The 5 basic principles have their 2-year anniversary

It has been 2 years since the creation of the 5 basic principles of business cyber resilience in the Netherlands. These principles were also the first publication of the then newly founded Digital Trust Center by the Dutch Ministry of Economic Affairs and Climate Policy. To reflect on the principles, three questions are posed to three founders of the principles.

 

The 5 basic principles of business resilience are:

  1. Make an inventory of vulnerabilities: be aware of what needs protecting;

  2. Apply safe settings: for instance, change default passwords and settings in software and hardware;

  3. Execute updates: make sure hardware and software are up to date;

  4. Limit access: allow users and systems access only to what they need;

  5. Avoid viruses and other malware: apply technical and organizational measures to defend against infections.

 

2 years down the road: are the principles obsolete now?

Michel Verhagen (DTC): "Unfortunately, we see that they are still relevant for businesses in the Netherlands. Recent incidents emphasize the importance of installing updates when they become available. This proves that in the here and now, they are still relevant in improving cyber resilience of businesses."

Martin Vliem (Microsoft): "At Microsoft we treat them as the basic level of hygiene that any business should adhere to. Unfortunately we see in many security incidents that the root cause lies in the lack of cyber hygiene. But the principles are also relevant when using cloud services. Cloud computing helps organizations, as the cloud provider takes over several security tasks. But customers still need to take care of things like configuration and identity & access control. That is why we have developed information and instructions that align with these hygiene measures."

Remco Ruiter (Dutch Payment Association): "For us the cyber security of Dutch businesses is very important. Financial transactions are for the majority conducted digitally. If any business is not on par with its cyber security, these transactions are not conducted safely and securely. That can disturb business. In that sense I consider the principles as an important level of basic hygiene for all businesses in the Netherlands."

 

So the principles are still valid and no change is needed?

Martin: "Regardless of the size of a company, the principles are relevant. But our focus should be motivating SMEs to take action. That does not mean just acquiring security defense technologies. The focus on resilience and effectively increasing the cost-of-attack is key. Therefore, a valuable addition to the principles would be business continuity. That would give SMEs a chance of recovering after a cyber incident."

Michel: "We believe that with these principles any business will increase resilience. We are happy to see that the principles are chosen by the Dutch Center for Criminal Prevention (CCV) to form the base level of measures in their new cyber risk model for SMEs. In my opinion, the extended use of the principles is adding value to them."

Remco: "The digital world is changing fast. The emergence of crime-as-a-service has lowered the threshold to conduct crime. This makes humans more important in cyber security. People still fall for CEO, invoice fraud, identity theft and phishing e-mails. So, raising awareness becomes more and more important! The principles should accommodate these developments and evolve accordingly."
 

Where do the principles stand in 2 years?

Remco: "They are still the basic hygiene in 2 years, while GDPR and compliance are no longer things only big companies should adhere to. The Dutch Payment Association will participate in the further development of the principles. That is because we believe that cyber resilience will improve trust in the market and digital payments and transactions."

Martin: "Key will be to find how to motivate end-users to start with applying cyber hygiene. New cyber incidents are like a deck of cards: with every shuffle a new card gets attention. That incident-driven approach is not working. That is why Microsoft contributes to initiatives like certification and basic hygiene. I hope that in 2 years, the majority of SMEs use the principles as the standard for digital hygiene."

Michel: "The DTC and the principles are here to stay. The challenge is to get businesses in the Netherlands to be aware of the principles and to take action. That is why we developed an online self-scan of cyber resilience to provide businesses with practical insight on where they stand in accordance with the principles. The report of this self-scan gives practical advice on where to start."


Biography

Michel Verhagen is the program manager of the Digital Trust Center. With a long history in government, he now manages the team that stands for improving the digital resilience of 1.8 million Dutch companies.
Martin Vliem works at Microsoft as the National Security Officer. He has a focus on ‘Trusted Cloud’: cyber security, privacy and compliance. He is dedicated to addressing GDPR as a top priority for any organization.
Remco Ruiter works at the Dutch Payment Association as Liaison Officer. With broad experience in both private and public organizations, he now focuses on the safety and security of digital payments.
Jeroen Kasbergen wrote this article and works as a Cyber Security Advisor at the Digital Trust Center. He specializes in translating ‘cyber’ to understandable and actionable matter for Dutch businesses.