Conferences

Digital resilience continues to be crucial, but you don’t have to be Fort Knox


The threat posed by cyber attacks is no longer hypothetical. Organisations are increasingly falling victim to cyber criminals and state actors. Is the Netherlands equipped to deal with these digital dangers? What steps should a conference organisation take to minimise the damage?

“Cyber security is no longer only a technical matter. It affects everyone,” says Marcel Spruit, lecturer in Information Security at The Hague University of Applied Sciences. He has been researching digital resilience for governments, vital infrastructure and companies for 20 years.

Spruit sees that his field is getting more and more attention. “It’s structurally higher on the agenda than it was 10 years ago, also due to visible incidents and political tensions. But there is still a world to win, especially with smaller organisations.”

According to the report Cyber Security Assessment Netherlands 2024 (CSAN 2024), the digital threat against the Netherlands is significant and diverse. Most attacks come from state actors such as Russia and China or from cyber criminals who use ransomware (demanding a ransom in exchange for decryption) or steal data, which can cause major damage.

Ransomware impacted at least 178 Dutch organisations in 2023. However, since not all victims report incidents and customers are also affected, the actual number is much higher.

The weakest link is people

According to Robert Molenaar at Hoffmann, a company that tests digital resilience, the biggest risk is often people’s behaviour, not just technology. “Some 80% of attacks start with phishing (fraudulently sending e-mails or other messages to induce individuals to reveal personal information such as passwords or credit card numbers). Someone clicks on a link, which triggers a chain of events. If you’re lucky, it’ll only be spam. However, if a hacker gets access to sensitive data or systems, things can quickly become unmanageable.”

Hoffmann works with behavioural psychologists and others to understand why people continue to behave unsafely despite warnings. “You can tell users 20 times not to click on suspicious links, but the 21st time it happens anyway. Then the problem is somewhere else.”

 



Cybersecurity for the NATO Summit 2025

The NATO Summit 2025 will be held at the World Forum in The Hague on 24 and 25 June. In addition to strict security for government leaders and other dignitaries, the conference centre also boasts high-quality security for its digital infrastructure.

World Forum The Hague is the world’s first congress centre to install Trulifi by Signify, a technology that provides a secure, reliable, and high-speed wireless connection using light instead of radio waves. The venue’s network remains strictly confined to physical space, preventing unauthorised users from accessing the network from outside. Trulifi provides additional security thanks to custom encryption and specific access keys.

In addition, the venue has a highly secure Wi-Fi network that is continuously being adapted and monitored to comply with the latest security standards and to protect customers from potential data breaches and cyber attacks.

Event Risk Profile

Since June 2023, World Forum The Hague has been working with NineID as a security platform. NineID ensures that all necessary information, such as training, safety checks, permits, identity documents, and certificates of visitors, contractors and employees, is collected before they even visit the venue. Once a person is verified and checked, they can access the building using biometric facial authentication, QR code scanning or mobile phone authentication.

For every event, World Forum draws up an event risk profile in which potential risks are inventoried, including digital threats. Based on this, recommendations are made to protect visitors and organisers against cyber and physical threats.

The convention centre also has an on-site crisis management team that can respond immediately to security incidents, including digital attacks. This team works closely with local authorities such as police and emergency services.


 

The nervous system of society

In CSAN 2024, the NCTV (National Coordinator for Security and Counterterrorism) referred to digital processes as the nervous system of society. If these processes are disrupted, it impacts the organisation and often other parts of the digital ecosystem. This was the case in July 2024, when a bug in CrowdStrike’s software caused hospitals, airports and government services to shut down worldwide. In the Netherlands, operations had to be postponed, and air traffic via Eindhoven came to a complete standstill.

“Such incidents highlight the importance of digital resilience, especially now that many organisations rely on a few large cloud suppliers. That is an area of vulnerability. If something goes wrong there, you feel it everywhere right away,” says Spruit.

 


 

The conference sector is also vulnerable

Both experts emphasise that conference sector organisations need to remain vigilant. When processing the personal data of visitors, suppliers and staff, organisations use many forms of communication, including emails, open networks and last-minute changes that carry additional risks.

“The event industry continues to believe that it’s not an interesting target,” says Molenaar. “But it’s precisely this attitude that makes them vulnerable. They have customer data, ticket information and bank account numbers. In a sector where the time pressure is high, there is little room to think carefully about suspicious e-mails.”

