One in three small businesses doesn't do automatic updates


Although the data from the CyberSafe Check does not come from a scientific study, the high response rate can provide insight into the behavior surrounding the execution of automatic updates in the various sectors. The CyberSafe Check tool had to be completed last year by, among others, small companies that wanted to use the My Cyber-resilient Business subsidy.

The recently published CBS Cybersecurity Monitor shows that companies that are more involved with ICT or have a major interest in securing their data, such as the ICT sector or the financial sector, generally take more basic measures than companies in sectors where this seems less important. The CBS Cybersecurity Monitor has not published any figures about companies' update policies after 2020.

Information and communications sector most often sets automatic updates

The 'information and communications' sector most often reports having automatic updates set up on all internet-connected devices. Nearly three-quarters (73%) of entrepreneurs in this sector have set up automatic updates. Entrepreneurs in the 'business services' and 'financial services' industries also score relatively high on this at 66%.

Agriculture, forestry and fishing sectors are the least likely to set automatic updates

Entrepreneurs in the 'agriculture, forestry and fishing' sector are the least likely to set up automatic updates. Just over half of this sector (55%) has done this, followed by 'real estate' (57%), and 'industry and energy' and 'trade, transport and catering' (both 58%).

More than one in three small businesses do not have automatic updates set up on all their internet-connected devices (36%). This is evident from data from the CyberSafe Check tool of the Digital Trust Center (DTC). The CyberSafe Check has been completed more than 9,000 times by self-employed people and SMEs from various sectors.

The CyberSafe Check for self-employed persons and SMEs has been specially developed for smaller companies that do not yet have much knowledge and experience in the field of cybersecurity. Within 5 minutes, entrepreneurs know what they can do today to get started with the digital security of their company. At the end of the check, entrepreneurs download their own action list and get started with practical instructions and tips.

Update automatically

The CyberSafe Check inventories the extent to which self-employed people and SMEs take the basic measures that form the foundation of their cybersecurity. One of the questions asked in the tool is: “Is automatic updating enabled on all internet-connected devices?” Software updates often contain important improvements and security updates for the user. Delaying the installation of security updates can leave your device vulnerable.

Adversaries are actively looking for ways to get in through these types of security holes. The advice for self-employed people and small SMEs is therefore not to wait to update devices that are connected to the internet, and preferably to set up automatic updates. This includes not only your computer or smartphone, but also your printer, smart doorbell, routers and other smart devices that are connected to the internet.


Secure digital business

As an entrepreneur or security manager, would you like to receive notifications of serious cyber threats to companies in your mailbox? Then join the DTC Community.
To support entrepreneurs, there is also a wide range of cybersecurity information and a toolbox with cyber tools. Want to test whether you already have the basics in order? Take the CyberSafe Check for self-employed persons and SMEs or the Basic Cyber Resilience Scan.

Internet consultation Cyber Security Act (NIS2) closed

As of today, July 2, 2024, the Internet consultation of the Cybersecurity Act is closed. The consultation period ran from May 21, 2024 to July 2, 2024. The bill converts the European Network and Information Security Directive (NIS2) into national legislation. This directive aims to strengthen digital and economic resilience against increasing threats.

In order to involve the largest possible group in the development of legislation, citizens, companies and institutions could make suggestions via internetconsultatie.nl for improving legislation and regulations. There were 111 public responses to the consultation.

Reactions received

After the consultation period has closed, a further assessment will be made as to whether – and how – the bills should be amended. The result of the consultation and its processing will in any case be stated in broad terms in a report on this website.

The ministries involved and the NCTV are currently also working together on the General Administrative Order, a form of subordinate legislation in which the law is elaborated in more detail. Among other things, the responses to the bills received via the internet consultation serve as input for what is further elaborated in the General Administrative Order. This applies to the Cybersecurity Act and the Critical Entities Resilience Act.

The Cybersecurity Act

The Cyber Security Act is the national legislation arising from the European Network and Information Security Directive (NIS2 Directive). The aim of this bill is to strengthen digital and economic resilience against increasing threats. The law will apply to companies and organizations that are active in certain 'critical' sectors and have a certain size. The Cyber Security Act replaces the Wbni.

The Cyber Security Act is the successor to the so-called Network and Information Systems Security Act (Wbni) and contains a number of changes compared to the Wbni. First of all, the number of sectors and therefore the number of organizations that will fall under the law has been expanded. The bill also contains rules in the areas of duty of care (cybersecurity measures), reporting obligation (reporting incidents), and monitoring compliance.

Who does the Cybersecurity Act apply to?

Wondering whether your company must comply with this new law? Do the quick check "Who does the NIS2 apply to?" or go through the NIS2 Self-Assessment Tool to find out.

Prepare yourself in advance

A resilient digital Netherlands is always important. Now and in the future. There are many measures that organizations can take now, even before they are required to do so by law.

