How would your institution respond if a seemingly ordinary system check uncovered a major security incident?
That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began. They quickly realised that an attacker had potentially been inside their network for nearly a month.
Senka Maćešić, the University of Rijeka’s Vice-Rector for Digitalisation and Development, and Ivan Marinović, its Head of IT, share how the university managed the breach, the key challenges they faced, and the lessons they learned.
Uncovering the breach
The incident began when Ivan’s team found an unknown virtual machine template on their vSphere platform — a tool that shouldn’t be accessible from outside the university’s network.
“We started asking ourselves: How did this person get inside? Where is the leak? We were a bit scared,” Ivan recalls. “When we realised it wasn’t a simple issue, we immediately reported it to the National CERT (NCERT) and university management.”
A forensic analysis revealed the attackers had created the template almost a month earlier, during the quieter summer break, giving them potential access to the university’s systems during that time.
Senka and Ivan acted immediately. The IT team focused on detecting intrusions and quarantining parts of the system to prevent further spread: quickly changing passwords, shutting down non-critical servers, and starting to comb through logs. The university also brought in external cybersecurity experts and the NCERT, part of Croatia’s NREN, CARNET.
A lucky escape and a wake-up call
Fortunately, the attackers didn’t take any destructive actions, but the breach revealed gaps in the university’s security and response plans. Ivan reflects:
“We were very lucky, because they could have damaged us in lots of ways: locked us out, run ransomware, compromised our data.”
Senka, Ivan, and their colleagues have used what they learned from the incident to transform the university’s technical and strategic approach to cybersecurity. Here are their key lessons learned:
Lesson 1: Draw on external expertise
Managing a cyber incident can overwhelm an internal team, especially for a small IT department like Ivan’s. They were already managing a heavy workload, delivering normal services plus meeting the additional demands of a new academic year.
“The main challenge our team faced — alongside significant stress — was a lack of personnel,” Ivan says.
“We are a small IT team, so managing the incident while conducting all our regular operations was very difficult. Each team member has multiple responsibilities, and we were stretched thin by this new situation.”
The university’s collaboration with NCERT and a specialised cybersecurity firm proved essential. “Their support was crucial in ensuring a swift and comprehensive response to the network breach,” Ivan says.
“We are so grateful for the NCERT’s invaluable support during the incident,” he adds. “They provided best-practice guidance, helped us with advanced threat analysis, sent staff in person, and validated our responses.”
The hands-on support was vital. “Just one day’s logs were 5–10 gigabytes — big data to sort through. CARNET’s expertise helped us identify how the attacker had moved throughout our network.”
To contain the breach and eliminate any backdoors or vulnerabilities, the external cybersecurity firm provided expertise and advanced tools for malware analysis, vulnerability scanning, and incident resolution. With their help, Ivan’s team installed Velociraptor and SentinelOne on over 1000 computers, enabling real-time monitoring and endpoint security across the university’s network.
Lesson 2: Communicate clearly, consistently, and transparently
Effective communication is just as important as technical expertise during a cyber incident. Senka led communication efforts, keeping university leadership and other stakeholders informed without overwhelming them with technical jargon.
“Consistent internal updates were essential to decision-making. We also kept all our faculty deans informed, to ensure raising awareness was seen as a shared responsibility.”
This transparent approach extended beyond internal communication. The university was quick to notify external bodies, including the national cybersecurity centre, demonstrating a commitment to compliance and trustworthiness.
“We informed the relevant national bodies as soon as we realised there was even a slight possibility of data leakage,” Senka says. “We discovered very quickly that no personal data had been exposed, so we were all happy with that outcome.”
Ivan summarises his advice on communicating effectively about cyber incidents: “Be honest, provide simple and clear communication, and give regular updates to keep everyone informed.”
Lesson 3: Strengthen your incident response plan
Although the university IT team had an incident response plan, the attack exposed some gaps. Since then, they’ve developed a more comprehensive incident response plan with clearly defined roles and responsibilities. They conduct regular training and drills to ensure everyone knows what to do should another incident occur. Ivan reflects:
“The incident significantly improved our IT team’s ability to respond to future problems. We have more experience, better systems, and clearer roles, so we can react faster and gather critical information more efficiently.”
Lesson 4: Leadership support is key to cybersecurity investment
A notable outcome of the incident was a shift in the university leadership’s prioritisation of cybersecurity. The breach highlighted the urgent need for investment in this area, which had previously been overshadowed by other priorities, Senka explains. “People know cybersecurity is important, but when it comes to financing, there are also lots of IT basics that need resourcing.”
