"That cybercriminals want in 24/7 is a given. The question is: how do you keep them out? That starts and ends with creating awareness."
Step into the mind of a cybercriminal
How do you proceed when you want to steal someone's login details to access a secure system? That is one of the assignments of a workshop for VISTA College staff. Information Security and Privacy (IBP) Coordinator Samantha Rodolf Lejeune creates awareness among her colleagues to reduce cyber risks.
Educational institutions are a favourite target for cybercriminals. Samantha is more than aware of the cyber risks facing the South Limburg mbo educational institution: "That they want to get in 24/7 is a given. The question is: how do you keep them out? That starts and ends with creating awareness."
Dear customer
"Phishing emails are getting more and more cunning," says Samantha. "A few years ago, you could easily pick them out because they were full of spelling mistakes or started with 'Dear Customer'. But these days they are barely distinguishable from the real thing and the temptation to click on them is increasing. Because they respond to your feelings, or because they are very similar to mails or messages you are used to getting. Take a notification that a parcel is on its way: even if you haven't ordered anything, you have clicked on it before you realise it. That means everyone in the organisation has to be very alert to it. Because when a system is hacked, it almost always starts with a phishing email."
A trivial link
Samantha: "One moment of inattention from one of the employees, one click on an insignificant link, and it may already have happened. We are currently developing workshops to alert employees. With the task of writing a phishing email themselves, we want to show workshop participants how it works. But we also want them to get inside the mind of a cybercriminal for a while. We actually ask them to write an e-mail they would fall for themselves. I myself almost clicked on a link in an e-mail offering free coronas the other day. I went to check whether it was legitimate. Fortunately, it turned out that nothing was wrong. But if I were a hacker, I would see a gap in the market there."
Constantly new challenges
In January 2018, Samantha was given responsibility for information security and privacy as IBP coordinator at what was then ROC Leeuwenborg, which would merge with Arcus a year later to form VISTA College. In May that year, the General Data Protection Regulation (GDPR) went into effect. And in late 2019, Maastricht University was hit by a severe ransomware attack, which put security departments across the world of education on edge. The pandemic, which broke out in the Netherlands in March 2020, presented data security and protection professionals with yet another set of challenges.
Balancing two interests
Samantha: "Students always come first; we do everything we can to avoid interruptions in education and delays in their studies. At the same time, I have to make sure their privacy is guaranteed and their data safe. I am constantly looking for the perfect balance between those two interests."
Abracadabra
"At first, I found the heavy IT component of this job particularly difficult," she explains. "Now it might be different, but when I was studying Criminal Law there was less focus on cybercrime. It was abracadabra for me, so I had to learn everything from my technical colleagues. I honestly did not think I would enjoy that very technical element the most now. It's a constant cat-and-mouse game with the hackers. I like having it explained to me what kind of wall we have now put up to keep them out. We are getting better at protecting, but they are getting smarter at attacking. On both sides, we keep evolving. That makes it exciting."
Dead wrong
"It is of course also interesting to see how they deal with information security at other educational institutions. SURF plays an informative, but also a connecting role in this. What is going on and what can we learn from it? Best practices are great, but sometimes it's also good to hear where things went horribly wrong. It's a new field, but we don't all have to reinvent the wheel ourselves."
Refresher campaigns
"My legal background is a good foundation in this role. I know how to deal with laws and regulations, without those same rules paralysing the dynamics of education or getting in the way of mutual communication. And that really starts with awareness. That is why we continue to develop refresher campaigns, send newsletters, remind employees of the clean-desk policy and all the measures they themselves can take to protect the community from cybercrime."
Text: Charlotte Snel