The common interest in cyber security is clear. A company wants to keep its business operations going; the AIVD uses cyber security to keep the gates closed to attackers who disrupt Dutch society.
Both "BV Nederland" (the Netherlands as a business community) and the AIVD are increasingly occupied with this. On the one hand, there are criminals who break into computer systems out of self-interest. On the other hand, think of foreign powers. That is the national dimension of the publication by the NBV, the National Bureau of Connection Security.
Cyber criminals really aren't just looking for money. Does your company possess technology, distinctive knowledge or vital infrastructure? Then cyber security deserves the full attention of everyone, at every level.
Think in risks
Let us assume for a moment that this knowledge has already reached the boardroom. But what about awareness in the other business units? That is the guiding idea behind the first principle: Risk Thinking.
Making policy on cyber security does not mean that the entire enterprise has to sit under a crippling blanket of security measures.
You may be able to prevent an attack that way, but in the meantime a rigid policy is killing your turnover. Nor does it make the workplace itself any more pleasant. Effective cyber security is therefore not one size fits all. It is tailored work.
Not a fence for everything
The NBV therefore recommends making a balanced assessment of the risks. Crown jewels are locked up; in other places an acceptable residual risk is sufficient.
To stay with the metaphor: you estimate that risk by drawing a treasure map before the attackers do. What do the crown jewels look like? And what does the route to them look like?
The answers to these questions are homework for the organization. You can only protect sensitive knowledge and resources if you, as an organization, know which data that is. Therefore, identify them across the entire organization and treat them accordingly.
Cyber security before it's too late
The second principle of the NBV is called Assume Breach, and it heads off the discussion after the fact. It answers the question 'what if?'
Suppose a cyber attack succeeds: what plans are there to limit the consequences? Running around in panic won't help; shortening the impact and the duration will.
Which colleague can you call day and night once you have been hit? Who directs that person? And because no company manages everything in-house: which external parties need to be lined up? What are they going to work on?
In such a situation, a backup is a valuable accelerator of the recovery process. If you are forced to start again from scratch, you start from such a backup.
The obvious action point is therefore that a backup must be available, and preferably as current as possible.
Cyber security: you never run out of things to read about it. But with reading alone, your corporate network remains a target for hackers, phishing, and ransomware.
Keep working on your cyber security
The third principle is simple, clear and perhaps the most difficult: continuously improving your cyber security. Government services now speak of two types of society: the physical and the digital.
The digital facilitates the physical and makes work and daily life more pleasant and easier, provided that you keep malicious people out.
The digital society is getting bigger and therefore more complex, and therefore more vulnerable. Malicious actors carry out more attacks and constantly change their approach.
The approach in 5 bullets
- Use security from reputable suppliers
- Pay attention to professional configuration
- Maintain the software and hardware continuously
- Make sure the tasks are embedded in the organization
- Have the work performed by well-trained IT professionals with the right attitude, who continuously point out the need for cyber security to other colleagues