
Mapping a complex attack surface - PostNL Use Case

by Sebastiaan Bosman Use case 8 Dec 2020

PostNL is the largest mail order and delivery organisation in the Netherlands, also operating in Belgium and Luxembourg. It has made mail and parcels accessible for over 220 years, growing to become one of the largest private employers in the Netherlands. Over the years, the organisation has grown through expansions, mergers and acquisitions, making its attack surface rather complex.

Gunther Cleijn, Cyber Security Officer, explains how he and his team work to ensure the security and daily productivity of the organisation.

Gunther, can you tell us something about yourself and PostNL?

Gunther Cleijn

Sure! My name is Gunther Cleijn. After a career in the Royal Dutch Army, I turned back to 'civil life' in 2008. Since then, I've been working for several organisations in roles that were focused on securing digital assets. I’ve been working at PostNL as Cyber Security Officer for almost four years now. Within PostNL, I'm responsible for the security of the digital assets in our IT and OT domain.

PostNL is comprised of different Business Units. Each BU has their own IT department and IT Director, but all report to the CIO. In total, we have approximately 10,000 staff and between 35,000 and 40,000 colleagues delivering mail and parcels.

I run a very knowledgeable team of full-time and part-time specialists and experts. Together, we take care of the digital risk profile throughout the organisation. We support our colleagues in daily practices by helping them solve complicated security issues. In addition, we act as an advisor for PostNL's Senior Management.

What was the biggest security challenge when you joined PostNL?

To get where we are today, PostNL has had various mergers and acquisitions. Different services and processes have been successfully tied together to create the company we are now, including the digital infrastructures, Operational Technology, and other aspects. Consequently, we are connected to a vast number of external suppliers and third parties.

On top of that, we also provide cross-border solutions, where we route parcels across the world. All of this results in a largely decentralised structure and a huge digital network. The challenge from a security perspective is to keep track of 'what’s happening' in such an environment.

"With the amount of data we were handling, we had to manage on exceptions"

To answer this question, I set out to accurately map our attack surface and then created a reporting structure for all we could see happening with a potential impact on PostNL. So, we did an assessment over all our entities a few years ago to determine our security maturity level. One of the aspects we were focussing on was attack surface management in its entirety. At the end of this manual exercise we compared our output to the results from Cybersprint’s platform. The conclusion: there really were quite a lot more assets than we thought we had.

What did you do to tackle that challenge?

"This is what it comes down to: no matter what third party or domain we are linked to, it can all be traced back to PostNL. That is what we had to map.

"The best approach to manage our attack surface was to automate what we were doing by hand. With the amount of data we were handling on a daily basis, we had to manage on exceptions. Whenever the automated solution detects an issue, that is when you can follow up by hand. I wanted to focus on the actions we had to take based on the data the platform delivered, and develop my security strategy accordingly to move forward even faster. With the automated solution, we are able to see and understand how big our attack surface actually is, and act proactively to any risk to our brand."

What did you find most helpful?

"With regards to the first outcomes of the platform, it wasn’t like there were any shocking results. We knew there were more assets to find, we just needed the right solution to find them without having to specify where to look. Before, we had more of a gut feeling. Now, we know for sure.

"The strength of the platform is in the combination of many different sources, tools, plugins, etc. and the way they all work together to identify and visualise the necessary insights. Theoretically, we could have gained access to those sources ourselves as well, but that would not have been cost-efficient at all. It would only have cost us time, impeding our own productivity. With Cybersprint’s platform, we had all desired tools in one place and were able to give our security programme a big boost. The platform has quickly become a vital component of the intelligence system we have today.

"More importantly, though, I am most pleased with the feeling of trust and peace of mind the solution brings. It really helps to have a professional cybersecurity company lend an eye to monitor the big bad internet with you.

"In addition, I know I can always reach out to my contact in Cybersprint for some tips and tricks when I get a question from somewhere in the business. Now, I’m able to confidently say what is happening in our attack surface, and present the data to back it up."
