Tablet with email envelopes

The number of compromised university email accounts has dropped significantly, thanks to a behind-the-scenes security improvement made by Information Technology Services.

ITS previously saw more than 800 compromises per month, but in the 30 days after the change only 80 were reported. Just two compromises were reported last week; before, there were up to 300 a week.

ITS disabled older, less secure login methods (known as legacy authentication protocols) for students, faculty, and staff that hadn’t used them for at least one year. They have also been turned off by default for all new accounts. IT professionals are now reaching out to people who still use the older methods to determine if they can be migrated to new protocols as well.

The change helps protect users from hackers who use the older login methods as a backdoor to access UI accounts, and then send sophisticated phishing messages from those compromised accounts to other university users.

A welcome side effect of the change has been a drop in the number of phishing messages hitting campus inboxes. Phishing emails are scams that try to trick you into providing personal information or download malware onto your computer.

“We’re very happy with the immediate impact this change had on email security,” says Ryan Lenger, manager of messaging and collaboration in ITS. “Newer tools diminished the need for legacy protocols and most users won’t notice the change, but it’s making a big difference in curbing compromises.”

University IT professionals are working on several fronts to protect email accounts and personal information. ITS filters about 69 percent of the 2.5 million email messages that get sent to students, faculty, and staff every day. Earlier this year, it introduced external tags, which flag emails originating from outside the university as [External], signaling that the message could need more scrutiny.

In June, users already enrolled in multi-factor authentication (known on campus as Two-Step Login with Duo) became required to use it to access online Office 365 tools, including email. Employees must already use Two-Step Login for several key services, and plans are underway to get all students enrolled.

Frequent awareness campaigns educate campus on how to spot deceptive and dangerous emails, and examples of scams are posted to a phishing examples page and on ITS Facebook and Twitter accounts.

Mitigation tactics are also part of the equation. When phishing scams are reported, the information security office investigates to identify users that might have provided sensitive information. Further dissemination of the message is blocked, and account credentials are reset.

“Phishing is a problem worldwide, and it can cost individuals and the university considerable time, money, and a lot of worry,” says Shari Lewison, Chief Information Security Officer. “We’re working hard to combat the problem from as many angles as possible. We’re glad to see that our multi-faceted approach, including this latest move to disable legacy protocols, is having a significant positive impact.”