SURF report:
University workers value cybersecurity, but also consider it a hassle
Hackers recently attempted to infiltrate the Dutch Research Council (NWO). They are far from being the only victims: in the past, data about students enrolled in a university of applied sciences were leaked (article in Dutch only, Ed.) and a university was targeted by ransomware. There are countless examples.
Oftentimes, the firewall isn’t the problem. Most cyberattacks are caused by “unintentional unsafe actions taken by people”, according to SURF. People just happen to click the wrong link or accidentally let someone watch while they enter their passwords.
Trust
SURF, the joint ICT organisation for education, investigated how teachers, researchers and support staff handle these things. Over six thousand employees of higher education institutions and research institutes filled in a questionnaire, as well as two hundred employees in secondary vocational education.
The outcomes of this research are unveiled in a report titled "Security and Privacy Awareness 2024" (available in Dutch only, Ed.). According to the report, higher education employees are becoming more knowledgeable about cybersecurity, but practice is lagging. Almost all respondents say they value information security (some even consider it "very important") but they don’t always pay attention to it. Only 67 percent do, which makes them trust their colleagues less in this regard.
Pen and paper
Sometimes, adopting additional measures to ensure cybersecurity is simply a hassle. “It is tiring to click through several screens, complete forms, and check additional devices”, says one of the respondents. “I’m afraid someday we’ll go back to pen and paper. It isn't feasible to have all these rules.”
However, other employees feel that the approach is too permissive. “We must create an accountability culture, in which we call each other to account. After all, making agreements is one thing, but acting according to them is another. We need to call each other to account, correct one another and enforce the agreements.”
At research universities, staff members believe themselves fairly capable of staying safe, but they give their motivation to do so a low score. In their opinion, they’re not always properly equipped to pay attention to safety.
Employees would like to be provided with a VPN connection (which makes it difficult to track internet traffic) and a password manager (so they don’t have to remember strong passwords themselves). They also want to know which software they can use and when they are allowed to share personal data.
Sceptics
The recommendations in the report are obvious. For example, it says that educational institutions must remove obstacles to working safely, creating a strong "security culture". They must also make it easier to report a data leak: currently, many employees have no idea what to do when faced with one. In addition, SURF recommends ensuring that new employees are aware of the dangers, as not everyone knows about this.
Lastly, SURF states that universities must keep in mind that some people are sceptical about cybersecurity and privacy, deeming the attention paid to these topics over the top. It's a small group but they can pose a threat. “Talk to them and listen to their arguments”, writes agency BDO, which administered the survey on behalf of SURF.