Author Archives: Megan Carnes

Unexpected Cyber Threats Put Housing Associations and Tenants at Risk

Housing associations across the UK increasingly find themselves in the crosshairs of skilled cybercriminals. According to RSM UK, a quarter of housing associations have suffered an attack in the last 12 months. This wave of high-profile attacks has exposed how vulnerable these organisations can be to data breaches, ransomware, and system disruptions. With many housing providers handling sensitive data on tens of thousands of UK tenants, the stakes could not be higher.

Not just compromised data

Clarion Housing Association – the country’s largest with over 125,000 homes – was struck by a major cyber-attack that crippled both its IT systems and phone lines. While the full extent of the breach remains unknown, Clarion warned tenants that their data may have been compromised. The incident follows similar attacks in recent years on housing providers such as Bromford and Connexus (in the latter case, the amount of tenant data stolen has yet to be clarified) and on local councils that manage public housing.

The effects of these cyber incidents are severe and widespread. For tenants, they put private information – such as financial records and contact details – at risk of being exposed or held for ransom by criminals. Housing services can grind to a halt, making it impossible to report maintenance issues or pay rent. At best, this is a significant inconvenience for tenants, landlords and organisations alike; at worst, it threatens the housing security of some of the most vulnerable people in UK society, such as the elderly, disabled and those on low incomes.

Not hours… but days or even weeks for recovery

Successful breaches lead to costly downtime, lengthy remediation, potential ransom payments, penalties from bodies such as the ICO for failing to protect citizens’ data, and long-lasting reputational damage. For example, Bromford took days to recover from its attack, while a council in South West England is still working to fully restore its systems two years later, having spent hundreds of thousands of pounds. Many organisations cannot absorb financial blows and operational disruption on this scale, especially during the current cost of living crisis.

So, why are housing associations such an attractive target for cybercriminals? And what can be done to better shield the sector against escalating threats?

The vulnerabilities of businesses holding sensitive data

A key factor making housing associations a lucrative target is their heavy digital footprint and the sheer volume of sensitive data they hold online. As organisations embrace digital channels to provide modern online services and store data more conveniently, they multiply the attack surface that cybercriminals can exploit. More smart home and office technology, online customer portals, and web-connected devices mean more endpoints to secure. Moreover, criminals perceive housing associations as having weaker cyber defences than other sectors. Budgetary constraints often prevent robust investment in security measures and IT teams. The RSM UK survey found that 75% of housing associations felt underprepared to deal with ransomware attacks.

The data itself is also valuable on the dark web. Housing records contain a wealth of personal information on tenants, including contact details, financial data, and home addresses, which can be used for follow-on phishing, fraud, and even physical break-ins. Analysts estimate cybercrime costs the British economy £27 billion annually, providing ample incentive for criminals to target housing associations.

Deliver the reassurance that tenants crave

While facing this escalating risk, housing associations must take proactive steps to prioritise cyber security and safeguard their systems, data, operations and customers. This goes beyond achieving minimum compliance standards to adopt a comprehensive, vigilant security stance.

Crucial capabilities include continuous threat monitoring and vulnerability scanning to identify and patch security gaps before cybercriminals can exploit them. 24/7 security operations centre (SOC) services can provide the cost-effective, round-the-clock monitoring that most housing associations lack in-house, and the reassurance tenants crave. Penetration testing is also vital, ideally using certified ethical hackers to probe for weaknesses from an attacker’s perspective. Combining this offensive approach with meticulous defensive hygiene such as prompt software updates, multi-factor authentication, and data encryption makes it far harder for real-world criminals to carry out a breach successfully.

Regular security awareness training must also be provided to educate employees on evolving threat vectors such as phishing, which remains the most common initial attack vector: human error and a lack of cyber awareness among staff open doors for cybercriminals to exploit.

Another major weakness is third-party vendors and supply chains, which criminals often use as indirect attack routes to targets. Housing associations must implement strict vetting processes and security requirements for all suppliers and partners.

Predefined and practised working protocols

Housing associations must have comprehensive incident response and disaster recovery plans in place ahead of time. When attacks inevitably occur, having predefined protocols for containment, recovery, and communication is critical to minimising damage and restoring operations as quickly as possible. Too many housing associations have learned this the hard way through devastating cyberattacks in recent years. However, by treating cybersecurity as an essential business imperative rather than an afterthought, these organisations can keep pace with escalating threats and better secure their systems, data, staff, and tenants. With budgets squeezed by the current cost crunch, providers need partners that deeply understand their challenges and can align services to their priorities.

