CSBN 2023: Digital threat to the Netherlands undiminished

the editorial team

7 October 2023

Every organization must be prepared for unexpected attacks, warns the National Coordinator for Counterterrorism and Security (NCTV), who published the Cybersecurity Assessment of the Netherlands (CSBN) 2023 early this month. The CSBN reflects the trends, incidents, threats, and challenges in cybersecurity within our national security.

There is a mismatch between the increasing threat and the development of resilience. Closing this gap remains a task, according to the report’s authors. While threats continue to grow, digital resilience is not yet up to par everywhere. This cyber resilience gap is partly explained by the fact that basic measures are still not adequately implemented. These include using MFA and creating and testing backups. Implementing security measures is often seen as a cost and applied reactively.

Cybercrime is an attractive revenue model. This is certainly true of encrypting files and threatening to publish captured information. The professionalization and commercialization of criminal tools and services is increasing, with the result that even technically less skilled criminals can easily carry out attacks. Due to the interconnectedness of our digital ecosystem, virtually every organization is a potential target – accidental or otherwise.

Operational technology plays a central role in controlling, monitoring, and managing physical processes within organizations. Its security is crucial, but it faces major challenges. The industrial Internet of Things (IIoT) plays an increasingly important role as well and, as a result, is also vulnerable.

Almost all organizations are in some way part of a larger ecosystem in which it is difficult to get a handle on dependencies and vulnerabilities. Yet these form a substantial part of digital risks.

Although organizations can do a lot about digital resilience, cyber incidents can still occur, and damage is not always preventable. However, the insurability of digital risks is under pressure, which can exclude organizations with elevated risk profiles or increase premiums. As a result, even financially sound organizations can go under because of the damage they suffer from cyber incidents.

The EU is increasing digital security requirements with new laws and regulations. For example, the NIS2 directive defines which companies must meet which mandatory security requirements. This directive will bring more organizations under the scope of the Network and Information Systems Security Act (Wbni) than at present. The NIS2 directive has implications for requirements on risk management, the use of encryption, and an obligation to handle data breaches and report cybersecurity incidents.

NIS2 chain partner organizations will also face the effects of implementation. The NIS2 directive will be implemented in the Netherlands through the Wbni in 2024.