third Cyber Security Assessment Netherlands - NCSC

5 Resilience: measures
This chapter focuses on the measures aspect of vulnerability
and outlines the most important developments
in the area of measures over the recent period designed
to strengthen the digital resilience of individuals, organisations
and society. The descriptions are based on open
sources and information provided by various parties.
5.1 National Cyber Security Strategy
One important source of measures in the area of the resilience of
the whole of Dutch society against cyber threats is the National Cyber
Security Strategy that will be revised in 2013. The activities described
in the first strategy have largely been implemented. [70]
The government’s ambition with the upcoming National Cyber
Security Strategy, with public and private commitment, is to outline
the vision with respect to growth, security and freedom for the
Netherlands. The strategy will also include an action programme
focused on resilience enhancement. An EU strategy and EU directive
for network and information security are being developed in
parallel. These will need to guarantee a high level of cyber security
in the EU. The Netherlands is one of the countries in the EU that has
already implemented the proposed EU measures or has them at the
planning stage.
5.2 Awareness
Raising and maintaining awareness of the risks in the digital world
and the perspective for action are crucial for cyber security.
Without awareness at every level (from administrators to employees
and consumers), other measures will quickly become less effective.
Partnership for Cyber Resilience
Increased awareness is expressed in the signing of the World
Economic Forum’s principles of international Partnership
for Cyber Resilience by a growing number of Dutch companies
[58: WEF 2012]
. In the past year, these included companies such
as TNO, KPN, Alliander, Schiphol Group, Unilever and Port
of Rotterdam.
local authorities, provinces, water boards, ministries and the
organisations that carry out work for them. [75]
»
Core assessment » 5 Resilience: measures
On the one hand, citizens are being given greater responsibility for
security than they can deliver. On the other hand, surveys show that
Dutch citizens have a relatively high level of trust in the security of
the IT infrastructure and the government’s role in this. [76] This trust
is one of the contributing factors to the high use of the internet and
services such as online shopping and banking.
From a European perspective, the Dutch are very savvy frequent
users and an above-average number of them claim to be reasonably
to well informed about the risks of cyber crime (54 per cent). [77] The
relatively limited number, from an international perspective, of
infections confirms the trust that Dutch citizens as end-users have
in their own resilience. [78]
Status of cyber security awareness in the Netherlands.
In November 2012, a survey by Motivaction on digital security
awareness among governments, vital sectors, (other) companies
and consumers was published.
[27: Motivaction 2012]
More than 80 per cent of all respondents claimed to know what
information is confidential and around two thirds said they
know what to do in the case of an incident. However six out
of ten employees admit to having sent sensitive information
through an insecure medium.
The report further concluded that there were noticeable
differences between the different groups. Vital sectors have the
best-embedded cyber security policy, followed by the government,
according to the report. However employees in the
government and local authorities have the greatest sense
of personal responsibility. The digital security policy is least
strongly safeguarded in local authorities. Local authority
officials give the lowest report mark for cyber security to the
organisation, to colleagues and to themselves.
Finally, Dutch consumers have a limited understanding of the
term cyber security, although they are aware of phishing as
a phenomenon, partly thanks to the intensive NVB campaigns.
Consumers believe that the biggest risk is of their personal
information being shared unwantedly through the internet.
»»»»»
Last year saw various international and national campaigns imple -
m ented, including Cyber Security Month (October 2012, ENISA),
Alert Online [71] (November 2012, coordination NCTV), the secure
banking campaign ‘Bank details and log-in codes. Keep them
secret’ [72] (NVB), Safer Internet Day February 2013 (DigiBewust) [73] ,
protect your company [74] (for SMEs, Netherlands IT) and setting up
of the taskforce Administration and Information Security in Services
in February 2013. The aim of this taskforce is to increase awareness
of information security and its management by administrators in
70 Letters to the House of Representatives concerning Progress of the National Cyber Security
Strategy, Second Chamber Documents 26 643 (e.g. no. 202, July 2012).
71 http://www.nctv.nl/pp/alertonline/
72 http://www.veiligbankieren.nl/nl/
73 http://www.saferinternetday.nl/
74 http://beschermjebedrijf.nl/
75 Meeting year 2012-2013, Chamber Document 26643, no 269.
76 TNO 2013; Capgemini, Trends in Security 2013, based on research by TNS/NIPO. These figures
are from before the series of DDoS attacks in April 2013. The effect of these is not yet known.
77 European Commission, Special Eurobarometer 390 Cyber Security, 2012.
78 Microsoft Security Intelligence Report, Volume 13, 2012.
37