No organisation is immune to cyber threats in today’s hyper-connected world. But, through concrete investments and strategic partnerships, housing associations can dramatically improve their cyber resilience and focus on their core missions of providing safe, reliable homes and services to all who need them.

At Thrive, we specialise in delivering tailored cybersecurity solutions designed for housing associations’ unique challenges.

The need for action is clear.

Don’t allow your housing association to become another cybercrime statistic. Contact Thrive today so we can work alongside you to comprehensively safeguard your systems, data, team, and tenant community with cutting-edge cybersecurity services. Using our CIS-aligned frameworks, we allow you to deliver your services with built-in peace of mind.

Thrive Spotlight: Eric Thompson – VP, Cloud Infrastructure

Welcome back to another installment of our “Thrive Spotlight” blog series.

Our featured employee is Eric Thompson, VP of Cloud Infrastructure.  As VP of Cloud Infrastructure, he is responsible for our datacenter operations, backup solutions, and disaster recovery for our clients.  He has had many roles since he started with Thrive as a Tier 1 onsite engineer.

Eric lives in the Boston, Massachusetts area and works out of our Woburn office.  Outside of work, he enjoys spending time with his family skiing, camping, biking, or other outdoor activities.  Like most engineers, he enjoys tinkering with different tech for his house.

Hi Eric!  Can you tell us about your background and how you came to Thrive?

I initially interviewed with Thrive in college and then later interviewed in the original Concord office.  The MSP space seemed like a great way to get exposure to all different technologies and businesses.

Where did you go to school or get training?

I graduated from Bryant College in 2004.  Since I attended, the school has been renamed Bryant University.

What do you most enjoy about working for Thrive?

Thrive is a fast-paced environment and no two days are ever the same.  Technology is ever-changing, so that keeps the challenges fresh and engaging.  I also enjoy the people I work with at Thrive; they enjoy what they do, which makes Thrive a great place to work.

Are there any recent exciting projects at Thrive you can tell us about?

Currently, I am working on modernizing our Cloud offering with VMware NSX-T and VMware Cloud Director.

 

Are you interested in learning more about Thrive? Click here!

Don’t forget to follow us on Twitter and LinkedIn for the latest news, and continue checking our blog for more in our “Thrive Employee Spotlight” series. Until next time…

Thrive Enables Businesses to Stay Primed With Modern, Digital Infrastructure at a Manageable Cost

Thrive helps businesses across industries find the right infrastructure and cybersecurity solutions to modernize their systems and stay secure. Its solutions are affordable, powerful, and customizable to fit any business environment. The team also partners with clients to ensure all their needs are met. We spoke with Rob Stephenson, CEO of Thrive, about the platform and its unique benefits.

SEC Unveils New Look for Regulation S-P: What Your Organization Needs to Know

Thrive is continuously monitoring changes in the regulatory environment to ensure we are prepared to help our clients achieve and maintain compliance. The U.S. Securities and Exchange Commission (SEC) adopted updates to Regulation S-P (Reg S-P) on May 15, 2024, and set the compliance deadlines at 18 and 24 months depending on organization size (see Table 3 under Section II.F of the final rule for size definitions). Regulation S-P specifies how covered institutions are required to protect consumer financial and personal information under the Safeguards Rule, and how covered entities should securely dispose of covered information under the Disposal Rule (collectively “Rule(s)” herein). This post provides a synopsis of the key rule elements and the corresponding practices and technologies that can enable compliance. The changes are “designed to modernize and enhance the protection of consumer financial information” via three primary updates:  

  • Requiring Incident Response Plan (IRP) policies and procedures. 
  • Mandating “timely” notification to affected individuals after a sensitive information breach.  
  • Expanding the scope of information and entities covered under the Rule.¹

Many covered entities have already begun adjusting their information security and compliance strategies over the past few years in light of elevated regulatory activity from the SEC which includes multiple proposals specifically focused on addressing information technology and cybersecurity risks. While there aren’t any surprises in the Regulation S-P updates, organizations subject to the rule should now evaluate their current practices to ensure alignment from a policy, technical capability, and operational perspective.  

