Improving Email Security with Proofpoint at University of Hawai‘i

Institutional Profile

The University of Hawaiʻi System encompasses three universities, seven community colleges, and seven university and education centers serving over 50,000 students across all islands, providing access to a wide range of degrees and certificates. UH is a designated Minority-Serving Institution, and UH Manoa (the flagship campus) is an R1 research institution with $617 million in extramural funding in fiscal year 2024. UH Manoa is one of the few universities in the United States to hold land-grant, sea-grant, space-grant, and sun-grant designations. Information Technology Services (ITS) in the Office of the Vice President for IT is responsible for all UH systemwide information systems and services, including email services for more than 100,000 students, staff, faculty and affiliated community members.

The Challenge/Opportunity

The University of Hawaiʻi is one of many institutions going through a digital transformation over the past few years, leading to much more available data and a greater need for securely storing and protecting those data. Bad actors have been using email to target end users and get around some of the institution's more robust cybersecurity tools and procedures to gain access to the institution's data. With generative AI as a tool for these bad actors to create more natural messaging in those emails, threats are getting better at evading many current cybersecurity systems, as well as at duping users, and institutions need to find ways to protect their users and data with email gateways and firewalls. 

The exploitation of end users through email can lead to incidents with serious consequences that could potentially add up to hefty costs for institutions. In 2022, some individuals at UH were tricked into giving up their login credentials via a well-crafted phishing attack that directed them to a fake university login page where the users entered their valid university credentials. The attackers then used the stolen credentials to log in to the users' email accounts to send additional phishing emails and intercept any incoming messages that would alert the real owner of the email account to the intrusion. The attackers also used the stolen credentials to attempt to log in to other university systems, including the users' payroll accounts. For Jodi Ito, the chief information security officer for the University of Hawaiʻi system, that incident was a big wake-up call about the growing resource challenges of effectively combating email attacks. Ito has a lean team, with six positions to support all the information security needs for the entire UH system. They relayed the matter to leadership, and a consensus was quickly reached that they needed to look into email security gateways to help protect their people and the institution from further attacks.

Ito knew her team didn't have the necessary human and financial resources to quickly build their own solution. She explains, "We grew up doing everything on our own—we always look internally first. But the realities of our limited people resources and the increase in threats against our environment mean we can't keep up on our own. The investment of care and feeding of a project like this is very significant, so we knew we had to outsource." She and her team knew they needed "a mechanism by which we could monitor the types of threats coming in through emails and quickly respond," and with the go-ahead from leadership, they started the process of looking for a third-party partner.

Process

To determine which third-party solution could best help UH address its pressing need for an email security gateway/firewall, Ito and her team surveyed the higher education field to identify what other institutions were using. They also expanded their search beyond higher education, reaching out to the CISO of the State of Hawaiʻi government and other Hawaiʻi businesses and organizations. With the information they garnered from these various sources, they settled on working with Proofpoint as the best fit.

The urgency of needing something in place to prevent another similar incident had Ito and her team working quickly and closely with Proofpoint over a couple of months to build out the initial system to start monitoring and filtering email. Once the initial system was in place, Ito's team dedicated about one staff FTE and also worked with their Client Services and Operations Center (CSOC) to help monitor and edit their filtering rules, submit tickets, review potential false positives, and create alerts for large-scale phishing attacks. 

An important factor to note for institutions is that many companies are still learning how significantly higher education's environments and needs differ from those of the corporate world, and Proofpoint was no exception. Like many organizations, Proofpoint had to learn to customize and adapt to the individual needs of a higher education institution. Managing the rules and exceptions for different staff roles across campuses, as well as faculty and students, precludes having a one-size-fits-all approach. As a result, Proofpoint created a higher education Customer Advisory Board to improve its understanding of higher education needs and to provide ways to request modifications to their product to help address the specific needs of higher education institutions, including UH.

Over the past two years, Ito and her team have continued to work internally and with Proofpoint to build and refine their rules and processes for their email security gateway. And even though Proofpoint has introduced some new features and improvements, UH has taken a slow, deliberate approach to adopting them because of the difficulty of implementing new rules for their users across the entire system, and also due to a lack of human resources to dedicate to new projects. Ito and her team must prioritize where to spend their time, devoting resources to issues with the biggest impacts to their people and processes. But Ito continues to work with IT leadership, highlighting her team's work and a strategic security plan that is mapped to the overall IT strategic plan at UH to continue to improve security in the coming years.

Outcomes and Lessons Learned

Showcase the benefits of security where and when you can. Since the introduction of Proofpoint, millions of potential email attacks have been blocked. But like many technology solutions, the results can be hard for users and leadership to see because noticing the absence of problems can be difficult. Ito helps highlight her team's work with semesterly briefings they host on data governance and information security. During these briefings, Ito shares overall Proofpoint statistics, such as how many emails have been blocked because of either malicious or inappropriate content. When users and leadership see data on the millions of emails that get blocked, they can better understand and buy into the value of a product that is doing its job and understand that it hasn't negatively impacted their workloads or workflows. Those briefings and regular interactions with the CSOC help them understand which adjustments they want to make as they move forward with the implementation of more of Proofpoint's features.

Tools and partners can help simplify the process of understanding and identifying threats. The introduction of a system that's already been tested and proven at other institutions has led to a much easier method of understanding and identifying threats at UH. A single dashboard is now available that doesn't require highly trained, technical analysts to manage the environment, and users can monitor and do deep dives into their own email by reviewing their quarantine daily digests and fine-tuning their own personal filters. Additionally, the ability to create granular administrative accounts in Proofpoint allows the CSOC to be directly involved and connected with the IT security staff, distributing some of the load of monitoring from Ito and her staff. Proofpoint also continues to work on updates that will have significant impacts as they adapt to new threats, such as blocking all email sent by third-party providers appearing to be from UH unless those providers have been vetted and approved by UH. The stable and forward-looking system, updates, and communication with Proofpoint position UH well for the future.

When surveying the field, make sure your references reflect your environment as closely as possible. When Ito was surveying other institutions about their experiences with third parties, many were working with both Google and Microsoft environments and said they had good experiences with their implementations. But because UH was running almost exclusively a Google environment, they experienced more growing pains and issues in the early implementation days, given that the other institutions were using Microsoft for faculty and staff email. When surveying peer institutions, ensure that questions about their environment are specific and thorough. Additionally, pay attention to what cybersecurity insurance surveys are starting to ask about. Ito noted that over the past few years, many of those surveys have expanded what they include, and she uses them as a way to align her plans with what the insurance companies determine are risks to institutions.

Be careful tweaking the settings too tightly early on, or users may get upset. During their initial implementation, Ito's team set filtering rules that were a bit too strict and ended up filtering out some important emails that faculty signed up for. The outcry from the faculty led to some intense discussions about privacy versus security, and Ito continues to be concerned about potential pushback when implementing new features of the email security gateway system. Earlier conversations and communication with users and careful implementation and monitoring of rules can help avoid conflict.

Sean Burns is a Researcher at EDUCAUSE.

Jodi Ito is Chief Information Security Officer at the University of Hawaiʻi System.