Recently, David Knibbe, NN Group’s CEO of Netherlands Insurance, was interviewed by the Dutch Cyber Security Council magazine. Please read the English translation below.
Taking a stand for the safety of Small and Medium-sized Enterprises (SMEs)
The digitisation of our society is progressing at lightening speed. At the request of the Dutch Cyber Security Council, the CEO of PostNL, Herna Verhagen, has written a report that indicates that – in almost every sector of society – digital technology is the primary and most important means for processing and sending information, and for controlling processes. ‘It is a recognisable phenomenon; we see it reflected in Nationale-Nederlanden’s strategy. In summary: digital, personal and relevant. Before we develop a new service for customers, we ask the question if we can offer the new service digitally’, says David Knibbe CEO of Netherlands Insurance (‘Nationale-Nederlanden’) and Chairman of the Dutch Association of Insurers.
According to David Knibbe, a focus on digital security is extremely important for businesses. ‘Companies are becoming more information- and IT-driven. That means that top management should continue to address the protection of critical assets. In our case, the personal and financial data of our customers,’ he says. ‘Within NN, we have an over-arching security structure, which is implemented in every business unit. We have a Chief Information Security Officer, who is responsible for the overall security of NN Group. And there are local security teams, led by Business Information Security Officers, in every business unit.’
The right sparring partner
‘Centralised control and coordination are crucial for an effective approach,’ David continues. ‘That means that everyone – not just Boards of Directors and Supervisory Boards – must delve into security risks and must be aware of their responsibilities and liabilities. It applies to everyone within a company. After all, these are precisely the aspects that get plenty of media attention after a hack or a data leak. It also means that security officers should provide the top executives in their company with up-to-date information and relevant issues. For executives, these officers are useful advisors and sparring partners. Within Nationale-Nederlanden, we also use ongoing security scans and employ security guidelines that our businesses must meet in order to properly protect data. Think of encryption and supplementary digital surveillance. While in big companies, cyber security is often already well-established, most smaller companies still have some work to do.’
SMEs as an attractive target
The Cyber Security Council’s report suggests that in the Netherlands SMEs are less secure, and therefore an attractive target for cyber criminals. ‘Many entrepreneurs are not even aware that they’ve been attacked by hackers. Sometimes, hackers can be active within their systems for months, and may cause irreparable damage, before an entrepreneur finds out. It is therefore crucial that we better inform SMEs about cyber security. And by the way, it’s not enough to simply lay the responsibility for cyber-safe SMEs at the government’s feet. Even when extra funds are made available for that. Just look at the results of the most current cyber-security grants: despite the best of intentions, 2016 saw a record number of data leaks and cyber-crime activities. ‘More money’ is therefore not always the solution. There’s much more that should be done. All the key players must work together: commercial and non-commercial, multinationals to start-ups. Everyone can contribute from his or her own area of strength: whether that's knowledge or network or another strength. It’s all about working together.’
‘SMEs will benefit from security solutions that are tailored to their specific circumstances, and from targeted support in making the right choices from among the options available. Entrepreneurs are confronted with all kinds of changes in nearly every aspect of their business. They work hard, seven days a week, and sometimes they barely have time to check their own IT system. Often, they also don’t have the financial or human resources available to invest in security,’ David says. ‘In that respect, an SME entrepreneur’s world is very different from that of the CEO of an international organisation. The general guideline of spending 10% of the IT budget on security is likely not feasible for all entrepreneurs. For SMEs, support should be all about accessibility, affordability, and a positive image regarding security awareness. It’s not about intimidation, but rather about simple communication, clear language, and brief explanations – with examples and without jargon.’
‘Centralised control and coordination are crucial for an effective approach.’
Dutch Cyber Collective
In late November, stakeholders took the initiative to establish the Dutch Cyber Collective. It is an independent platform that aims to connect everyone who has an impact in the cyber world. In addition to Nationale-Nederlanden, companies such as Deloitte, ESET Netherlands, Fox-IT, Report Crime Anonymously, Threadbare Stone Cyber Security, and Safe Internet have all joined the collective. The Dutch Cyber Collective swiftly tracks new cyber attack methods, through the partners and directly through the SMEs themselves. Every hack is a lesson, and is used to protect other SMEs.
‘We know from experience that SMEs often don’t report cyber attacks. Perhaps because they’re afraid of reputation damage, or because they don’t want to publicise their weak levels of security,’ David says. ‘But because of that, no one can learn from the attacks, and cyber criminals can continue to exploit similar weaknesses among other SMEs. Incidentally, if so-called sensitive data is captured, this should always be reported to the Authority for Personal Data (AP). And, depending on the type of information, this must also be reported to the people whose information has been leaked. Of course, we hope that SMEs contact the cyber guard if they are hacked. This guard is part of the Dutch Cyber Collective. But obviously, we prefer to engage before-the-fact, and help SMEs become digitally safe(r).’
‘The Dutch Cyber Collective’s primary objective is to turn the current fragmented approach into a consolidated whole, and to make the Netherlands safer when it comes to cyber security. We’re therefore completely aligned with the Cyber Security Council report,’ David continues. ‘I am calling on all interested organisations and individuals to collaborate with the independent Dutch Cyber Collective. That’s how we can join forces to take a stand against cyber criminals. It goes without saying that the Cyber Collective is also keen to work with, or contribute to, other political or governmental initiatives. Cooperation, coordination and information – these are the keywords for making the Netherlands digitally safer in the short term.’