The National Institute of Standards and Technology (NIST) recently hosted a webinar on university-based cybersecurity clinics and their role in strengthening small businesses’ cybersecurity resilience while training the future workforce. The event featured two Consortium members, Louisiana State University (LSU) Cybersecurity Clinic and University of Nevada, Las Vegas (UNLV) Cyber Clinic, highlighting not only how cybersecurity clinics operate but also the experiences of the small businesses and students who participate in them. While this webinar focused on clinics working with small businesses, cybersecurity clinics serve a wide range of clients, including nonprofits, municipalities, rural school districts, and other under-resourced organizations. 

The full video for this webinar can be found on NIST’s website here.

Why Cybersecurity Clinics Matter

Cybersecurity clinics help address two key challenges:

1. Providing cybersecurity support to under-resourced organizations that have limited access to cybersecurity services and expertise.
2. Training students through real-world client work, preparing them for careers in cybersecurity with on-demand skills and practical experience, while reinforcing commitment to public service.

Rodney Petersen, Director of NICE (National Initiative for Cybersecurity Education), emphasized how clinics bridge the cybersecurity skills gap while expanding access to security services for small businesses that often cannot afford them.

Clinic Spotlights: LSU and UNLV

LSU Cybersecurity Clinic: Leveraging Community Partnerships to Reach Local Businesses

Dr. Aisha Ali-Gombe, Director of the LSU Cybersecurity Clinic, shared how LSU’s model provides students with structured, hands-on experience while offering small businesses three core services:

• Training & Seminars – Broad educational sessions on cybersecurity best practices.
• One-on-One Counseling – Advisory sessions tailored to each business’s needs.
• Comprehensive Cybersecurity Assessments – Detailed evaluations of security posture, led by students under faculty supervision.

By partnering with the Louisiana Small Business Development Center (LSBDC), LSU ensures its clinic reaches businesses that need cybersecurity support but lack the resources to hire professionals. Many business owners are unaware of how vulnerable they are, an issue LSU’s clinic helps address.

One of LSU’s clients, Gary Anderson of Cardinal Capital, LLC, shared how his company was unsure of its cybersecurity risks until engaging with the LSU Cybersecurity Clinic. Anderson described how working with LSU students helped his company identify key security gaps, strengthen internal security policies, and implement real-world solutions that made a tangible impact. Anderson also provided a glowing recommendation for LSU’s clinic and its students, mentioning their professionalism, competence, and ability to deliver on their promises.

UNLV Cyber Clinic: A Student-Led Business Model

Mehdi Abid, Cyber Program Coordinator at UNLV, described their clinic’s student-driven approach, where students recruit their own clients, manage services, and conduct assessments. The clinic operates like a small cybersecurity consulting firm, giving students hands-on experience in client relations, project management, and technical security work.

UNLV emphasizes that cybersecurity isn’t just technical—it requires strong communication and problem-solving skills. Students learn to:

• Engage small business clients and tailor security solutions to their needs.
• Develop leadership and teamwork skills while managing client projects.
• Apply classroom knowledge in a real-world setting to better prepare for cybersecurity careers.

UNLV student Keith Daniel Tan spoke about his experience working with small businesses through the clinic, highlighting how real client interactions strengthened his cybersecurity skills. He emphasized that while technical knowledge is critical, learning to communicate cybersecurity risks effectively was one of the most valuable takeaways. His experience working directly with business owners provided him with a stronger professional skill set and helped solidify his career goals in cybersecurity consulting.

Key Takeaways

Small Businesses Need More Than Just Technical Support

• Many small businesses do not recognize their cybersecurity risks until they experience a breach or incident. Clinics play a key role in bridging this awareness gap.
• Effective outreach—through partnerships like LSU’s collaboration with LSBDC or UNLV’s student-led client engagement model—ensures that small businesses know help is available.

No Single Model for Assessments

• Clinics design their own assessment frameworks based on student skills, client types and needs, and available resources.
• Some clinics conduct penetration testing and in-depth risk assessments, while others focus more on security policy, governance, and fundamental cyber hygiene.

Hands-On Learning with Real-World Impact

• Students gain practical experience that strengthens their employability, while businesses receive security services they couldn’t otherwise afford.
• Hearing directly from students and clients in this webinar underscored the value clinics provide—not just as a training ground for students, but also as a meaningful cybersecurity resource for communities.

Legal and Ethical Considerations
Cybersecurity clinics work closely with their institutions and clients to align on expectations and to develop safe and ethical structures for students to work with real-world organizations. These relationships are often supported by:

• Legal and operational frameworks such as NDAs, MOUs, and Student Codes of Conduct to ensure confidentiality, shared expectations, and ethical practices.
• Creative engagement models such as:
  • Students being hired by clients as interns, ensuring proper oversight and structured learning.
  • Clinics partnering with local Small Business Development Centers (SBDCs), which manage the client relationship and legal liability while providing cybersecurity services via the clinic as part of their broader support offerings.