Incident Response Plan (IRP) Requirements 

The adopted changes require implementation of an “incident response program for unauthorized access to or use of customer information, including customer notification procedures” that are reasonably designed to “detect, respond to, and recover from” unauthorized access and use of consumer financial information.² A comprehensive incident response program is rooted in an accurately scoped policy, enabled by appropriate technology implementation(s), and maintained by complementary operational processes.  

Policy

An IRP is a written document formally approved by management that outlines the types of cyber threats the business is likely to face and what controls are in place for detecting, responding, and recovering from these events. A risk-based approach is important when designing an IRP and organizations should first perform activities such as data classification and business impact analysis to ensure the policy is appropriately scoped.  

With respect to Reg S-P specifically, covered entities should identify what type(s) of covered information they collect, where this data is stored, and what data protection and access controls are in place. The updated rules explicitly require a scope that enables assessment of “the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of information that may have been accessed or used without authorization”.² Of course, the IRP should include the entire business entity, but understanding where the critical data and information assets reside is an important precursor to designing an appropriate layered defense model and establishing compliance with the updated regulation.  

Technical Implementation  

Technical controls supporting the IRP should include detective and preventative security measures applied and configured specifically to the organization’s environment. There is no “one size fits all” approach, which is why having an accurately defined policy is fundamental to appropriately selecting and deploying technical safeguards. Common deployments include (but aren’t limited to):  

  • Data Security: encryption (at rest and in transit), access controls, network segmentation, data governance monitoring, and data loss prevention (DLP) mechanisms such as blocking removable media and monitoring outbound communications for unprotected sensitive data. Organizations should also ensure secure data disposal and destruction mechanisms are in place to ensure discarded media does not result in unauthorized access exposure.   
  • Asset Security: Next-generation asset-based solutions such as Endpoint Detection and Response (EDR) software provide live monitoring of user assets across the environment and proactively detect, prevent, and alert on malicious activity. Additionally, hard drive encryption is natively built into many modern operating systems, while agent-based applications can ensure devices remain up to date (e.g., RMM) and restrict the types of connections or applications permitted on managed devices (e.g., URL filtering, restricting local administrative rights, hardening configurations to disable unused ports/protocols).  
  • Network Security: Networks (including the office(s), data centers, and/or cloud/SaaS environments) must be protected via appropriate threat detection and response capabilities. Solutions include Managed Detection and Response (MDR), Extended Detection and Response (XDR), conditional access, Identity and Access Management (IAM), enterprise firewalls, and zero trust architecture (ZTA). Log aggregation and secure log storage are also important to enable forensic examination and accurate reporting if a material incident occurs.  
  • Availability / Recovery: Incidents still can (and will) happen even with best-of-breed security solutions in place and it’s important that the business can efficiently recover when they do. Solutions that enable system availability include backups, geographically diverse disaster recovery (DR) environments, and high availability cloud configurations.  

Operational Considerations  

Having the right skilled resources in place to design and implement appropriate controls and write policy is where compliance with Reg S-P begins, but ongoing monitoring and response is where the value is continually delivered. Organizations should ensure that resources receiving and monitoring the output of technical detective and preventative systems – whether in house or outsourced – are suitably trained to interpret the data and take corresponding actions when anomalous or malicious activity is detected. Many organizations choose to work with an outsourcing partner (e.g. MSSP) that provides 24×7 Security Operations Center (SOC) monitoring and incident response services.  

Breach Notification  

The updated regulation also mandates that the incident response programs include mechanisms to notify affected individuals “whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization”.² Prominently, the same clause also states that notification is not required if “after a reasonable investigation…the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience”.²  

Meeting this requirement demands careful analysis from multiple stakeholders, including legal, operations, and information technology; however, organizations must have the foundational elements referenced above – specifically mechanisms/products such as data classification, data governance, data protections, and security monitoring/logging/reporting – in place before there is anything to analyze. A gap or weakness in any of these areas may preclude an organization from justifying a reporting exemption or providing an accurate disclosure of events. If an organization cannot validate which system and data assets were impacted by a cyber incident, it may need to provide a breach notification to all (current and former) customers.  

