null Harjoittelu valmistaa kriisitilanteisiin

Practicing prepares for crisis situations – what do the information security managers advise for worst-case scenario

Maria Virkkula

The situation is critical. The health data  of over 17,000 students has leaked online. Journalists and students demand a response from the university to explain how this has happened and what will be done to make sure it does not happen ever again in the future.

Nevertheless, six security experts are having a convivial chat and sharing their experiences.

Although this is a crisis exercise, security-related threats are part of everyday life for these people. In the exercise they have just orchestrated, the participants carried out a realistic crisis situation and learned to prepare for the worst.

Communication, communication, communication

In a so-called desktop exercise taking just over an hour, the crisis progresses through different turns under the guidance of a chair person leading the action. Experienced persons in the situation room are looking for the best solutions through analytic discussion.

During the exercise, the team members adopt roles which differers  from their real-life jobs, and, for example, an Information Security Specialist plays the role of a Deputy Dean of an university.

The exercise makes the participants think.

– One clear observation was that there should be ready-to-use communication templates. In that case, people would immediately know what to communicate when there is very little information available, says Information Security Manager at University of Jyväskylä Teijo Roine.

– The information should be provided to the actual communicator, such as the Rector. And the communication should be complemented as soon as there is more information available.

Different templates will be required for different scenarios.

– It was also a good learning point to realise that we need to organise similar exercises with the research teams at Aalto University, Cyber  Security Specialist Timo Salin from Aalto University continues.


People are the primarly security risk

The typical crisis situations faced by the universities are less severe than the exercise. Extra work is caused by, for instance, death, if no substitute arrangements are in place, or if the information is hidden in personal e-mail.

The specialists point out that it would be good to ensure that role-based email addresses are used and continuity plans are in place.

Other typical security events include accidentally published materials, hacking of passwords, phishing or malicious software.

– Universities are expected to cope with increasing security risks and new security requirements due to complex cyber risks and the obligations of the General Data Protection Regulation. It is no longer sufficient to react to deviations, but our capacity needs also to be proactively a developed by practising, says Head of Security at CSC, Urpo Kaila.

Information should also be shared between the universities.

– The shooting incident that took place in Seinäjoki in 2008 is an example of a crisis that we can only hope will never happen again. Seinäjoki University of Applied Sciences has kindly shared its experiences and conclusions made on the basis of the incident to other universities, Kaila continues.

Easiness has its flipside

In addition, cloud services, or rather, their users, cause many headaches: do people always know what may and should be stored in the cloud?

– I would personally not store any personal information there, Salin points out.

– Aalto University's current policy still outlines that everything in the cloud is public information. This is currently under revision, and the goal is to come up with controls: we are in the process of discovering what possibilities we have for encryption, Multi Factor Authentication will be implemented, and we have already recovered and saved logs from the Microsoft cloud services. In addition, we are considering the use of cloud firewalls.

The policies are university-specific.

High expectations are pinned on cloud services in terms of storing documents, but few think about the reverse side of the coin. For security reasons, higher education institutions do not advise people to store all information in international and commercial cloud services. What about backup copies?

– When we talk about backups, many people do not understand the fact that data is by default not retained for all that long, Roine says.

– By default, recovery times are surprisingly short. You can buy more time with money, but even these services have their limits, Salin ponders.

"Half an hour spent on training could save you weeks' worth of time when processing an important information security issue."

The Cyber Security Specialist reminds us that you should always remember the four letters in cloud discussions: DPIA (Data Protection Impact Assessment). The assessment is designed to help you identify, assess and manage the risks involved in the processing of personal data.

The Information Security Officers emphasise that in cloud services, the user carries increasingly more responsibility for sharing information while the university's control is reduced. Information can be easily shared on purpose – but also by mistake.

– The default is that information is visible to everyone who knows the link. I think that this is a serious problem, and I wonder how I could get people to realise this, IT Security Manager Esa Mätäsaho from the University of Lapland says.

Increasing understanding through practical training

In the increasingly digitised university world, various types of training and instruction videos have increased in importance beyond all recognition. According to this group of experts, a moment spent on considering security issues can protect from huge damage in the future when the practices become a routine.

– Half an hour spent on training could save you weeks' worth of time when processing an important information security issue. The whole project and all related activities may come to a halt. In comparison to this, half an hour is a small investment, especially if sensitive data is being processed, Salin stresses.

The development of a security-oriented culture is one of the shared missions of this group. EU's General Data Protection Regulation (GDPR), which came into force in May almost a year ago, and the related hype contributed to the subject significantly. This increased people's understanding of and interest in questions related to data processing.

At the same time, however, some people felt that information security issues do not concern them, as they do not process personal data in their work.

– But they almost forgot that if they have something to protect, such as unpublished research information, and it leaks out of their own system in some way, such as accidentally to an open cloud or similar, and if someone then has access to the data and publishes it, they will own the rights, Salin says.

– This often makes people's jaws drop to the floor. In this sense, it is not only about the General Data Protection Regulation, but the entire research sector as a whole.

Finnish higher education institutions set an example for others

According to this group of experts, higher education institutions have traditionally been at the forefront of security issues in Finland. For example, the entire process related to the General Data Protection Regulation was completed with flying colours last year. Next, it is time to tackle the changes required by the Finnish Act on Information Management.

– It sets pretty strict requirements for documentation, and demands learning new practises, Salin points out.

All universities have appointed trained Data Protection Officers, and cooperation between higher education institutions is regular.

– Universities already have long-standing and comprehensive cooperation in the different aspects of security. Annual Information Security Days have been organised for the past 20 years in cooperation between the hosting university, CSC and the Security  group of universities, says Kaila.

This year, CSC wanted to bring together universities' Data Protection Officers and CSC's international data security partners.

– Therefore, CSC invited Charlie van Genuchten from Surfnet, the sister organisation of CSC in the Netherlands, to organise a crisis management exercise at the Information security day event. The exercise has been under preparation since last summer with CSC, Kaila describes.

This group of experts, if any, knows: research data should be carefully maintained. And security issues concern everyone.

FACT: Information Security Specialists' advice for crisis situations


  • Stay calm
  • Practice
  • Plan the communicational responsibilities and other roles in advance, so that you do not have to decide who does and what during the actual crisis
  • At first, focus on finding out what has happened, when, and who is involved
  • Be prepared to inform the necessary parties, such as a data protection authority or your own in-house staff
  • Name a leader for the crisis management team, who will assume overall responsibility and make decisions
  • Stay firm. The operation must be efficient and well-managed.


  • Do not blather to third parties
  • Do not blame anyone

The interviewees include ICT Security Manager Esa Mätäsaho from the University of Lapland, Information Security Managers Teijo Roine from the University of Jyväskylä and Jan Wennström from Åbo Akademi University, Head of Security Urpo Kaila from CSC, IT Security Specialist Timo Salin from Aalto University, and Chair of universities' information security team Sami Kinnunen from the University of Vaasa.