monticellllo - stock.adobe.com

Dutch critical infrastructure at risk despite high leadership confidence

Stark paradox in Dutch cyber security landscape has business leaders expressing high confidence in their IT infrastructure as cyber attacks rise

While Dutch business leaders are highly confident in their IT infrastructure, recent incidents and statistics paint a more concerning picture of the country’s critical infrastructure vulnerability. 

According to Kyndryl’s Readiness report 2024, 91% of Dutch business leaders believe their IT infrastructure is top-tier, exceeding the global average of 90%. However, only 36% feel prepared to manage future risks, highlighting a significant disconnect between perceived and actual security readiness. 

“The IT Readiness report 2024 reveals a significant gap between confidence in current capabilities and actual future readiness, which serves as a clear call to action,” said Rob Bravenboer, managing director of Kyndryl Netherlands, in the report. “From my conversations with customers, it’s clear that while companies are aware of the risks of cyber attacks and regulatory requirements, many are still in the early stages of taking proactive measures to address these threats.” 

This disconnect becomes even more concerning when considering that cyber security tops the list of concerns among Dutch business leaders, with 55% expressing worry about cyber attacks, yet only 25% feeling adequately prepared to address them.

Furthermore, 94% of these leaders indicate that technological modernisation is a high priority for their companies. However, Kyndryl’s data shows that 54% of business-critical IT infrastructure is either outdated or will be obsolete soon, increasing vulnerability and creating obstacles to modernisation. 

Critical infrastructure exposed 

Recent investigations have unveiled alarming vulnerabilities in critical infrastructure in the Netherlands. An investigation by RTL News revealed that tens of thousands of traffic lights across the Netherlands are susceptible to remote hacking. This situation cannot be fully remedied until at least 2030. The vulnerability was discovered by 29-year-old ethical hacker Alwin Peppels, who found a way to manipulate traffic lights remotely through their connection systems with emergency services. 

“This is a dangerous vulnerability that exposes a fundamental problem in our digitised society – many of our systems were built in an era when the digital world wasn’t hostile,” said cyber security expert Dave Maasland at ESET in the RTL News report. “In these times of geopolitical unrest and tension, these systems suddenly surface. This time it’s traffic lights; next time, it could be a lock or dyke.” 

The rising number of attacks in the Netherlands calls for organisations across all sectors to examine their cyber security solutions and prioritise cyber security critically
Zahier Madhar, Check Point

The traffic light vulnerability exemplifies a broader issue within critical infrastructure security – one that KnowBe4 has extensively documented in its Global infrastructure report 2024. Martin Krämer, security awareness advocate at KnowBe4, emphasised the scale of the threat: “The Global infrastructure report 2024 paints a disturbing picture, with over 420 million attacks on critical infrastructure registered between January 2023 and January 2024 – averaging 13 attacks per second – a 30% increase from the previous year.” 

These findings align with Check Point Software Technologies’ latest statistics for the third quarter of 2024. According to Check Point’s research, Dutch organisations faced an average of 865 weekly cyber attacks – a staggering 69% increase. The healthcare sector proved particularly vulnerable, experiencing an average of 2,881 attacks weekly, followed by the consultancy sector, with 1,542 weekly attacks, and government/military institutions, with 1,000 attacks per organisation per week. 

The attack vectors are diverse. Check Point’s analysis revealed that 61% of all vulnerabilities in the Netherlands involve “information disclosure”, potentially exposing sensitive data to unauthorised users. Most malicious files (58%) are transmitted via web channels, while 42% arrive by email, demonstrating the multifaceted nature of these threats. 

KnowBe4’s research highlights a concerning trend – the increasing use of cyber attacks as a weapon by geopolitical adversaries such as Russia and China to cause societal disruption. “These cyber attacks are not just about gathering information but aim to gain control over systems to cause disruption,” said Krämer. “In light of these threats, it’s crucial that the Netherlands and other countries continue investing in digital innovation and its security.” 

When examining specific concerns, the contrast between leadership confidence and operational reality becomes even more pronounced. The Kyndryl report reveals that while 94% of Dutch executives prioritise technological modernisation, 54% of business-critical IT infrastructure is either outdated or approaching obsolescence, increasing vulnerability and creating modernisation obstacles. 

Beyond the previously mentioned cyber security concerns, Dutch business leaders face additional operational challenges. The skills gap presents a significant hurdle, with 67% of leaders worried about skill shortages, while just 37% believe their systems can effectively respond to this challenge. 

Building cyber resilience 

KnowBe4’s Krämer emphasises the need for a comprehensive approach. “Besides contributing to technical solutions, cultivating a strong security culture within organisations managing critical infrastructure plays a key role. Regular security training and awareness programmes can help increase resilience against cyber attacks,” he said.

Combining technological and human-focused security measures, this holistic approach is essential for improving overall cyber resilience and protecting critical infrastructure against evolving threats. 

Cultivating a strong security culture within organisations managing critical infrastructure plays a key role. Regular security training and awareness programmes can help increase resilience against cyber attacks
Martin Krämer, KnowBe4

Organisations are taking steps to address these challenges, with the Kyndryl report highlighting that Dutch business leaders are focusing on three main areas: investing in employee training and development programmes (48%); upgrading IT infrastructure (40%); and strengthening regulatory compliance (33%). 

“The rising number of attacks in the Netherlands calls for organisations across all sectors to examine their cyber security solutions and prioritise cyber security critically,” warned Zahier Madhar, security engineer expert at Check Point. “The impact of a cyber attack can be incredibly far-reaching and causes more serious disruptions to daily operations than ever before.” 

As the Netherlands continues to grapple with these challenges, the gap between perceived security and actual vulnerability needs to be addressed urgently. The traffic light vulnerability, while concerning, represents just one of many potential weak points in the nation’s critical infrastructure. From water management systems and energy networks to transportation and healthcare, the increasing digitisation of vital services creates new attack surfaces for malicious actors.  

With cyber threats evolving and intensifying at an unprecedented rate – as evidenced by Check Point’s reporting of a 69% increase in attacks – the confidence of Dutch business leaders must be matched by concrete action to strengthen critical infrastructure security. 

Read more on Web application security