Breach Notification Timeline

The updated regulation will also require a “clear and conspicuous notice to affected individuals” by means “designed to ensure that the individual can reasonably be expected to receive actual notice in writing”.² Importantly, there is now a 30-day shot clock on providing the notification with exceptions only if the U.S. Attorney General has determined that providing such a notice would “pose a substantial risk to national security or public safety”.² There are also specific notice standards (Section II.A.3a in the Final Rule) that organizations should be aware of with regard to determining if a notice is required and methods for complying with the notification mandate under various circumstances. Sections II.A.3b&c also provide additional clarity with respect to defining “sensitive customer information” and “substantial harm or inconvenience” respectively that should be reviewed when developing mechanisms for analyzing if a notification is required under the organization’s IRP.  

Scope Adjustments 

The final Rule also includes adjustments that broaden both the scope of entities covered under required activities and the scope of data assets.  

Service Providers

Of course, service providers are not brought under the SEC’s regulatory jurisdiction via the updated Rules (with respect to those that are not already covered entities). However, the Reg S-P update does incorporate requirements with respect to the covered organization’s IRP development to include:  

a. appropriate measures for ensuring service providers are protecting covered information, and  

b. mechanisms for the covered organization to receive notification from a service provider if that provider experiences a breach impacting covered information.  

The maximum allowable timeframe for service providers to provide notification is defined as 72 hours in the updated final text. Covered organizations should work with service providers to determine appropriate mechanisms designed to ensure receipt of such notifications within the compliance time limit. This mandate again highlights the critical importance of conducting thorough data classification and related analysis, which enable organizations to easily map which third parties are in scope when it comes to covered information. Additionally, receipt of a service provider notification should automatically trigger the covered organization’s IRP, including analysis of whether client notification is required.  

Definitions of Covered Information and Covered Entities

The updated regulation broadens the scope of protected information to include a new term of “customer information” (replacing the term “customer records and information”) which is defined as “any record containing nonpublic personal information as defined in Section 248.3I3 about a customer of a financial institution, whether in paper, electronic, or other form”.² These records apply to any “information that a covered institution maintains or otherwise possesses for a business purpose” – businesses subject to the regulation should ensure the scope of their data classification exercises is appropriately adjusted to include all such information that may fit into this category. The broadened scope now applies to information the organization may have obtained about customers and non-customers that the organization may have been provided through the course of other business relationships. This change is intended to provide additional consistency with the Gramm-Leach-Bliley Act (GLBA) which imposes similar and overlapping requirements in some situations. Importantly, the SEC notes that these obligations of protection extend throughout the lifecycle of the information and include secure disposal, further underscoring the importance of a well-defined secure destruction and disposal process.  

In addition to the information scope changes, the update extends applicability of Regulation S-P to include transfer agents since they maintain detailed covered information related to securities holders.  

A Note on Recordkeeping  

Reg S-P updates also incorporate new recordkeeping requirements pertaining to “written records documenting compliance with the requirements of the safeguards rule and of the disposal rule”.² The timeframes vary for different entity types, and covered organizations should review Table 1 under Section II.C of the final rule for information relevant to their entity designation.  

How Can Thrive Help?  

Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering outsized technology returns on investment (ROI). Thrive accomplishes this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com. 

 

Disclaimer: Nothing herein shall constitute legal advice, compliance directives, or otherwise. Covered entities should consult an attorney and/or other compliance professional regarding their organizations’ compliance obligations, including, without limitation, the regulations described herein.  

Source Information:  

1 –  https://www.sec.gov/files/34-100155-fact-sheet.pdf 

2 –  https://www.sec.gov/files/rules/final/2024/34-100155.pdf 

How IT outsourcing allows Hedge Funds to maintain top performance for their funds and their investors

While the performance in 2024 has been moderately positive year-to-date, the hedge fund industry faces the challenge of safeguarding these gains against a multitude of domestic and international factors that remain at play for both your Prime Broker (PB) and IT provider. Both are aligned with your success in risk mitigation and their mutual cooperation couldn’t be more important. As the only global IT provider from the HF industry, Thrive recognizes the cooperative roles each entity plays in ensuring the safety of a well-performing fund for the benefit of your investors. 

