In the interest of better securing email and reducing the risk and impact of potential cybersecurity incidents, Eastern Illinois University Information Technology Services will disable auto-forwarding of email from @eiu.edu email addresses to external service providers.
The practice of users auto-forwarding potentially sensitive emails introduces increased security risks and liability related to accounts, data, privacy, phishing, and Illinois law compliance. The most common cybersecurity risk and attack vector starts with email phishing, which can easily cause account compromise, data loss, and intrusion.
The past practice of auto-forwarding emails outside the officially supported EIU service has created a continual and unsustainable attack vector that is increasing and continues to impact the university and its mission. Any external email service is ultimately a less secure place for our university email. It greatly diminishes the university's ability to secure users, protect university data, and research potential security incidents.
Additionally - and equally important - auto-forwarding email to these personal and private accounts could subject any such account to potential Illinois Freedom of Information Act (FOIA) reviews, official access, and disclosure. As a result, university personnel might potentially require and demand access to any such personal accounts to search for, identify, and retrieve items in response to a legal request. EIU ITS always recommends using university email only for business needs and not personal matters.
All users (faculty and staff) who auto-forward any email from their EIU (@eiu.edu) email account are affected.
Role accounts, group accounts, service accounts, mail-enabled groups or lists and non-individual email accounts are not affected.
Numerous users were found to be forwarding their official @eiu.edu email via O365 email rules.
There were concerns:
The university will implement a new policy restricting email auto-forwarding for employees on July 1, 2023. Since this will require a change in user habits in reviewing official EIU email from external sources, EIU ITS will do the following in preparation and to assist in this transition:
July 1, 2023
Exceptions are not being considered for individual accounts, as this is viewed as a campus-wide risk and this policy helps to combat cybersecurity threats as outlined on this page. We are sorry for any inconvenience this may cause in having to check a couple of different email sources (personal and EIU related). We acknowledge several service providers have very reputable email infrastructures, but again those are private entities, and EIU cannot support them or provide security incident response for them. If you do not utilize a Microsoft O365-capable machine, please get with your department head and request a device that is able to successfully access your official @eiu.edu emails. As a reminder, everyone should utilize separate personal and business-related email accounts for privacy, law compliance, and in case of a life change (retirement, job separation, etc.).
Some key regulatory and legal requirements to be aware of: