
Cursor shadows TU/e's digital guard dogs
How does LIS deal with hackers, phishers, and other cybercriminals?
The university's IT security has been tightened following the cyberattack in January 2025. What does this mean for TU/e employees? Cursor spent a morning with the Incident & Response team to see how digital threats are detected—and where the boundaries lie between privacy and security.
TU/e has significantly strengthened its digital security following the hack a year ago. Understandably, the university is not publicly disclosing the exact nature of the new measures.
What the university can share is that significant progress has been made by replacing outdated protocols. These rule sets determine how devices and systems communicate with each other, exchange data, and perform tasks. It is important to keep these up to date so that criminals cannot exploit any vulnerabilities in these old protocols.
Automated
Library & Information Services (LIS) handles all IT-related matters within the organization. The Chief Information Security Officer (CISO)—responsible for strategic information security policy—was also part of LIS, but since CISO Joost de Jong took over, that role has fallen under General Affairs.
De Jong explains that the security of the TU/e network, including student and staff laptops, has been automated for years. After all, it involves thousands of users.
“If we had to do it manually, it would be a full-time job. Moreover, we would constantly be playing catch-up, as criminals have automated their attacks as well.”
IT staff therefore do not remotely access laptops without the user's knowledge. Only if you call the helpdesk and give permission can a helpdesk employee access the system via Team View to resolve issues.
Incidents
LIS has several teams dedicated to digital security. The Incident & Response (I&R) team is specifically responsible for analyzing and addressing these incidents. This could involve, for example, an email with an infected attachment arriving in TU/e mailboxes, or a hacker gaining unauthorized access to the network through an account that is not their own.
Normal behavior
Security systems are fed information about how a normal user behaves in an application and what deviates from it. Criminals try to stay as close as possible to that ‘normal’ profile to avoid detection.
Therefore, application or website developers are reluctant to disclose exactly what constitutes normal behavior and what doesn't. “Sometimes it's very simple,” De Jong says. “If someone logs in from Eindhoven and suddenly pops up on the other side of the world half an hour later, you know something's wrong.”
Another example is login behavior: a normal user isn't going to log in thirty times a minute. A hacker trying a huge number of passwords to crack an account might. They still try to stay just below the radar while pushing the boundaries to succeed in the hack. It’s a cat-and-mouse game that’s constantly going on.
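To show what the two heuristics De Jong describes look like in practice, here is an added example (not LIS's or TU/e's code) that runs an impossible-travel check and a login-rate check over a small, constructed login log; the usernames, coordinates and thresholds are assumptions chosen for illustration.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (not real TU/e data): ISO time, user, city, lat, lon
EVENTS = [
    ("2026-01-14T09:00:00", "alice", "Eindhoven", 51.44, 5.47),
    ("2026-01-14T09:30:00", "alice", "Sydney", -33.87, 151.21),
    ("2026-01-14T09:05:00", "carol", "Eindhoven", 51.44, 5.47),
    ("2026-01-14T11:05:00", "carol", "Amsterdam", 52.37, 4.90),
]
# 40 attempts by "bob" one second apart: far above a human login rate
EVENTS += [("2026-01-14T10:00:%02d" % s, "bob", "Eindhoven", 51.44, 5.47) for s in range(40)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def detect_impossible_travel(events, max_kmh=1000.0):
    """Flag consecutive logins of one user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ts, user, city, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, pcity, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > max_kmh:
                alerts.append((user, pcity, city, round(dist / hours)))
        last[user] = (t, city, lat, lon)
    return alerts

def detect_login_bursts(events, window_s=60, threshold=30):
    """Flag users with more than `threshold` logins inside any window_s-second window."""
    alerts, recent = {}, defaultdict(deque)
    for ts, user, *_ in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while t - q[0] > timedelta(seconds=window_s):  # drop events outside the window
            q.popleft()
        if len(q) > threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts
```

Only alice (Eindhoven to Sydney in half an hour) and bob (forty logins in a minute) are flagged; carol's Eindhoven-to-Amsterdam move two hours later stays within the normal profile.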
Unusual behavior
As soon as a TU/e account exhibits unusual behavior, an alarm goes off for Calvin Bots and his colleagues in the I&R team. The system monitors the unusual behavior and notifies I&R of what's happening and whether automatic action has already been taken. Cursor spent a morning shadowing them to see how they, as vigilant guard dogs, detect and handle digital threats.
“Our team focuses on detecting and mitigating incidents,” says Bots. “Think, for example, of a party trying to install malware on an employee's laptop.” Something like this can happen after clicking on a malicious link or downloading an infected attachment.
He shows an example of a notification that came in last week. A small spiderweb appears on the screen, showing the user's device and the steps they take within the network. The IP address—a unique address for a PC—and the country are also visible. Bots and his colleagues follow a flowchart to determine the nature of the incident and how to respond.
Crypto
Bots’ team distinguishes roughly two types of incidents: identity-related and endpoint-related. At TU/e, the former primarily involves the misuse of accounts and the associated personal data. Hackers then attempt to obtain data for later misuse. For example, a phishing email that tries to trick you into opening a link and entering your personal information.
In the case of endpoint-related incidents, criminals seek access to a device (the ‘endpoint’) to misuse it. For example, to perform heavy processing to mine cryptocurrencies, or to install software that continuously collects information about the user. To achieve this, the hackers remotely issue commands to the hardware.
The figures
TU/e received a total of 3,800 incident reports between December 14, 2025, and January 14, 2026. That amounts to nearly four thousand reports in a month, but fortunately, the majority of these do not require direct staff attention.
Every day, five to ten incidents require manual investigation or action. An example is a malicious email that quickly disappears from your mailbox after it arrives because the system recognizes and deletes it.
However, manual deletion can also be done: if an employee opens a malicious email, the team can then remotely delete that message from the inboxes of all TU/e employees who also received it. No IT staff member needs to wade through mailboxes for this.
Another action I&R staff can perform to protect a user from attackers is remotely shutting down their laptop. This makes logging in impossible. The student or employee then receives a phone call to bring the device to the help desk.
IP address
After processing an incident, Bots and his colleagues check whether the attacker's IP address is already known from previous suspicious behavior. “You can often find quite a bit about such an address online.” Security tool Microsoft Defender for Endpoint is also crucial for this. Software giant Microsoft has a huge user base and therefore a database of millions of suspicious IP addresses. Access to this is crucial, “but also one of the reasons why it's difficult to switch from Microsoft to a non-American alternative,” De Jong acknowledges.
More resilient
The world has changed significantly in recent years. “We've started connecting more systems online,” observes the CISO. “That's great for users, but it also attracts criminals. They can gain more in a single attack, which also increases the potential impact of such a hack for the victim. Becoming more digitally resilient is therefore more important than ever.”
This article was translated using AI-assisted tools and reviewed by an editor