Chief Information Security Officer: ‘Don’t delete phishing emails right away’
It’s Cybersecurity Awareness Month, and we’re spotlighting the importance of digital safety in the workplace. Our Chief Information Security Officer, Sylvia Bunte-Thelen, shares how staff can help keep our university a safe place to work and study. ‘We need to work together to protect our knowledge.’
Hi Sylvia, you’ve been Leiden University’s Chief Information Security Officer (CISO) for six months now. What does your role involve?
‘As CISO, I oversee how the university manages information security and cybersecurity. Within the university, I work with faculties, expertise centres, Administration and Central Services, the Data Protection Officer and the IT auditor. I also stay in contact with the CISOs from other universities and with government bodies to monitor the evolving cyber threat profile. Knowledge is the university’s core product, and this needs to be kept safe for all of us. Knowledge drives our progress as a country, but it also attracts risks, including geopolitical threats or foreign influence that could compromise the integrity or confidentiality of our data. That’s why we need to protect our knowledge together.’
‘Knowledge drives our progress as a country, but it also attracts risks.’
Data breaches and cyberattacks are constantly in the news. How do these affect our university?
‘Like most organisations in the Netherlands, we face up to a thousand hacking attempts per day. Most of these are automated scans by cybercriminals knocking to see if any doors will open. If your basic security measures are in place, these criminals won’t get in. But we can also be targeted more deliberately. If we’re conducting high-impact research, countries with an offensive programme against the Netherlands may try to gain access to our data, and we may need to take extra measures. It’s just like a physical break-in: if a thief really wants your bike, they’ll bring bolt cutters with them.’
How is the university protecting our knowledge and data?
‘In recent years, we’ve significantly strengthened our security efforts and expanded our security team. We see that in our partnerships with Administration and Central Services, the ISSC and across the faculties and institutes. Thanks to our openness, diversity and cultural differences, we have developed a unified approach. The Security Office and the security staff at the ISSC and the Security Operations Centre are becoming more visible, which shows that their efforts are valued. I’m also pleased that each faculty now has a Local Information Security Officer who monitors and supports information within their area.’
What’s next on your agenda?
‘My next step is working with the faculties to identify key assets that need protection and to take extra measures to do so. These assets could be processes, datasets or physical or digital objects – something that helps us achieve our organisational goals. By protecting them centrally, we reduce the need for each faculty to develop its own measures and minimise the risk of gaps.’
‘My next step is working with the faculties to identify key assets that need protection.’
Why is Cybersecurity Awareness Month important for the university?
‘I think it’s good to remind everyone how vital information security is. People often say, “I’ve never been hacked, so it won’t happen to me” or “I just delete emails with suspicious links.” But if you delete those emails, cybersecurity experts lose the chance to investigate the origin of that link and prevent future attacks. So before you hit delete, report the mail to the ISSC helpdesk! And if you’ve accidentally clicked on a suspicious link, don’t panic. You’re not alone. Just contact the helpdesk right away, so we can take any necessary measures and learn from the incident.’
Good advice! Any other tips?
‘Always lock your screen when you leave your desk. It may seem minor, but if you’re working on sensitive research, someone with bad intentions only needs 30 seconds to gain permanent access to your computer – and perhaps for your data to fall into the wrong hands. So don’t hesitate to remind colleagues to lock their screens.
‘And one last thing: make sure to take part in Cybersecurity Awareness Month! You’ll find tips for working safely and a tool picker to help choose safe software on the staff site. And join in the ‘Using AI safely at work’ coffee webinar on 30 October (in Dutch). AI’s a fantastic tool, but you can’t believe everything it says. You can use generative AI to request information, but don’t rely on it to write entire papers.’
Report incidents
Do you think you may be dealing with phishing, a data breach or malware? Always report this to the ISSC Helpdesk (tel. 8888). Also report loss of confidential data to your own manager.
Dare to ask
If you have any questions about data breaches or security incidents, please send an email to the Privacy Office or Security Office via privacy@bb.leidenuniv.nl or security@bb.leidenuniv.nl. You can also always contact the privacy or security officers from your faculty or department. Find your contact person on the staff website.
Banner photo: Danique ter Horst