BU Today

University to Tighten Cybersecurity

BU president launches initiative to recommend solutions

The age of internet innocence gets less innocent every day.

In an email to faculty and staff this morning, President Robert A. Brown announces the University’s plan to tighten cybersecurity measures following a December phishing attack that saw the BUworks usernames and passwords of 10 employees stolen and their direct deposit paychecks siphoned to outside accounts.

That attack on BU, as well as on other higher education institutions, revealed to administrators the relative vulnerability of University information technology networks and information systems. “We have focused on sound policy, user education, and detective controls to secure information,” Brown writes in his letter. “While this approach has supported creativity and productivity, it now increasingly places us at risk—particularly in comparison to less open organizations. Cyber-criminals choose softer targets, as we have just experienced.

“Social engineering techniques such as ‘phishing’ take advantage of people’s trusting natures and are increasingly sophisticated and deceptive,” he continues. “We must strengthen our technological means to help protect our information in order to forestall these kinds of attacks and limit exposure if they succeed.”

Brown’s email says that Tracy Schroeder, vice president for information services and technology, and the chairs of the Information Security Governance Committee will spearhead an initiative to find ways to “strengthen technical protections against exposure, theft, or loss of personal information.” The president will then share the group’s recommendations with the Administrative Council and the Council of Deans before the measures are implemented.

Schroeder, Quinn Shamblin, the University’s executive director of information security, and other initiative members have already begun meeting to discuss measures the University could take to reinforce online security. Part of that process, says Schroeder, is learning from past mistakes. An investigation of the December incident revealed that the University needs stronger controls on access to the BUworks central portal.

“We know from industry best practices that you can’t change your banking information now without a second factor for authentication,” Schroeder says. “A password is something you know, a second factor is something you have,” such as a phone or a computer. With such a system in place, employees trying to access information from a phone or computer other than their own will be asked for information about a second device.

Schroeder says the goal is to find a new process that is secure, but not onerous. Having a second factor for authentication is “the best way that we can protect folks’ personal information and not be basically just protecting against the last exploit that we got hit with.”

Initiative members may also recommend that BU’s smartphone users be required to use passcodes to access University email, a move many employees may have already made when they encrypted their device.

Schroeder expects to present the initiative’s recommendations this spring, and anticipates the work by her and others will “not be a one-shot deal,” but a continuing effort to strengthen the University’s system-wide security.

Leslie Friday

Leslie Friday can be reached at lfriday@bu.edu; follow her on Twitter at @lesliefriday.

10 Comments on University to Tighten Cybersecurity

  • Nicholas on 02.28.2014 at 8:28 am

    Ironically, using LastPass, a secure password manager with built-in two factor authentication (choose one of several options), is an onerous task on BU Web Login pages. The script on BU Web Login pages explicitly rejects automatically-entered passwords.

    As a work-around, I copy and paste the password in and refresh the page, but wouldn’t it be nice if technologies like LastPass were welcomed and made compatible with our IT? Nowadays these free or inexpensive services are powerful, sophisticated technologies; you won’t see my bank accounts compromised so easily, I promise you that.

    • Bryan on 02.28.2014 at 8:57 am

      @Nicholas – I also use LastPass and it appears that the login page rejects items that are filled right after page load, so if you disable the auto-fill, you can still use your plugin to auto-fill it after the page loads and it works just fine. It’s an extra step, but it’s easier than opening, unlocking, copying and pasting :)

    • J on 02.28.2014 at 3:02 pm

      Totally agree with this. A password manager encourages use of long, random, secure passwords. The benefits far outweigh the risks.

  • Bryan on 02.28.2014 at 9:02 am

    Personally, I would love to have the ability to enter a longer password. When you compare short “complex” passwords to the simpler but longer passphrases, the passphrases will win every time. IWishICouldUseALongerPassphraseAtBU is a better password than KfJ#@s8zf%9ty05

  • Jimmy on 02.28.2014 at 10:29 am

    For one, let’s get a refund on that whole “BU Works” fiasco. How much did we pay for a payroll system that’s only fully compatible with IE?

    • Eggroll5215 on 02.28.2014 at 11:59 am

      I agree with Jimmy!

    • Jake on 02.28.2014 at 12:24 pm

      I use BU Works daily for my job and it works perfectly fine with Firefox, thank you very much…

    • Max on 02.28.2014 at 2:31 pm

      Amen. On a Mac, both Safari and Chrome fail to render the output of this disgrace of a system. I have to open my trusty Windows XP virtual machine to see my paycheck, every time.

  • Annonymous on 02.28.2014 at 12:52 pm

    I agree with Nicholas and Bryan about LastPass. I also use it. It’s the best. It was recommended to me by a friend who was a Computer Tech for HP.

  • Annonymous on 02.28.2014 at 12:54 pm

    I agree with Jimmy. Why can’t BU Works be compatible with other search engines? Like Google Chrome, which is the safest search engine on earth.

    Come on BU. Get with the times. Do some research and you’ll see Google Chrome is the best.
