Challenges of enhancing protections in a distributed environment
Posted on April 2, 2020 by Bo Wandschneider
The University of Toronto (U of T) is an absolutely amazing place to work, and even more so as it rises to challenges presented by the COVID-19 pandemic. That shows in getting people working from home to carry on University business, in working with students to finish courses remotely, and in driving the massive research enterprise to focus on COVID-19. It is incredibly inspiring to watch and be part of, but that innovative and agile ability also causes challenges when it comes to enhancing information security.
Late last year, we ran an external security assessment with chief information security officers (CISOs) from the University of British Columbia, the University of California Davis and Yale. They commented on the issues around the distributed way we operate, including the lack of clarity in roles and responsibilities and the visibility and authority that the CISO has.
We have been wanting to roll out a simple enhancement to Microsoft Office 365 (O365) that would place an alert banner on any email messages that we receive that originated outside of the University. This is a simple and effective awareness piece that nudges people to think twice before clicking or responding to external messages. It just reminds them to not click on links or open attachments unless they recognize the sender and know the content is safe. We know that we have an increased risk of compromised accounts and we know this will help prevent some of them. Many other organizations use this feature and the response from the community is favourable.
The challenge is the distributed environment and how O365 views many legitimate U of T mail senders as external, which requires a large number of exceptions. For example, many areas use email distribution services for communication tools such as a newsletter that would get labelled with the alert. In essence they are external, even though we generated them here. We also know some individuals forward their email (something I do not endorse) and those services make their sent email look like it is from U of T, but it isn’t. There are many other examples of this including local email servers.
As the chief information officer (CIO), I see the risk that we are mitigating with the banner as much higher than the cost of putting the banner on messages that are generated internally using outside services. We have very little visibility into many of these services and although we have been doing broad pilots, we know we haven’t got everything. At this point in time, we are considering moving forward with the banner and handling any issues that are presented as they arise.
This is one of the realities of operating within a distributed environment.