Professor of Cyber-Resilient Organisations
‘Cyber resilience requires a comprehensive approach’
Rick van der Kleij, professor of Cyber-Resilient Organisations
Research shows that organisations looking to reinforce their cybersecurity tend to invest most of their budget in technical measures. Sounds reasonable enough, right? Not if you ask Rick van der Kleij, who argues for a less one-sided focus. In January 2024, Van der Kleij was appointed professor of the newly established Cyber-Resilient Organisations research group. “To optimise their cyber resilience, organisations should also look at their digital work processes, as well as the role of humans. With my research group, I want to help formulate a comprehensive response to a digital threat that just keeps growing.”
Van der Kleij was recruited to head up the newest research group at Avans University of Applied Sciences’ Centre of Expertise for a Safe & Resilient Society. The Cyber-Resilient Organisations research group aims to address the needs of smaller organisations for up-to-date, evidence-based insights on how to improve their cyber resilience. It’s a mission that is in good hands with Van der Kleij, who has been working on this topic at TNO for years. “The number of annual victims of cybercrime in the Netherlands was 2.2 million in 2022, according to CBS. Compare that to the number of bicycle thefts, which is around 700,000,” he says. “Recent research also shows that almost half of all Dutch organisations have experienced a cyberattack in the last three years. So there’s a clear sense of urgency.”
Bridging two gaps
According to Van der Kleij, global cybercrime is evolving at lightning speed, propelled by all kinds of technological innovations. But most organisations are still very slow to respond to these developments. It’s a difficult gap to bridge: after all, the defenders are always going to lag behind the attackers. “Criminals use online platforms where smart technical experts offer their services anonymously,” Van der Kleij explains. “These platforms are hosted all over the world, making them very difficult to tackle. It’s an ‘industry’ that’s becoming increasingly professional, and it’s even being used by rogue governments for economic espionage or to destabilise political situations, with all the risks that entails. The budgets are huge, making it difficult for entrepreneurs to protect themselves against these forces. That’s why I think our research is so important.”
The weakest link
A second gap Van der Kleij wants to close is the one between organisations: the distance between the frontrunners and stragglers in cyber resilience is widening. “Unfortunately, there are still lots of entrepreneurs who lack sufficient knowledge, resources or motivation to optimise their resilience,” notes Van der Kleij. “I see it as my mission to help that group in particular. Because the stragglers also pose a risk to their partners, as cybercriminals are increasingly targeting the weakest links in supply chains. That’s how a small supplier with poor security can inadvertently provide access to a larger organisation, causing damage that could lead to social disruption. So we have to get those organisations on board that are choosing not to invest in their cyber resilience.”
Comprehensive approach
Asked for his views on the best way to strengthen organisations’ digital resilience, Van der Kleij stresses that investing in technology alone is not a solution. “At the moment, 85% of all investment goes into technology, 14% goes into improving work processes and only 1% is spent on training and education – that’s not a balanced distribution at all,” he points out. “We especially need to pay more attention to the impact of work processes and the role of humans. The attack on internet bank Bunq in 2023, in which a bank employee received a deepfake video that made it seem like the CEO was asking him to transfer money, failed because the bank had robust processes in place and because an employee became suspicious. People need to be alert and know what to look out for. That’s crucial.”
User-friendliness
Van der Kleij also thinks the user-friendliness of digital security measures deserves more attention: “Security and ease of use tend to be at odds with each other. But if safe working processes are too much of a hassle, people will start circumventing the rules, rendering all your investments in security measures pointless. So instead of relying on complicated passwords that have to be changed all the time, you could opt for access control using fingerprint or facial recognition. That’s how you make digital safety easy.”
Van der Kleij’s research will focus on this comprehensive perspective. “How do we incentivise organisations to act, what kind of obstacles are they dealing with? What’s the impact of specific interventions? Do they offer comprehensive solutions? These are the kinds of questions I want to explore together with the education sector, local governments and industry.”
Despite the major threat posed by cybercrime, Van der Kleij is optimistic about our ability to protect ourselves. “There’s more and more active international cooperation between governments to track down cybercrime networks, and the Netherlands is contributing to these efforts as well. New European legislation has also made it mandatory for companies to better secure their products and processes, which has been a real catalyst. Companies are increasingly opting for security by design when developing digital tools, which means that security is already included in the design phase. AI also offers huge opportunities – autonomous systems could be used to provide automated protection, for example. These developments are truly fascinating. I’m very happy with the opportunity I’ve been given at Avans, and I hope to be able to create synergies with the other research groups at the Centre of Expertise for a Safe & Resilient Society.”