Building a wall against cybercriminals

Last updated: February 7, 2023

2022 UW-IT Year in Review.

By Ignacio Lobos and Gretchen Konrady

As 2022 rolled to the finish line, about 60,000 UW students across three campuses secured their UW NetIDs with two-factor authentication (2FA), joining faculty and staff in an ongoing journey to make personal and institutional data safer from cybercriminals.

This was but one of multiple fronts where UW Information Technology (UW-IT) has been playing a pivotal and strategic role in building a more secure online environment across all campuses, medical centers and other UW facilities.

Cybercriminals pose threat to all public institutions

The UW is not alone in its cybersecurity efforts. It’s a problem so large that Educause, a non-profit national association whose mission is to advance higher education via information technology, named cybersecurity and privacy one of the top issues facing colleges and universities in 2023.

Andreas Bohman
Vice President for UW Information Technology and CIO

Educause bundled privacy and cybersecurity together because keeping personally identifiable information private is critical to cybersecurity programs. And the UW, like any other institution, is a trusted steward of vast amounts of personal data, from grades to social security numbers to financial donor information.

At the UW, cybersecurity experts are also seeking to bundle protection and education together. What many in the UW community may not realize is that students, faculty and staff can do a lot to protect valuable data and private information.

“Protecting UW data is both an institutional and personal responsibility,” said Andreas Bohman, vice president for UW-IT and CIO. “It starts with the institution, but it never ends there. Cybercriminals are relentless in changing their tactics, and so we must continue to strengthen our defenses. As individuals, we need to educate ourselves about cyberthreats and remain vigilant.”


Cybersecurity 101

In the past year, the Office of the Chief Information Security Officer (CISO), one of seven UW-IT divisions, has revved up its cybersecurity awareness, training and education campaigns, offering seminars to faculty and staff, ramping up its presence on the web and delivering timely advisories and sharing messages through multiple media, including the University’s Twitter accounts.

Cybersecurity awareness and education are essential for any higher education institution that takes its security seriously, Educause emphasizes, and UW is heeding that advice.

“We provide practical tips and cybersecurity training on the CISO website,” said Melissa Albin, an information security analyst with CISO. “There are a handful of security practices, such as using strong passwords, multi-factor authentication and anti-virus software, that can go a long way toward securing your personal and UW data.”

Doubling up on login protection

Rebekah Skiver Thompson
Associate Vice President and Chief Information Security Officer, UW Information Technology

The broad use of 2FA is a proven tool against thieves who seek to steal passwords and break into computing systems, which is why UW-IT implemented it for the entire UW community.

Faculty and students became the last two major groups to protect their UW NetIDs with 2FA during 2022. Today, 100,000 students, faculty and staff across three campuses are using 2FA, and UW Medicine is in the process of implementing 2FA for employees who have a UW NetID and adding 2FA to MyChart accounts to help protect patients’ health care information.

The UW, like any institution across the country, has seen an increasing number of attacks that attempt to steal UW passwords, said Rebekah Skiver Thompson, the UW’s chief information security officer.

“Using 2FA helps protect against those attacks and stop the scammers from stealing information and resources,” she said.

Adding this extra layer of protection was fundamental to the UW’s comprehensive strategy to reduce institutional cybersecurity risk, she said.

The UW partners with Duo, a private vendor that reports its service decreases the risk of compromised credentials at universities by up to 96 percent.

“Even if someone has your password, 2FA helps prevent others from signing in as you,” Skiver Thompson said.


Guarding against email threats

Another facet of UW-IT’s strategy to deter cybercriminals involves protecting emails, which roll into university email boxes at a staggering rate of about 1 billion per year.

To stay ahead of cybercriminals, UW-IT unveiled a new email filtering system, Proofpoint, during the first quarter of 2022.

In its first month of operations, Proofpoint scanned 62.7 million inbound messages and blocked 30 percent, or about 18.6 million spam messages, from reaching UW email boxes. It continued at that pace through the rest of 2022. Emails with malicious content that could have compromised the University also were stopped before they could get to their intended recipients.

While there are no perfect solutions that will prevent all unwanted email from getting to inboxes, Proofpoint created a significant technological barrier against malicious or time-wasting emails, said James Morris, who manages the University’s email infrastructure.

“We continue to make enhancements to the system so we can stay in front of the bad actors,” he said.

Creating a more cyber-secure environment for the UW community


Cybersecurity goes beyond protecting customer-facing systems. UW-IT, for example, is leading University-wide efforts to improve IT business continuity and disaster recovery, essential steps if there’s a serious attack against IT systems or a storm knocks them out.

That work is part of an overall enterprise risk management plan with multiple initiatives that touch just about every aspect of cybersecurity, from updating existing security policies and improving compliance among units and departments that fall under these policies to establishing security standards for UW confidential and restricted data and streamlining procurement practices.

Much of the work is driven by the UW’s desire to stay ahead of cybercriminals and other bad actors who are relentless in efforts to break into university systems.

But some of the pressure comes from state and federal laws that govern cybersecurity policies. UW-IT worked with several units and departments to reach compliance with the law, and it continues to work with colleagues across campus to mature the University’s cybersecurity program — work that will continue through 2023 and beyond.

“Protecting email and asking everyone to use 2FA were major accomplishments in efforts to protect the University during the past year,” Skiver Thompson said. “But we also accomplished a lot that went unseen but was as important, and we will continue to collaborate with all of our partners to keep our university secure.”