Molenaar explains that events have been targeted in the past, such as in 2024, when the data of millions of Ticketmaster users was stolen in a breach. “That shows that things can really go wrong in this industry as well.”

What should you do?

What can organisations do to better protect themselves? “Start with the basics. Make sure you know what you have and what it’s worth. Make sure your systems are up-to-date and that you have access to them properly and safely. Make regular backups. It sounds simple, but many organisations don’t have a backup routine,” Spruit explains.

The National Cyber Security Centre (NCSC) and the Digital Trust Centre (DTC) have five basic principles that every organisation should follow: make an inventory of your business’ major components, segment your network, monitor your systems, practise with incidents and provide recovery options.

According to Molenaar, being aware of vulnerabilities is also crucial. “You should always assume that your network has already been breached. We call this ‘assume breach’. This way, you automatically start looking at your security differently.”

 


 

Growing legal pressure

Vital sectors such as water companies, energy companies and telecoms have been subject to additional legislation for some time. However, the scope is now expanding rapidly. The European Union’s new NIS2 Directive (Network and Information Security Directive 2) intends to improve the cybersecurity and resilience of essential services in EU Member States, subjecting municipalities and some commercial sectors to stricter cyber security requirements. “Many organisations have only just begun working on this. People are suddenly panicking because they have to set up everything.”

Spruit thinks it’s a shame that some people only take cyber security seriously when it’s required by law. “It’s actually sad that we need a law. You’d hope that organisations already feel the urgency. But sometimes legislation is the only thing that works to raise awareness.”

SMEs are lagging behind

Yet the biggest gap is still in SMEs, both experts stress. “Most organisations don’t have an IT department. Hired specialists or even owners usually maintain digital infrastructure,” says Molenaar. “There’s not enough knowledge and definitely no time or budget to work on security structurally.”

“The Netherlands has about 400,000 small businesses. If they are hit, we may not immediately notice it in national security. But they are links in the chain, and with such weak links, you can still hit a larger organisation,” Spruit adds.

 

It is crucial that the conference sector is alert to its chain dependency

Robert Molenaar

 

Conferences are quite vulnerable

It is critical for the conference sector to be vigilant about this chain dependency. Many organisers work with external parties for ticketing, communication and databases. “If one of those links is unsafe, then you’re also vulnerable as an organiser,” warns Molenaar. The danger is real, as recent DDoS attacks on cultural and political institutions have shown.

In October 2023, hacktivists plagued the Center for Information and Documentation Israel for days. Governments are also increasingly being targeted. For instance, a cyber attack on a Ministry of Defence network in 2024 paralysed the emergency services’ communication and disrupted air traffic, among other things.

“Events may not be of vital interest in the strictest sense, but cancelling them can have a social impact, such as chaos, image damage and financial claims. If a city or government organises such a meeting, it may also fall under the new legislation,” says Spruit.

Consider cybersecurity a business risk

The main message from both experts is: don’t see cybersecurity as an IT issue but as a business interest. “It’s like fire safety: you hope it never happens, but you have to be ready for it,” explains Spruit.

According to Molenaar, it helps to normalise the conversation about this. “Boards have to ask themselves: what happens if we’re down for three days? What will it cost? What will that do to our image? These questions are much more concrete than wondering whether the firewall is up-to-date.”

The good news is that those who have taken care of the basics are already a lot less vulnerable. “You don’t have to be Fort Knox, but it should be difficult for hackers since most of them look for easy targets,” says Molenaar.

 


ISO 27001

ISO 27001 is an international standard for information security that sets out a framework for establishing, implementing, managing and continually improving an Information Security Management System (ISMS).

The standard describes how organisations can set up their information security in a process-based way to identify, manage and reduce risks.

The ISMS is the core of ISO 27001. This system helps organisations secure sensitive information through policies, processes and controls that align with their business goals.

An important part of the standard is the performance of a risk analysis. Organisations identify potential threats and take measures to minimise the likelihood and impact of these risks.

Conference locations

The Dutch conference sector has three companies that are ISO 27001 certified. The Koninklijke Jaarbeurs in Utrecht was one of the first conference centres in Europe to be ISO 27001 certified. Onemeeting, a booking platform that manages meeting centres, is also certified. Esprit ICT, a provider of hybrid meeting systems, is the third company with ISO 27001 certification.
