The Netherlands is in the middle of a serious cyber security crisis. Academic research shows that a staggering 66% of Dutch businesses aren’t prepared to handle cyber threats.
Rick van der Kleij, a psychologist and professor focused on Cyber Resilient Organisations at Avans University, argues that our traditional methods for tackling cyber risks just aren’t working anymore. He believes many organizations think they’re safe, but that’s more of an illusion than reality. Despite pouring money into cyber security, incidents are happening more frequently and causing greater damage.
In his recent lecture, “Now that security is no more,” he called for a fresh approach. He highlights what he calls “the great digital dilemma”—how can businesses remain connected while ensuring security? With one of Europe’s most advanced digital infrastructures, this is a complex challenge.
Recent research shows one in five companies faced cyber crime last year, and the numbers are climbing, especially among small and medium enterprises (SMEs). For the first time, SMEs are getting hit harder than larger firms. Yet, many businesses are overly confident about their cyber defenses. While larger organizations recognize their vulnerabilities, SMEs often underestimate the risks, which puts them in the crosshairs of cyber criminals.
Van der Kleij makes an important distinction: traditional cyber security focuses purely on preventing attacks, while cyber resilience acknowledges that incidents will happen. It’s about how to react, recover, and learn from those events. Unfortunately, most organizations only concentrate on prevention; many SMEs might have firewalls but lack proper incident response plans.
Take Uber, for instance. After a significant hack in 2016, they improved their technical defenses but were still compromised in 2022 due to human errors tied to social engineering. Van der Kleij argues that the focus on technology alone often overlooks critical human factors. When budgets are tight, 85% often goes to tech, leaving just a sliver for addressing human vulnerabilities. Yet, phishing attacks, which exploit human psychology, affect most companies.
He pushes back against the idea that humans are the weak link. Instead, he argues the real issues lie deeper within system designs. Organizations often demand complex password systems from their employees, leading to risky workarounds. Instead of continuing this frustrating cycle, we should be designing systems that make secure behavior easier.
So why aren’t SMEs investing in cyber resilience despite the risks? Van der Kleij believes it has more to do with mindset than size. Many entrepreneurs feel invulnerable, thinking they’re too small to be targeted. Even after an attack, they often don’t change their approach. The challenge lies in reaching those who need help the most. Current resources are underutilized; it’s mainly larger companies that seek out government support, leaving smaller businesses behind.
Van der Kleij emphasizes the importance of partnerships in building cyber resilience. Working together can enhance security. Research indicates that many incidents involve suppliers or partners, which is why large companies are pushing for higher security standards among their collaborators.
European regulations are adding to the pressure. New directives aim to expand coverage for cyber security, yet only a small fraction of companies are ready for these changes. Alarmingly, many SMEs aren’t taking steps to prepare for threats like ransomware, which are becoming more common.
Current research at Avans University focuses on identifying what holds businesses back from investing in cyber resilience. By understanding these barriers, we can tailor interventions to help.
Van der Kleij’s core message stands clear: every organization will face a cyber incident eventually. It’s not whether it will happen but when—and how prepared you’ll be when it does. The time for a new approach in the Netherlands is now.