Colorado State University (CSU) is a public research university in Fort Collins, Colorado. It offers over 200 academic programs across eight colleges, including Natural Sciences, Engineering, Business, and Liberal Arts. The university is well known for its focus on sustainability, innovation, and hands-on learning experiences.
Steve Lovaas is the Chief Information Security Officer for the Colorado State University System, serving as the primary cybersecurity office at Colorado State University for nearly 20 years. Steve has a PhD ABD in Public Communication & Technology, a CISSP, and an MS in Information Security Assurance from Norwich University.
UpGuard’s Vice President of Product, Greg Pollock, connected with Steve Lovass to host the webinar included above and discuss how CSU uses UpGuard to mitigate cybersecurity risk and increase its cyber resilience.
How UpGuard Helps Colorado State University
The higher education sector controls vast amounts of student data, making the sector and institutions like Colorado State University prime targets for cybercrime. According to a 2023 report published by Sophos, 79% of surveyed institutions were affected by a ransomware act in the previous year, up from 64% in the 2022 survey.
“Nothing worth doing is without risk” - Steve Lovas
UpGuard helps Colorado State University combat the inherent risks and prominent cybersecurity threats across the higher education landscape. Using UpGuard, CSU and Steve Lovas have solved critical cybersecurity challenges related to their expansive attack surface, extensive vulnerabilities, and reliance on third-party vendors and service providers.
“We engage the frontiers of science and research and intentionally explore some risky areas. The freedom for our faculty to teach and research outside boundaries is a part of who we are. There’s always been an appetite to push those boundaries.” - Steve Lovas
Challenge 1: Large Attack Surfaces
To provide services to students, faculty, and researchers, Colorado State University and other higher education institutions manage 100s to 1000s of domains and IPs.
“One of the biggest challenges in higher ed, particularly for larger institutions is highly distributed IPs and domains. At my university, the IT function grew out of existing practices in a variety of departments and they all had their freestanding technology domains until we merged them together. We end up with a lot of public-facing domains and IPs that we don’t run centrally. Multiply the typical organizational footprint by the number of distributed IP units you have, and you will have the recipe for a pretty large attack surface to keep track of.”
Solution: Attack Surface Reduction
UpGuard helped Colorado State University develop an asset inventory and identify unmaintained sites, end-of-life software, and other opportunities to reduce its attack surface.
“We have churn in personnel and technology, and it's not always easy to keep up with all the changes in a timely fashion, especially if someone who manages a site leaves. UpGuard gives us an automated way to look at the attack surface, flagging these unmaintained pages and end-of-life software and giving me a chance to pursue reduction with a departmental IT manager.”
“3% of university domains are unmaintained and good candidates for attack surface reduction” - Greg Pollock
Challenge 2: Existing and New Vulnerabilities
Since Colorado State University and other institutions maintain large attack surfaces, there is always an increasing number of vulnerabilities to manage.
“It’s pretty critical to have some sort of idea of what is running on your network, not only from the hardware perspective but also in terms of software, so when a zero-day does arise, you know whether or not to burn time on it. There’s a lot of traffic on these lists, and vulnerabilities keep coming.”
Solution: Identifying High Risk Assets
UpGuard empowers Colorado State University to efficiently track points of intervention across its attack surface, domains, and IP inventory. This improved visibility streamlines the mitigation process, allowing Steve and the CSU team to prioritize high-risk assets and eliminate time-consuming manual processes.
“It’s going to be a question of triaging, and there will be things you'll have to ignore based on resources. Knowing where to focus your energy and resources is essential.” - Greg Pollock
Challenge 3: Third-Party Risk
Third-party risk management (TPRM) is a growing issue across the higher education sector, not only in terms of security risks but also in terms of audits, compliance, and board mandates.
“We have to take control of the risk of connecting with other organizations, particularly when automated interactions reach into your network, third parties host sensitive information, or they could expose your organization to a social engineering attack or other third-party cyber risk.
“It’s an incredibly tall order to do full risk management on all of our vendors, including the Microsofts and Amazons of the world. UpGuard gives us a way to reign in the scope of what we are doing and makes the most important visibility easy to get.” - Steve Lovas
Cyber risk management is a significant need for higher education institutions, primarily as ransomware groups and other threat actors target the sector with data leaks and cyberattacks.
“The concept of risk surface reduction is also an excellent perspective for third parties. This perspective focuses on the amount and kind of data you let vendors have and how long you let them keep it. So, from that perspective, the work our privacy folks are doing to comply with GDPR or increasing US State Privacy Laws can help us figure out a way to limit the amount of data vendors have to what they explicitly need.”
Solution: Vendor Assessment Sharing
UpGuard provides Colorado State University and other higher education users access to an industry-leading library of vendor security questionnaires, including the Higher Education Community Vendor Assessment Tool (HECVAT).
“Vendors, especially those who want to work with the higher education sector, have seen the writing on the wall and have decided that security questionnaires are necessary to show institutions they are happy to comply with security procedures.”
UpGuard streamlines the security questionnaire process by eliminating manual work and using automation to gain deeper insights into a vendor’s security posture. Users can access questionnaire templates based on industry regulations and security risks or build their own questionnaires from scratch. These features allow security teams to scale their questionnaire process by as much as 10x.
“Third-party risk management has become crucial for student learning at home and the online education market. They’re outside the moat, so to speak. No longer protected by the castle walls. You need to figure out how you're going to manage the risks associated with individuals interacting with applications and vendors.” - Steve Lovas
If you’re a higher education institution looking to learn more about how UpGuard can help you implement a robust TPRM program, check out this informative article detailing strategies and processes specific to the education sector: Vendor Risk Management for Universities: Leveraging Tech Solutions
CISO, Colorado State University