“The thief used to have a crowbar, now a laptop”

Organizations should invest not more, but smarter, to limit the risk of cyber attacks. This is the argument of Sander Zeijlemaker, CEO of the Disem Institute. He received his doctorate on this subject at Radboud University in March. “Organizations need to understand that setting up cybersecurity is a dynamic process.”

Organizations affected by cybercrime: the topic is on the agenda. Billions of euros in damage are suffered every year. It is a world where the attacker is constantly evolving and innovating his approach, but organizations are still not doing enough. “Cybersecurity is an issue where you make a decision today to be safe tomorrow,” says Zeijlemaker. “Administrators who have to make choices in this regard are supported by all sorts of standards, frameworks and comparisons with other organizations. After each incident, with yourself or with other organizations, new measures are devised to prevent it in the future. Many organizations base their investments in cybersecurity on past problems. But it’s a pretty static approach. You have to look to the future.”

System dynamics

In his research, for which the first work was already carried out in 2015, Zeijlemaker looked at an approach based on system dynamics. “In cybersecurity, this approach is hardly used. It is an approach that first identifies all factors, including their coherence, that play a role in making strategic decisions in the field of cybersecurity. This includes the development of the attacker, the behavior of the employees and the effectiveness of measures. This information, together with all relevant data, is used to create computer-aided simulation models.”

Not everyday fare

According to Zeijlemaker, there are big differences between organizations in how far they are with cybersecurity. “Some organizations are quite advanced in assessing risks, but I dare say that the majority do not look ahead and take the appropriate steps. There are also organizations that have not yet implemented a good security strategy at all. The dangers are obvious. If you as an SME organization are hit by a major cyber attack, there is a sixty percent chance that you will not survive the next six months.”

“If you think you are done after installing detection software, you are mistaken.”

Adjust continuously

“Organizations need to understand that setting up cybersecurity is a dynamic process,” Zeijlemaker continues. “If you think you’re done after installing detection software on your regular software, you’re wrong. An organization is constantly changing. Every time you have new laptops, you need to reinstall the software. If you have new servers, or if you change networks, you need to go through the steps again. Security measures need to be adapted to the changes in the organization and the attacker. That awareness needs to grow.”

“Organizations understand that if a new employee starts working, he or she needs a login with rights to be able to work. But what I see much less is that if the employee makes a career in an organization and he or she gets new rights, the old rights are taken away. That employee can do so much, even things that no longer belong to the position. If an attacker gains control of that account, they can also access those files.”

Creates commitment

The CEO of the Disem Institute believes that cybersecurity should become a standard part of business operations. “I remember an organization where they wanted to make their employees aware that the email they receive also includes email from attackers. They had set up a help desk and they said: if you have an email and you are in doubt about whether it is genuine, do not open the e-mail and forward it. This help desk had the means to check whether the record was genuine or not. If you then give back what things stand out to you in these emails, it starts to come alive. You create involvement.”

Cybersecurity costs money

That it costs money to set up cybersecurity is, according to Zeijlemaker, not an argument for not doing so. “Of course it costs money if you have to rig it, but if you do not do it, it can also cost a lot. In a ransomware attack, the attacker often demands a few percent of your revenue. If you are actually affected by this attack, it will often take you a month to resolve it. During that month, you have trouble serving your customers, which then may go away. As a result, you get compensation claims because you are unable to fulfill current contracts. Attackers also make a copy of critical data, which they then leak. It costs money, but it is also a cost of doing business. In a digital world, you have many advantages if you can do your job quickly, but it must be safe.”

Sander Zeijlemaker: “Cybersecurity is an issue where you make a decision today to be safe tomorrow.”

False sense of security

The game between the attacker and the organization is endless. “The insidious thing is that the attacker is sometimes away for a while. This can give a false sense of security. This is also known as a detection trap. If you do not see anything, it is not there and you do not have to act on it. But that is a misunderstanding. As an organization, there is always a risk that the attacker will return.”

Security guarantee?

According to Zeijlemaker, it is also an illusion to think that an organization will never be affected by, for example, a cyber or ransomware attack. “As a society, we are going to digitize more and more, and so is the attacker. The thief previously had a crowbar, now a laptop. You can make systems one hundred percent secure, but then it is almost impossible to do business. Then it is impossible to work together.”

Ask questions

There is still a whole world to be gained in cybersecurity in organizations. “The willingness to invest in cybersecurity is linked to the willingness to understand it. The first steps do not have to be difficult. Ask yourself a number of questions as a driver. Do we as an organization know what our digital footprint is? Do you know what to protect? If you do not know, you can implement a lot of measures, but if you forget a few computers that belong to your organization, you already have a springboard for an attacker.”

Follow Executive Finance on LinkedIn!
