Think Twice before Clicking

Cyber-attacks are on the rise in Switzerland, and universities aren’t immune to this trend, as UZH learned first-hand in spring. As in other organizations across society, IT systems are a core part of research and teaching. Establishing a security culture at UZH is therefore key. This means making UZH members aware of potential cybersecurity risks and continuously developing protective measures across the university.

To achieve this, Oliver Schmid, Chief Information Security Officer (CISO) of UZH since June 2022, has launched a campaign to raise awareness of the risks lurking in cyberspace. Fostering a cybersecurity culture is a continuous task, says the CISO. One of his main goals is to draw attention to the various methods of attack used by hackers to exploit our human weaknesses. Bolstering technological defenses against cyber-attacks is one thing, but recognizing strategies to deceive and dupe users is just as important.

Oliver Schmid, cyber-attacks on public authorities and institutions seem to be on the rise. As the Chief Information Security Officer at UZH, does this keep you awake at night?

I try not to think about security risks when I go to bed, so it doesn’t really affect how I sleep. But it is true that certain groups are increasingly targeting the IT systems of universities.

Do you have an explanation as to why higher education institutions are being targeted?

I can only speculate. One reason could be that the attackers believe that universities and their students are easier to hack than banks or insurance companies, for example. They may think there are fewer security barriers at universities. The attackers’ motives are usually financial, and so they look for easy targets.

Are universities easy targets?

Not as a rule, no, but this can’t be generalized. A decentralized IT infrastructure offers numerous points of attack.

Most cyber-attacks or incidents begin with a human error. What are the most common errors committed by users?

I wouldn’t use the term human error because hackers are very clever and know all about how people can be deceived and duped. This is called social engineering and involves “hacking” people. Hackers know how to sound credible, whether in an e-mail or message or in a conversation, and they exploit our weaknesses. Our decisions aren’t purely rational when we decide to click on a link in a phishing e-mail that turns out to be a trap. We often realize too late that we had a bad feeling about the message to begin with and then think back and wonder why we fell for it and clicked on the link.  

So we should trust our gut instincts and when in doubt hit “delete”?

Yes, definitely. It’s important that you take your hunches seriously and pause when you come across questionable e-mails, suspicious requests or strange websites. Stop what you’re doing and ask yourself what’s not right. It’s best to report the suspicious item to the IT Security Office in Central IT.

Awareness of cyber threats is a key part of my work as CISO. My goal is for all UZH employees to be aware of the dangers so that when in doubt they do not click on a link or respond to a suspicious request. There’s a lot at stake. It can take months following a successful hack to get systems back up and running and make all research data available again, provided they haven’t been lost. We definitely want to avoid that.

Can you tell us about the recently launched cybersecurity awareness campaign?

Our campaign aims to promote fundamental knowledge about cybersecurity issues using various info materials, videos and events. The community at UZH is very diverse, so we’re working with different tools at different levels. We’ve designed a leaflet that lists the 10 golden rules of IT security, with simple recommendations that anyone can follow. We also made a video that explains possible motives and goals behind cyber-attacks.

We are constantly adding to these explainer videos, and I recommend that UZH members visit our website on a regular basis to check them out. Fostering a cybersecurity culture is a continuous task. And we need to distinguish between information security or cybersecurity and IT security. While information security is concerned with all relevant information and stored data, IT security primarily deals with protecting IT systems and networks.

10 golden rules of IT security (in german) Download

One of the 10 golden rules of IT security is to never use your work profiles for personal purposes. Why?

Yes, I recommend separating the different profiles that users have online. The reason is that it can’t be ruled out that one of online services you use will be attacked by hackers and your password gets stolen. If this is the same password you use at work, then your work profile is also compromised, creating a potential entry point for attackers.

Two-factor authentication makes things a bit more difficult for hackers, but even then it’s important to use different passwords. For more information about multi-factor authentication (MFA), go here. (UZH Login)

You should also make sure your passwords don’t follow the same pattern. Our password cheat sheet (in german) can help you generate secure passwords. Or you could use a password manager such as KeyPass.

In recent months, UZH has stepped up its cybersecurity barriers by introducing two-factor authentication for example. What else are you planning?

We are constantly thinking about how we can keep our IT systems as secure as possible and are examining further measures. We are currently addressing the vulnerabilities revealed by the attack this spring. And that’s all I can say about that, of course.

The challenge is to find the right balance between the greatest possible security and good usability. UZH’s digital infrastructure is incredibly diverse, which doesn’t make things easier. As we often say, security is a trade-off.

What does that mean?

It’s always about weighing things up. Increasing security will have a negative effect in other areas. For example, money needs to be spent on new systems, or access becomes a bit less user-friendly. Security comes at a cost.