Dutch Businesses Lag Behind in Cyber Resilience as Threats Escalate
The Netherlands is facing a growing cyber security crisis, with a staggering 66% of Dutch businesses lacking adequate cyber resilience, according to academic research. The country's advanced digital infrastructure and openness make it an attractive target for cyber criminals, who are increasingly targeting smaller enterprises.
A Paradigm Shift Needed
According to Rick van der Kleij, a psychologist and professor in Cyber Resilient Organisations at Avans University of Applied Sciences, traditional approaches have failed, and a paradigm shift is urgently needed. "We need to stop thinking in terms of cyber security," he says. "It's a model that has demonstrably failed." Despite years of investment in cyber security measures, the frequency and impact of incidents continue to increase rapidly across Dutch businesses.
The Great Digital Dilemma
Van der Kleij describes the central challenge as balancing openness and security in a country with one of Europe's most advanced digital infrastructures. "How can entrepreneurs remain open and connected without having to completely lock down their businesses?" he asks. The statistics are stark: 66% of Dutch businesses are inadequately prepared for cyber threats, while recent ABN Amro research confirms the crisis, with one in five businesses suffering cyber crime damage last year.
Perception Gap Persists
Van der Kleij identifies 'the overconfident': Dutch businesses that believe their cyber security is adequate when it isn’t. While attack rates against SMEs soar, SMEs' risk perception remains static, whereas awareness among large organisations has increased markedly (from 41% to 64%). This creates a "waterbed effect": as large companies strengthen their defences, cyber criminals shift to less-prepared SMEs, which are paradoxically reducing their cyber security investments.
Cyber Resilience: A Distinction from Cyber Security
Van der Kleij emphasizes a crucial distinction: while cyber security focuses on preventing incidents, cyber resilience acknowledges that incidents will happen. "It's about having the capacity to react appropriately, recover from incidents, and learn from what went wrong to emerge stronger," he says. This requires four capabilities - prepare, respond, recover, and adapt - yet most Dutch organisations focus only on preparation.
The Limits of Technology
Van der Kleij challenges the persistent myth that humans are cyber security’s weakest link. "People are often blamed when things go wrong, but the actual vulnerabilities typically lie elsewhere in the system, often in the design itself," he says. The misdirection is reflected in spending: 85% of cyber security investments go toward technology, 14% toward processes, and just 1% toward the human component. Yet phishing - which succeeds through psychological manipulation rather than sophisticated technology - affects 71% of Dutch businesses.
Van der Kleij believes the task is to reach the smaller enterprises that need help most. "We have vouchers, we have arrangements where entrepreneurs can get help at a significantly reduced fee from cyber security professionals, but uptake remains negligible," he says. "It's always the same parties who come to the government’s door - the large companies who are already mature. The small ones, we just can’t seem to reach them."
Van der Kleij sees "relational capital" - resources generated through partnerships - as key to enhancing Dutch cyber resilience. "You can become more cyber resilient by establishing partnerships," he says, pointing to government-encouraged initiatives like Information Sharing and Analysis Centers.
The question isn’t whether your organisation will face a cyber incident, but when – and how effectively you’ll respond. Cyber resilience encompasses cyber security while adding crucial capabilities for response, recovery, and adaptation. It’s time for a new paradigm in the Netherlands.