Cyber Threat Assessment 2023: more intensive, risk-based collaboration is necessary

Threats and vulnerabilities permanent

The threat picture in education and research has changed little in recent years. Last year seemed quiet in terms of cybersecurity incidents, but this was mainly because fewer incidents made it to the media. DDoS attacks, phishing emails and ransomware attacks are the main and most common threats.

Incidents better detected but not always shared

Institutions are getting better at detecting incidents, especially now that they set up or outsource monitoring and detection more often. However, it is noticeable that institutions do not always contact SURFcert, SURF's computer emergency response team (CERT), during an incident. Through SURFcert, they get help and can share information about their incident, so they can save other institutions from the same fate.

Resilience remains a concern

The professionalism of malicious parties is developing faster than the rate at which institutions can improve their resilience. This remains a concern.

There is a growing realisation among institutions that not only internal processes, systems and people's awareness must be in order, but also the processes for collaborations, chain partners and suppliers. How important this is shows the 2022 incident in which an access card supplier was hacked. This hack had major consequences for a number of educational institutions that use these passes.

Risk management still in its infancy

Risk-based working is a prerequisite for achieving appropriate cyber resilience. The cyber threat picture shows that few institutions have yet set this up properly. Risk ownership is still limitedly embedded in senior management. Officers who have to support risk owners are still often insufficiently positioned and experience capacity problems. However, administrators are increasingly involved and improvement programmes are being implemented across the sector.