As part of an administration-driven effort and directive to better secure employee email and reduce the risk and impact of continued cybersecurity intrusions, Technology Services Privacy and Cybersecurity has taken action as of October 5, 2021, to restrict university employees' ability to auto-forward from @illinois.edu, @uillinois.edu, and @uiuc.edu email addresses.
University of Illinois and its employees who auto-forward official Illinois email introduce increased risks and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois law.
At a time when the university's #1 cybersecurity risks overwhelmingly start with email phishing leading to account compromise and intrusion, we must change practices that we may have long enjoyed but that present great problems and risks in the here and now.
The past practice of auto-forwarding faculty and staff email outside the official, supported university service has created a continual and unsustainable opportunity for cybersecurity intrusions to increase and continue to impact the university and its mission. Whether it's a consumer service like Yahoo or even another Illinois service that was set up only for student use, like the Google g.illinois service, these are all unsupported, less controlled, and ultimately less secure places for our university employee business email. Forwarding to them diminishes the university's ability to secure its people, information, university data, research, internal processes, and business interests.
Additionally, auto-forwarding email to a private account subjects any such account to potential Illinois Freedom of Information Act (FOIA) reviews, official access, and disclosure. As a result, university personnel might potentially require and demand access to any such personal accounts to search for, identify, and retrieve items in response to a legal request.
Employees (faculty and staff) who auto-forward any mail from their Illinois email account are affected.
Employees who use the electronic directory editor (EDE) to redirect their individual Illinois mail to another account are affected. (Note: EDE use for mail redirection is currently deprecated and being phased out as well.)
Role accounts, group accounts, service accounts, mail enabled groups or lists and other non-individual email accounts are not affected.
Roughly two thousand employees forwarded their official email via O365 e-mail rules or electronic directory editor (EDE). There were two concerns:
The university implemented a new policy restricting email auto-forwarding for employees on October 5, 2021. This required new email habits for those used to fielding their official work email from other places, or with different solutions.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university did 4 things:
Tuesday, October 5, 2021
In addition to not having the ability to know about or react to cybersecurity events outside the O365 environment, the university does not support use of Google email for employees. Email forwarding to Illinois Google is not a supported option for university employees who have a primary affiliation of faculty or staff.
NOTE: This pertains to Google email only. All other Google apps licensed by the university are still supported.
People with Illinois email service provided within their unit by way of a local server or service will continue to be able to use such services. However, forwarding will no longer be an option for those employees in either the departmental subdomain or in the main O365 environment, including forwarding from one to the other.
The directive has been implemented. If for some reason it is necessary to explore this path, it might be possible, but the risks of any variance requested must be accepted by the executive officer at the unit level. Note also that on a logistics level, changes to email policy groups must be done manually, and will be processed as a work order, on roughly a 2-6 week timeline. You may still access your Illinois email in O365; see https://techservices.illinois.edu/email-how-to-log-in/. Cases presented are subject to approval and risk acceptance by campus governance and your unit executive.