One hack after another: 'Current way of securing broken'
According to this expert, the cyber attacks will not end if organizations stick with the current approach.
Published on January 30, 2025

Our DATA+ expert, Elcke Vels, explores AI, cyber security, and Dutch innovation. Her "What if..." column imagines bold scenarios beyond the norm.
The police, DigiD, and recently the Eindhoven University of Technology (TU/e) and other educational and healthcare institutions; one organization after another is becoming the target of a cyber attack. According to Ruben van Vreeland, co-founder of cybersecurity company Securely, this will not end for a long time if organizations stick to the current approach. “If you want to tackle the problem properly,” he argues, “then we have to stop pointing to a scapegoat.” Time for social innovation in the IT world.
Most recently, the TU/e took its entire digital network offline after a cyberattack that rendered all of the university's digital infrastructure inaccessible. Hackers turned out to have the login credentials of at least one employee and one student and managed to break into the online environment. The result? The university was forced to close its doors for a week. Unfortunately, this is not an isolated event.
Van Vreeland has long known that cybercrime is an increasing threat. He has been warning companies about the consequences for years. He started programming at the age of nine, and by 14 he was active as an ethical hacker. Over the years, he helped companies such as eBay and LinkedIn by testing their systems and reporting vulnerabilities.

'The old paradigm doesn't work anymore'
Such giants, as well as mainstream SMEs, charities, and government agencies in the Netherlands, are continuously targeted by cybercriminals. This is no surprise to Van Vreeland. “After all, companies and organizations are still tackling security the old-fashioned way.”
Here's the thing: In the old world, the IT world was static. People worked in the office, and IT people could put a solid wall around their systems. They knew exactly where and when someone was working and what software they were using. It was relatively easy to cast processes in concrete.
But the world is changing rapidly. As an example, Van Vreeland cites one of his clients operating in the financial sector. “They adjust their software daily to improve the experience for consumers. Or take TU/e, which is constantly updating its systems to provide students with the best functionality. Because with every adjustment the windows are in a different place, and the cameras are always misaligned. Criminals always find a way to break in that way.”
'Here comes the scapegoat again'
Too often, those truly responsible for a security breach remain out of harm's way. Van Vreeland recalls a notable situation: “Securely discovered a security breach. After no action was taken for six months, we shared the findings about the company on LinkedIn. It later turned out that the head of security changed jobs every year.” Instead of fixing the problem, the company assigned a scapegoat whom they fired. They did not fix the actual leak. “We see this pattern more often; it doesn't fix the problem.”
Countering cyber attacks effectively
So how should it be done? “By making everyone who has important knowledge co-responsible.” A good example is the municipality of The Hague. Its security team recently automatically blocked a municipal web page because of the word “enforcement.” The code keyword “having” is also used in cyber attacks. As a result, the website was blocked for all citizens.
However, an employee familiar with the importance of the page to citizens saw that this blocking was unjustified. “Enforcement” had a legitimate meaning here and was essential to the content of the page. Instead of blindly following the security protocol, the employee contacted the security team and explained the proper context. Based on this, the block was lifted. According to Van Vreeland, this incident shows why product owner knowledge is important: “The experience and knowledge of employees who work with the systems daily are crucial to effectively apply security measures without compromising the functionality of the website.”
The municipality of Utrecht, which Van Vreeland's company works with, also applies employee knowledge to its digital system. Often security teams need to learn a thing or two about communication. “Instead of general alert notifications, such as 'you're downloading Skype, this could be a Russian ransomware attack,' we make the notifications context-specific.” For example, if an employee regularly uses Skype, there is no cause for concern. For an employee who normally never uses Skype, on the other hand, this is an alarm signal.
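The per-employee distinction described above can be sketched as a baseline check over application-launch events. This is an added example, not code from Securely or the municipality of Utrecht; the log format, user names and both thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample history: (user, application) launch events from a
# hypothetical endpoint log. Names and counts are illustrative only.
HISTORY = (
    [("alice", "skype")] * 12 + [("alice", "outlook")] * 30
    + [("bob", "outlook")] * 25 + [("bob", "excel")] * 18
    + [("carol", "outlook")] * 2
)

MIN_EVENTS = 10   # assumed: below this, the history is too thin to judge
REGULAR_USE = 5   # assumed: launches needed to count as "regularly uses"


def build_baseline(history):
    """Count application launches per user."""
    baseline = defaultdict(Counter)
    for user, app in history:
        baseline[user][app] += 1
    return baseline


def assess(baseline, user, app):
    """Return (verdict, message) for one new event, judged against the user's own history."""
    seen = baseline.get(user, Counter())
    total = sum(seen.values())
    if total < MIN_EVENTS:
        # New or rarely seen account: "never uses it" would be a false signal.
        return ("review", f"{user}: only {total} events on record, no baseline for {app} yet")
    if seen[app] >= REGULAR_USE:
        return ("ok", f"{user} regularly uses {app} ({seen[app]} launches); no notification")
    return ("alert", f"{user} started {app} but has used it {seen[app]} times in "
                     f"{total} recorded events; confirm with the user")


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for user in ("alice", "bob", "carol"):
        print(assess(baseline, user, "skype"))
```

The `review` verdict covers accounts with too little history, where "normally never uses Skype" cannot yet be established.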
Whether TU/e innovates by giving employees more responsibility in its IT system remains to be seen. “But I hope we will encounter this approach in more and more companies and agencies.”
Finally, Van Vreeland emphasizes that the shift of responsibility is only one of the necessary measures. “European standards such as ISO are already in place, and the NIS2 directive can be added to that, should the government choose to do so.” It is still unclear whether these regulations will also apply to education. “But the attack on TU/e shows that this would be a wise choice.”
