Companies and institutions can protect themselves against cyber attacks with “5 basic principles of digital resilience,” says the National Cyber Security Center (NCSC) on its website. “With relatively simple steps you often make your organization a lot more digitally resilient,” according to the NCSC.
But, warns Ronald van der Zon, coordinating adviser at the NCSC: “One hundred percent protection against cyber attacks is not only impossible, it is also undesirable.”
About twenty years ago, Van der Zon says, you could still see the IT landscape as a collection of castles with a drawbridge. Companies had their own security system, the system administrator set its boundaries on the basis of what was technically possible, and the rest of the company had little to do with it.
“Nowadays that is completely different: IT needs now come from all sides. The needs of the business are now central. Instead of a castle, the IT system now resembles a shopping center where everyone walks in and out.” That requires a new approach to cyber protection.
Decisions in security
“It is no longer possible to race from incident to incident and say: we will make sure this can never happen again,” he continues. “The discussion should be about what level of security you want to aim for. Because security costs money, a lot of money, and also has other consequences. Security measures can make collaboration less efficient.
“If we as the Netherlands want to be entrepreneurial, to be able to compete with the rest of the world, it is probably not desirable to strive for one hundred percent cyber security. Entrepreneurship comes with risks; the question is which risks you find acceptable.”
Whereas in the past cyber security policy was set by imposing hard requirements, such as the use of strong passwords, the complex environment in which IT operates today, according to Van der Zon, calls for flexible risk management tailored to the circumstances. “You can say: everywhere in healthcare, to establish the identity of the person who logs in, we only work with two-factor authentication [where a second identification step is required in addition to a password]. But in an emergency department, where speed is sometimes essential, that can be too cumbersome and you have to come up with something else.”
Security measures cost money, a lot of money, and can also lead to collaboration becoming less efficient
Digital resilience does not consist only of preventing cyber attacks and data breaches, Van der Zon emphasizes. Three other things are at least as important: detecting intrusions into the system, responding to them in the right way, and repairing the damage sustained. “If an attack could not be prevented, a lot of attention always goes to the first point: why could this not be prevented. But those three other points deserve more attention. If someone breaks into your system, but you know how to solve the problem within a few minutes, you limit the risk considerably.”
Healthcare
In addition to the NCSC, four specialized teams have been established that can provide assistance with cyber incidents: for municipalities, water boards, educational and research institutions, and healthcare.
Z-CERT, the expertise center for cyber security in healthcare, based in Rijswijk, has updated its “Ten tips against ransomware” in response to the recent ransomware attack on the Clinical Diagnostics lab. These tips partly overlap with those of the NCSC, but go a little further. One tip, for example, concerns backups of important data: keep “three copies of your data, on two different storage media, and one copy offline”.
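As an added illustration (not part of the article or of Z-CERT's tips), the following Python check evaluates a constructed backup inventory against the 3-2-1 rule just quoted; the copy names and medium labels are assumptions.

```python
# Added example, not from the article or Z-CERT: check a backup inventory
# against the 3-2-1 rule quoted above (at least three copies, on at least two
# different storage media, with at least one copy offline).
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    location: str   # where the copy lives (hypothetical names)
    medium: str     # storage medium class, e.g. "disk", "tape", "cloud"
    offline: bool   # True if not reachable from the production network


def check_3_2_1(copies):
    """Return (ok, findings) for the 3-2-1 rule.

    The production copy counts as one of the three, as the rule is usually
    applied; the offline copy must be a real, separate copy.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(media) or 'none'}), need 2")
    if not any(c.offline for c in copies):
        findings.append("no offline copy: ransomware reaching the network can encrypt every copy")
    return (not findings, findings)


# Constructed sample inventories: one that fails and one that passes.
WEAK = [
    BackupCopy("prod-san", "disk", False),
    BackupCopy("nightly-snapshot-same-san", "disk", False),  # same medium, still online
]
STRONG = [
    BackupCopy("prod-san", "disk", False),
    BackupCopy("offsite-object-store", "cloud", False),
    BackupCopy("weekly-tape-in-safe", "tape", True),  # the offline copy
]

if __name__ == "__main__":
    for name, inventory in (("WEAK", WEAK), ("STRONG", STRONG)):
        ok, findings = check_3_2_1(inventory)
        print(name, "OK" if ok else "FAIL", findings)
```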
“Cyber resilience is not necessarily different for healthcare than for other sectors,” says Z-CERT director Wim Hafkamp. “But we have a very complex infrastructure in the Netherlands, in which hospitals and other healthcare organizations have outsourced many tasks. Moreover, a lot has been digitized in recent years. This can lead to vulnerabilities. Because sensitive personal data are also at stake, healthcare is a popular target of cyber criminals. Directors have to realize that.”
Z-CERT sees that not all healthcare institutions have taken sufficient security measures. According to Hafkamp, for example, fixes for software vulnerabilities are often not rolled out quickly enough. “Your system must be set up in such a way that it can implement adjustments seven days a week, 24 hours a day.”
Hafkamp also considers it important to train staff not to click on suspicious links in e-mails. “You have to keep practicing continuously. As a result, the chance that someone falls into the trap gets smaller and smaller. But a criminal needs only one person who does fall for it. That is why you are always a bit behind. It remains a matter of everyone paying attention, every day.”
When large cyber attacks become known, this often leads to a lot of publicity, “and hopefully that works as a wake-up call for organizations,” says Hafkamp. “I have a background in information security in the financial sector, and there you saw the same process: the rise of fraud via internet banking led to awareness and a stricter approach from the regulator. I expect the same to happen with cyber security in healthcare.”
We are in principle against paying ransom. That keeps the criminals’ system going
Hafkamp does not want to comment on the recent theft of medical data from the Clinical Diagnostics lab or on the question of whether ransom was paid there. But in general, he says, “we are in principle against paying ransom. Because if criminals can earn money from it, you keep their system going.”
Hafkamp does add a caveat: “It can really be a dilemma. For example, if large-scale social disruption arises because an institution can no longer access its data. Or if there is a danger to patients. In such cases, I can imagine that an organization still pays ransom.”
Decline
Private cyber security companies play an important role both in strengthening digital resilience and in responding when something goes wrong. Stefan van den Braak, account manager at the cyber security company NFIR, has seen a decrease in the number of cyber incidents in recent years. According to him, this is due both to greater awareness of the risks and to stronger security measures. But there is still a world to be won.
“Of all incidents, 65 to 70 percent are caused by human error: a weak password, something like ‘Welcome2025’, or someone who has clicked on a phishing mail. It is important to practice with your entire team to prevent that.
“Because of the large cases that occasionally come to light, you get a bit more awareness now and then, but that should become structural. For example, you should think about cyber security for fifteen minutes every month. We have experienced that employees of companies do not even know where to report a phishing e-mail. Or whether they bother to do so at all.”
The services of cyber security companies such as NFIR also include the use of so-called ‘ethical hackers’, who proactively look for vulnerabilities in the digital systems of clients. “Sometimes we get access to the account of one user and then see, for example, whether we can reach all the data from there.” If that turns out to be the case, the client has probably taken an unnecessary risk. Such a risk is easy to reduce by restricting what such accounts can access in the system.