“After the incident, management better understood why we needed more funding to keep us secure,” Ivan says. “So we easily got funding for additional security tools.”
Since joining the university several years ago, Senka has driven a change in attitude towards IT investment.
“When I arrived, the idea of spending €2,000-3,000 on software — not just for cybersecurity but in general — seemed unjustifiable to some. I’ve worked hard to help leadership understand why cybersecurity should be a priority, and this incident has helped convince them.”
Lesson 5: Balancing security with academic freedom
When introducing new security measures, Senka and Ivan are mindful of the unique challenges universities face in maintaining security without disrupting academic collaboration and research.
“In a company, you can precisely regulate what employees can and can’t do, and exclude anyone outside,” Senka says.
“For us, it’s harder — our professors and researchers are part of global research teams and need to share digital resources. We can’t shut out those external collaborators or enforce the exact same security measures as a company.”
To address this, the university introduced role-based access controls, limited server logins to specific users and computers, and implemented multi-factor authentication for VPN access. These measures enhance security without significantly impacting the day-to-day activities of researchers and students.
“We’ve tried to do everything we can to increase security without disrupting the usual way people do things at the university,” Senka explains.
Lesson 6: Turn crisis into opportunity
Cyber incidents are stressful, but they can also serve as powerful catalysts for positive change.
Since the incident, the university has upgraded its IT systems, introducing tighter security controls, improved log management, and new backup systems. All its servers have been migrated to cloud-based servers hosted by SRCE, the national University Computing Centre Zagreb.
“These changes took time and significant effort, but were vital,” Senka says.
“The incident gave us the push to make long-planned changes, like upgrading our systems and moving servers to the national centre. It spurred us to complete that work and keep increasing security step by step — and that’s a great outcome.”
The university has also launched new training programs, increased collaboration with external experts, and enhanced security awareness, encouraging a cultural shift toward greater cybersecurity vigilance.
Final thoughts: Advice for other universities
Having emerged stronger from the incident, Senka and Ivan have some practical advice for other universities. “Create a detailed incident response plan, conduct regular training, invest in advanced tools, educate your staff, and always maintain backups,” Ivan advises.
“Most importantly, stay calm and approach the problem methodically. Don’t panic, because panic can lead you to poor decisions.”
“Everybody is vulnerable to cyber attacks today. We were fortunate that no damage was done, but other institutions have experienced very severe problems,” Senka adds. She warns against complacency:
“Do everything you can to increase cybersecurity, but never relax and think you’re so well prepared that an attack couldn’t happen to you. It’s like protecting your house from burglars — you can invent so many ways to secure your house, but there will always be a way in.”
Ivan agrees: “Recognise that cybersecurity is an ongoing process. No matter how good you are today, and how advanced your solutions are, tomorrow you might face new types of threat. Continuous improvement is essential.”
Building a more resilient future
For the University of Rijeka, what could have been a catastrophic breach became a turning point. The incident not only prompted technical upgrades but also strengthened their strategic approach to cybersecurity, securing leadership support and contributing to national awareness raising.
“A key benefit of incidents like this is helping to raise awareness at the national level,” Senka says. “Cybersecurity is climbing higher on the priority list, as CARNET is now signalling.”
Their experience offers valuable lessons for other universities facing growing cybersecurity threats. With the right preparation and mindset, cyber crises can be averted or minimised — and even transformed into an opportunity for growth and resilience.
About Senka Maćešić
Senka Maćešić is Vice-Rector for Digitalization and Development and a Professor in the Faculty of Engineering at the University of Rijeka (UNIRI). Her research area is applied mathematics: numerical methods and mathematical approaches in machine learning, with applications from flooding and pollution to epidemiology. As Vice-Rector, she led a comprehensive reform of the university’s IT systems. Senka is committed to aligning UNIRI development with the UN sustainable development goals, from community engagement to improving energy efficiency. She participates in different UNIRI project teams, including the Young Universities for the Future of Europe alliance and North Adriatic Hydrogen Valley.
About Ivan Marinović
Ivan Marinović is an IT professional with nearly 20 years of experience, currently leading the IT Department at the University of Rijeka. He specialises in network design, system administration, and virtualisation, managing large-scale campus networks and VoIP infrastructure. Proficient in O365, VMware, Hyper-V, and Cisco technologies, he also holds multiple industry certifications. With a strong background in troubleshooting and IT infrastructure management, Ivan focuses on optimising efficiency and improving system performance.
This year GÉANT is again joining the European Cyber Security Month, with the campaign ‘Your brain is the first line of defence’. Read articles from cyber security experts within our community, watch the videos, and download campaign resources at connect.geant.org/csm24.