🎉 We are proud to share that we have reached a special milestone: The Cyber Weerbaarheidscentrum Brainport (CWB) has been a valued customer of us for four years now! 🙏

In these four years, our cybersecurity specialist Matthijs Nelissen has perfected a portal on which threat information and cybersecurity articles with best practices are posted. Cyber4Z also provided support for all common technical issues. Arissa D'Fonseca, Yu-Mei Liebregt, Rob van den Heuvel, Thierry-Paul van der Vliet and Morrison Toussaint were also able to help our customer fantastically with all kinds of matters. As a result, Cyber4Z contributes to increasing resilience in the Brainport region and beyond because the CWB focuses on the national high-tech manufacturing industry!

We are extremely grateful for the trust that CWB has placed in us and we look forward to continuing this pleasant collaboration for many years to come.

October is known in Europe as Cybersecurity Month. This month is all about increasing awareness of cybersecurity and how individuals, organizations and governments can protect themselves against cyber threats.

At a time when cyber attacks and data leaks are common, awareness is the first step against these threats. This month, all kinds of activities on the subject of cybersecurity are being organized under the name Alert Online. For example, you can use a tool to check a website or URL or you can attend a workshop on the maturity of data protection within your organization.

Cyber4Z: Eye on Cybersecurity

Cyber4Z also actively contributes to increasing cybersecurity awareness. As a leading company in the field of cybersecurity services, Cyber4Z offers a wide range of solutions that help organizations protect themselves against cyber attacks and data breaches. We offer various services, including:

1. Assesments
2. Certifications
3. Security Awareness Tranining
4. CISO as a service
5. GDPR compliance in one day

More information about the above services and additional services can be found on our website under the heading 'Portfolio'.

This day was founded by IEC (International Electrotechnical Commission), International Telecommunication Union and ISO (International Organization for Standardization).

These are all organizations that are involved in standardization of, for example, pen testing or Information Security Management Systems (ISMS). We can't really celebrate this day, but it is a good time to think about your certification process and how we can support you: Our Services.

On 'International Coffee Day' we combine our passion for cybersecurity with our love for sustainability.

We like to treat ourselves to a cup of sustainable coffee in our Cyber4Z mugs while we think about the digital security of tomorrow. If you are interested in a fascinating conversation about cybersecurity, we would like to invite you to drop by for a cup of coffee.

We are proud to announce that our security consultant Emirhan Sarikaya will be giving a presentation at the first edition of the Tech Know Fest on September 28, 2023, organized by The.NextGen.

During the presentation he explains how he discovered a security hole in the Jira environment of the RIVM and how malicious parties can also do this and abuse it. He also provides trips and tricks to increase the security of organizations against similar attacks and the mitigating factors are discussed. We look forward to an inspiring presentation at Tech Know Fest!

In a recent cybersecurity incident Airbus fell victim to a cyberattack originating from a Turkish Airlines employee’s compromised account. What led to the account's compromise? The use of pirated software by the employee. This event once again demonstrates the importance of using safe software and maintaining supply chain security in the linked digital environment of today.

The cyberattack on Airbus highlights the rising worry over the use of unauthorized or illegal use of software. The employee of Turkish Airlines unintentionally introduced weaknesses by using the hacked software, giving the so-called hacker 'USDoD' a way inside Airbus.

The Challenge of Supply Chain Security

Beyond the compromised software issue, the Airbus hack reveals the vulnerability of supply chains. Businesses rely on intricate networks of partners and suppliers, which leaves them open to assaults through these interrelated channels. Cybercriminals increasingly exploit these vulnerabilities to gain access to valuable targets, as seen in this case.

To address this, organizations must adopt a comprehensive approach to cybersecurity that includes supply chain security measures. It is not enough to just protect your network; you must also make sure that your supply chain partners follow strict security guidelines. If your company needs help with this, feel free to reach out to us because we can help with both secure software use and supply chain security.

On today's Throwback Thursday we are going back to the hackersconference DEF CON in Las Vegas this summer.

