Privacy & Cybersecurity, Employee Email Auto-forwarding, Disallow by Policy Effort FAQ
As part of an administration-driven effort to better secure employee email and reduce cybersecurity intrusions, Technology Services Privacy and Cybersecurity will take actions on September 27, 2021 to restrict university employees' ability to auto-forward from @illinois.edu, @uillinois.edu, and @uiuc.edu email addresses.
What is this all about?
The University of Illinois and its employees who auto-forward official Illinois email face high and increasing risks and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois law.
Why is this happening?
At a time when the university's #1 cybersecurity risks overwhelmingly start with email phishing leading to account compromise and intrusion, we must make changes to things we have long enjoyed but that present great problems in the here and now.
Forwarding of faculty and staff email is risky and moves opportunities for university cybersecurity intrusions into less controlled or secured environments. It diminishes the university's ability to secure its people, information, university data, research, internal processes, or business.
When auto-forwarding email to a personal account, your personal mailbox becomes subject to potential Illinois Freedom of Information Act (FOIA) reviews and disclosure. As a result, university personnel might potentially require access to any such personal accounts to identify FOIA items.
Which email accounts/who will be affected and not?
Employees (faculty and staff) who currently auto-forward any mail from an Illinois email account will be affected by this change.
Employees who use the electronic directory editor (EDE) to redirect their individual Illinois mail to another account will be affected by this change.
Role accounts, group accounts, service accounts, mail-enabled groups or lists, and other non-individual email accounts will not be affected by this change.
What does the problem look like right now?
A few thousand employees currently forward their official email via mail rules or electronic directory editor (EDE). There are two concerns here:
1) Phishing and email are the most successful cybersecurity attack vectors against our university. They continue to be the most effective vehicle for threat actors worldwide to spread malware, access our work, and steal our most valuable assets. Illinois' Cybersecurity cannot provide much value or relief when employee email is being sent to a place where attacks cannot be detected or dealt with.
2) (For offsite forwards only) Employee email forwarding as an allowed practice has built, and will continue to build, potential for putting personal accounts in scope for the Illinois State Records Act and FOIA. This puts individual personal privacy at risk. It also puts the university in a difficult position, because it cannot comply with laws unless owners grant official access to private email.
What is the university doing about it?
The university will be implementing a new policy that will disallow email auto-forwarding for employees. This may require new email habits for those who are used to fielding their official work email from other places, or with different solutions.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 4 things:
1) Identify and give ample notice to university employees and support personnel of those who auto-forward their email in EDE or via O365 rules.
2) Provide guidance on how to eliminate rules or what to do: O365 "how-to" guidance, EDE guidance, OR "do nothing" (any existing rules will be disabled or disappear once we implement).
3) Provide support and guidance to non-technical audiences who need to convey the new requirement to their support people.
4) Quickly implement new policies within O365 and departmental mail services.
When will the policy be implemented?
New date! Monday, September 27, 2021
Where can I find resources to guide me through the change?
If you wish to wait for the implementation, there is nothing to do. Any rules set up will cease to function at the time the university disables auto-forwarding.
If you wish to cease forwarding immediately, see:
(EDE) "How to stop forwarding to an alternate email address": https://answers.uillinois.edu/illinois/86742
What if I am forwarding to an Illinois Google Email account (g.illinois.edu)?
In addition to not having the ability to know about or react to cybersecurity events outside the O365 environment, the university has also deprecated its use of Google email for employees. Email forwarding to Illinois Google will no longer be an option for those university employees who have a primary affiliation of faculty or staff.
NOTE: This item pertains to Google email only. All other Google apps licensed by the university are still supported.
What if I am forwarding to an Illinois subdomain or departmental email account (*@dept.illinois.edu)?
People with Illinois email service provided within their unit by way of a local server or service will continue to be able to use such services. However, forwarding will no longer be an option for those employees in either the departmental subdomain or in the main O365 environment, including forwarding from one to the other.