Alignment for Better Business Outcomes

At the core of any risk strategy lies the identification and assessment of risks. For your PB, real-time consideration of portfolio risks and periodic reviews of operational risks are essential. Since leverage has plateaued since 2008 (affecting fee generation), managing risk is pivotal to a healthy PB relationship. Balancing the quality of your portfolio to allow for an optimized margin balance is something everyone wants, and it will be based on a number of factors you can evaluate, such as correlation risk, historic Sharpe ratio, derivative pricing confidence, collateral quality, and counterparty creditworthiness, among others. This falls largely on the COO or CFO and their operations team to ensure the most beneficial and accurate treatment is being extended to the firm. Meanwhile, consider that your IT provider is similarly aligned with your fund’s success: further removed from your portfolio details, of course, but intimate with the tools, connectivity, and counterparties that you depend on. 

Qualification of a Managed Security Services Provider (MSSP) 

In today’s landscape, IT providers must resemble cybersecurity businesses (MSSPs) to succeed. Most platforms default to convenient configurations rather than secure ones, which has prompted the SEC to mandate inventorying these data points from an IT risk perspective. While your engagement policies may appear as checkboxes to auditors, real-time anomaly reporting against these policies is fundamental to competing and scaling responsibly in a multi-cloud environment. Over the years, top IT providers like Thrive (through its acquisition of Edge Technology) and premier PBs have collaborated to set reasonable standards that protect market interests. Prior to the pandemic, we led a campaign together with a global prime broker to enforce encrypted communication via TLS across common client mail systems, a practice we already encouraged with most clients.  Together, that raised important awareness and potentially thwarted some amount of phishing while people became better trained.  

However, the recurring cybersecurity topic now verges dangerously close to a broken record, even as its significance remains paramount. We observe a shift from ransom-focused malware to outright wiper malware, emphasizing the need for robust security measures as motivations move from ransom to outright harm by coordinated state actors. At Thrive, we advocate for a mesh of security services that provide real-time event generation and response, extending network and domain policies beyond office boundaries to multi-cloud services using Secure Web Gateways. Today’s easy adoption of many young, emerging technologies is promising, but it also exhibits the same weaknesses the industry showed earlier.  Wrapping a mesh of security around these younger offerings lets the same balancing act be achieved, so a competitive fund can leverage newer technologies with more confidence. While technology lacks a UL listing, a balanced practitioner’s approach can maintain top performance for you and your investors. 

 

Feel free to reach out if you would like to learn more about technology outsourcing for financial services. Our team of subject matter experts are ready to help you meet your desired business outcomes.

Thrive Spotlight: Maria Carina Wenceslao, Human Resources Manager – Philippines

Welcome back to another installment of our “Thrive Spotlight” blog series.

Our featured employee is Maria Carina Wenceslao, Human Resources Manager – Philippines.  Maria Carina’s primary focus is to ensure employees have a positive and enriching experience throughout their time at Thrive and to prioritize overall well-being within the organization.  She works on the onboarding process, enhancing benefits packages, and making sure the employee experience aligns with Thrive’s values and objectives.

Maria Carina lives in Clark, Pampanga and works out of our Philippine office in Clark Global City, Clark Pampanga.  Two years ago, Maria Carina moved from Manila to Clark Pampanga and enjoys exploring the beauty of the city outside of work.  She also loves spending time with her family, especially her 7-year-old daughter who is a liver transplant warrior.

Hi Maria Carina! Can you tell us about your background and how you came to Thrive?

I have been working in the Human Resources space for 17 years, specializing in recruitment.  Identifying and securing top talent has always been a passion of mine.  In 2022, I was thrilled to learn about an open position at Thrive and become one of the first employees in the Philippines.  The opportunity to build a team from the ground up was exciting.  There is something uniquely rewarding about selecting and nurturing the best talent to establish a strong foundation for a new venture.

Where did you go to school or get training?

I attended Centro Escolar University in Manila, Philippines.  I have my Bachelor of Science degree in Psychology.

What do you most enjoy about working for Thrive?

I love the collaborative nature of our work environment.  I am particularly grateful for the accommodating and nurturing leadership within the company.  Their dedication to cultivating a supportive culture and prioritizing the well-being and growth of employees is evident in every interaction with leaders.  This creates a sense of trust and empowerment that allows everyone to THRIVE professionally and personally.

