Information security course will be mandatory for new employees

The purpose of the course is to strengthen the security culture at Uppsala University and reduce the risk of incidents, ultimately leading to better protection of the University's information assets.

In order to improve information security within the University, the general level of knowledge and security awareness among employees need to be improved, according to the Security and Safety Division. In general, security awareness has improved in recent years and more and more people are reporting suspicious emails with malicious links to the Security and Safety Division. But one of the biggest challenges is still a lack of awareness and basic knowledge about information security.

“Part of the Security and Safety Division’s reactive information security work involves identifying the user accounts that ‘fall into the trap’ by clicking on fraudulent links, where in the worst case individual employees can lose their user credentials,” says Fredrik Blomqvist, Security Manager at Uppsala University.

These user credentials basically consist of the user’s username and passwords.

“Based on this work, statistics are gathered on which parts of the organisation are affected right down to the individual employee level, as well as the proportion of those affected per disciplinary domain, and in the University Administration and the Library.

‘Be sceptical and remain alert’

On occasion, fraudsters have managed to access information through phishing, or when sensitive information has been handled in an insecure way. This information has then been used to steal information from the University’s IT systems. Your username and password are a commodity that can even be resold and exploited for hacking.

A big red flag or warning sign is if you have clicked on a link in an email and you are then asked to fill in your user credentials,” Fredrik Blomqvist emphasises.

“Don’t do it! Be very sceptical and remain alert about where you enter your user credentials. Neither the Security and Safety Division nor University IT Services sends emails in which employees are asked to do things such as secure the storage space in their inboxes,” he says.

Continuous monitoring of information security

Since 2024, the Security and Safety Division along with University IT Services (UIT) has produced information security reports. The reports provide a picture of the University’s strengths and challenges in the area of information security, and show what the University’s information security work ought to look like in five years’ time.

Since 2024, the University has also strengthened its systematic information security efforts by involving and informing the University Management more often than previously. At the same time, cyber criminals are using increasingly advanced methods to steal usernames and passwords or in other ways block user access to, destroy or access data.

“A number of active measures have been implemented and several are in the pipeline for 2025–2027. For example, multi-factor authentication has been introduced in a number of systems that are considered sensitive,” says Fredrik Blomqvist.

Enhanced login requirements and expanded national requirements

More systems will also be subject to enhanced login requirements to access the University’s IT resources. Another requirement being implemented is mandatory completion of the basic course in information security, which has been quality-assured by representatives from the teaching faculty within the University.

“As a new employee, you must have completed the basic course in information security within 65 days of starting your employment at the University. The requirement to complete this basic course will apply from 18 August 2025,” Blomqvist says.

In the University’s appropriation directions for 2025, the wording regarding information security has been expanded to cover cyber security as well. With this comes requirements for the University to report on this work, and for analyses of threats and vulnerabilities in this area where applicable. Cyber security is an important issue at the national as well as the government agency level, according to Fredrik Blomqvist.

“We are seeing a trend of more and more regulation through directives in the area that will also very likely impact operations at Uppsala University.”