Cybersecurity management and strategy

Start by understanding what information and systems are most critical to your business operations.

• What are your business activities? For example, if you run a design firm, your intellectual property (designs, concepts) is important. If you run an e-commerce store, customer data and payment information are vital.
• What information do you rely on daily? This includes customer databases, financial records, operational data, and contact information.
• Where is this information stored and how is it accessed? Is it on local servers, cloud platforms, or employee devices? Who has access to this information? Do they all need to have access?

Create an inventory of your critical data and systems. And classify confidentiality, availability, and reliability of the information from high to low. Understand their value to your business and the impact if they were compromised or unavailable.

Once you know what is valuable, assess the potential threats and vulnerabilities.

• What are the consequences if you lose access to critical data? Could it disturb your business operations, damage your reputation, or lead to financial losses?
• What if sensitive customer data is exposed? This could result in fines, lawsuits, and losing the customer’s trust.
• Consider common threats: Phishing scams, malware, ransomware, insider threats, and human error.

Do not just think about external attacks. Consider internal risks and human behaviour as well. For example, accidental data deletion by an employee or a disgruntled former staff member.

Read more about identifying cyber risks.

Cybersecurity is a shared responsibility. Even in a small business, awareness and clearly defined roles are part of your strategy.

• How do responsibilities extend to employees? Everyone who handles information plays a role in protecting it.
• Do employees know their responsibilities? How to protect and store sensitive information? How to recognise a threat and how to respond?
• What are the roles of third-party providers? Do you outsource IT or use cloud services? Ensure their security practices align with your needs.

Consider appointing a cybersecurity lead to coordinate your strategy. Regularly discuss cybersecurity during team meetings to keep it top-of-mind. Encouraging safe behaviour is important for the prevention of incidents.

Preventing a cyber incident is an ongoing process. Threats evolve, and so should your strategy. What you can do:

• Automate backups of critical data and regularly verify their integrity.
• Set up password and email security policies for your employees.
• Appoint someone to implement timely software updates, security patches, a firewall and virus scanner. Many breaches exploit known vulnerabilities.
• Establish clear onboarding and offboarding processes for staff, including managing their access to systems and information.
• Encourage employees to report suspicious activity or errors. Your staff are your first line of defence.
• Keep your incident response plan up-to-date, and regularly review and test it.

A cyber incident can still occur. An incident response plan minimizes damage and makes recovery quicker and easier.

• What are your essential operations that must continue? Identify critical systems and data needed to keep your business running.
• How will you limit the impact of an incident? This involves having robust backups, clear communication protocols, and predefined steps for containment.
• Who do you contact in an emergency? Have a list of IT support, legal counsel, insurance providers, and relevant authorities ready.

Reporting is mandatory

Report any cybercrime incident to the police. You must also report all data breaches to the Dutch Data Protection Authority (AP) within 72 hours, using the data leak reporting desk (Meldloket Datalekken, in Dutch).