Blog: Cybersecurity month October: Keep your colleagues alert

Digital technology and networks (cyber) offer a very attractive way for malicious actors to put pressure on almost any organisation. After all, from a protected location, the whole world can be reached. Moreover, many systems are vulnerable, due to poor security of the technology itself, incorrect implementation, overdue maintenance, inattentive use or a combination of these. In addition, detecting and bringing these malicious actors to justice is extremely complicated.

The motives of malicious actors can mostly be grouped under the headings of 'demanding attention' or 'exerting pressure'. Drawing attention, for example, is about demonstrating the actor's skill, or his ideological goal. Exerting pressure often involves obtaining money or getting the attacked organisation to change its behaviour. To exert pressure, for example, ransomware is deployed, a denial-of-service attack is carried out or (threatened with) sabotage. And even if your organisation is not the target of an attack, it can still become a victim, for example because an attack is deployed in an untargeted way, or because a chain partner is affected by the attack and unavailable. In short: every organisation is a potential victim of cyber misfortune and should prepare accordingly.

What to do.
There are many tools outlining how to approach cybersecurity, from standardised ISO standards and NIST frameworks to lists of basics. They roughly boil down to the following:

• Know what you need to protect: what are malicious actors potentially after and what knowledge and systems are crucial for your organisation to continue to exist. In other words, what are your assets to protect?
• Make a plan to protect these assets from cyber threats. Outline measures you should take, and in what order. A roadmap. Keep in mind that this will not be a static plan, threats evolve and your plan should take that into account: cybersecurity is an arms race!
• Keep an eye on your assets. Know what is normal behaviour in your organisation and its digital systems, make sure you spot deviant behaviour quickly and can assess whether it is harmful behaviour or not.
• Make sure there is a plan for when something does happen that disrupts normal operations. How will you act then, which parties do you need and how do you reach them? Practice this also with the colleagues involved.
• Evaluate incidents and learn from them, adjusting systems, responsibilities and processes if necessary.

Who is next up?
We all are. Everyone who works with digital technology has a role, even if only to alert experts in case of deviant behaviour. Directors and internal supervisors also have clear roles, including around ensuring cyber security policies, culture and investment. It is important that roles are defined and that everyone knows clearly what role(s) they have. Only then can you be in control.

This blog is a summary of a more extensive article written primarily for directors. Share it with them and so give cybersecurity month a push in your organisation too!

I wish you a safe and resilient month!

Ronald Verbeek
Director
CIO Platform Nederland