Cybersecurity threats around the globe and at UMass Boston are relentless and evolving, so the university’s cybersecurity operation must be as well. Wil Khouri, Assistant Vice Chancellor and Chief Information Security Officer (CISO), put it this way, “The cybersecurity improvement project that we run annually should actually be called a ‘program’ because, by definition, a program is for the long haul.” This unrelenting commitment is good news for UMass Boston and frustrating for bad actors worldwide.

According to Wil, “The Information Security Office (ISO) employs the services of a third party auditor to assess the university’s cybersecurity operation, identify cybersecurity risks and provide risk mitigation recommendations while providing an overall score for our cybersecurity program. Our score year-over-year has increased from 80% to 91%, with further improvements to come. That was a significant improvement.” Another metric the ISO uses to measure and improve the UMass Boston cybersecurity posture is what’s known as the secure score from Microsoft. The initial secure score was 16%, but after implementing numerous cybersecurity enhancements, that has gone up to 55% over the past two years. Khouri called this another great accomplishment given the fact that most of our higher education peers score well below that, comparatively speaking. “Just to give you an idea of this challenge, to raise the score (a tenth of a percentage point), I have to commit time and resources to implement a major endeavor such as multi-factor authentication across the campus.” Khouri added that UMass Boston’s secure score was higher than the nationwide average for all US universities using that metric.

“Our score year-over-year has increased from 80% to 91%, with further improvements to come. That was a significant improvement.”

Wil Khouri, Assistant Vice Chancellor and Chief Information Security Officer.

These impressive scores—audit and secure—affirmed that the cybersecurity strategy at UMass Boston is intelligent and effective. Khouri said the strategy is based on the idea that the new perimeter in cybersecurity is identity. That is further emphasized in the cybersecurity training and awareness campaign, “Identity is the New Perimeter.” This means that while previous security plans focused on protecting access to systems, the new approach recognizes that people are the weakest link and focuses more on effective identity management, making each member of the UMass Boston community less vulnerable and harder to victimize. The recent adoption of multi-factor authentication (MFA) was just a small piece of that strategy. Wil likened it to having a second lock on your front door to protect your home. A strong password is one’s first lock; if bypassed, MFA provides the extra protection. Khouri said that MFA has been so effective against phishing attempts, “We now get less than five a day, and we used to average about 200 a day.”

Another step the ISO took over the past year was to extend its Secure IT educational awareness and phishing simulation program to students. Secure IT provides students, faculty, and staff with brief online information security courses and sends simulated phishing attempts to the campus community afterward. Other universities have similar programs for their staff and faculty, but Khouri said UMass Boston is one of, if not the only, university to have a student program. “I don’t know of any campus, at least in Massachusetts, that does that.”

Not one to rest on his laurels, Khouri reinforced the importance of running the Information Security Improvements project year after year and continuously improving the campus cybersecurity posture. The ISO reviews the cybersecurity assessments annually and uses them to figure out how and where cybersecurity needs to be strengthened. Then it issues an annual report describing how they plan to meet that objective in the coming year. The ISO released its Fiscal 22-23 Information Security Improvements plan in June 2022, where it describes a new “Defense in Depth” strategy.

As the report describes, Defense in Depth contains four tactical elements: Visibility, Layered Security, Zero Trust, and Foundational Guidelines. Visibility and Zero Trust were the general themes of the strategy the past two years, and Defense in Depth will build upon and enhance what those past strategies have established. As it is further described,

Defense in Depth is an information security approach in which a series of security mechanisms and controls are intelligently layered to protect the confidentiality, integrity, availability, and nonrepudiation of the infrastructure and the data within.

For our purposes, there is no need to go into more detail. The UMass Boston community can rest assured that Wil Khouri, Chief Information Security Officer, and the UMass Boston Information Security Office’s staff are endlessly focused on making UMass Boston as cyber-safe as possible.