A United Front Against Cyberattacks

Ransomware, DDoS, data theft, data loss: in recent years, universities have increasingly been targeted by cybercriminals. The University of Zurich has not been spared and was threatened by a cyberattack earlier this year. For hackers, universities are attractive for several reasons. For one thing, their computers and servers contain vast amounts of valuable data belonging to students, teachers, employees and researchers. For another, they have complex computer and network systems which are difficult to monitor as a whole due to their vast scale. In addition, securing these systems must be balanced against the need to maintain an open academic community with active knowledge sharing, to provide user-friendly services for students and university staff, and to ensure the availability of necessary resources.

Following the cyberattack on UZH’s IT systems, the Chief Information Security Officer (CISO) Oliver Schmid launched a university-wide awareness campaign to encourage UZH members to be alert to cyberspace threats and to inform them of sensible protective measures (see article of 10 July 2023).

Oliver Schmid, why should individual employees bother to think about information security?

Nowadays, most jobs require a computer. Familiarity with common software programs and basic IT skills are prerequisites for most employees. And yet, it has long been left to the IT specialists to assess and deal with the risks that come with an electronic workplace. But various types of cyberattacks increasingly target individual employees in companies, institutions or universities, with the aim of obtaining one important asset: our information. These attacks may be made via a variety of different channels, from e-mails to social media platforms, and aim to trick employees into disclosing sensitive information or installing malware. Employees today therefore must have the skills to ensure their IT use is safe and responsible, be able to identify potential hacker attacks such as phishing e-mails, social engineering attacks (i.e. the psychological manipulation of people to perform actions or divulge confidential information) and phishing phone calls, and know how to react in accordance with the applicable IT security rules in their organization.

So cybersecurity is everyone’s business?

Yes, absolutely. To strengthen resilience to cyberattacks, all members of an institution must pull together. This is especially true in universities like UZH with a decentralized IT infrastructure, as they have a large potential attack surface for hackers. Also, the easiest way for cybercriminals to penetrate a network and steal or render sensitive data unusable is often through individual employees. It is clear that we cannot rely only on technical measures – which require a lot of resources and are expensive – to defend against these attacks. Information security is an interplay of field-specific requirements, technical measures by the IT departments and IT Security Office, and the awareness of all employees – and it is an ongoing task that continuously creates challenges. It is the responsibility of all of us to keep the attack surface of UZH as small as possible.

What do you see as your main tasks?

My duty as CISO is to alert the Executive Board of the University and other executives to strategic IT risks, prioritize risk management measures based on the actual threat situation and existing resilience, and recommend possible enhanced security measures or new technical investments; in addition, it is also my responsibility to ensure that each and every individual in our diverse UZH community receives all the necessary information about cybersecurity.

Should every UZH employee acquire a certain basic understanding of cybersecurity for themselves?

It is in the interest of each and every individual to inform themselves about possible threats from the internet – after all, you’ll be able to use the knowledge in your private life too. However, it is also the responsibility of leaders and managers to support their employees and, for example, to make them aware of our website and the various course offerings.

Where can I get information about IT security at UZH?

All necessary information can be found on our website. We’ve put the most important IT rules for university life in a couple of flyers to give an easy overview: The Ten Golden Rules of IT Security and Password Cheat Sheet. In several short videos, we also explain how cybercriminals work, how malware like Cryptolocker works, what social engineering is, why we need to apply certain technical security measures, and what we ourselves can do to improve resilience.

Let’s say I accidentally open a phishing e-mail – could this actually trigger a university-wide cyber security incident?

Yes, it could. If you click a link in a phishing e-mail and then enter your login and password, it could trigger or at least support an attack. But there are also other hurdles standing in the hackers’ way. Our cyber defenses have many levels and measures. Cyber incidents aren’t attributed to one initial click on a phishing e-mail, but are looked at holistically, examining all the security issues involved. It makes no sense to hold one person responsible because they clicked on a link. (For more on this topic, check out the articlefrom CyrenZH, a joint project of UZH and ZHAW for the canton of Zurich).

Nevertheless, we can all do our part to avoid giving hackers our login data – by incorporating security measures into all plans, by developing awareness of the risks of internet use, and by being mindful when handling data and e-mail.

What should I do if I suspect or realize that I have been taken in by a phishing email?

If you recognize a phishing e-mail in your inbox, you can report it to IT Security at the Central IT Office and delete it without worrying further. If you’ve already clicked on the link or entered your login data, you should immediately contact IT Security or the helpdesk. The sooner the better, because then it may still be possible to prevent the stolen login data from being used or the installed malware from being activated. The same applies for other media, for example telephones. Most people get a gut feeling that something is wrong in cases of social engineering attacks. It is worth getting into the habit of listening to your intuition and reacting accordingly. 

Could I be held responsible if I behave carelessly?

Responsibility for cybersecurity is spread across all levels of management. However, employees are responsible for their own actions in accordance with their position, especially if they act negligently, intentionally or in violation of the rules. But a person who accidentally (i.e. unintentionally) falls for a phishing e-mail or accidentally contravenes the IT security rules will not be held responsible for any resulting security incident. An employee from IT Security may nevertheless contact that person to obtain information needed to combat the incident.

As CISO, how can you check how security-conscious UZH members are in their IT use?

Measuring people’s awareness of a particular topic is indeed a challenge. Some organizations use fake phishing emails to test how aware employees are of this form of cyberattack. However, this measurement method is poorly suited for capturing this complex issue and also rarely generates an improvement in awareness. (See a study from Ruhr University Bochum [link: https://idw-online.de/de/news818941]). Such measures are often more about creating a sense of security than actually improving reality. I try to avoid these “false best practices”. I participate in the research work of the CyrenZH (the Cyber Resilience Network of the canton of Zurich), which aims to develop approaches to evidence-based cybersecurity awareness and a corresponding measurement method using approaches from psychology. Security measures that are ineffective and that also disrupt or even hinder employees in their work are counterproductive. One thing is certain in any case: cyber threats are real and require real security. And because reality is complex, the solutions are too.