Digital threats from state and criminal actors are increasing. Knowledge institutions in the Netherlands are also targets for cyber attacks. A wide variety of methods are used, ranging from attempts to reveal information and phishing emails to DDoS (Distributed Denial of Service) and ransomware attacks. Given that knowledge institutions often purchase services from several large tech companies, cyber attacks on these service providers can lead to widespread outages at the institutions.
Scope for action: what can you do?
What cyber security measures should be in place at the institutional level? Which processes and procedures should there be? How can you ensure that everyone is familiar with them? How can everyone contribute individually? How can you ensure sufficient ‘digital hygiene’? Where is there a particular need for cooperation and sharing of knowledge and information? There are two elements that you yourself can address:
Human behaviour can override all technical and procedural measures. The greatest primary cause of reported cyber safety incidents is ignorance and incorrect action by people. People are thus also an important factor in cyber security. To reduce the risk of a cyber attack, it is important to help students and staff members to develop safe behaviour. The following are examples of measures that your institution can take to raise awareness:
- Use a variety of communication channels (e.g. newsletters, special intranet pages, infographics and vlogs by experts and board members). Publish regular news items on best practices that describe cyber-security incidents, including items containing suggestions for behaviour and action.
- Develop educational programmes, training and recurring information sessions for researchers, students and administrative and support staff on topics such as cyber hygiene, risk identification. Teach them how to avoid or cope with such risks. This can also be done using physical and digital campaign activities (e.g. Cybersave Yourself by SURF).
- Implement e-learning tools for students and staff members (e.g. the SURF Digital Privacy and Security Certificate).
- Participate in cyber-crisis exercises (e.g. OZON at SURF).
Risk management and administrative and strategic attention
Which agreements do you make within your institution and with external stakeholders in order to ensure the continuity of education, research and knowledge sharing in the event of a cyber attack? And to ensure the integrity and confidentiality of the data? It is crucial to be prepared for a cyber attack. Pay attention to security at board and strategic levels. Implement measures to detect and monitor possible attacks. In addition to the basic measures proposed by the National Cyber Security Centre (NCSC), take the following technical and organisational measures:
- Join a Computer Emergency Response Team (CERT) like SURFcert, in which member institutions receive 24/7 support in the event of a security incident. SURFcert is in direct contact with the NCSC.
- Join a Security Operations Centre (SOC) solution (e.g. SURFsoc), thereby ensuring 24/7 monitoring and threat detection for your networks.
- Perform internal and external audits that generate greater insight into the extent to which your institution is in control of information security and identify priorities for improvement.
- Consult the AIVD and MIVD publication entitled ‘Cyber-attacks by state actors’ (only available in Dutch). This document provides insight into the threat of cyber attacks and practical tips for recognising and preventing an attack.