Just recently, hackers attempted to infiltrate the Dutch Research Council (NWO). In the past, there have also been instances where data about students at a university of applied sciences were accessed and a university was targeted by ransomware. There are countless examples.
Oftentimes, the firewall isn’t the problem. Most ‘cyber incidents’ are caused by ‘unintentional unsafe actions by people’, the report reads. You just happen to click a wrong link or accidentally let someone watch while you enter your password.
Trust
That’s why SURF, the joint ICT organisation for education, would like to know how teachers, researchers and support staff handle these kinds of things. Over six thousand employees of higher education institutions and research institutes filled in a questionnaire, as did two hundred employees in secondary vocational education.
The outcomes are in the report entitled ‘Security and privacy awareness 2024’. Knowledge about cybersecurity is growing, but practice is lagging behind, is the message. Almost everyone thinks information security is important, or even very important, but they don’t always pay attention to it (only 67 percent) and they’re even less trusting of their colleagues when it comes to this.
Pen and paper
It’s just such a hassle sometimes. ‘Clicking through several screens, completing forms, checking extra devices: it’s tiring’, says one of the respondents. ‘One day we’ll go back to pen and paper, I’m afraid, because all of those rules aren’t feasible.’
Conversely, other employees sometimes feel the approach is too free of obligation. ‘A culture must be created where we call each other to account, because making agreements is one thing, but acting according to them is another, as are calling each other to account, correcting one another and enforcing the agreements.’
At universities in particular, people think they’re fairly capable, but they do give lower scores for their motivation. In their opinion, they’re also not always properly equipped to pay attention to safety.
What do employees want? To be provided, for example, with a VPN connection (which makes it difficult to track internet traffic) and a password manager (so you don’t have to remember strong passwords yourself). They also want to know which software they can use and when they can and cannot share personal data.
Sceptics
The recommendations in the report are obvious. For example, the education institutions must remove obstacles to safe working and create a strong ‘security culture’. It must also be made easier to report a data leak, as many employees have no idea what to do when they encounter one.
Making sure new employees are brought up to speed on the dangers is another recommendation. After all, you don’t know whether these people are aware of them or not.
The education institutions also have to keep in mind that there are sceptics, who think the attention being paid to cybersecurity and privacy is exaggerated. They are a small group, but can pose a risk. ‘Talk to them and listen to their arguments’, writes agency BDO, which administered the survey on behalf of SURF.