Our privacy consultant Andra-Elena Albisoru loved the privacy village. "I loved it because you could see that all the changes the US speakers were asking for, are rules that have been in place in Europe for years. It gives a bit of faith in the data protection policies and laws are we have here." There is ofcourse a reason that the US doesn't have the same privacy rules right now. "Mostly the government still wants to have control over the data 'for national security' reasons. But I think it is a policy issue that the states do not get along when it comes to harmonizing the rules. It can't be done at a federal level,' Andra explains. 'California has the best rules on data protection, but I think it takes a lot of time and resources to get 50 other states to agree on doing the same."

It is critical for businesses to comply with the world's strictest privacy and security law, the GDPR (General Data Protection Regulation). At Cyber4Z we understand how important this is, and we can help you do this in an efficient way. Our privacy expert will visit you on location for a day, after which we will deliver a comprehensive improvement report and the necessary documents within a week.

Our exclusive program, called 'Privacy in 1 day', includes several components including a thorough check of GDPR compliance within your organization, as well as a check, improvement or implementation of a privacy statement on your website.

With our complete service, including the assessment, implementation and available templates, we offer this package for only €2,200. Don't wait any longer and ensure your company is GDPR compliant and protects your customer and data privacy with the help of Cyber4Z. Contact us today and you will soon be GDPR compliant!

With Cyber4Z and the Neoforce team we attended DEF CON 2023 in Las Vegas!

Attending this conference in such a special place was a tremendous experience. The things we have seen and heard have given us inspiration and insights that we can apply in our work. We cannot rule out that we will visit this conference again!

At Cyber4Z we regularly do team building and improving competences outside the work field. Last month we did this in extreme form by participating in The GymForce Challenge.

During this challenge in the form of a kind of 'Kamp van Koningsbrugge', we stepped out of our comfort zone by going over an obstacle course together and walking through the Biesbosch polder with packs. With this challenge we have improved our cooperation within the team and we have learned more about who we are and what we can do. It was certainly an event that we will talk about for a long time to come.

Below our co-owner and warrior Matthijs Nelissen in the Biesbosch polder.

Hackers can wreak havoc on businesses, so it's understandable that businesses go to great lengths to avoid being hacked. That is why there are several bug bounty programs and online forums that invite ethical hackers to find bugs in company security. One of these ethical hackers is Emirhan Sarikaya from Cyber4Z: “It is mainly sitting behind the computer a lot.”

The life of a bug bounty hunter may not be as sensational as you might expect. Emirhan is a member of various hacker forums such as HackerOne and Bugcrowd where hackers are invited by companies to find vulnerabilities in their security. “It's mostly sitting at the computer and looking for possible bugs or vulnerabilities,” Emirhan explains. He gives the example of examining a search bar on a website. "When I open a website, I look at how that site can be searched. For example, is it using a database? Then I look at how I can crash that database to find a bug," Emirhan added. As soon as he has found a bug, Emirhan reports this on a hacker forum or uses a so-called Coordinated Vulnerability Disclosure (CVD), in which agreements are made between the reporter and the organization concerned.

Emirhan spends his free time researching bugs. "I do this as a hobby because I find cybersecurity interesting and I find it fascinating how everything works. The rewards you get are also a good incentive for this work." But Emirhan is not only shown to be passionate, he is also extremely skilled. "A recent success story is that I discovered a vulnerability in a live chat of an online casino that allowed malicious parties to take control of anyone who was gambling at the time. This was of course a serious vulnerability, which also paid off. In general, companies are happy when we report a bug, because they can fix it before malicious people take advantage of it, so I want to give companies the following message: don't be afraid to sign up with a hacker platform to get checked for bugs. This way you prevent a lot of suffering for your customers."

Our co-owner Mathe Grippeling was recently interviewed by Centraal Beheer about our absenteeism insurance with the insurer. He says about this: "I think absenteeism insurance is an important insurance if you have employees". You can read the full interview here .

Today we celebrate Social Media Day. On such days, it is especially important to prioritize your online safety and be aware of security measures you can take to better secure your social media. Below are some tips:

1. 𝟭. Use strong passwords: As always, it is important to use unique and complex passwords for all of your social media profiles. Avoid reuse and use two-factor authentication where possible.
2. 𝟮. Be alert for phishing: Be careful when opening suspicious links or sharing personal information through messages.
3. 𝟯. Check privacy settings:Regularly check the privacy settings of your social media profiles and limit the visibility of your personal data.
4. 𝟰. Stay up to date: Make sure your apps are up to date, as updates often include important security patches that protect you from known vulnerabilities.

