA is, at the very least, committed to supporting under-resourced organizations in protecting themselves from cybercrime.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.