Turbulent times, unforeseen effects
The NCTV (National Coordinator for Counterterrorism and Security) released it's Cyber security assessment Netherlands 2024, with the title: “Turbulent times, unforeseen effects”
The cybersecurity assessment for 2024 has three main findings:
- The digital threat to the Netherlands is huge and diverse. Cyber attacks mainly come from governments (state actors) and cyber criminals. Governments use cyber attacks as one of the components of their toolbox to protect their interests. Criminal groups act opportunistically and carry out attacks on a large scale. The failure of large-scale digital processes is therefore a threat;
- Digital risks require a comprehensive approach. Risks are dynamic and are influenced by many different factors. The high level of digitization in the Netherlands ensures that risks become interrelated;
- The safety of digital processes is and remains essential in our society. This is therefore inextricably linked to national security. The importance of digital safety competes with other interests. An important development is the anchoring of digital safety in new European and Dutch laws and regulations (such as NIS2, Cybersecurity Act and Cyber Resiliency Act).
Digital safety is a precondition for trust in digital processes
In addition to the three main findings, the report also has a number of other interesting points:
- Bad actors often choose the path of least resistance. They still go for attacks that provide relatively easy and fast access;
- Digital safety is a precondition for trust in digital processes. Trust is necessary for the use of digital processes. Only with confidence can organizations and individuals deal with the many uncertainties. The NIS2 quality mark can play a role in this. Suppliers to NIS2 organizations can thus demonstrate that they have implemented basic cybersecurity measures. For larger organizations, third party assurance reports such as a SOC2 can help;
- Ransomware is still widely used. Some actors focus on extracting data, and are threatening to publish it instead (or in addition to) encrypting data (double extortion);
- the shortage of cybersecurity experts has an impact on the digital resilience of the Netherlands;
- Smaller, non-essential organizations can be an attractive entrance for malicious parties to vital (essential or important) organizations;
- In 2023, 178 ransomware attacks were reported to the Data Protection Authority (AP). The list of victim organizations is exponentially larger;
- Z-CERT states that providers of healthcare institutions are affected more often than healthcare institutions themselves.
.png)