Queen’s updates cybersecurity measures to protect data

The Queen’s IT team faces tens of thousands of cybersecurity threats to systems every day, according to Marie-Claude Arguin, Queen’s chief information officer and associate vice-principal (IT services).

Queen’s is changing its multi-factor authentication (MFA) system through the Microsoft Authenticator App on Feb. 27. The authenticator app will send two-digit numbers to the device the user is logging in with, and those numbers need to be inputted to log in. The app will now display the location of the authentication request.

Frequently updating MFA systems is one way to protect systems and data against attackers by confirming the identity of users in multiple ways, Arguin said in a statement to The Journal. Queen’s made MFA mandatory for students, staff, and faculty in 2021.

IT systems—especially those at universities—faced higher threats since the pandemic, Arguin said.

Some threats are blocked by automated tools, while others require oversight from the Security Operations Centre and IT teams across Queen’s.

“The COVID-19 pandemic triggered an explosion of global cyber threats in both number, ferocity, and complexity,” Arguin said.

Queen’s faced higher levels of unusual traffic from Russia and “malicious” cybersecurity activity in February 2022. Arguin said Ukraine’s western allies were targeted at the start of the Russia-Ukraine conflict, including higher education institutions in Canada.

There’s no one way to defend against cyber threats as they are “multi-layered” and complex, Arguin said. Data protection requirements are different, for example, for public websites compared to “highly sensitive” research or health data.

The level of protection required for data at the University level is determined by Queen’s Risk Management Framework and legislation like the Personal Health Information Protection Act.

“As with all cybersecurity, user behaviour is key to protecting data—it starts with all of us,” Arguin said.

The University responds to threats with its Cybersecurity Incident Response Plan but urges students to complete trainings. According to Arguin, most incidents stem from human error.

She referenced a study conducted by a major consulting firm that looked at 50 cybersecurity incidents in 2021 in which 77 per cent of the incidents were because of human error, compared to only 23 per cent because of “inadequate” technology.

Individuals are susceptible to attacks such as phishing and social engineering tactics which can extract valuable data.

“Canadian higher education institutions, including Queen’s, are definitely clear cybersecurity targets for malicious actors,” Arguin said. “We must all be very vigilant and do our best to stay up to date with our cybersecurity training.”

The University “overhauled” its cybersecurity training in 2020. Students are emailed to complete the course in October each year, which takes a couple of minutes.

Most students don’t complete the training, according to Arguin.

“Technology alone can’t defend against cybersecurity threats—human behaviour is a significant risk factor, and we must all do our part,” she said.