October is cybersecurity month. In the spirit of it, we speak with Vice President Ellen van Schoten, Chief Information Security Officer Rory O'Connor and EUR AVG specialist Marlon Domingus, giving their best cybersecurity tips for students and staff. "Because the security of the university is partly in all of our hands," says Ellen van Schoten.
Why is cybersecurity so important?
Ellen van Schoten: “Cybercrime is a growing problem. Think of hacking, or ransomware attacks, where companies have to pay ransom. It is also occurring more and more in our private domain. For example, I come across more and more phishing mails in my mailbox, and they are also becoming more sophisticated. You must be careful with a payment link on Marktplaats. You may think: I won't fall for it. But anyone can fall for it, for example because you are busy doing something else.
For companies, it can have far-reaching consequences if data is stolen, or computers held hostage. For individuals as well. Something like identity fraud can haunt you for the rest of your life. Unfortunately, an educational institution seems to be a target.”
Why is an educational institution a target?
Rory O'Connor: “An educational institution has an open character. There are many students who use their own equipment. And it is visible. These are precisely the attractive characteristics for cyber criminals. Educational institutions suffer sixty per cent of all cyber attacks, Microsoft has calculated.
An attack on a university can be done via student data. A criminal may try to break into the central system of a university or college via a student account. Therefore, security begins with personal cyber-hygiene. If we all protect ourselves, we also protect the university better.”
That's interesting: does the responsibility lie in our own hands?
“Partly, yes. And as Ellen says, criminals are becoming more and more resourceful. In the Netherlands we see that ordinary crime has halved. Cybercrime has more than doubled. It is also a growing problem worldwide. And hacking tools are available worldwide. Local criminals use international tools, making attacks sometimes difficult to intercept.”
"Security starts with your personal cyber-hygiene" - Rory O'Connor
Do people realise how dangerous it is, or how important cybersecurity is?
Ellen van Schoten: “I don't think so. Rory and his team have posted a very good course on Canvas but it is hardly used. That is a pity. Because the security of the university is partly in all our hands.”
Why is cybercrime still seen as an abstract problem?
Marlon Domingus: “The purpose of universities and schools has traditionally been knowledge development and knowledge sharing. The idea is that we share knowledge with each other. We have open buildings, we strive for transparent science. And that openness is good. But in developing the internet, we assumed that we are all gentlemen, that we can trust each other. From the point of view of good faith, it seems like an abstract problem. Unfortunately, we are increasingly seeing people that are emphatically not to be trusted.”
What can all go wrong with my or your data?
Marlon Domingus: “If a lot of your personal data is 'on the street', people can abuse it. Think of identity fraud with a passport copy. They can use your profile pictures for fake accounts. If you are famous, your private photos can be used for advertisements. You can lose control over your own life. An important tip is therefore not to share too much data. If less of it is online, it can also be less abused.”
" An important tip is therefore not to share too much data. If there is less of you online, there can also be less abuse of it" - Marlon Domingus
But what can a criminal get out of student-data?
Ellen van Schoten: “Via an individual account, a cybercriminal can gain access to the EUR. They can also misuse your Erna account.”
Rory O'Connor: “The other day we had a student whose Osiris account had been hacked. He had received a notification from his Google account, which had been hacked first, but he had taken no action. Then his Osiris account was hacked. You don't want hackers to access your grade list.”
Is this why regular password refreshing is important?
Rory O'Connor: “Even more important than refreshing is using different passwords for different sites. They often leak via ticket websites or simple garage websites, for example. You must make sure that if your password is cracked on one site, it can't be used on another. And a good password is at least 12 characters and has a number and a special character. I always say: use a sentence, not a word. That's harder to crack and easier to remember.”
Do you have any other tips for everyday use?
Rory O'Connor: “Fraud also takes place over Wi-Fi networks. Students like to use free Wi-Fi. Make sure you always use an EduVPN. It's free to download.”
Marlon Domingus: “People often use their business or student email for private matters. That is allowed. But they buy or rent a house, receive e-mails from the bank. They organise a conference or trip abroad and receive passport information from friends or colleagues. If you keep all that data in your inbox, that becomes very vulnerable. In fact, you shouldn't use your mailbox as an archive. You can solve that problem by archiving your mails and storing them safely.”
Ellen, privacy and security are in your portfolio, in what way does the subject appeal to you personally?
Ellen van Schoten: “I have worked in the public sector for a long time, and I have also had colleagues in other countries who worked for an unsafe regime. An example: if we work together with people in Afghanistan and have data on them, this can literally be dangerous for those people if it is not properly secured. As an institution, we really have an important task. We have a huge capital of people's data and research results, we have to protect that very, very well.”
Rory O'Connor: “We are also seeing more and more LinkedIn being used by criminals. The latter are posing as senior academics and using a clever story to ask for money. The biggest criminal activity of all took place in Canada, where ten million euros was transferred from the university to a fake construction company.
Another thing: SMS fraud is on the rise. Be wary of text messages, they can be a way to take over your phone. For example, a real company will never send you a website link via SMS. On top of this, make sure your Find My iPhone is on and that it has a six-digit password.”
Kapitaal aan gegevens
"We have a huge capital of data on people and research results, and we need to protect that very, very well" - Ellen van Schoten
Finally, what can students and staff do if they have doubts about messages or notifications they receive?
Marlon Domingus: “If you have doubts about whether an SMS or e-mail is genuine, check it. For example, you can type part of the text into Google and see what comes up.”
Ellen van Schoten: “It's also good to realise that criminals are very clever, they capitalise on what's going on in society. Because there is a high housing shortage, students now receive phishing mails with attractive houses.”
Rory O'Connor: “We want to ask everyone to report to our IT Service Desk (see the box below) if you see or receive anything suspicious. We collect all attacks, we learn from them, and we can all be more secure from that.”
Marlon Domingus: “Finally, I would like to add that we are not doing all this because it happens to be the theme of the month. Trustworthiness and transparency are important Erasmian values, ensuring security online is an essential part of our university, and it is also necessary to be able to have an impact.”
A few more Netflix tips that focus on the themes of cybersecurity and social media:
- The Great Hack is a 2019 documentary film about the Facebook–Cambridge Analytica data scandal.
- The Social Dilemma is a 2020 American docudrama film which provides a deep dive into how social media's design nurtures an addiction, manipulates people’s views, emotions and behavior, and spreads conspiracy theories and disinformation, to maximize profit