In 2022, Wofford saw a dramatic increase in online scams. The IT department decided to make campus-wide changes to address these problems, such as two-factor authentication. While originally these changes may have slowed down logging-into myWofford for both students and faculty, These procedures have now become a new normal and have been fairly successful in achieving their goals.
Trey Arrington, the associate vice president of information technology, spoke on the changes that he has overseen since joining Wofford.
“I came to Wofford in July 2022, and one of my top priorities was information security,” said Arrington. “We have a director of information security on staff and he had a lot of good ideas that needed someone to make some of those things happen.”
Arrington got to work leading a positive change regarding the college’s information technology.
“We have implemented next generation firewalls, which protects us from the outside world on the internet,” said Arrington. “We’ve also done intrusion prevention, advanced end-point protection, multi-factor authentication (MFA), advanced phishing protection and we also started employee security awareness training.”
Through implementing these defenses, the goal was to prevent the inevitable information security problems and work towards protecting already compromised accounts.
The most noticeable of these problems was phishing schemes that would ask a user for their information. Whenever an unlucky user would fall for the email scam, they would then send an email to the rest of the campus. Luckily for Wofford, these emails in particular were not much more than a nuisance.
“We were fortunate that this didn’t turn out to be some data being stolen… it mostly became gathering peoples’ credentials, and we would have to lock down and reset those accounts,” said Arrington.
The implementation of MFA was one of the first and most effective changes to dealing with this problem, but that does not mean that scams are not being attempted.
“Since we have implemented MFA and advanced phishing protection, we’ve seen a reduction in compromised accounts in the last few months,” said Arrington. “There have been many attempts that have failed because of MFA.”
While originally trying to make MFA as easy and quick to use as possible, the department quickly realized that protection needed to come before ease for professors and students.
“When we first set it up, you would just get a notification on your phone and all you had to do was click allow, but what was happening is that employees would keep hitting allow and compromise their accounts,” said Arrington. “We switched it up where you had to look up at the screen and enter a code.”
Outside of MFA, many of the implemented changes are preventative, meaning that Wofford internet users are not aware of the impact these technologies have in protecting information. .
“Over the last 30 days, our phishing protection system has blocked over 12,000 phishing emails,” said Arrington.
But as the field of technology advances, Wofford will need to evolve to address changing problems.
To address this concern the department is looking at changes such as the expanding protections offered through Microsoft, switching to a more cloud-based storage like Workday instead of having information all stored on campus and using AI and machine learning to identify and preemptively work to prevent and contain scams and other information threats.
But technological protections are not all that will help prevent all scams and information threats in the future.Wofford offers training and programs to help people identify and avoid such threats as the internet becomes a more important part of our lives and internet scams become more complex
While this is usually done through bi-annual training at Wofford, there are also less scheduled ways to help employees be more aware of their security.
“We do phishing simulations where we do phishing attacks,” said Arrington. “It’s not to be a gotcha moment but to learn what people fall for in a phishing attempt.”
While employee training and other programs have been helpful to combat scams and threats, Arrington also wants to include students. For example, the department would be willing to offer optional training sessions for online security.
He sees a potential training session as a valuable lesson for students to learn as they may experience these issues in the workforce and beyond as well.