‘Everyone can and must contribute to IT security’

Ludger Becker and Sophia Stöber look after IT security at Münster University © University of Münster - Sophie Pieper
The University of Münster reorganises its IT security and

Almost every week we read about cyberattacks on companies or authorities - quite often on universities, too. Are we to conclude that basically the danger is constantly increasing, including for the University of Münster?

Ludger Becker: Recently, there has been a significant increase in the number of attempted attacks and in the professionalism displayed - with the corresponding danger of being the target of such an attack. This also applies to Münster University, of course. The CIT and the Information Processing Units (IVVs), which are responsible for IT support in the faculties, have already been taking a variety of measures to counteract this trend in the past few years. However, this is always a continuous process of action and reaction.

Individual members of staff or students may well think that by themselves they can’t do anything to increase IT security or to counteract cyberattacks. Are they wrong?

Sophia Stöber: Actually, everyone can and must contribute to IT security. Information security only functions as a joint effort. After all, everyone who works on a computer comes into contact with dangers and with IT security measures on a daily basis. Locking the screen when you leave your workstation, or pausing when you read an unusual email, can often make a big contribution.

At Münster University, IT security is seen as being a joint effort, and you have drawn up a concept entitled ‘Recognise-Protect-React’. What does that entail?

Stöber: These three steps - ‘Recognise-Protect-React’ - are used as the guiding principle in all information and training material for students and staff with the aim of making the issues of IT security and information security more tangible. ‘Recognise’ stands for example for recognising the value of information or for recognising how attackers work. ‘Protect’ comprises tips and tricks for implementing important protective measures, for example in the form of easy-to-understand instructions and checklists. The ‘React’ step provides users with guidelines on what to do and who to contact in an emergency, in other words in a security-critical situation. We talk about these various points on the new websites of the Information Security Department, for example, as well as in our training sessions for staff and students.

Which areas and systems can be protected by the CIT? And when is it the responsibility of individual members of staff and students?

Becker: The CIT implements the operative security measures for the central IT infrastructure. This includes for example the firewall or the introduction of two-factor security for some services. The IVVs are responsible for safeguarding department-specific services and systems. When it’s a question of individual, security-aware behaviour, then it becomes the responsibility of every single member of staff and every single student.

Stöber: Individuals should be aware of possible threats in their everyday work and recognise them when they occur. Another important security measure is to be vigilant when reading emails so as to be able to recognise any attempts at phishing. Bearing in mind recent occurrences, activating two-factor security in the IT portal is a particularly important measure for all staff and students, and one which is quickly and easily done.

How is IT security structured at the University of Münster? And who does what?

Becker: IT security is part of information security, and the Information Security Department, which is headed by the Chief Information Security Officer (CISO), looks after that. Here is where the scope of drawing up and implementing security concepts is defined. The Department also provides support for IT operatives to comply with these stipulations. At the same time, both the Department and the IT operatives are given support by the CIT’s Computer Emergency Response Team (CERT) in recognising and dealing with security incidents. CERT and the Information Security Department coordinate their activities very closely. Another important aspect is information security awareness, which is an area where we collaborate very successfully with IT Security Awareness Coordinator Sophia Stöber from the CIT.