
Prevent, prepare and prevail: 3 perspectives on cybercrime

by Sebastiaan Bosman Blog 22 Apr 2021

There is no single solution that completely secures your organisation. Just as there are many different ways a criminal can plan an attack, there are many different approaches to orchestrating your defense. Talk to different experts, though, and they will probably each advise a different focus. That’s why we invited three knowledgeable cybersecurity specialists from three very different backgrounds to share their experiences and tips.


Are we aware Criminals don't care?

The local baker knows about sourdough bread, not security threats. Still, his website and online personnel registry can be targeted just as well as the digital environment of the city’s town hall or the multinational organisation across the street.

Even though a cyber-criminal usually goes where the most money is, the impact of a successful attack on smaller entrepreneurs is often much bigger. Criminals don’t care about personal circumstances and use fully automated techniques to exploit any digital weakness.

Together with Dave Woutersen (Security Evangelist at NCSC), Pepijn Vissers (co-founder of Chapter8), and Xander Koppelmans (Strategic advisor at Gemeente DNA), we set out to discuss:

Are Dutch organisations sufficiently prepared for a cyber-criminal’s methods and mentality?


Watch the panel discussion  (Dutch only)

You can only spend your money once

Dave, Pepijn and Xander share their vision on cybersecurity in the Netherlands by reacting to statements, questions, and audience remarks. An initial poll of the statement “Cybersecurity in the Netherlands is doing well” resulted in a 1-2 against, opening the discussion.

When Dave is asked what one of the most important factors is when an organisation develops its security programme, he says that “you can only spend your money once, so make sure you know what there is to protect, and what the relevant risk is.” He continues, saying he has often seen organisations set up their security without having identified the ‘crown jewels’ or the full extent of their attack surface. “If your asset management is not in order, or you don’t know who is responsible for certain systems, how can you make a sound investment?”


The impact of a hack

Out of the three speakers, Dave has seen most cyber-attacks take place firsthand in his career. Pepijn has executed the most attacks, and Xander has experienced the most impactful hack. 

Xander is a successful entrepreneur, leading a business of 50 people. One morning in 2015, he received a message: "We're being hacked". 

"We literally saw document folders and customer files disappearing from our servers," Xander says. Even though he had invested in firewalls, password protocols, a sysadmin monitoring the servers, and more, criminals used automated brute-forcing to hack the randomised, 10-character password in mere hours. The criminals didn't ask for ransom, they just destroyed everything. 

"We didn't know what to do. How can you stop that? So we pulled the plug. At first, I thought it would cost us a few weeks and roughly 60,000 euro to get back on track."

However, when they restarted the servers, the situation was much more grim. "We lost 85-90% of all our files," Xander said. "The estimated quarter million euros in damages hurt, but we could handle that. The worst part was what it did to everyone in the organisation, their lives at home, the trust from customers... It's many times as bad and lasts much longer." 

Training for a cage fight

Since 2017, Xander has transformed the negative experiences from the attack into a new start of his business, as his network and business opportunities were still strong. He now shares his story with other entrepreneurs, helping to prevent them from a similar fate. 

Pepijn responds by saying that "we learn plenty from our own mistakes, but not from the mistakes of others. You can't expect to beat a cage fighter when you've trained with a punching bag a few times. It doesn't prepare you for that mentality. You have to train as they fight." 

Dave adds from his experience that organisations dealing with a cyber-attack lose too much time with mapping their environment and detecting the affected systems before they can start proper incident response. "Before all else," he concludes, "understand what you have to protect."
