Cybersecurity – Cyber threats, strategies and policies for research actors

As digital threats posed by state and criminal actors are increasing, universities and research organisations are also becoming targets of cyberattacks. In a hyperconnected world, research is inextricably linked with the security of information and communication systems. For this reason, research actors need to be aware of potential pitfalls and install adequate cybersecurity systems.

The frequency and sophistication of cyberattacks commissioned by state and criminal actors are increasing significantly. Together with vulnerable information and communication systems, this poses serious threats to the scientific community.
Universities and research organisations are complex and relatively open networks, which is why dealing with cybersecurity issues is a demanding task. Research data, findings and publications need to be sufficiently secured. At the same time, measures to identify and counter possible incidents need to be put in place.

What are the threats to research & innovation posed by cyber attacks?

According to the ENISA report on the threat landscape 2022, the main threats to cybersecurity are:

  • Ransomware
  • Malware
  • Social Engineering threats
  • Threats against data
  • Threats against availability: Denial of Service
  • Threats against availability: Internet Threats
  • Disinformation – misinformation
  • Supply-chain attacks

These threats can lead to unauthorized access to research results, data leaks resulting in the release of sensitive, confidential or protected data, denial of access to crucial infrastructure, and manipulation of data. Targets range from internal processes and infrastructures to people, including students, staff, researchers and executives. Attacks are often successful due to misconfigurations or vulnerabilities in systems. However, the main gateway for cyberattacks is human failure. Possible consequences are the loss of knowledge and reputation of the affected entities, associated financial risks, or the failure of operations and even entire research ecosystems.

How to put in place adequate cybersecurity strategies?

There is no one-size-fits-all cybersecurity strategy. However, an integrated security culture can help to promote cybersecurity as a tool for academic freedom. It is necessary not only to detect cyberattacks but also to think about prevention, response and, ultimately, recovery from attacks.
Cybersecurity strategies need to put a strong focus on equipping staff and researchers with basic cybersecurity knowledge and raising awareness for potential pitfalls. Furthermore, universities and research organisations need to identify and prioritize their digital assets. Once identified, potential attack methods and actors can be collected and addressed via different (counter-)measures.
Possible aspects to be included in an adequate cybersecurity strategy are:

  • Training and awareness raising methods
  • In-house policies, standards, guidelines and procedures
  • Documentation of threats
  • Setting up reporting mechanisms or screening procedures
  • Regular audit of cybersecurity controls
  • Secure management of research data and intellectual assets (e.g. data protection technologies)
  • Appoint responsibilities for cybersecurity
  • Business continuity planning and disaster recovery

Solution providing entities (examples)

German Federal Office for Information Security (BSI):

The BSI offers expert advice and consulting services that address all facets of information security. It is the Central Reporting Office for IT Security within the federal administration.

Dutch National Cyber Security Centre (NCSC):

The NCSC identifies and clarifies risks and trends in the digital domain. It connects parties, knowledge and information and provides expert support and advice.

Cybersecurity at European level

European Union Agency for Cybersecurity (ENISA):

At European level, the European Agency for Cybersecurity (ENISA) was established in 2004 with the mission to “achieve a high common level of cybersecurity across Europe”.

EU Cybersecurity Act:

The EU Cybersecurity Act is an instrument for EU cyber policy. It establishes an EU-wide cybersecurity certification framework for products, services and processes.

EU Cybersecurity Strategy:

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented a new EU Cybersecurity Strategy. The strategy aims at ensuring a global and open internet with strong safeguards to build resilience to cyber threats.

NIS Directive:

The Directive on security of network and information systems (NIS Directive) tackles the cross-border nature of cybersecurity by fostering the creation and cooperation of governmental bodies for the supervision of cybersecurity in all EU Member States. The directive will enter into force on 16 January 2023 and governments have 21 months to incorporate its provisions into national law.

European Cybersecurity Atlas:

The European Cybersecurity Atlas lists research centres working on cybersecurity issues in the EU.

EU Cybersecurity Policies:

Further cybersecurity policies can be found on the website of the European Commission.

Open Source Intelligence (OSINT):

OSINT refers to the practice of collecting, analysing, and interpreting information that is freely available in the public domain. The objective of OSINT is to gather information from a variety of publicly available sources to provide valuable insights that can be used in decision-making processes.

ENISA threat landscape 2022 (October 2022): This report summarizes the status of the cybersecurity threat landscape in the period July 2021 to July 2022.