Cyber crisis increasingly a reality: how does Visma prepare for that?

A scan with ISIDOOR

An emergency caused by a cyber incident is more common than many expect. What can you do as a company to make yourself more resilient, and how do you respond quickly and appropriately when it happens? We talked to Visma, which uses programs and initiatives to keep the impact of an incident as small as possible.

Today's attack frequency and the sophistication of cyberattacks make it hard to escape an incident altogether. No matter how carefully a company acts, it cannot control everything. Visma recognizes that good preparation is therefore half the battle. On the initiative of CISO Cindy Wubben, the company took part in ISIDOOR, a Dutch program run by the National Cyber Security Centre (NCSC) in which participating organizations test how resilient they are to a crisis. Each participant plays the role of a fictional victim, and the point is to learn how one actually reacts in practice. The fictional crisis escalates every day, pushing participants to their limits.

Current state

The most recent ISIDOOR edition took place late last year. Participants went through the three-day main exercise, and lessons were drawn from it to test and implement key points further. The Government Crisis Management Committee continues to practice using input from the exercise. The data from that ISIDOOR IV edition has now been analyzed in detail.

Based on that analysis, the government concludes that scaling up to the national crisis structure is still new and unfamiliar to most organizations. This structure helps companies identify the roles and responsibilities of the parties involved and where they can get help. There is also a clear need for more familiarity with the criteria of the Dutch Wbni, the precursor to the Cybersecurity Act that will implement NIS2. Overall, even the precursor to NIS2 does not yet appear to have landed sufficiently.

Practice as the basis for defensibility

For an organization like Visma, practicing is especially relevant given its size and complexity. In the Netherlands alone, dozens of companies fall under Visma, operating largely independently and employing thousands of people. Can such a complex organization respond adequately during a crisis? In theory, practicing means a crisis can be contained more quickly.

ISIDOOR has a second essential aspect for Visma: many government agencies, such as municipalities and security regions, take part. Those agencies are also Visma customers and must keep functioning during a cyber incident to provide citizens with crucial services. The more institutions in the chain participate, the more resilient the Netherlands as a whole becomes, and Visma is eager to contribute to that.

Visma already sees concrete follow-ups after participating. One example: customers must be properly informed during an incident. Next year, Visma wants to take part again, with extra focus on communication and on practicing together with customers in the chain.

A solid foundation

For CISO Cindy Wubben, participating in ISIDOOR was an obvious choice. She works continuously within Visma to raise the security level of the subsidiaries, but how resilient are they really? The Visma Security Program provides initiatives for more robust security, and its components, such as threat intelligence and a bug bounty program, are critical for a software vendor like Visma. The products become more secure because the companies under the Visma umbrella apply these measures to their own software.

Visma's additional resources for subsidiaries and employees are quite broad, and they also strengthen the foundation for business continuity and crisis management. ISIDOOR is a good reality check, but quite a few steps had already been taken, for example through the business continuity portal. There, Visma has collected information to help companies and teams get started on ensuring continuity. This includes help with setting up backups, for example, and a check of how much data would be lost in an incident and up to what point that loss is acceptable (in effect, the recovery point objective). Visma has also included guidance on what a company should do if it is hit by ransomware. The corresponding actions can be tested through the portal as well, automated or otherwise. The portal is meant to help create and implement the best possible business continuity plan.
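The data-loss check described above can be made concrete with a small script. The following is an added example, not code from Visma's portal: it takes a constructed backup log and a hypothetical recovery point objective (RPO) per system, finds the last successful backup completed before the incident, and reports how much data would be lost and whether that is within the acceptable limit. Two edge cases a practitioner needs to handle are built in: failed backup runs must not count, and backups completed after the incident are excluded because they may already contain the attacker's changes (or encrypted files, in a ransomware case). All system names, timestamps and RPO values are made up.

```python
from datetime import datetime

# Constructed sample backup log: (system, completion time, result). Not real data.
BACKUP_LOG = [
    ("erp-db",    "2024-05-06T01:00:00", "ok"),
    ("erp-db",    "2024-05-07T01:00:00", "ok"),
    ("erp-db",    "2024-05-08T01:00:00", "failed"),  # failed run must not count
    ("crm-db",    "2024-05-08T01:00:00", "ok"),
    ("crm-db",    "2024-05-08T13:00:00", "ok"),
    ("crm-db",    "2024-05-09T01:00:00", "ok"),      # after the incident: may be compromised
    ("fileshare", "2024-05-01T01:00:00", "ok"),
]

# Hypothetical acceptable data loss per system, in hours (recovery point objective).
RPO_HOURS = {
    "erp-db":    24,
    "crm-db":    12,
    "fileshare": 24,
    "hr-app":    4,   # in scope, but there is no backup of it in the log at all
}


def last_clean_backup(log, system, incident_time):
    """Return the completion time of the most recent successful backup of
    `system` that finished before `incident_time`, or None if there is none.

    Backups that completed after the incident are deliberately ignored: they
    may already include the intrusion or the encrypted data.
    """
    candidates = []
    for name, ts, result in log:
        finished = datetime.fromisoformat(ts)
        if name == system and result == "ok" and finished < incident_time:
            candidates.append(finished)
    return max(candidates) if candidates else None


def data_loss_report(log, rpo_hours, incident_iso):
    """For every system with an RPO, compute the data-loss window in hours and
    whether it is acceptable.

    Returns {system: (loss_hours, within_rpo)}. loss_hours is None when no
    usable backup exists, which always fails the check.
    """
    incident_time = datetime.fromisoformat(incident_iso)
    report = {}
    for system, limit in rpo_hours.items():
        last = last_clean_backup(log, system, incident_time)
        if last is None:
            report[system] = (None, False)
            continue
        loss_hours = (incident_time - last).total_seconds() / 3600
        report[system] = (loss_hours, loss_hours <= limit)
    return report


if __name__ == "__main__":
    # Hypothetical incident: ransomware detected on the evening of 8 May.
    for system, (loss, ok) in data_loss_report(BACKUP_LOG, RPO_HOURS, "2024-05-08T20:00:00").items():
        status = "within RPO" if ok else "RPO EXCEEDED"
        print(f"{system:10} loss={loss}h  {status}")
```

Note that if the failed run of `erp-db` were counted, the loss would appear to be 19 hours and the system would pass; only by filtering on the backup result does the real 43-hour gap, and the RPO breach, become visible. A system that is in scope but absent from the log (`hr-app` here) must also be flagged rather than silently skipped.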

Above this sits Visma's crisis management plan, which kicks in when a situation escalates, which is precisely what ISIDOOR simulates. An incident can start small and grow into a significant crisis that requires an organization-wide response. Should this highest alert phase occur at Visma, the top management of the Visma group also comes into action, alongside the security experts and the legal and communications departments. That was not yet the case during the ISIDOOR exercise, but Wubben thinks simulating that situation would also be worthwhile.

Sharper on the radar

However compelling the Visma program has proven so far (its track record of publicly exploited vulnerabilities is small), there is always a need to prepare properly for worst-case scenarios. Wubben therefore wanted to get as many people as possible within Visma to take part in the ISIDOOR exercise. She gauged interest among the subsidiaries, and Genetics, Visma Circle, Nmbrs, Appical, Visma Verzuim, and Visma Software signed up. Those companies had their security housekeeping in order, a prerequisite for taking part in the real-time exercise.

In total, some 60 Visma employees took part in ISIDOOR. In addition to the teams in the participating Visma companies, the global SOC team, the cloud security department, the incident response team, and the communications department also practiced. From the six participating subsidiaries, both the employees who normally resolve issues and the communications staff were involved. Visma's conclusion: things were well organized, but not everyone was aware of the structures at play and the resources available. In a crisis, do you involve the right security expert, the right legal knowledge, and the best communications resources? All of these are crucial in an emergency.

The key remains: practice, practice, practice

Wubben therefore hopes that Visma will be there with a larger group of employees and subsidiaries at the next edition of ISIDOOR, at the end of next year. Three days of crisis practice show teams where they stand and where the areas for improvement lie. You can think you are prepared for a crisis, but does the plan work in practice? Are you using the right resources and the right colleagues at every moment? It can easily happen that internal communication falls short or that a communications colleague is brought in too late. And every recovery step needs a designated backup owner in case the person responsible is on vacation or ill. Wubben advises thinking through such components as well.

ISIDOOR is a good reality check, but it is held only every two years, and it remains important to keep practicing in between; depending on the schedule, an organization should test regularly. Wubben has made this a top priority for this quarter and the next: getting the Visma companies to take business continuity seriously and keep their plans up to date. With the material from the business continuity portal, they have the resources to run a kind of mini-ISIDOOR: they work through a hypothetical crisis supported by the global SOC, which helps the companies follow the processes and complete the scenario successfully. With that, they are prepared for a cyber crisis and the worst-case scenario.