I am immensely proud to be thriving at Thrive.  It is truly empowering to be a successful working mom, knowing that I am supported in both my career and personal life.

Are there any recent exciting projects at Thrive you can tell us about?

We have been rapidly growing and strengthening our team in the Philippines, making sure our global objectives and goals are in line.  I love seeing a collaborative effort of teams across different regions working together towards a common goal.

 


Is your organization prepared for NIST SP 800-171 certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) program is aligned to the Department of Defense’s (DoD) information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that the Department shares with its contractors and subcontractors, each an Organization Seeking Certification (OSC). The program gives the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.  

Under CMMC guidelines, non-federal organizations will be required to follow the proper security standards for safeguarding the following. 

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

If your organization does not hold the Level 1 or Level 2 CMMC certification a contract requires before that contract is awarded, it will not be awarded the contract.

The current certification process is defined by CMMC 2.0. There are three distinct levels that make up the certification process. The level required for a given contract is set by the DoD Contracting Officer.

Level 1: Foundational (basic safeguarding) of Federal Contract Information (FCI), which consists of six domains covering seventeen practices.

Level 2: Advanced (advanced security requirements) for Controlled Unclassified Information (CUI), which consists of fourteen domains covering 110 practices.

Level 3: Expert, which also covers Controlled Unclassified Information (CUI) but is aimed at DIB partners supporting the DoD’s highest-priority programs (CUI is, by definition, unclassified). This level includes the current Level 2 practices and domains plus an additional set of controls not yet specified. The DoD estimates that less than 0.1% of active DIB partners (about 160 companies) will require Level 3 certification.

Please note: the current certification is based on CMMC 2.0. As new revisions are released, many of the practices, while not removed, may be reworked and adjusted to define the proper levels of certification.

How are CMMC Audits Performed?

Under the current CMMC Revision 2.0 guidelines, the DoD Contracting Officer assigned to the Organization Seeking Certification (OSC) will dictate the certification level that the OSC must achieve.

Level 1 – Foundational (Basic Safeguarding) of Federal Contract Information (FCI) will require the OSC to fulfill all six domains and seventeen practices to achieve certification. Level 1 certification requires the OSC to submit a self-assessment to the Supplier Performance Risk System (SPRS). Once a contract is awarded, a Level 1 certification is valid for one year, and the self-assessment must be resubmitted annually. The DoD can conduct a full audit of an OSC seeking Level 1 certification if there are any discrepancy concerns with the self-assessment submission.

Level 2 – Advanced (Advanced Security Requirements) for Controlled Unclassified Information (CUI) will require the OSC to fulfill all fourteen domains and 110 controls to achieve certification. Level 2 certification requires the OSC to go to the Cyber-AB Marketplace (HTTPS://cyberab.org) and engage a C3PAO (CMMC Third Party Assessment Organization) to conduct a physical audit of the organization before certification is granted. Once a contract is awarded, a Level 2 certification is valid for three years before re-certification by a C3PAO is required.

Level 3 – Expert will require the OSC to fulfill all Level 2 requirements (14 domains and 110 controls) plus an additional set of practices not yet defined. Level 3 certification will also require a physical audit; however, due to the security nature of the organization seeking certification, the audit will be conducted directly by the DoD DIBCAC (Department of Defense – Defense Industrial Base Cyber Assessment Center). Once a contract is awarded, a Level 3 certification is valid for three years before re-certification by the DoD DIBCAC is required.

How does an Organization Seeking Certification (OSC) prepare?

As organizations prepare for certification, below are some key operations to start thinking about:

  • Proper organizational and operational documents and policies aligned with physical, technical, and security operations.
  • Governance, Risk and Compliance (GRC) operations and programs
  • Technology and Security Operations:
    • Security Awareness and Anti-Malware Training Programs for end-users
    • Endpoint and infrastructure security operations
    • Mobile Device Management (MDM)
    • Email Filtering and Security Monitoring
    • Endpoint Detection and Response (EDR)
    • Endpoint DNS Filtering
    • Vulnerability Operations
    • Two-Factor Authentication
  • Penetration Testing
  • Vulnerability Scanning
  • FedRAMP Compliant Services

Time is running out, because organizations will be required to hold a proper CMMC certification to be awarded a contract. Organizations should reach out to a Registered Practitioner (RP) or Registered Practitioner Organization (RPO), individuals or organizations certified by the Cyber-AB, for help with readiness for Level 1 and Level 2 certification. Organizations can find these certified individuals or groups through the Cyber-AB Marketplace.

