PostNL is the largest mail order and delivery organisation in the Netherlands, also operating in Belgium and Luxembourg. It has made mail and parcels accessible for over 220 years, growing to become one of the largest private employers in the Netherlands. Over the years, the organisation has grown through expansions, mergers and acquisitions, making its attack surface rather complex.
Gunther Cleijn, Cyber Security Officer, explains how he and his team work to ensure the security and daily productivity of the organisation.
Gunther, can you tell us something about yourself and PostNL?
Sure! My name is Gunther Cleijn. After a career in the Royal Dutch Army, I turned back to 'civil life' in 2008. Since then, I've been working for several organisations in roles that were focused on securing digital assets. I’ve been working at PostNL as Cyber Security Officer for almost four years now. Within PostNL, I'm responsible for the security of the digital assets in our IT and OT domain.
PostNL is comprised of different Business Units. Each BU has their own IT department and IT Director, but all report to the CIO. In total, we have approximately 10,000 staff and between 35,000 and 40,000 colleagues delivering mail and parcels.
I run a very knowledgeable team of full-time and part-time specialists and experts. Together, we take care of the digital risk profile throughout the organisation. We support our colleagues in daily practices by helping them solve complicated security issues. In addition, we act as an advisor for PostNL's Senior Management.
What was the biggest security challenge when you joined PostNL?
To get where we are today, PostNL has had various mergers and acquisitions. Different services and processes have been successfully tied together to create the company we are now, including the digital infrastructures, Operational Technology, and other aspects. Consequently, we are connected to a vast number of external suppliers and third parties.
On top of that, we also provide cross-border solutions, where we route parcels across the world. All of this results in a largely decentralised structure and a huge digital network. The challenge from a security perspective is to keep track of 'what’s happening' in such an environment.
"With the amount of data we were handling, we had to manage on exceptions"
To answer this question, I set out to accurately map our attack surface and then created a reporting structure for all we could see happening with a potential impact on PostNL. So, we did an assessment over all our entities a few years ago to determine our security maturity level. One of the aspects we were focussing on was attack surface management in its entirety. At the end of this manual exercise we compared our output to the results from Cybersprint’s platform. The conclusion: there really were quite a lot more assets than we thought we had.
What did you do to tackle that challenge?
"This is what it comes down to: no matter what third party or domain we are linked to, it can all be traced back to PostNL. That is what we had to map.
"The best approach to manage our attack surface was to automate what we were doing by hand. With the amount of data we were handling on a daily basis, we had to manage on exceptions. Whenever the automated solution detects an issue, that is when you can follow up by hand. I wanted to focus on the actions we had to take based on the data the platform delivered, and develop my security strategy accordingly to move forward even faster. With the automated solution, we are able to see and understand how big our attack surface actually is, and act proactively to any risk to our brand."
What did you find most helpful?
"With regard to the first outcomes of the platform, it wasn’t like there were any shocking results. We knew there were more assets to find, we just needed the right solution to find them without having to specify where to look. Before, we had more of a gut feeling. Now, we know for sure.
"The strength of the platform is in the combination of many different sources, tools, plugins, etc. and the way they all work together to identify and visualise the necessary insights. Theoretically, we could have gained access to those sources ourselves as well, but that would not have been cost-efficient at all. It would only have cost us time, impeding our own productivity. With Cybersprint’s platform, we had all desired tools in one place and were able to give our security programme a big boost. The platform has quickly become a vital component of the intelligence system we have today.
"With the automated solution, we are able to see and understand how big our attack surface actually is."
"More importantly, though, I am most pleased with the feeling of trust and peace of mind the solution brings. It really helps to have a professional cybersecurity company lend an eye to monitor the big bad internet with you.
"In addition, I know I can always reach out to my contact in Cybersprint for some tips and tricks when I get a question from somewhere in the business. Now, I’m able to confidently say what is happening in our attack surface, and present the data to back it up."