One-third of companies (35%) do not have a password policy and almost half (45%) do not use multi-factor authentication
More than 50 per cent do not regularly train their employees on cyber topics such as spam or phishing
Companies in the Netherlands lack basic cybersecurity measures. This is one of the key points of the current Kaspersky survey 'Incident Response for prevention - Companies in the Netherlands rely heavily on their cyber resilience, but is it justified?' Although even simple steps can increase the level of security in an organisation, as many as 35 per cent admit to not using a password policy, 28 per cent do not make backups and 45 per cent do not use multi-factor authentication.
According to the Central Bureau of Statistics (CBS), 20 per cent of companies with more than 250 employees will have had an ICT security incident due to an external attack by 2022. Moreover, the way cybercriminals gain network access is becoming increasingly complex in the Netherlands. Basic measures alone, such as multi-factor authentication, are no longer sufficient. Decision-makers should therefore be aware that a preventive cybersecurity strategy is non-negotiable for sustainable cyber protection. Yet the results show how security measures are falling short at some companies in the Netherlands.
Basic security measures? Not necessary.
Besides the fact that the survey shows that many companies lack basic security measures, such as password policies and backups, it also shows that 50 per cent of companies in the Netherlands do not regularly train their employees on topics such as spam or phishing - the classic gateways for cybercriminals to access data. And this is despite the fact that the days of poorly written spam and phishing e-mails full of spelling mistakes are long gone. These days, they are barely distinguishable from genuine messages.
Yet only 60 per cent of companies use anti-phishing software to protect against them. Moreover, only one in three companies (33 per cent) has a patch management policy, while application and operating system security vulnerabilities are among the most common attack vectors in companies.
These security best practices are the backbone of any security strategy and can be used as a preventive measure to improve defences. However, the casual approach exposes Dutch organisations to potential infiltration by cybercriminals, who can exploit vulnerabilities and spread ransomware and malware throughout the supply chain. If these measures are not in place, companies become an easy target for criminals, and this is all the more worrying because respondents have too much confidence in their security team.
"Just under half of respondents think they can detect an attack within an hour. This is incredibly naive. Especially considering the protection measures most respondents take," said Jornt van der Wiel, Senior Security Researcher, Global Research and Analysis Team at Kaspersky. "State-sponsored groups and sophisticated criminal groups are so successful because they are not detected. State-sponsored groups in particular can sit on networks for months or even years before they are finally detected, which is often based on luck rather than preventive measures and tight security."