Hi Aram and Max, what kind of incidents do you see as privacy and security officers?

Max: ‘The trouble is that the more interesting the case, the less we can say about it. But in terms of privacy, this could mean emails with personal data or student transcripts being sent to the wrong person. Or, to give an extreme example, how all someone’s data at the university was made public. In the collaboration between our researchers and external companies, participant data is leaked now and then. If you think about how sensitive some research projects are, that poses quite a risk.’

Aram: ‘I also have to be cautious about what I share. But what you see on a daily basis is that we as a university are hit digitally dozens of times per minute, scanned actually, purely to see if there is something to gain. Our colleagues from the ISSC deal with this non-stop. And we still see a huge amount of phishing emails coming in – and they are getting better all the time, particularly with the rise of artificial intelligence. You used to be able to recognise the fake emails from princes from faraway lands straight away but in terms of content and design, they all look perfect now.’

Do our staff ever click on links in phishing emails?

Aram: ‘Definitely! Regularly even. So do not feel ashamed if it happens to you: anyone can fall for it. It could also happen to us.’

Max: ‘You now see really subtle, realistic examples: emails where your manager asks you to do something quickly or a publisher says they want to publish something about your research. They can be difficult to tell apart from the real thing. AI is a real blessing for cybercriminals.’

How can we arm ourselves against these realistic phishing emails?

Aram: ‘The ISSC can help by scanning emails but staff themselves bear a big responsibility to do an initial check. You will find useful tips on the campaign page, such as checking the sender and whether links are safe.’

Are there moments when things could go horribly wrong at our university?

In unison: ‘Yes!’

Max: ‘But we can’t reveal any more than that.’

Aram: ‘We all remember what happened in Maastricht five years ago. Can we say with any certainty that that would never happen here? Unfortunately not. And most incidents are caused by human error. Then it is a bit of a shock to see the lack of awareness and urgency among our staff.’

Max: ‘We see that too. Some people still say: “I’ve got nothing to hide” or “It won’t happen to me”. But that is a fallacy and the trouble is you don’t realise until it’s too late. We see people become really privacy aware after a data breach but by then your data is already out there.’

If you could give your colleagues one cybersecurity tip, what would it be?

Max: ‘Don’t hesitate to contact us. It is hugely important to involve us as soon as possible so we can help you. And an incident can also be something small, so don’t be afraid that we’ll make too much of it. There won’t be any consequences for reporting incidents and your colleagues won’t find out.’

Aram: ‘Ditto. Reporting an incident is never a mistake. Another tip: try to make a habit of basic rules such as locking your computer screen if you leave it even for a moment. You might expect to be back right away but before you know it you’ve met a colleague and have stood chatting in the corridor for 20 minutes. You also try to stay safe all the time in everyday life: you don’t just abandon your bike in the street but put it in a rack and lock it. Strange that so few people see their online activity in the same way. There’s so much to be gained here.’

Text: Evelien Flink
Images: Nanda Alderliefste

• cybersecurity
• privacy