Prevention alone is no longer enough

Philipp Liechti explains why the University of Bern operates under the assumption that a cyberattack is always possible, despite numerous preventive, organizational, and technical security measures. Alongside prevention, the university’s efforts are increasingly focused on early detection, containment, and neutralization of cyber threats.

Philipp Liechti is the Chief Information Security Officer at the University of Bern.
Philipp Liechti, what is cyber security and when do you and your team get involved?
Cyber security is a term that sounds good for marketing, but fifteen years ago, we still called it information security or IT security. My job is to ensure that the University of Bern has the necessary infrastructure, organization, and resources in place to manage information security. This involves identifying and assessing risks so that we can define appropriate measures for the organization. Most of the actual implementation then happens within the IT departments of the individual institutes and faculties, rather than through me personally.

What exactly do you do to protect the University of Bern?
At the moment, I am doing a lot of development work and working hard to establish governance at the University and improve our ability to respond to cyber threats. This means defining roles, rules, and responsibilities to ensure the best possible security in our institution.

Why is this important?
The only way our organization can tackle the complex challenges of cyber security is with functioning governance at the appropriate levels. Nowadays, it is assumed that attacks already take place despite preventive security measures such as firewalls or virus protection. That is why we are increasingly focusing on detecting attacks early in the network and averting potential damage. To this end, we are working with partners to set up a Security Operation Center (SOC) at the University of Bern.

What are you doing to prevent attacks?
Preventive measures include password protection, vulnerability management, and raising people’s awareness. A large percentage of cyberattacks, regardless of the type, begin with a phishing email. Raising awareness of this is very important and we want to expand it even further. A year and a half ago, I launched an awareness campaign for the central administration. We deliberately sent our own phishing e-mails to university employees. As soon as someone clicked on the link in these emails, they were warned about the dangers of phishing.

About the person

Philipp Liechti

Philipp Liechti is a trained electrician and telecommunications specialist with further training as a technician in business information technology, CAS/MAS Information Security, CAS Cyber Security Defense & Response and Certified Information Security Manager (CISM/ISACA). He has been working in information security and IT security for 18 years. He is also an examination expert for the ICT Information Security Manager profession (formerly ICT Security Expert). Since 2022, he has held the newly created position of CISO/IT Security Officer at the University of Bern. 

And if they do catch you?
If someone at the University falls victim to a cyberattack despite the preventative measures in place, it should be reported immediately, either to me, the Service Desk, or their superior.

Phishing

Phishing is an attempt at fraud in which criminals try to steal personal data such as passwords or credit card information via fake e-mails, websites, or messages. They often pretend to be a trustworthy source in order to deceive the victims. 

What are the biggest threats to cyber security today?
One of the most prominent threats today is ransomware. These are encryption Trojan horses. Hackers encrypt access to your data and demand money in exchange for releasing it again. Depending on who is affected, this can be disastrous. There are examples of entire companies which were no longer able to access their data. Under some circumstances, this can mean the downfall of the company.

Artificial intelligence is another potentially very dangerous area, especially when it comes to the falsification of content or the misuse of videos and photos to forge identities. I don't yet know exactly where this journey will take us.

So are cyberattacks always technology-based?
No. Attacks can also come as subconscious influence. Social engineering is a typical example of this. Attackers use social networks such as Facebook to befriend company executives and gain their trust. In this way, they try to obtain confidential information or documents that can be used for a targeted attack. One must therefore be careful when going on social media because it can be used as a gateway for such attacks.

“A large percentage of cyberattacks, regardless of the type, start with a phishing email.”

Philipp Liechti

Have there already been such cases at the University of Bern?

In the last two years, there have been no significant attacks on the University of Bern that I am aware of. Before that, there was one incident in which the use of SWITCH helped the University of Bern avert serious damage. Smaller incidents such as a hacked email account happen all the time.

It is important to know that there is never one-hundred percent certainty anyway. You must focus on what you want to protect and how many resources are available, both in terms of personnel and finances.

Philipp Liechti likes the varied nature of his work and the opportunity to build something new.
What do you like about your work?
I like the variety. It's about technology, organization, strategy, and working with people. I have an opportunity to build something new, which is challenging but exciting at the same time. The range of things I do and the creative possibilities are what make it so appealing, even if I sometimes wish that projects could be implemented more quickly.

Password and encryption

A password should be at least twelve characters long. The same passwords should not be used for business and private purposes. If you have many password accesses, it makes sense to use a password manager and set up a separate password for each access. For sensitive matters such as e-banking, it is recommended that you use two-factor authentication. 

If possible, sensitive data should be encrypted to ensure protection. There are some free tools for this, or the simplest method is to use a ZIP file. 

We are working on adopting the use of Microsoft Teams at the University of Bern. We store everything there. What about security there?
Basically, we are switching over to the use of Teams, yes. It’s not possible for an institution like the University of Bern to achieve the same level of technological knowledge and security that a large provider can provide. Companies like Microsoft, for example, have huge resources and invest a lot of money in the security of their products. It is in their own interest to protect their customers. In the run-up to the Teams migration, a lot of time was invested in clarifying data protection issues. We had to show the data protection officers of the Canton of Bern how data protection and information security are implemented in M365. Nevertheless, the use of Microsoft is also a question of trust, as we do not know with absolute certainty what will happen to the data. For this reason, it is not permitted to store particularly sensitive personal data on M365 at the University of Bern.

Up to now, we have stored our data on our own server, but even there we cannot guarantee one-hundred percent security. Although we do everything we can to ensure security, we always have to consider the risks. What is security and what risks are we protecting ourselves against? Is it the evil hacker or the company that I don't trust?

“In Cyber Security, there is never one-hundred percent security.”

Philipp Liechti

What are you most worried about at the moment?
At the level of classic threats, it is clearly ransomware. At the institutional level, it is the decentralized and heterogeneous organization and IT landscape at the University of Bern. With 150 institutes, many of which have their own IT infrastructure, it is a challenge to maintain control or do the oversight necessary to achieve an appropriate level of security for everyone. The focus should be on the centralization and standardization of commonly used IT services as well as close collaboration between all parties involved. This is the only way to overcome the challenges in cyber security at the University of Bern, now and in the future, with the limited resources available.
