At first glance, the Cyber Threat Assessment 2020 does not differ very much from the 2019 report. The number of threats increased again, but the type of threat has not changed significantly. Phishing, ransomware and identity fraud (as a result of phishing) are still the most common incidents.
The most important conclusions from the Cyber Threat Assessment are:
Due to COVID-19, institutions had to switch to online education and working from home from one moment to the next. To make this step quickly, they increased their use of cloud services even further. Institutions usually rely on cloud services for tools such as video conferencing and online proctoring. This has made them (even) more dependent on a limited number of large cloud providers, which can disrupt continuity in the event of a calamity. This makes Dutch education and research vulnerable. The invalidation of the Privacy Shield by the European Court of Justice can also lead to continuity problems, for example if the use of a service is explicitly prohibited. Institutions should take this into account when drawing up a risk profile for the cloud service.
The number of incidents increased again in 2020, especially the number of phishing attacks. The number of ransomware attacks did not increase, but the ransom demanded did. A number of incidents in 2020 (in addition to the ransomware incident at Maastricht University at the end of 2019) show that education and research in the Netherlands continue to be vulnerable. For example, around 6,000 examinations at the UvA could not take place at the planned time due to a malfunction, nor could several hundred online tests at the RUG.
Institutions are paying increasing attention to knowledge security (the protection of their research data). Partly because of changed international relations, they assess the exchange of knowledge in collaborative ventures or the participation of some foreign students in a different (more critical) way. Under the leadership of the Ministry of Education, Culture and Science, instruments are being developed to support educational and research institutions in organising knowledge security. The survey shows that institutions see professional criminals as the most important actors, followed by (h)activists/cybervandals. However, there are now strong indications that state actors are penetrating institutions more frequently. This has led to a package of measures by the government to better ensure knowledge security.
The incident at Maastricht University prompted many institutions to speed up the introduction of additional security measures to increase resilience. The survey shows that many institutions have paid more attention to awareness among staff and students. In the case of phishing incidents, it is noticeable that cyber criminals are increasingly studying the organisations they intend to attack. Specific officials within the organisation are approached in a targeted manner. Investing in training and awareness is becoming increasingly crucial, so that users become more resilient to the latest threats. After all, the number of phishing attempts has risen explosively and the methods are becoming increasingly sophisticated.
In 2019, we already made a call in the Cyber Threat Assessment for more collaboration so that we can better face threats. In 2020, we saw increasing collaboration both inside and outside the education and research sector. In the next few years, there will still be a great shortage of cyber security expertise. In addition, it is to be expected that after the covid-19 pandemic, financial resources will also become scarcer. This reinforces the need for further cooperation in order to deal with the increasing number of threats.
Making the best use of the expertise available in the sector through cooperation
At the initiative of the universities, SURF started a Security Operations Centre (SURFsoc) in 2020. SURF is doing this in close collaboration with four universities and one HBO institution. The collaboration in SURFsoc is a powerful example of how we can make optimum use of the expertise available within the sector, and how we can deploy resources efficiently. The university security officers have also started the U-CISO consultation group, in which they pool knowledge and exchange information. In the context of the VSNU, data protection officers work together.
Also more cooperation on a national level
Since the beginning of 2020, cooperation in the field of incident response has taken place on a national level in the National Covert System. This is a collaboration between the National Cyber Security Centre (NCSC) and sectoral collaborations, CERTs, and other public and private parties. SURFcert represents the education and research sector. The aim of the collaboration is to exchange information and knowledge about, for example, vulnerabilities and threats.
What did the institutions indicate in the survey?
In the autumn of 2020, we conducted a survey among organisations affiliated with SURF and all the institutions for professional education. A total of 78 institutions completed the survey, 54 of which completed it in full (read more about the survey on p.16 in the Cyber Threat Assessment). The survey shows that, compared to 2019, there have been no major shifts in the types of threat observed. Acquisition and disclosure of data, identity fraud and disruption of ICT facilities are still the most common threats. Acquisition and misuse of ICT assets increased in 2020.
Some observations from the institutions' replies:
Budget and capacity slightly increased
Almost half of the institutions spend less than 5% of the total IT budget on information security. It is noteworthy that compared to 2019, the percentage 'unknown' has increased slightly. Almost half of the institutions indicate that they have between 2 and 5 FTEs available for information security. This is a slight increase compared to 2019.
Work is being done to raise awareness among employees
Most institutions conduct regular awareness campaigns. Around a quarter of the institutions state that new employees receive awareness training when they start work.
Security and privacy-by-design and involvement of security and privacy officers in projects
More than 80% of the institutions pay attention to security and privacy-by-design. The involvement of the security officer or privacy officer in new projects has also improved compared to 2019.
How do institutions assess the risks?
For the first seven risk categories, the risks are estimated to be higher than in 2019 in the education process, the research process and business operations alike. Only in the case of deliberately damaging the image is the risk estimated to be slightly lower for all three processes. Espionage is also rated slightly lower for the education process and for business operations.
Dependence on cloud services creates a different risk profile
In addition, we asked survey participants to provide a risk assessment for Dependence on Cloud Services. We added this as the eighth risk to Table 1. Institutions are increasingly moving their data and applications to the cloud. This creates a different risk profile. It is much more difficult to determine the state of information security of the cloud services themselves. Often, the data is located outside the EEA, which means that the GDPR (AVG in Dutch) may not be complied with. There is also a limited number of cloud service providers, which gives them a monopoly position. In addition, those suppliers are mainly located in the US.