‘The importance of information security cannot be overstated in these days of increasing cybercrime. And that's not just about technology’, states Frans Möhring, HR director and principal of the Information Security program at Fontys. 'Behavior is just as important, and in this we often overestimate our knowledge.' What can you do yourself and what does Fontys do?
From student files to financial transactions and research data, we collect and process enormous amounts of sensitive information every day. Of course, we all know that we shouldn't leave resumes open and exposed on our desks. That we shouldn't use the same password everywhere. And that we shouldn't share our passwords with others. But yes, sometimes it is convenient to give a colleague access to your system. If you are ill, for example, and a document has to be sent out urgently.
'It often happens with the best of intentions,' Möhring also knows. 'After all, we all want our work to continue and think it won't go that far. And that is precisely where it often goes wrong.' A security breach not only causes financial damage and loss of reputation, but can also undermine student and faculty trust.
Accidents happen so easily
The ransomware attack on Maastricht University in 2019 also shook Fontys University of Applied Sciences. 'Fortunately, we have never experienced an incident of that magnitude where the whole system was down and we had to cough up huge amounts of money,' says Möhring.
'It was limited to a relatively harmless incident where a resume accidentally ended up with too many people via reply to all. We were able to rectify that quickly, limiting the damage. But it does show that accidents happen easily and how vulnerable our data and those of others are.'
Signaling function of research
‘Information security may sound technical, but above all it has a human side. For example, everyone has to log in with an authenticator and surveys are being conducted in which we ask colleagues what they already know about things like security and password use.'
The main purpose of these is to gather information. 'But at the same time, these questionnaires also have an important signaling function. People often think they know how it all works, but find out while filling it out that they may not be very well informed at all.'
Managers set the good example
A second initiative is to include information security in the onboarding program for new employees. 'If there's one department within Fontys that should know about influencing behavior, it's Fontys HR. That's why we want to create awareness among starting colleagues from day one about things like laptop and password use.'
Managers have an important role model function here, says the director. 'They don't have to exude that information security is simply mandatory, but by setting a good example themselves they can initiate an important change in behavior.'
Maintaining an open character
Möhring emphasizes that he wants to preserve Fontys' open character as much as possible. ‘We don't use physical gates anywhere. We want to be in contact with the outside world 24/7 and be able to show what wonderful things we have to offer. Inside and outside literally intermingle and that is a great thing. But all the more reason to be conscious of your own information security and that of others,' says Möhring.
'The amount of data we generate as a college is immense. Think of personnel data, payroll and sick notes. But also the research results of professorships and partnerships with the field. All of this is knowledge that can be very interesting to others. You just don't want those crown jewels to be out in the open.’
Keeping work and private life separate
Möhring would like to take the opportunity to give some tips. ‘We regularly see that colleagues who leave employment still have all kinds of important private documents on their laptops and lots of photos. I'm not exactly spotless myself, but I do want to make people aware of the risks they run. Just try to separate work and private as much as possible.'
Furthermore, every institute and department has an information manager. 'Having doubts about an e-mail you received? Or not sure how to store an important document encrypted? Ask. Our information managers are very approachable and would rather you call them three times than try to solve a security issue yourself.’
Giving feedback to colleagues
Like any change, the road to optimal information security requires the necessary behavioral adjustments. 'But it's really not higher math,' Möhring believes. 'We all learned to work with an iPhone too, so this should work as well.'
'Feel free to point out to your colleague that one resume lying open on the table. In the Netherlands we are not so much about feedback, but just speak out it if a colleague spreads someone else's medical data. You really help to improve our information security by saying: "This is not very convenient”. In a nice way, of course.’
Everything about information security