Cybersecurity
Proper security is increasingly important because of the increasing dependence on ICT in education and research. SURF's ambition is to make institutions resilient against cybercriminals, among other things by helping them reach NBA maturity level 3.

About cybersecurity

That we need to protect ourselves from cybercriminals is not news. But what does this require? How do we work well together as research and education institutions to help each other? And what do we all actually need to do for good security? Technology is not enough. Awareness, that's what it's increasingly about!

Collaboration is necessary

ICT facilities are essential for education and research. A disruption in availability or reliability has an impact. Collaboration on cybersecurity and resilience across the sector is therefore necessary, so that education and research in the Netherlands function smoothly and reliably.

Proper security increasingly important

With the increasing dependence on ICT in education and research, good security is becoming increasingly important. This is not just a technical matter. Nor is it just a responsibility of the ICT administrators, but of the entire organisation. To continue working, researching and learning safely, everyone, from administrator to end user, must be aware of the risks and of their own role in guarding against them.

Security is more than technology

Getting security right requires attention to the TAO of cybersecurity: technology, awareness and organisation. Within education and research, we do this in collaboration because the challenges are the same for almost all institutions. By working together, we can join forces and share experiences.

Technology

Technology is like a lock on the front and back door: as resistant as possible to burglary attempts, but useless if not used. So technology alone is certainly not enough. Good mail filtering against spam, phishing and viruses, well-designed permissions and security of internal systems are also necessary.

Awareness

Users should be aware that they are an interesting target for cybercriminals and that they have their own responsibility for using resources and services securely. Awareness programmes such as Cybersave Yourself can help users recognise the dangers.

Organisation

Everyone from the bottom to the top of the organisation should recognise the importance of (cyber)security. Integrated security and risk management, including cybersecurity, should be a regular item on the managerial agenda to weigh up risks and opportunities, learn lessons from the past and make investments for the future. Administrators should be given the time, resources and training to set up their systems securely. Awareness programmes should be conducted in collaboration with communications staff, and regular drills should become the norm, similar to evacuation drills and FAFS.

Continuous attention

Continuous effort on awareness, organisation and technology is needed to keep working safely. From administrator to manager and from researcher to student: everyone plays a role in being able to continue to study, work and research safely. By working together, threats can be better countered and the impact - should things go wrong - is minimised.

We already work together a lot

Because many security challenges apply to our entire sector, we cooperate with institutions at all levels. Within the SCIRT and SCIPR communities, we work together on operational and technical security and on (organisational) information security and privacy. At the administrative level, we cooperate within the Platform Integral Security Higher Education. We also support institutions in the field of digital security through innovation activities and services. Every two years, we organise a major cyber crisis exercise, OZON, together with the institutions, and a small-scale exercise is available for the intervening years. At the administrative level, security & privacy working conferences have been launched. The Cybersave Yourself awareness campaign provides institutions with a practical toolkit for setting up an awareness programme for all end users. The biennial information security benchmark allows us as a sector to see where we stand and work towards a mature information security policy.

...But there is still room for improvement!

  • Make integral security, including cybersecurity, and risk management a fixed topic on the board agenda.
  • Ensure continuous attention to the three pillars (TAO) within all layers of the organisation: exploit all technical possibilities, ensure awareness among all users and coordinate cybersecurity well within the organisation.
  • Participate in the biennial information security benchmark to provide insight into shared challenges.
  • Work together and keep practising.