Omslagbeeld Cyberdreigingsbeeld onderwijs en onderzoek 2021-2022

Cyber Threat Assessment Education and Research 2021-2022: Dutch education and research scales up by increased cyber threats

Compared to 2020, 2021 shows an increasing threat of major incidents within the education and research sector. That is one of the conclusions of the Cyber Threat Assessment published annually by SURF. In addition, major incidents in the chain such as Log4j also constitute a new threat to education and research.


In the event of major incidents, cooperation in the field of information security and privacy has increased within the sector. In order to exchange information quickly and share experiences, both universities and universities of applied sciences have monthly CISO consultations. SURF, and in particular SURFcert, is taking on an increasingly coordinating role in the event of major incidents. At the national level, there has been collaboration on incident response since 2020 within the National Disaster Response System (LDS), a partnership between the National Cyber Security Centre (NCSC) and sectoral organisations. This collaboration has been further intensified over the past year.

Cyber threats

As in 2020, threats to the education process, the research process and business operations in general are rated higher than in the previous year. The survey shows that the risk perception of the risk categories Acquisition and disclosure of data and Dependence on cloud services have increased considerably compared to 2020 and that that of Disruption of ICT facilities continues to be rated as very high. Respondents also mention the lack of capacity within the institution as a major vulnerability.

New trend: threatening to publish stolen data on the dark web

The Education and Research Cyber Threat Assessment 2021-2022 (PDF, in Dutch) contains an overview of the major incidents that occurred in the sector in 2021. It shows that ransomware posed the greatest threat. A clearly new trend is that after a hack, cybercriminals threaten to publish the captured data on the dark web if the demanded ransom is not paid. In a number of incidents, stolen data was actually published.

Charting the dependency chain: who is responsible for what

The Log4j vulnerability in December 2021 illustrates how the dependence on software suppliers, service providers and other third parties can lead to problems. To be better able to withstand incidents of this nature, it is necessary to map out these dependencies and make sound agreements with suppliers about who is responsible for what in the chain. Knowledge sharing and information exchange within the sector are crucial for this.


The survey shows the three most important measures taken by institutions to increase their resilience: introducing multi-factor authentication, paying attention to awareness among staff and students, and implementing technical measures. Technical measures include the use of a Security Operations Centre (SOC) and Security Information & Event Management (SIEM), the effective application of network segmentation, patch management and the creation (and regular testing) of offline backups.

Political attention

The number of major incidents in 2021 has led to extra political attention for cyber security. For example, questions were asked in Parliament about a number of incidents and about the state of information security within the sector. Agreements have been made within the umbrella organisations to allow the sector to grow to a higher maturity level in the field of information security.

About the Cyber Threat Assessment

The Cyber Threat Assessment 2021-2022 is based on a survey of 70 Dutch educational institutions (secondary vocational, higher vocational and university) and research institutes. Public sources have also been used to identify trends in cyberthreats. SURF has published the Cyber Threat Assessment annually since 2014.

Education and Research Cyber Threat Assessment 2021-2022