
Review of the University’s IT security culture


In recent days, 1,100 staff members at Lund University have been the subject of a staged email phishing attack and selected heads of department have faced a faked attempt to defraud via telephone calls. The fabricated attacks are part of the Internal Audit Office’s review of information and IT security culture.

An important element in an organisation's information and IT security management is the behaviour of its staff members.

“Technical measures are not sufficient, as it is rather the human factor that becomes the ‘door opener’ for cybercriminals and creates information and IT security risks. That is why, this year, Lund University’s Internal Audit Office is reviewing the University’s information and IT security culture,” says Jean Odgaard, Head of Auditing, Internal Audit Office.

The review is being carried out through a number of different activities conducted during autumn 2023. Two of the activities are focused on getting a picture of how security-conscious University staff members are. The Internal Audit Office has therefore engaged an external IT security expert who, working in cooperation with the Internal Audit Office, staged a phishing attack via email on 15 November as well as an attempt to defraud using phone calls (known as voice phishing, or vishing) between 20 and 22 November.

Results will be analysed

The activities are now concluded, and the Internal Audit Office will process and analyse the results. The results and the associated analysis, as well as recommendations for improvements, will be presented in the Internal Audit Office’s overall report to the University Board. The work on improvements will start in the next stage. 

“The aim of the staged activities has not been to single out individual staff members, managers or functions – we wanted to get results for Lund University as a whole. We will not be looking at how individuals or parts of the organisation have acted,” says Jean Odgaard.

“We saw that there were many people within the University, both managers and staff members, who were vigilant and immediate in both their response and actions regarding the activities. That is very positive.”

“The numerous touchpoints universities represent have been increasingly exploited by hostile interests who are out to steal, distort or destroy research data, for example. It is often the human factor that determines if these interests are granted access to data. A good IT security culture presupposes that all users are aware of the risk that they could be faced with fraudulent communication,” says Therese Kropp, internal auditor, who led the review.

Information on the activities

On 15 November, an email message was sent to 1,100 staff members at Lund University. The message was sent from an address created especially for the purpose and used as its pretext the University’s recently completed change of bank for salary payments. The message included a link that staff members were asked to click on in order to be directed to a webpage where they were asked to enter their username and password. Both the email message and the webpage were set up by the external IT security expert.

Between 20 and 22 November, selected heads of department at Lund University received a telephone call that claimed to come from the University’s Division of Finances. The call was followed up with an email message containing a link that they were asked to click on in order to fill in their details on a webpage. Both the email message and the webpage were created by the external IT security expert.