Conclusion

This webinar reinforced the critical role cybersecurity clinics play in both workforce development and providing cybersecurity services to local small businesses. As more universities launch clinics, LSU and UNLV’s models offer valuable lessons on structuring programs, engaging students, and delivering meaningful security support to small businesses.

For more information about cybersecurity clinics and how to connect with one, visit the Consortium’s website.

Watch a replay of the webinar below.

On November 11, 2024, the Consortium of Cybersecurity Clinics hosted 66 students representing 14 different universities for the Fall 2024 “Clinic of Clinics,” a semesterly event for students participating in clinics to network, learn from experts in the field, and partake in group activities. 

Matthew Nagamine, the Director of Membership of the Consortium, began the online meeting by emphasizing how the event served as a way for clinic students from all over the country to meet peers, including some who might end up as colleagues in the future. 

In a lighthearted icebreaker, students were asked to introduce themselves in the chat using only emojis. This engaging start set a collaborative and communicative tone for the event. 

A highlight of the event was a keynote by Dr. Jeff Tully, who leads the Healthcare Ransomware Resiliency and Response Program at the UC San Diego Center for Healthcare Cybersecurity. Tully provided a compelling overview of the intersection between healthcare and cybersecurity, and gave insights into the consequences of cyber threats on patient health care and hospital operations. 

In his presentation, Tully shared that cyber attacks on healthcare are growing, and it is affecting and degrading hospitals’ ability to perform operations. Not only is this a point of weakness of critical infrastructure from the perspective of national security, but it also worsens disparity in health care. At the granular level, it can also impact individuals and families in devastating ways. Tully shared an example of an incident at a hospital in Alabama, where a nine-month old baby passed away. The child’s mother claims this to be the result of diminished care due to a malfunctioning computer system during a cyber attack that was not disclosed. 

Ransomware attacks, in addition to impacting patient care and the ability to provide medical care, also impacts patient health information, as stolen data often ends up leaked. The financial impacts can also be very costly; for example, Tully cited a cyberattack that cost Scripps approximately $113 million dollars in lost revenue. 

With all these concerns, how do you study a problem like this? 

Dr. Tully highlighted how we can apply the scientific method to the field of cybersecurity by asking questions and performing experiments. He explained how early medicine relied on trial and error, but evolved into a data-driven discipline through scientific research and hypothesis testing. 

For example, one of the challenges of studying a ransomware attack to see if it disrupts patient care is that organizations are not eager to show everything that went wrong. However, rather than study the direct data, one of Tully’s suggestions was to study the ripple effects. When hospitals are attacked by ransomware, they attempt to stem the damage by shutting down the network and locking down services, and hospitals that cannot take patients may send them to nearby hospitals. Rather than focusing solely on IT systems, researchers could examine impacts such as patient health outcomes, emergency diversion rates, and operational disruptions, before, after, and during a cyberattack. 

“We could be doing more of these scientific studies with respect to these cybersecurity practices,” Tully said. Sharing an example of this, Tully shared the results of a phishing study, in which a test group that underwent phishing training did not have any significant impact on the group’s vulnerability to phishing attacks. 

Tully also shared innovative tools and solutions to mitigate the effects of cyberattacks on healthcare operations. For example, detecting when ransomware attacks are occurring may be possible by using publicly accessible information. Hospitals are usually very noisy on the internet, so if they shut down, they suddenly become very quiet. If signals of network activity go away, it can be an indicator that something may be occurring. 

Inspired by military technology, Tully also proposed using rapidly deployable 5G networks and point-to-point Wi-FI systems to ensure that hospitals can continue to function even when their primary networks are compromised. 

In closing, Dr. Tully shared advice for students. He encouraged them to think creatively and embrace diverse opportunities in cybersecurity, noting that the field is open to those with a variety of skill sets and backgrounds. He remarked, “[it is] important to understand what happens when we fail, and how to fail better, rather than how to avoid failure at all.”

Following the keynote, students came together in breakout rooms to share their unique journeys and aspirations in cybersecurity. Reinforcing the advice that Dr. Tully imparted, students met peers of all different backgrounds; the meetings brought together graduate and undergraduate students, as well as students from different universities. For example, in one breakout session, there were Computer Science, Management and Information Systems, and English majors, as well as students with military and animation backgrounds. Some were interested in how cybersecurity work is done for the government, while others were interested in malware analysis. Students also shared how their university runs the clinic program and imparted advice based on their experience. 

The Consortium’s Fall 2024 Clinic of Clinics demonstrated the spirit of collaboration and innovation. As cybersecurity challenges evolve, events like these are helping to empower the next generation of cyberdefenders.