tiero - stock.adobe.com

Dutch SMEs’ cyber security is insufficient

Nowhere in the Netherlands is digitisation as big as it is in small and medium-sized enterprises, but the sector still has a lot to do in terms of cyber security

Between 80% and 90% of small and medium-sized enterprises (SMEs) in the Netherlands do not comply with the rules of the EU’s General Data Protection Regulation (GDPR), which comes into force this year and will be strictly audited by Dutch privacy watchdog AP from 25 May.

If companies do not comply with the regulation, they could be fined up to €20m or 4% of their turnover.

Christian Oudenbroek, director at Brand Compliance, said many SMEs in the Netherlands will fall short of GDPR compliance. “We have many SME companies from the Netherlands and Belgium as customers and, from discussions and meetings we have had in recent months, I would say 80-90% of them are not ready for it.”

SMEs make up 90% of the Netherlands’ business world and so largely determine the country’s economic activities. Research by Capgemini and insurance company Interpolis has shown that many entrepreneurs in the country score well in the areas of physical security, access to the corporate network and security of the website, but they lack vision and policy in the organisation of business processes.

Many companies do not recognise the urgency of cyber security until an incident occurs, the research suggested.

Meanwhile, the number of SME victims of cyber crime is quite high, according to the baseline measurement of the cyber security in SMEs research group at The Hague University of Applied Sciences.

Rutger Leukfeldt, head of the research group, said he was shocked by the figures. “Some 20% of companies have been the victim of cyber crime and 21% have experienced an attempted digital attack,” he said. “This means that it does not just happen occasionally, and the risk that a company faces is no longer negligible.”

The baseline measurement marks the start of an in-depth investigation into how much cyber security Dutch SMEs employ. “More and more business processes use digital systems, we as a society are ever more digital, so we can only expect the number of cyber crime victims to rise,” said Leukfeldt.

Read more about cyber security in the Netherlands

The research is pursuing four strands. First, the researchers want more insight into the nature and extent of the problem, and the baseline measurement is part of that.

A second study is focusing on mapping the risk factors that increase or decrease the chances of a company being attacked. “Maybe we find that certain personal or business characteristics imply a higher or lower risk of attack,” said Leukfeldt.

Third, the research group wants to increase the resilience of SMEs. “With the input of the other studies, we want SMEs to know how to handle an incident, so damage and impact can be limited,” he added.

Finally, the research will look at whether, and how, the fight against cyber crime can be improved.

Cyber crime in SMEs is not just the problem of entrepreneurs, said Leukfeldt. “It is a societal problem in which the government, police and other organisations and agencies need to be involved,” he pointed out.

This year, the Dutch government is setting up the Digital Trust Centre (DTC), in which it works with entrepreneurs on digital security.

At the DTC’s launch last September, Henk Kamp, former minister of economic affairs, said: “Cyber security is the basis for a promising digital economy where entrepreneurs minimise risks in their processes and consumers are assured of reliable services and products. The Netherlands has a successful ICT sector, but knowledge and investments in cyber security are still insufficient for companies in other sectors.

“With the establishment of a Digital Trust Centre in 2018, the government meets the desire of companies to help them with up-to-date information about risks and advice on digital security.”

CyberSafe Netherlands

The security market can also play a role in helping SMEs fight digital criminals. A number of Dutch security service providers have recently joined CyberSafe Netherlands, a body that aims to increase the digital resilience of Dutch organisations and to increase quality and transparency in the sector itself.

“This is a young and complex market,” said Petra Oldengarm, director at CyberSafe Netherlands. “Customers tell us they find it difficult to estimate how they should protect their company against cyber crime. One supplier says this, another says that. We want to ensure we give customers an insight into the right measures to secure their company.”

CyberSafe Netherlands wants to do this by, among other things, establishing quality marks and a code of conduct for the industry.

“I would like to see us develop a model in which organisations, and certainly SMEs, can see what risk profile they have when it comes to cyber crime. A model that simply shows that if you have a company that meets these criteria, you run this risk and that it calls for certain measures,” said Oldengarm.

So Dutch SMEs have a lot to do in cyber security. For example, The Hague University’s baseline measurement shows that organisations are mostly affected by malware (30%) and phishing (10%). It is also striking that SMEs assess the risk of another organisation falling victim to cyber crime (41%) much higher than the likelihood of they themselves (20%) suffering such an attack.

And although most companies have taken technical measures. such as a firewall and antivirus software, they often forget to test and keep these systems up to date.

But, according to Leukfeldt, one of the biggest problems is that it is difficult to make statements about “SMEs”. “The SME does not exist,” he said. “There are so many different types of companies and branches, and one is doing better than the other when it comes to cyber security.

“But because of this diversity, it is also very difficult to suggest one approach that works for everyone. That is why it is so important to view this as a societal problem and get together with several organisations to ensure that SMEs become resilient.”

Read more on IT risk management