Cyber security in a changing landscape


A Deloitte perspective by Frank Groenewegen

Not a week goes by without some sort of cyber attack on a Dutch organisation. In this blog, Deloitte expert and partner Frank Groenewegen shares his take on the current and future cyber security landscape, based on our 2021 report “Cyber security in the Netherlands: a responsibility we share”. What are the most substantial cyber threats? Why are cyber threats increasing? And how should you prepare and respond?

What are the most substantial threats?

According to our survey, 40% of our respondents state that “data leakage” is their number 1 digital threat. Attacks like these pose an immediate threat to your business continuity. Actually, my personal ranking would be different. In my list, the number one digital threat would be a ransomware attack, with criminals stealing and encrypting data and demanding huge ransoms to restore them. Second on my list would be an attack from a nation state. Spies today are not only breaking into government entities to steal classified information. They also attack corporates to steal confidential (customer) data and intellectual property, or even destroy a corporate’s network and bring its business to a halt. I share the worries of 50% of the surveyed organisations with regard to managing cyber risks introduced by third parties. Hopefully, the SolarWinds incident has opened our eyes once again and brought the whole third-party risk discussion back on the table. It’s a good idea to offer suppliers help with improving their cyber security, but it’s impossible to fully control what’s happening outside your own organisation. A zero-trust approach remains best if that’s possible, besides having mature detect and respond capabilities.

Why cyber threats are increasing

Respondents are right in perceiving an increasing proliferation of threats. Criminals can earn far more with hacking in cyber space than burgling homes and businesses in the physical world – and the risk of getting caught is far lower. But I don’t believe digital threats are becoming more sophisticated overall. Some attacks are very clever and sophisticated, and I enjoy analysing and responding to them. In most cases, though, there’s no need for sophistication, since easy hacks are still effective and lucrative. In my view, it’s organisations themselves that are becoming more complex. They create, change and upgrade their infrastructure repeatedly with new systems, interconnections and patches. Meanwhile, they lack a clear overview of their systems, their patch level, or of what accounts have access to what data. Attackers only need to find one vulnerability or mistake to gain access, and in a labyrinth like this, it’s not hard to find one. Once a hack takes place, the time it takes for organisations to detect it is still too long. In recent cases the victims had no idea until they were tipped by a cyber security company or a law enforcement agency.

Focus on the basics first

So rather than preparing for future threats like quantum computing, organisations would do well to focus on the basics first. And organise regular cyber “fire drills”, with ethical hackers, not only to keep staff aware but also to test and improve their digital resilience. Even when the basics are mature for the risk profile and risk appetite that an organisation has defined, sooner or later every organisation will experience a cyber security breach. So, it’s also smart to think about your response. My advice is not to dwell on fear of reputational damage, but to share information and lessons learned. The sooner society knows about a cyber threat, the easier it is to eliminate it. The aviation industry sets a great example in this respect: after a crash or a near-crash, all the information is immediately shared, and an independent institution will start an investigation. That’s the mindset that will make cyber space a safer place.

About the Dutch cyber security survey report

Recently, Deloitte Netherlands launched “Cyber security in the Netherlands: a responsibility we share”, a report based on a survey with 544 respondents: CxO executives (including CEOs, CISOs, CSOs, CTOs and CIOs; 70%) and IT professionals (30%). The report dives into several questions, such as: where are Dutch organisations currently when it comes to cyber security? What do CISOs worry about? How do they envision the future? How do they feel about making the Dutch digital ecosystem more secure? Part of the survey is dedicated to the perspectives of Deloitte’s experts, including the writer of this blog: Frank Groenewegen.

About Frank Groenewegen

Frank Groenewegen is a partner at Deloitte Cyber Risk Services. He has over 15 years of experience in the field of cyber. He recently joined Deloitte from the position of Chief Security Expert at his previous employer. He is a well-known media presence who is frequently invited to discuss various cyber security topics.