CAPSLOCKS DAY WAS CREATED BY SOFTWARE DEVELOPER DEREK ARNOLD TO REMIND PEOPLE THAT NOT EVERYTHING NEEDS TO BE TYPED IN CAPS!! BUT DO NOT USE CAPS LOCK WHEN LOGGING IN, BECAUSE YOUR PASSWORD WILL NO LONGER WORK.

Emirhan Sarikaya will join us on 1 July. He would like to introduce himself:

"My name is Emirhan Sarikaya, a 21-year-old cybersecurity specialist with a passion for Web application pen testing, API testing and discovering vulnerabilities in cloud solutions, such as AWS, GCP and IBM Cloud. In addition, I am also very interested in exploring AD & AAD. My expertise includes a wide range of complex technical skills and in-depth knowledge of security mechanisms. With a keen eye for detail and an unparalleled dedication to finding vulnerabilities, I am determined to protect systems and data from potential cyberthreats. I have built myself learned these skills over the years, so I consider myself an autodidact in this field."

Welcome again, Emirhan!

Calvin Hendriks will join us on 1 July. He would like to introduce himself:

"My name is Calvin Hendriks and I will soon be joining Cyber4Z as a Security Consultant. Over the past 3 years I have fulfilled various roles as a consultant. From SecDevOps to Mystery Guest visits and Phishing campaigns. During this time I also developed a passion for pen testing and ethical hacking. At Cyber4Z I get the opportunity to further develop myself in this area. I am therefore very much looking forward to taking on new challenges together to make the IT environment of customers a bit safer."

Welcome again, Calvin!

Supplier management starts with selecting suppliers and making agreements with them. It is important to work on this because bad agreements can have major consequences, because it is not clear who is responsible for it. Our security consultant Yu-Mei Liebregt tells us exactly what it means and what risks are associated with this topic. “How dependent do you want to be on your supplier?”

As already mentioned, supplier management starts with choosing suppliers. “You have to identify which potential suppliers are within range and meet certain criteria. Think of quality, security, price, reliability,” according to Yu-Mei. After choosing the supplier(s), the real work starts. “You have to discuss what the supplier is responsible for and then document this clearly. Then think about what you as a customer want in terms of response times or uptime. If this is not clearly defined and contractually concluded, this can have consequences if a problem arises between the parties where it is not clear where the responsibility lies.”

Monitoring and evaluation

Suppliers should then be monitored and evaluated to ensure expectations are the same on both sides. “You want to keep a grip on your suppliers by monitoring their performance. Set predetermined objectives and criteria for the supplier and also record these in the contract,” says Yu-Mei. “That way you won't be faced with any surprises afterwards.” In addition, monitoring and evaluation also includes identifying new shortcomings, evaluating possible incidents at the supplier and taking measures to prevent or reduce negative effects (mitigate) when necessary. “You can't have every situation on paper in theory. Sometimes it is also good to see what happens in practice, evaluate this and adjust or expand the agreements on paper. It is a continuous process, in which relationship management with the supplier also plays a role,” says Yu-Mei.

Risks

However, there are also risks in supplier management. “You want to work securely and you also want to pass that on to your suppliers. Your supplier probably has data from your company such as personal data or confidential information that you would like to have protected.” That is why it is important that your supplier also takes security measures to protect your data.

“Another risk that comes with this is: how dependent do you want to be on your supplier? If the supplier has an incident that prevents them from delivering, what consequences will this have for the provision of your own services? Think about this in advance when hiring a new supplier and make good agreements in this area as well,” advises Yu-Mei. Business continuity plays a major role in this. Another measure to mitigate this risk is to have alternative suppliers or work with multiple suppliers.

In addition, Cyber4Z can help with effective and safe supplier management by checking contracts and performing tests at the supplier if desired. For more information, please contact us via the contact button at the top right of this website.

On April 23, we celebrate the Day of the English Language and the birthday of the greatest writer in English literature, William Shakespeare. It's a day to reflect on the power of language and communication in our lives and in our work.

