CIO Luijten: "Working from home no extra risk for cyber security"
Bart Luijten, the new Chief Information Officer and head of IMS, updates Cursor on his findings in his new position and on the university’s policy on digitalization and cybersecurity. Are hacks via third parties – as recently occurred at various institutions, including UvA, NWO and Inholland – a source of additional concern? Does TU/e have a good plan in place that we can rely on?
There are many questions about cybersecurity, naturally, especially in light of the recent hacks at institutions such as NWO, HvA and UvA. Nevertheless, Luijten can’t divulge too much information on TU/e’s security measures. “That would only make it easier for criminals.” Should we be worried about collaboration with third parties? Because with that strategy, Moodle was used (which affected Inholland) to cause damage to educational institutions. “The general threat level is changing, so we’re not surprised. Individual situations such as the ones at the UvA, NWO and Inholland are isolated initiatives; the reason, motivation and mode of operation varied. We need to be careful that we don’t generalize this and end up panicking. But the threat is serious, which is why we’re focused on this. It requires continuous vigilance. And we benchmark our policy within the academic community and outside. And each time we work with third parties, we check the security risks as well as the risks concerning the handling of personal data, for example.”
An exercise was recently carried out on how to deal with a concrete threat: cyber crisis exercise Ozon. Luijten looks back on this with satisfaction. “I thought it was great. It’s a nationwide exercise organized by Surf, but it also included a bit of specific attention for TU/e. It went very well. There are always things you can learn from, of course; it would be strange if that wasn’t the case. But communication went well, the escalation lines worked, and we got people to work on the right things.”
Working from home no extra risk
Does all that working from home pose a greater risk of a cyberattack? That’s not how Luijten would like to put it. “Our security policy is based on three pillars; technology, policy and the user. Technology isn’t really the issue here. You could of course worry about the security of people’s local network, but you can easily work in a safe manner via VPN. The policy is also independent of location: wherever you are, you always need to follow the same procedures. The human side is interesting: some people have more trouble working safely than others, but that applies both here on the campus and at home.”
From random ideas to strategy
Luijten is still a relative newcomer at our university and brings much knowledge from industry. For example, he was responsible for information management at Philips and Volvo for years. “I mostly used my first months at TU/e to talk to a lot of people,” Luijten says. “In doing so, I also took a good look at Strategy 2030, and at whether digitalization had been properly taken into account. I noticed that there were mostly random ideas on this subject, but that these hadn’t really been made part of a strategy. I’m actively working on that now. Digitalization is all around us, which is why it shouldn’t be absent from the strategy. We identified four objectives: creating excellent education, the further development of research through digitalization, simplification of operational management, and creating a modern user experience.”
“Cybersecurity also features in the strategy, naturally, that’s a top priority in my view. But we really shouldn’t view cybersecurity separately from integral security. That is why the strategy surrounding the entire issue of digitalization is of such importance, as is the acknowledgement of the interfaces between physical and digital security.” Someone who comes to the campus and inserts a flash drive in a USB port somewhere is an example of how physical and digital security overlap.
A campaign aimed at user awareness will be launched later this year, probably around the summer. This needs to make every user at TU/e aware of his or her own behavior concerning security, and it will stimulate everyone to improve on this issue. But the idea is also to improve user experience: how, for example, can you make it easier to find people or information? “Something simple we’ve already done is to change the display name in MS Teams from last name and initials to last name and first name. That’s something I immediately noticed as a newcomer, and a small change like that can certainly help to make it easier to find your colleagues in the system. We need to put user experience at the center. We claim to be a personal university. In that case, you have to match your campus identity with your digital identity,” Luijten says.
New password policy
In order to improve the security level, a stricter password policy applies as of March 1, 2021. All students and staff members are required to reset their password, as could recently be read in the TU/e newsletter. Luijten: “There was no password policy in terms of the frequency with which people reset their password, or in terms of its contents. That’s no longer acceptable and has now been changed with this password policy. This has already been taken care of within IMS and will be rolled out in stages within the rest of the university this year.”
Staff shortage
Cursor’s editorial board sometimes hears signals about staff shortage at IMS. Is that true? And if so, does that perhaps compromise cybersecurity? “I don’t recognize that in the field of security,” Luijten says. “We’re obviously dealing with a difficult market and we have a very ambitious roadmap in our strategy, but we can achieve our goals with the people we have.”