"Security is about the continuity of your business"
Today saw the start of KPN Security’s 3-day event NLSecure[ID]. The event was opened by the outgoing Minister of Justice & Security, Ferd Grapperhaus. He fully endorsed the objective of this meeting for the entire IT community: working together to make the Netherlands more secure. For three days, various security experts and top speakers from home and abroad are sharing their knowledge with almost 2,000 participants. That sharing is crucial in terms of enhancing digital resilience in the Netherlands. So this is the ideal time to talk with KPN Security director Marcel van Oirschot about the current status of digital security in the Netherlands.
The world has changed enormously since March last year. What impact has COVID-19 had on cybercrime?
“Cybercrime is a structural game of cat and mouse and 2020 was an extremely interesting year for criminals. COVID-19 forced society to speed up the push for digitalization. It became even clearer to everyone that we all rely on digital connections 24/7 – from the local baker to large organizations. Cybercriminals have known this for a long time and were able last year to make optimum use of the situation. Their strategy is to use means such as phishing e-mails to mislead as many people as possible about a major topic of current interest. The Euro 2020 Football Championships and the Olympic Games are among such topics. They didn’t go ahead, but instead there was an even more important topic that criminals could use: COVID-19. In combination with the exponential growth in the numbers of people who were active online, a huge attack surface was created. And that is precisely what cybercriminals are looking for. The bigger the attack surface, the greater the chances of success. That is an essential part of their earnings model. A cybercriminal is never out of work!”
Where in particular did companies go wrong?
“One reason was that in no time at all masses of people started working in the cloud. That shift couldn’t be controlled because suddenly almost everybody had to work from home. Many companies had to arrange this very quickly, so makeshift solutions were sometimes chosen. That’s very worrying. Now is the time for companies to organize their infrastructure and security more structurally and more professionally. They have to set up the basics properly, otherwise they are asking for trouble. Most security incidents occur simply because the basics were not right.”
“Now is the time for companies to organize their infrastructure and security more structurally and more professionally.” Marcel van Oirschot, director of KPN Security
What do you understand by security basics?
“There are three pillars: people, process and technology. People means awareness and behavior. Knowing what it is you’re clicking on. Should you send things via a secure e-mail program or an app? For example, family doctors could mutually agree to e-mail patient data only via a secure platform such as KPN Zorg Messenger. But if that is not strictly enforced, it is hard in practice to resist the ease and speed of an app. Process relates principally to a clear policy for matters such as passwords, back-ups and patch management. And that leads us naturally to the third pillar, technology. After all, a process works only if you have the right technology available.”
You hear very little about incidents even though we know that many occur. Why is that?
“People think that it’s quiet at the moment in the world of cybercrime. The opposite is true. It’s just that it isn’t publicized. Companies are apparently ashamed to be a victim of cybercrime. I understand that it isn’t nice when it happens to you, but you don’t have to be ashamed. Absolutely everyone is a potential victim. That’s why I would like a lot more to be made public, such as the hack at the University of Maastricht. We can all learn from it; each time it’s a wake-up call for a few organizations to get their security basics in order.”
Awareness is an especially important issue. What is KPN’s role in it?
“Making people and businesses aware of the urgency of security cannot happen overnight. Entrepreneurs already have a lot on their mind, so we are engaging with them – and not just about security. The continuity of their business is at stake here. We put ourselves in their shoes and think about how and with what means we can keep their business running. We do that as a reliable partner, a large and stable Dutch company to which businesses can entrust their data with confidence. Awareness will also be a recurring theme in the next three days at NLSecure[ID]. As a security community we have a common goal: to make the Netherlands more secure. Knowledge sharing is crucial in enhancing digital resilience. It all begins with awareness.”
“Entrepreneurs already have a lot on their mind, so we are engaging with them – and not just about security. The continuity of their business is at stake here. We put ourselves in their shoes and think about how and with what means we can keep their business running.” Marcel van Oirschot, director of KPN Security
Finally, do you have something to give the reader food for thought?
“Definitely. I didn’t devise it myself but it’s so very true: There is no excuse for not getting your security basics in order. Private and commercial. You can no longer get away with saying you didn’t know security is important. The subject has been in the press often enough. So, always be aware of your vulnerability and the impact if things go wrong. Prevention is better than cure.”