There is no one solution to completely secure your organisation. Just as there are many different ways a criminal can plan his attack, there are many different approaches to how you can orchestrate your defence. However, if you talk to different experts, they will probably all advise on different focus points. That’s why we invited three knowledgeable cybersecurity specialists from three very different backgrounds to share their experiences and tips.
Are we aware criminals don't care?
The local baker knows about sourdough bread, not security threats. Still, his website and online personnel registry can be targeted just as well as the digital environment of the city’s town hall or the multinational organisation across the street.
Even though a cyber-criminal usually goes where the most money is, the impact of a successful attack on smaller entrepreneurs is often much bigger. Criminals don’t care about personal circumstances and use fully automated techniques to exploit any digital weakness.
Together with Dave Woutersen (Security Evangelist at NCSC), Pepijn Vissers (co-founder of Chapter8), and Xander Koppelmans (Strategic advisor at Gemeente DNA), we set out to discuss:
Are Dutch organisations sufficiently prepared for a cyber-criminal’s methods and mentality?
You can only spend your money once
Dave, Pepijn and Xander share their vision on cybersecurity in the Netherlands by reacting to statements, questions, and audience remarks. An initial poll of the statement “Cybersecurity in the Netherlands is doing well” resulted in a 1-2 against, opening the discussion.
When Dave is asked what one of the most important factors is when any organisation develops its security programme, he says that “you can only spend your money once, so make sure you know what there is to protect, and what the relevant risk is.” He goes on to say he has often seen organisations set up their security without having identified the ‘crown jewels’ or the full extent of their attack surface. “If your asset management is not in order, or you don’t know who is responsible for certain systems, how can you make a sound investment?”
The impact of a hack
Of the three speakers, Dave has seen the most cyber-attacks take place firsthand in his career. Pepijn has executed the most attacks, and Xander has experienced the most impactful hack.
Xander is a successful entrepreneur, leading a business of 50 people. One morning in 2015, he received a message: "We're being hacked".
"We literally saw document folders and customer files disappearing from our servers," Xander says. Even though he had invested in firewalls, password protocols, a sysadmin monitoring the servers, and more, criminals used automated brute-forcing to hack the randomised, 10-character password in mere hours. The criminals didn't ask for ransom, they just destroyed everything.
"We didn't know what to do. How can you stop that? So we pulled the plug. At first, I thought it would cost us a few weeks and roughly 60,000 euro to get back on track."
However, when they restarted the servers, the situation was much more grim. "We lost 85-90% of all our files," Xander said. "The estimated quarter million euros in damages hurt, but we could handle that. The worst part was what it did to everyone in the organisation, their lives at home, the trust from customers... It's many times as bad and lasts much longer."
Training for a cage fight
Since 2017, Xander has turned the negative experience of the attack into a new start for his business, as his network and business opportunities were still strong. He now shares his story with other entrepreneurs, helping them avoid a similar fate.
Pepijn responds by saying that "we learn plenty from our own mistakes, but not from the mistakes of others. You can't expect to beat a cage fighter when you've trained with a punching bag a few times. It doesn't prepare you for that mentality. You have to train as they fight."
Dave adds from his experience that organisations dealing with a cyber-attack lose too much time mapping their environment and identifying the affected systems before they can start proper incident response. "Before all else," he concludes, "understand what you have to protect."