University to Tighten Cybersecurity
BU president launches initiative to recommend solutions
The age of internet innocence gets less innocent every day.
In an email to faculty and staff this morning, President Robert A. Brown announces the University’s plan to tighten cybersecurity measures following a December phishing attack that saw the BUworks usernames and passwords of 10 employees stolen and their direct deposit paychecks siphoned to outside accounts.
That attack on BU, as well as on other higher education institutions, revealed to administrators the relative vulnerability of University information technology networks and information systems. “We have focused on sound policy, user education, and detective controls to secure information,” Brown writes in his letter. “While this approach has supported creativity and productivity, it now increasingly places us at risk—particularly in comparison to less open organizations. Cyber-criminals choose softer targets, as we have just experienced.
“Social engineering techniques such as ‘phishing’ take advantage of people’s trusting natures and are increasingly sophisticated and deceptive,” he continues. “We must strengthen our technological means to help protect our information in order to forestall these kinds of attacks and limit exposure if they succeed.”
Brown’s email says that Tracy Schroeder, vice president for information services and technology, and the chairs of the Information Security Governance Committee will spearhead an initiative to find ways to “strengthen technical protections against exposure, theft, or loss of personal information.” The president will then share the group’s recommendations with the Administrative Council and the Council of Deans before the measures are implemented.
Schroeder, Quinn Shamblin, the University’s executive director of information security, and other initiative members have already begun meeting to discuss measures the University could take to reinforce online security. Part of that process, says Schroeder, is learning from past mistakes. An investigation of the December incident revealed that the University needs stronger controls to access the BUworks central portal.
“We know from industry best practices that you can’t change your banking information now without a second factor for authentication,” Schroeder says. “A password is something you know, a second factor is something you have,” such as a phone or a computer. With such a system in place, employees trying to access information from a phone or computer other than their own will be asked for information about a second device.
Schroeder says the goal is to find a new process that is secure, but not onerous. Having a second factor for authentication is “the best way that we can protect folks’ personal information and not be basically just protecting against the last exploit that we got hit with.”
Initiative members may also recommend that BU’s smartphone users be required to use passcodes to access University email, a move many employees may have already made when they encrypted their device.
Schroeder expects to present the initiative’s recommendations this spring, and anticipates the work by her and others will “not be a one-shot deal,” but a continuing effort to strengthen the University’s system-wide security.10 Comments