The measures that organizations must take based on their duty of care take time and attention. That is why the Digital Trust Center advises organizations not to wait until legislation is introduced, but to make preparations in advance. View the NIS2 starting point with 10 measures that…

Cybersecurity Monitor 2023: smaller companies take fewer measures

The Central Bureau of Statistics (CBS) has released the Cybersecurity Monitor. Here, CBS reports on the cyber resilience of companies and households in the Netherlands. The Cybersecurity Monitor is partly made at the request of the Ministry of Economic Affairs and Climate (EZK). Below, the Digital Trust Center (DTC) zooms in on a selection of the most important findings for the Dutch business community, from self-employed entrepreneurs to large companies in the healthcare, financial services, hospitality, ICT and industry sectors.

The conclusion we can draw is that smaller companies are less cyber resilient than large companies. Small companies take less action than large companies on all requested (basic) measures, which makes them vulnerable to cyber incidents. But there is also good news: the number of cyber incidents experienced by the business community is once again lower than the year before. This also applies to the number of ransomware attacks.

 

Cybersecurity measures

Larger companies are taking more measures against cyber threats

A company's cyber resilience level increases as more measures are taken. This year, for the first time, we are seeing a slight decrease in the number of companies with two or more employees that are taking half or more of the requested cybersecurity measures.

Statistics Netherlands shows that each measure is taken more often by larger companies than by smaller companies. This shows that the 'difficulty' of a measure has a clear effect on the degree of use, especially in smaller companies. For example, the difference in the use of a Virtual Private Network (VPN) between micro companies (2-10 employees) and large companies (250+ employees) appears to be enormous: 25% compared to 81%. This trend also continues when looking at self-employed people, who score slightly lower than micro companies.

ICT security measures taken per company size. Source: CBS tables

The ICT sector and healthcare score well on cybersecurity measures

Companies that are more involved with ICT or that have a major interest in securing their data, such as the ICT sector or healthcare, score better in the field of cybersecurity than sectors where this seems less important.

ICT security measures taken per sector with 2 or more employees. Source: CBS tables

 

Cybersecurity incidents

The number of ICT security incidents is decreasing

The total number of ICT security incidents with both internal and external causes has decreased. This downward trend applies to all company sizes and has been ongoing since 2020. For example, in 2016, almost 40% of the largest companies had an ICT security incident due to an external attack, while in 2022 this was only 18%.

ICT security incidents with an internal cause (a) or an external attack (b) per size class. Light-colored part: incidents with costs. Source: CBS tables

Larger companies are more likely to be victims

Large companies consistently experience more incidents than small companies over the years. This applies to both internal incidents and incidents resulting from an external attack. There may be several causes for this pattern. In the event of internal incidents, such as failure of ICT systems due to hardware or software failures, large companies often have a larger and more complex ICT infrastructure.

The number of companies with ICT security incidents is decreasing, and this decrease is visible for companies of all sizes. A third of these incidents appear to be associated with costs; this applies to incidents with both an internal and an external cause. In 2022, these costs were in most cases less than 1% of company turnover.

Ransomware attacks are declining

The 2022 survey shows that the number of companies that have fallen victim to a ransomware attack has decreased. In percentage terms, larger companies suffer more from ransomware attacks than smaller companies. There is an increase in the number of ransomware attacks in the IT sector and among self-employed entrepreneurs.

Percentage of companies that have suffered a ransomware attack by company size. Source: CBS tables

Of all companies with 2 or more employees that suffered a ransomware attack, 37% called in a cybersecurity company. A smaller share (18%) went to the police. This percentage decreases as we zoom in on smaller companies.

Subsidy for Strengthening Cyber Resilience partnerships

Today, Minister of Economic Affairs and Climate Policy Micky Adriaansens announced that the Strengthening Cyber Resilience subsidy scheme will be reopened from 2 September 2024. Through this subsidy scheme, the Digital Trust Center (DTC) encourages public-private partnerships to take action to improve the cybersecurity of sectors, regions and chains. This year, for the first time, the subsidy scheme will also be open to the Caribbean Netherlands.

Joining forces on cyber resilience

The aim of the subsidy scheme is to create networks in which members can put their knowledge and skills in the field of cyber resilience to good use. In a cyber resilience network, entrepreneurs enter into long-term collaboration with other organizations to step up cyber resilience, within and between non-vital industries, sectors and regions.

In 2024, a total sum of 600,000 euros is available for the best project plans developed to improve cyber resilience among companies. The maximum funding per project is 150,000 euros. The Netherlands Enterprise Agency (RVO) is responsible for implementing this subsidy scheme.

Since it was first launched in 2018, the scheme has awarded grants to 37 collaborative projects. Learn more about the projects that received a subsidy in 2023 or in previous years.

Submit your project

Do you have a good idea or plan for improving the cyber resilience of companies in your industry, sector or region? If so, your project may be eligible for the 2024 Strengthening Cyber Resilience subsidy scheme. More information on the application process and conditions will soon be available on the Netherlands Enterprise Agency website.

Plans can be submitted to the Netherlands Enterprise Agency from 2 September to 14 October 2024.
