Although Dutch companies are taking their IT security more and more seriously and getting it in order, criminals and other attackers are developing faster. The growing threat combined with the relatively slow development of resilience worries the government.
The National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Center say this in a new version of the annual report Cyber Security Assessment Netherlands. Among other things, the enormously increased reliance on cloud services poses a risk, because attackers (usually state actors) try to abuse this dependence by disrupting these services.
According to the report, cybercrime is industrially scalable, but unfortunately that is not the case with resilience. This has resulted in an asymmetrical battle. ‘Serious cybercriminals and their service providers are primarily financially motivated and aim for maximum benefits, while gratefully making use of the opportunities offered by the digital domain. They greatly scale up their processes and systems by working together effectively and by continuously innovating when it comes to automation.’
‘On the side of cyber security and cybercrime, achieving scalability in the technical sense is not the problem. It is already happening where possible. It is primarily the organizational aspects (cooperation) and the legal aspects (information exchange) that have the biggest bottlenecks and growing pains.’
Hoarding of vulnerabilities
The threats are growing internationally, partly because countries have for years been hoarding so-called zero-days: undetected vulnerabilities in software that they keep in reserve to carry out an attack against which there is as yet no protection. The use of zero-day exploits by state actors against Dutch targets is illustrative of the structural and advanced digital threat that states pose to Dutch economic and political security interests.
But criminals’ attempts to blackmail or shut down businesses remain a problem. ‘Cyber incidents have an impact not only on direct victims, but also on chains of suppliers, customers and citizens using the services of the organizations concerned.’ The organizations point to the tendency for criminals to target suppliers in order to affect companies or entire chains. In addition, attackers are increasingly turning to ‘triple’ extortion: a ransom demand to decrypt systems, a threat to publish data if the ransom is not paid, and ransom demands against customers, suppliers and partners of the organization concerned.
Although the resilience of Dutch companies is increasing, IT security is still inadequate. According to a survey conducted by the insurance company Aon last year, the majority of Dutch companies do not take sufficient measures to increase the security of their systems. And the auditing firm BDO would like the attention to IT security to be reflected in the upcoming update of the Corporate Governance Code.
The level of development of IT security in Dutch companies still leaves much to be desired, the report states. ‘According to the Dutch Security Council (OVV), the gap between the size of the threat and digital dependence is on the one hand and society’s resilience to it on the other. Reports from the Cyber Security Council (CSR) and the OVV also point to fragmented incident control, inadequate supervision and inadequate information sharing.’