"That cybercriminals want to get in 24/7 is a fact. The question is: how do you keep them out? That starts and ends with creating awareness."
Step into the mind of a cyber criminal
How do you proceed when you want to steal someone's log-in data to gain access to a secure system? That is one of the assignments of the workshop for employees. Coordinator Information Security and Privacy (IBP) Samantha Rodolf Lejeune creates awareness among her colleagues to reduce cyber risks for VISTA College.
Educational institutions are a favourite target for cybercriminals. Samantha is more than aware of the cyber risks that the South Limburg MBO institution faces: "That they want to get in 24/7 is a given. The question is: how do you keep them out? That begins and ends with creating awareness."
"Phishing mails are becoming more and more insidious," says Samantha. "A few years ago it was still easy to spot them, because they were full of spelling mistakes or started with 'Dear customer'. But nowadays they are hard to distinguish from the real thing and the temptation to click on them is increasing. Because they appeal to your emotions, or because they look very much like emails or messages you are used to receiving. Take a notification that a parcel is on its way: even if you haven't ordered anything, you've clicked on it before you realise. This means that everyone in the organisation has to be very alert. Because if a system is hacked, it almost always starts with a phishing mail."
An insignificant link
Samantha: "One moment of inattention from one of the employees, one click on an insignificant link, and it can happen. At the moment we are developing workshops to make employees alert. With the assignment to write a phishing mail themselves, we want to show the workshop participants how it works. But we also want them to get inside the head of a cyber criminal for a while. We actually ask them to write an e-mail that they would fall for themselves. The other day I almost clicked on a link in an e-mail that offered free corona tests. I then went to check whether it was pure coffee. Fortunately, there was nothing wrong with it. But if I were a hacker, I would see a gap in the market."
New challenges all the time
In January 2018, Samantha was given responsibility as IBP coordinator for information security and privacy at what was then still ROC Leeuwenborg, which would merge with Arcus College to become VISTA College a year later. In May of that year, the General Data Protection Regulation (AVG) took effect. And at the end of 2019, Maastricht University was hit by a severe ransomware attack, which put security departments across the education world on edge. The pandemic, which broke out in the Netherlands in March 2020, presented data security and protection professionals with very different challenges again.
Balance between 2 interests
Samantha: "Students always come first; we do everything we can to prevent interruptions in education and delays in their studies. At the same time, I have to ensure that their privacy is guaranteed and their data safe. I am constantly looking for the perfect balance between those two interests."
"In late 2019, Maastricht University was hit by a severe ransomware attack, which put security departments across the education world on edge."
"In the beginning, I found the heavy ICT component of this job particularly difficult," she says. "Now it may be different, but when I studied criminal law, cybercrime was less an issue. It was abracadabra for me so I had to learn everything from my technical colleagues. It's a constant cat-and-mouse game with the hackers. I like to be told what kind of wall we have put up to keep them out. We are getting better at protecting, but they are getting smarter at attacking. We continue to develop on both sides. That makes it exciting."
"With the assignment to write a phishing mail themselves, we want to show the workshop participants how it works. But we also want them to get into the head of a cyber criminal."
"It is also interesting to see how other educational institutions deal with information security. SURF plays an informative but also a connecting role in this. What is going on and what can we learn from it? Best practices are nice, but sometimes it's also good to hear where things went horribly wrong. It's a new field, but we don't all have to invent the wheel ourselves."
"My legal background is a good basis in this role. I know how to deal with laws and regulations, without those rules paralysing the dynamics of education or getting in the way of communication. And that really starts with awareness. That's why we continue to develop refresher campaigns, send newsletters, remind employees of the clean-desk policy and all the measures they can take themselves to protect the community from cybercrime."
Text: Charlotte Snel