As a cybersecurity company, we understand at Cyber4Z how important it is to communicate effectively and understand what's being said, especially when it comes to protecting sensitive information and preventing cyber attacks. A good command of the English language is therefore crucial in our field. Let's take a moment today to reflect on the influence of language in our daily lives and how we can use it to convey our message even more effectively. And let's not forget to raise a toast to the man who gave us and the world so many beautiful words: Happy Birthday, Shakespeare!

Supplier management is the process by which companies manage their relationships with suppliers and other external parties to ensure the efficiency, quality and safety of their products and services. Unfortunately, we often see that the process between the two parties does not go well: there is a lack of clarity about who has what responsibilities and who should carry them out. We will discuss this with our IT auditor and security consultant Rob van den Heuvel. "Discuss with suppliers about what can be improved."

Effective supplier management requires an in-depth understanding of the relationships between companies and their suppliers, as well as an in-depth understanding of the risks and challenges associated with working with external parties. “We see that customers rely more and more on their suppliers, for example in managing servers, back-up and redundancy measures. But also a bit of office & network management,” says Rob. This means that a supplier has an important role in guaranteeing the (information) security for the customer. It does not mean that you as a customer are no longer responsible for the underlying risk and the measures taken for it (purchasing services from a supplier). “But we often see conflicts or shortcomings arise because there is a lack of clarity about what the responsibilities of the customer are and what is the responsibility of the supplier. Nowadays you see that instructing and monitoring suppliers is becoming increasingly important, especially because this is now also reflected in, for example, standards frameworks such as ISO27001.”

How do I instruct and monitor IT suppliers?

It is important to be aware of agreements and to maintain regular contact with suppliers. These conversations must be conducted on the basis of measurable performance indicators. Outsourcing IT also involves risks. It is important to identify these risks and then determine which risks need to be reduced with mitigating measures. One of these measures is to be aware of agreements with suppliers and to maintain regular contact with them. For example, the High Tech Campus became fell victim to a hack at the access card supplier.

SMART SLA

In addition, it is good to have a Service Level Agreement (SLA) with a supplier in which concrete measurable (SMART) agreements have been made about the quality and availability of the service and the way in which information security is guaranteed.

Cyber4Z can support supplier management. “We can support supplier management by, for example, visiting suppliers and checking whether they comply with the agreements in the contracts. In addition, supplier management is also explicitly included in the ISO 27001 implementation and the associated audits.” This means that Cyber4Z can also help to better organize the supplier management process. “We map out the most critical suppliers and set up a process for periodically assessing the service and level of information security at these external suppliers.”

In short, supplier management is an essential process for companies that want to optimize their products and services and have chosen to rely on external suppliers. Supplier management aims to reduce the risks of outsourcing to external relations. By setting clear expectations and standards, monitoring performance and implementing proactive risk management, companies can better manage their supplier relationships and improve their overall efficiency and safety.

In the modern world, web applications have become indispensable for performing various tasks. Be it online banking, online shopping or social media, we rely on web applications to make our daily lives easier. However, it is important to take the security of our web applications seriously to protect our data and personal information from cyber threats. Here are 10 practical tips to make your web application more secure:

1. Use a strong password policy. Using a strong and unique password is one of the most important ways to protect your web application from unauthorized access. Make sure you change your passwords regularly and use two-step verification.
2. Make use of encryption. Encryption ensures that data exchanged between the user and the server is encrypted and cannot be read by malicious parties. Always use strong encryption protocols such as SSL or TLS to secure communication between the user and the server.
3. Validate the entry. Validating the user's input is important to ensure that only valid and secure data is processed by the web application. This prevents attackers from injecting malicious code into the web application.
4. Restrict access. Restricting access to certain parts of your web application based on users' roles and permissions is an effective way to prevent unauthorized users from accessing sensitive information.
5. Secure your server. Make sure your server is protected against attacks and unauthorized access. Regularly install updates and patches to close security vulnerabilities.
6. Use secure sessions. Use secure sessions to verify users' identities and encrypt their session information. This prevents attackers from hijacking sessions and accessing the web application.
7. Limit the number of error messages. Limiting the number of error messages displayed on your web application prevents attackers from gathering information about the security of your web application.
8. Keep your software up to date. Make sure you regularly install updates to the software used in your web application to fix security vulnerabilities.
9. Conduct regular security audits. Perform regular security audits to test and improve the security of your web application.

