Professor Bart Schermer on digital threats to the university
Professor of Privacy and Cybercrime Bart Schermer researches the relationship between new digital technologies, enforcement and human rights. What cybercrime trends can he see that are relevant to an organisation like Leiden University?
What threats should university staff be aware of?
‘We have actually seen the same threats for several years now. They are mainly from people wanting to gain access to your staff account. They can then use that access to penetrate the university network. Suppose they take over my account. They still won’t be able to access crucial systems directly. But they will be able to send a mail from my account to an administrator. That mail will seem trustworthy because it came from my account. So they try to advance one step at a time until they have full administrative access to the network.’
What do attackers want to do once they have gained that access?
‘They could be criminals wanting to extort money with ransomware (software that holds a system hostage until a payment is made, Ed.). But it could also be for espionage. Say you want to know what real estate the university is going to purchase. Then it can be interesting to get into the board’s mailbox. And you could also find interesting trade secrets such as new discoveries at faculties where basic research is conducted. But it could also be students who have not done their revision and want to change their marks in our system.’
Have there been any new threats in recent years?
‘In general, we are seeing more interference from state actors. The more we do online, the more interesting it becomes to gain access to certain systems. Take Russia, for instance, which is trying to attack critical infrastructure such as logistics, transport, industry or utilities. A university is a less obvious target but that depends a bit on the discipline. A researcher involved in nuclear science or information security is much more likely to be a target.’
What can the university do to prevent digital threats?
‘It always starts with the basic hygiene of every staff member. We have to realise that we work at an organisation that is interesting to cybercriminals. So don’t choose simple passwords, don’t use the same password for multiple services and don’t click on emails without thinking. We have been hammering this home for years but these are still the main ways ransomware attacks are made. And in recent years deepfake technology is being used more often to trick people. Then you get a phone call and hear your manager’s voice, for example. You think the Dean is on the phone but in fact it’s a cybercriminal. That’s something we should all be aware of.’
For more tips on privacy and security at the university, see the campaign page ‘Check it: work privacy and security smart’.
Image: Nanda Alderliefste