A hack at the Dutch Football Association, data of thousands of TU Eindhoven students stolen and 200 million e-mail addresses of Twitter users on the street. More and more cases of cybercrime are coming to light. What can we do about it? "First of all, we need to talk about it more. Many people don't realize the impact of a hack. Something like this could just happen at our university," says Bernold Nieuwesteeg, a law professor and expert on cybersecurity.
Password manager to protect yourself
Students and staff need to be much more aware of the dangers of a data breach, according to Nieuwesteeg. If you buy a new bicycle you always buy a sturdy lock. We often protect personal data on our computers a lot less well. "De-cluttering the home in popular. You can now have an empty house with only a laptop and still have everything you used to have. Everything is in our computer: photos, letters, videos, official documents, etc. Imagine if everything on your laptop could suddenly be viewed, copied. Everyone should be aware that this can be stolen."
Fortunately, you can take some basic measures that will also make your life easier. According to the researcher, the most important is a password manager. "A password manager is step number one to protect yourself. The safest thing to do is to create a different password for each account: mail, online banking, social media. If one account is hacked, there will naturally be attempts to log into your other accounts. Having the same password everywhere is a big problem. A password manager makes your life a lot safer and easier. You no longer have to remember your passwords yourself or keep them on post-its somewhere."
What can we as university do?
Our university can always be a target of hackers. We certainly wouldn't be the first. As a large organization, you can focus on two directions to protect yourself: the people or the design. "Teach the people within your company what the dangers are and how to protect themselves. In our case, that's tens of thousands of students and thousands of employees. It only takes one person to click on a phishing link and the hackers are in. That's where a large portion of all hacks originate. You understand it's a huge job to train everyone. If you focus on design you make sure that when someone is inside that person does not have immediate access to all the data. I personally think good protection is a it's always a combination of both."
"It only takes one person to click on a phishing link and the hackers are in"
Even within the university, we need to make people aware of the dangers. This is now happening with the 'Watch your data' program for employees. "It has to come alive with everyone. Conversation at the coffee machine. Who are the people behind our cybersecurity? You know the doorman of your building on campus, but you often don't know who the digital doorman is. While online is a much greater risk. The best way to raise awareness is to get hacked once, then you feel what can go wrong. Employees and students know they can be hacked, but don't feel the seriousness. The issues are really important."
Still, Nieuwesteeg thinks it will take a long time before everyone is really aware of the dangers: "There are even still people who don't want to pay with debit cards and do everything with cash. Furthermore, there are people around 30 who are not yet aware of the effect of hacks. Then you know we still have a long way to go."
Tax on paying to hackers
The business model of hackers is that victims pay a hefty sum. During the September 2021 Studio Erasmus talk show, Bernold Nieuwesteeg told us that organizations should never actually pay to undercut hackers' business model. How does he feel about that now?
"That was a bit of a bludgeoning. The discussion did get going, but there was also criticism. Suppose Erasmus University Rotterdam is hacked and there is no backup. That's a real problem. Years of research data gone. So sometimes it does make it better to pay. At the same time, it is bad that you pay, because you are stimulating a criminal organization. So I have a new idea," says Nieuwesteeg.
"Paying shouldn't be a license for organizations that really shouldn't have had to pay. Companies should not take the easy way out. Only in extreme cases should you have to pay. I would introduce a tax on ransomware. You can pay, but then you also pay a fine. That companies should weigh very carefully what they do."
Not all hacks are problematic
It is important to see the difference between different types of hacks and data breaches. After all, how bad is it if your e-mail address is "stolen"? "If it's just a mail address, it's not problematic," says Nieuwesteeg. "Anyone can find my mail address or phone number through Google. We have to look at each data breach individually. We don't always have to scream murder and fire."
Nieuwesteeg: "It is mainly sensing which data breach is important. If your password is stolen, that is of course much more serious. Especially if you also use that password for other important accounts. It's something a password manager can prevent. If the university is hacked and you as a researcher cannot access your research data then you have a problem. Four years of working on your research and everything is gone. So my tip is: make sure you have a backup. You can do that online or offline on an external hard drive. As a student I would do the same with all my study materials."