10/30/2024
By Ed Brennen
Each week, some 3 million emails are sent to the 22,000-plus students, faculty and staff at UMass Lowell — about 137 per person.
Less than a third of those messages actually make it through to UML inboxes, however. That’s because the Information Security team in the Office of Information Technology uses the latest software to weed out annoying spam and, even worse, dangerous malware and phishing attempts.
The scammers are “endlessly inventive and awful,” says UML’s new chief information security officer, Heather Fowles, who replaced the retired Jim Packard in February.
Fowles came to UML after more than a decade in the health care industry. She was an information security officer at Mass General Brigham from 2019 to 2023; before that she was director of information security at the Massachusetts Eye and Ear Infirmary.
“I have always been more drawn to organizations that have a public mission, and that is something that made UMass Lowell stand out,” says Fowles, who leads a team of four information security engineers and several student employees.
“So much of security is having good IT partners, and that was another selling point here,” she says. “You want to have people on the infrastructure side who are thinking about how to manage the systems, keep them patched and keep them up to date. That definitely will reduce your exposure.”
Chief Information Security Officer Heather Fowles chats with members of her Information Security team during a recent cybersecurity awareness tabling event at the Pulichino Tong Business Center.
Fowles long thought she would work in higher ed — as a professor. She earned a bachelor’s degree in the history and philosophy of science and medicine at her hometown University of Chicago and holds a master’s degree in the history of science from Harvard University.
“Then I was like, ‘Whoa, what am I doing? I am not college professor material,’” says Fowles, who found her way into the information security field at New England Financial.
“It’s a really good field if you like being at the intersection between technology and people,” she says. “The technology is always changing and the threats are always changing, and you’re trying to get ahead of things with the technology solutions. But a lot of times your problems are human problems — what people do with their technology and their attitudes about rules or restrictions.”
Fowles sat down in late October, which was National Cybersecurity Awareness Month, to talk about her new role and why her team sends you those fake phishing emails.
Q. How does information security in higher education compare with health care?
A. A lot of the challenges are the same. We probably have more diversity on a college campus in terms of technologies that we support, and that can be challenging. In health care, some of the concerns of physicians who conduct research are similar to concerns that you might have in a faculty position here. It’s not just the IT infrastructure; you also have some things that are harder to protect, like research and more one-off type things that are more unique to a research and teaching environment.
Q. What are some of your immediate priorities?
A. One of the first things we did was improve our security monitoring. The team is small, so one of our big efforts was to get a 24-7 network monitoring service in place. We have a lot of great monitoring tools across our systems, but if an alert goes off in the middle of the night and somebody doesn’t wake up and hear it, at least we’ve got an eyes-on, third-party service. That gives us a little more peace of mind.
Heather Fowles joined UML as chief information security officer earlier this year after working for more than a decade in the health care sector.
We are also doing more on the awareness front. We’ve done tables around campus for Cybersecurity Awareness Month, and we’re doing some phishing testing, sending simulated messages to expose our workforce to the different kinds of attacks. We’re going to extend those to our students, as well.
No matter how good your technology is, there’s always some small percentage that gets through. It’s a big population here, and the cybercriminals are pretty inventive. I get some feedback from people like, “I can’t believe you’re making me do this.” But I do think that little pop of awareness when you click on something you shouldn’t is a better learning experience than any number of videos that I can make you watch. There’s no better way to learn than experientially with this kind of stuff.
Q. What kind of phishing scams should students be aware of?
A. At the beginning of the semester, there’s an uptick in job scams: work from home and make money. A student is paid to go out and buy things, maybe gift cards. They think they have received a check, but the person who puts the money into their account has the ability to pull it back within three days, so they pull the money out of the student’s account and they’re basically out of pocket for the cost of the items. And then there’s the marketplace scams for things like concert tickets, where they don’t get the money or the goods never materialize. We had an academic integrity scam this year that was unbelievable. The scammer told the student that they were the subject of an academic integrity investigation, and the university required them to pay $750 for the investigation. Fortunately, the endgame involved sending money to Kenya, and the student was like, “Oh, now I know that this isn’t real.”
Q. How have you seen the threats evolve during your career?
A. In the ’90s, we got religion about patching systems. No one really thought that that was a big issue until you started seeing these massive malware attacks, most of them from actors in other countries, so law enforcement couldn’t deal with it. That’s moved into things like ransomware. For a while, the ransom was all about, “We’re going to lock down your systems, and you won’t have access to your operations unless you pay us.” And then the ransom operators realized they don’t even need to do that — “I’ll just steal your data and ransom it.” Cryptocurrencies like Bitcoin were a huge accelerator for scams, because now they can get paid anonymously online, and they don’t see the humanity of the person that they are scamming.
Q. With more people learning and working remotely since the pandemic, how does that complicate your job?
A. There were some smart architectural decisions made here, where students are pretty much on a separate network, so they can bring their own device into that network. But we are careful about authenticating them and understanding what systems are out there. And then we have our administrative or internal systems, which are kept at an arm’s length from that of our students. From the work-from-home perspective, we don’t tell our staff to use any home system. We’re providing a laptop and saying, “This is what you work on.”
Q. What about the security of mobile phones?
A. People are a little more susceptible to scam messages from their phones. It’s a small screen, and it’s a little harder to see subtle details. And people are often rushing. If you are in this mobile lifestyle where you’re doing a lot of work from your phone, slow down and make sure you know what you’re clicking on. Or wait until you’re back at your desktop, if you can. And if you’re getting those annoying spam texts, just block them.
There’s an old “Far Side” cartoon by Gary Larson that I really love. It’s a business guy in a little space capsule. He’s flying off to work, and his cup of coffee is sitting on the outside. Technology changes, but people stay the same.