Contact Thrive today to learn more about how we can help you achieve proper CMMC Certification. Thrive has Certified RPs ready to help with readiness and planning.

Balancing the rewards and risks of AI tools

AI’s promise of time and money saved has captivated employees and business leaders alike. But the real question is… is it too good to be true? As enticing as these rewards may be, the risks of this new technology must also be seriously considered.

Three Strategies to Help You Solve Your IT Skills Gap

In today’s world, technological advancements are progressing at an unprecedented pace, creating vast opportunities for individuals and organizations. However, the rapid growth has also led to a significant demand for skilled professionals with the right competencies to meet this ever-increasing need. One area where this demand is particularly critical is cybersecurity, where the shortage of skilled professionals has become a significant concern. Even with technology outsourcing, having strong IT leaders is critical to managing and securing your business today and tomorrow.

Empowering Education: How Thrive Fortified CBT Technical Institute’s IT Infrastructure

CBT Technical Institute offers technical training and certification programs in various fields, such as information technology, cybersecurity, network administration, and more. The institute sought a partner to fill IT gaps, provide strategic solutions to bolster cybersecurity resilience, and optimize operations across its three campuses. This case study details how Thrive fortified CBT’s IT infrastructure and provided essential support, enabling seamless operations and proactive cybersecurity measures.

CBT Technical Institute faced a significant challenge when its IT supervisor departed for another company, leaving a critical void in managing its websites and servers. The workload became overwhelming with only a small team of three IT support specialists, as their focus was divided among various tasks. Realizing the need for additional support and contingency planning, CBT turned to Thrive to provide essential protection and strategic direction for its technology solutions. Thrive’s security services and ThriveCloud platform complement their internal team, ensuring comprehensive coverage and preparedness for potential disruptions.

Why Thrive Was Chosen

CBT Technical Institute chose Thrive because of its comprehensive suite of services and Thrive’s commitment to a genuine partnership. When evaluating potential partners, Thrive stood out for its adept management of services and software and robust security measures that alleviate the burden of maintaining CBT Technical Institute’s infrastructure and data security.

Thrive’s Robust Solution Offering and Collaborative Approach

Thrive’s comprehensive solution included Endpoint Detection and Response (EDR) for endpoint protection, server management, and Microsoft 365 email and Exchange management and monitoring. Facing expertise gaps, CBT Technical Institute turned to Thrive for comprehensive security services, leveraging ThriveCloud. Outsourcing these services marked the beginning of the partnership, with Thrive guiding CBT through onboarding and offering expertise and support. Through collaborative efforts, Thrive ensured a seamless transition, empowering CBT to navigate its technology confidently.

Impact and Results

Thrive’s intervention at CBT Technical Institute resulted in notable efficiencies and operational improvements. Migrating servers to the Cloud and deploying new infrastructure addressed challenges linked to outdated hardware, which enhanced server management and performance. Users experienced significant improvements in service responsiveness, while Thrive’s cost-effective solutions remained within CBT’s budgetary limits. With Thrive hosting its database, the institute’s data security and resilience were fortified, ensuring robust protection and rapid recovery from disruptions, underscoring CBT’s commitment to safeguarding sensitive educational information.

Exceeding Expectations

Thrive consistently exceeds expectations, with its team going above and beyond to meet CBT’s needs. From dedicated engineers like Nick, who assist outside regular hours, to responsive project managers, CBT praises Thrive for its unwavering dedication, collaborative approach, and exceptional support. “Thrive provides a virtual solution for any company that needs protection and lacks the resources to keep moving forward. If a company doesn’t have an IT department or support to assist users, maintain servers, and ensure security, Thrive is the one that can provide that,” said Roosevelt McCullough, Database Administrator for CBT Technical Institute.


“Unlike other cloud and third-party providers that offer temporary fixes, Thrive provides a long-term solution, enabling our company to evolve and access resources and support as needed.” ~ Roosevelt McCullough, Database Administrator for CBT Technical Institute


About Thrive

Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering oversized technology returns on investment (ROI). They accomplish this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com or follow us on LinkedIn.