Cat-and-mouse games with the cybercriminal

Pioneering research makes Wageningen University & Research an interesting target for cyber criminals. Last year, about 9 million phishing e-mails were sent to WUR-employees each month. Remon Klein Tank, Information Security Officer, explains how WUR keeps intruders at bay.

Hey, you just created a text paragraph! Somebody once said that the pen is mightier than the sword — and that

Photo: Judith Jockel

Remon Klein Tank, Information Security Officer at Wageningen University & Research, knows that sending out and providing information is out and that interaction is in. ‘People are deaf to the rules and regulations when it comes to safely using computers. They have to experience what it really means when malicious parties breach the university’s computer system. This is best achieved by relating it to their own personal situation.” Workshops and real-life scenarios that reflect digital safety in their daily work have proven to be much more effective, says Klein Tank, in charge of online safety at WUR. ‘Gamification is especially effective in achieving this. Last year, we did nationalOZON cyber crisis exercise with SURF for the second time. A total of 1,200 people from 50 different universities participated in this exercise. The best part is that everyone takes part, from students to the Executive Board.’

Alert to infiltrations

The importance of online safety is becoming an increasingly salient topic at WUR, says Klein Tank. ‘As WUR is a university where vast amounts of intellectual property is stored, we have been warned by the security department to be extra alert to infiltrations by foreign powers. I am not allowed to say which powers these are, however. But it really is a game of cat-and-mouse. Although security systems are getting better and better, the tools that our intruders use are also becoming more sophisticated. Phishing is and remains the biggest risk. Every month, 9 million e-mails are sent to our staff and students and 7.6 million of these are recognised as spam or phishing e-mails. Our security software filters them out and ensures that these e-mails never reach the user.’

1,200 people

participated in a cyber crisis exercise on cybersecurity last year

Currently, IT manages 20,737 personal user accounts

1,167 reports of phishing in 2018, a third more than in 2017

In 2018, 34 ethical hackers worked for WUR

WUR can currently store 6 Petabytes (6,000,000 Gigabytes) of data. Work is under way to expand this capacity

In 2018, at least 7,6 million spam and phishing e-mails were sent to WUR e-mail addresses per month

It is difficult to say how much of the remaining 2,4 million e-mails are spam. ‘Last year we received 1,167 reports of phishing from users who have recognised a phishing e-mail in their inbox. This is a third more than in 2017. However, there is always a percentage of our users who fall victim to a phishing attack. The users are often people who are simply responding with the best intentions. They are the people who immediately jump into action when something is asked of them. And then they receive an e-mail, for example, asking them to log in to a counterfeit website or asking for an urgent transfer of an amount to a cleaning company on behalf of their manager. These types are e-mails are becoming more and more authentic. The malicious parties first go through the website to find out who works in a certain department and which manager or colleague they should impersonate.’

‘Just as in the real world, cybercriminals also look for the easiest way in’

‘Just as in the real world, cybercriminals also look for the easiest way in. So if you automatically send a lot of e-mails, asking users to fill in their name and password, there is always someone who will respond. That is why we are in the process of introducing a two-factor authentication at the university. This means that in addition to your username and password, you will also receive a text message or app with an extra means of identification. That makes it more difficult for criminals to access our data.’

Remon Klein Tank, Information Security Officer at Wageningen University & Research. Photo: Judith Jockel

‘Although our security is up to scratch, there are always things that can be improved upon. In addition to our own checks, WUR is also assisted by an army of ethical hackers, mostly computer users from Asia, who point out possible weaknesses in our security. If such a breach is reported to us only, we call it 'responsible disclosure'. Positive reports are rewarded with a WUR T-shirt. Everyone in the hacking world knows about our reward and we send about ten T-shirts to India every year.’

‘As WUR is a university where vast amounts of intellectual property is stored, we are extra alert to infiltrations’

Is this security officer afraid of being hacked in his personal life and work

Klein Tank takes his wallet from his pocket. ‘Look, I even lined this with aluminium foil. This ensures that people who want to skim my bankcards from a distance don't stand a chance. I'm also extra-alert about using free apps, as they often request information that has absolutely nothing to do with them.’

Are you maybe not being overly cautious?

Klein Tank laughs. ‘I also make mistakes. Just last week one of my colleagues noticed that I had left my workstation without locking my laptop. They didn’t manage to change my desktop but did leave me a surprise on my computer. That just shows you, nobody is perfect.’