University renews emphasis on email policy
In a June 12, 2020 email to UT Austin staff and faculty, the Information Security Office (ISO) announced that the university is renewing efforts to enforce a longstanding university policy requiring all employees to use official university email accounts for university business.
ISO explained that the policy is in place for two important reasons. One is that the Texas Public Information Act makes some university records, including emails, available to the public upon request. Using a personal email address for university business means your entire personal email record could be subject to open records. These emails and responses to them are also subject to state records retention and security requirements.
“The last thing you want is for your personal mail account to be brought into scope for open records or litigation involving the university,” said Cam Beasley, the university’s chief information security officer.
Another reason for the policy is that university email accounts have a higher level of protection and security from cyberattacks and phishing scams than personal accounts. These attacks and scams have greatly increased since the start of the COVID-19 (coronavirus) pandemic.
“We’ve observed a sustained 700% increase in social engineering attacks launched by advanced nation state adversaries since the beginning of the pandemic,” Beasley said.
ISO asks staff and faculty to take these actions:
- Ensure you are using your official university email address for university business, both for sending and receiving email.
- Check your listing in the University Directory to verify that you have a university issued email address listed. If there is no email address, an inaccurate email address, or you see that a personal email address appears in the directory, update your work email address in Workday. For questions, email firstname.lastname@example.org.
- Do not forward email from a university email account to a personal email account. Forwarding university email to a personal email account is prohibited by policy and will be restricted in the future.
- If you maintain a university listserve or mass mailing list for communicating official university business, remove any non-university email addresses for employees.
Staff and faculty have options for obtaining a university email account. To learn more about these, visit the IT@UT webpage on university email, or contact your unit desktop support or ITS staff for help. In the meantime, personal email addresses have been removed from the work email address field in Workday. Where possible, Office 365 or UTmail business accounts have been loaded to ensure there is an official email address on file.
“Adhering to these changes will not only best protect your personal email resources and data, but will position the Information Security Office to better defend you from these highly skilled bad actors,” Beasley said.