On May 28, 2025, a new cybersecurity mandate will fully go into effect for all University of California (UC) campuses, with several key requirements for campus instructors. This was outlined initially in a letter from President Michael V. Drake, sent to the 10 UC Chancellors on Feb. 26, 2024. It details expectations for each campus’ individual plans, which included continuation of mandated faculty cybersecurity training.
The letter issued new policies to ensure that all devices able to access the network can be identified and tracked, to require multi-factor authentication upon login, and to deploy UC-approved endpoint detection and recovery (EDR) software. Each campus was then expected to submit its own detailed plan, following these requirements, for how it would enhance the campus network’s cybersecurity.
Cyberattacks have become all too common on university servers, with attackers looking for classified information, either professional or personal, or simply looking to lock away sensitive or irreplaceable research in the interests of collecting a ransom. The UC system fell victim to large-scale cyberattacks twice in the 2010s, first at UCLA Health in 2015 and then at UC Davis Health in 2017.
Both of these attacks required costly follow-up from the UC’s healthcare systems, including experts to trace the breach and tighten up security, as well as measures such as credit monitoring, free of charge, for any individuals whose social security information may have been accessed. Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) also legally require such corrections, on top of the costly financial penalties that can be imposed as a consequence.
The UC Riverside (UCR) campus has laid out three steps to be taken by its employees to adhere to the 2025 Cybersecurity Mandate. One is to remain up to date with the UC cybersecurity awareness training that all UCR employees were already required to take yearly. As of now, there may be stiffer penalties for not being compliant with training requirements, such as being shut out of university servers until the training is complete. Another is to verify identity upon login using multi-factor authentication (MFA). This can be done through a mobile number or through the Duo app, in the same way that students use MFA to log in to student accounts. The third is to connect to the campus servers only via a device which has the new security toolset installed.
This is a requirement only set out for employed instructors at this point in time, which means that as of May 28, graduate students who instruct classes are not required to have the security toolset downloaded. This does, however, include lecturers on staff, many of whom plan their classes, post their Canvas pages and grade their students from personal devices.
This became a point of concern for many, because the security toolset includes NinjaOne, which is a UC-approved endpoint management (EM) tool. The purpose of the program is to “gather device information for the university’s records so that UCR can track devices when they connect to UCR networks or resources,” according to the UCR security toolset whitepaper.
This means that anyone who has access to the security database would then have access to any and all information and activity that is present on the device itself, which raises immediate concern from staff who still conduct their university work from their own personal devices. Precise complaints range from general discomfort at their personal data being stored to HIPAA concerns relating to telehealth information that is stored on personal devices.
The security toolset web page currently states that “security tools must be installed on personal devices if the user wishes to connect to secure UCR resources and applications”, but it now also states that “staff members should not conduct university business nor access secure UCR resources from a personal laptop/computer.”
This concern is now being addressed by the UCR administration, as Provost Elizabeth Watkins confirmed that the campus will be “purchasing computers to provide to lecturers who do not currently have a university-issued device.” The security toolset web page has also updated its frequently asked questions (FAQ) section to reflect the concerns of faculty and staff, answering that the tools are set up to detect harmful activity on the device and that there is no plan to manually review any information collected from university-issued devices.
Any information collected from these devices will be kept safe within the UCR secure servers. Even in the case of a security investigation, the Information Technology Solutions (ITS) Information Security Office is required to adhere to strict campus privacy policies while doing so.