A new University of Utah-wide, multi-phased cybersecurity initiative is underway.

The program was commissioned by the Office of the President and Board of Regents and is being led by the Information Security Office and Univeristy Information Technology Partner Relationships.

Clay Postma, director of UIT Partner Relationships at the U, said in an email interview that the size of the university makes them susceptible to cyber-attacks and cybersecurity threats, and this program is going to help prevent this.

“Like other Research 1 universities, the University of Utah is a high-profile target for cyberattacks,” Postma said. “By implementing the Cybersecurity Program, the university can better prevent and respond to current and future IT security threats.”

According to Mu Zhang, assistant professor in the school of computing at the U, implementing better cybersecurity is necessary because of the increased intensity of cyber-attacks in recent years. He added just one cyber attack could be devastating for the U.

“Usually these attacks are very targeted and very well organized, and these attackers have advanced techniques and are specifically looking for opportunities where they can profit,” Zhang said. “That means they are usually targeting large companies, schools, university campuses and supply chains.”

In the past, the U has faced cybersecurity threats that have affected the university and faculty, according to Postma, and many smaller security threats have taken place, emphasizing the need for protective software.

“Rare serious incidents, such as the 2020 ransomware attack on the U’s College of Social and Behavioral Science, have occurred,” Postma said. “More commonly, some members of the U community have experienced smaller attacks, such as scams, password phishing, viruses and malware.”

Postma said cybersecurity threats often present themselves in harmless ways as everyday items, and people at the U should be wary of suspicious or untrustworthy emails.

“These types of attacks are endemic across all sectors of society and typically occur when people open malicious email attachments and links or visit malicious websites,” Postma said. “Everyone, including students and faculty, should be constantly on guard for suspicious emails, links and websites in order to protect personal and university data.”

One improvement the initiative makes is using a security method called Defense in Depth, said Zhang, which uses several levels of defense to stop stealthy attackers and ensure that they can’t enter the system. 

“No defense mechanisms and no tools are perfect,” Zhang said. “You cannot expect to use one single tool right to capture all the attacks. That’s why we actually need to use security defense at different levels. The assumption is that if the attack is not captured by one level of attack, it can be captured at another level at attack.”

This initiative also has five strategic goals that it intends to accomplish, some of which have already been completed. These goals are to conduct a third-party assessment of university-wide IT security, increase the likelihood of obtaining cyber insurance, implement cybersecurity maturity model certification standards, establish college/department/organization-level IT security reporting responsibilities and measure progress toward the U’s desired security state.

Postma said the program is going to be a ongoing effort to help the U reach industry-standard IT security that will implement the appropriate tools and techniques over time.

“The program is a long-term, U-wide continuous effort that includes policy and process improvement, education and outreach, and collaboration with university partner organizations to support and track information security measures at local and central levels,” Postma said.

According to Postma, students shouldn’t notice a difference or be expected to change the way they conduct their education, this program overall will enhance their experience at the U.

“The program will affect students in a positive way by enhancing IT security outreach, education, and protections,” Postma said “Students shouldn’t need to take action other than continuing to practice standard IT security precautions.”

[email protected]

@steviechrony

This article was updated on March 22, 2023, to clarify the scale and frequency of cybersecurity attacks on the U, according to Clay Postma, director of UIT Partner Relationships at the U.