In conclusion: It is important to take the security of your web applications seriously. Do you need help with this? Please feel free to contact us at [email protected].

Get ready to join CISOs, security executives, practitioners, and experts for3 hours packed with 10 hands-on thought-provoking sessions to gain:

• Know-how on identifying, assessing, and managing threat exposure to reduce security risk and maximize cyber readiness
• Latest trends and best practices in cybersecurity from professionals who are setting the standards globally
• Practical perspectives on exposure management from hackers turned researchers, and security leaders and analysts
• CPE credits

Got excited? Claim your spot here: https://xposure2reg.pentera.io/?utm_source=partner&utm_medium=Cyber4Z%20B.V&source=partner&medium=Cyber4Z%20B.V

On every second Tuesday in February, the whole world celebrates Safer Internet Day. This is an annual campaign to raise awareness and provide education on how to be safer online. The aim is to bring children, young people, parents, teachers, police and industry together to make the online world a safer place for everyone.

In a world where more and more activities are taking place online, it is more important than ever to be aware of the dangers of the internet. Children and young people are particularly vulnerable and can become victims of cyberbullying, sexual exploitation, identity theft and other online dangers. Safer Internet Day is therefore supported worldwide by governments, non-profit organizations, industry and the media. In the past, Cyber4Z gave a presentation at the Eckartcollege high school about cybersecurity and how important it is to start early.

Safe online behaviour

Safer Internet Day aims to help children and young people understand how to behave more safely online. This includes limiting sharing of personal information, refusing to meet strangers you've met online, and always being alert to online threats.

Talk about it

Parents, teachers and other adults can also help by talking about online safety and making sure children and young people are aware of the dangers of the internet. This also means that adults need to be aware of the online activities of children and young people and always be on the lookout for any sign of cyberbullying or other online dangers.

In summary, Safer Internet Day is an important campaign to improve the online safety of children and young people. By raising awareness and providing education, we hope to create a safer online world for everyone. Let's work together for a safer internet for all children and young people.

In 2023 we have big plans: we are going to the largest and annual hacker convention DEF CON in Las Vegas, Nevada from August 10 to August 13. Here we hope to learn new things and gain new experiences within our field. We are already looking forward to it!

In case you have been on any social media platform in the past week, most probably you have come across pictures produces by the new mobile application, Lensa AI. This is a photo-editing app available for IOS and Android users, where uploaded selfies are transformed into avatars. The app allows the user to retouch their photos, change the background, or modify it to fit into different time period art currents.

Nevertheless, as nicely as it sounds, this app does not come without any privacy concerns, which may easily be overlooked by the common smartphone user, eager to jump on this trend as well. Therefore, we thought it would bring a benefit to explain these concerns in a simple manner, and warning potential users of the security risks they expose themselves when using the mobile application.

When reading the documentation of the Lensa app, several red flags may be noticed. While it is stated in section 5 of their privacy policy that the pictures collected from users are not used for other purposes than for applying the relevant filters, in the Terms of Use of the application it states that by using the app, you grand ‘a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable, sub-licensable license to use, reproduce, modify, distribute, create derivative works of your User Content’, for advertising, commercial purposes, as well as for training of the AI. Moreover, in order to use this app, a 1 use fee needs to be paid, and in return you receive 50 edited imagines, based on the photos that you have uploaded. However, the tool used for these edits is a tool developed by Prisma Labs, which owns the Lensa app too. In essence, when using this app, you are offering a company free training for their AI, which helps them further develop and improve their product, as well as creating free advertisement for them. All that, in return for 50 edited avatars.

Lastly, there is a social concern which condemns the implication of artificial intelligence in face recognition practices, as it creates high risks of IP theft, as well as identity theft. The boundaries of ownership for the usage of this application are still ambiguous, leaving room for too much interpretation with regards to whom may use the images after they have been created. If you have already used the application and you are worried that your data may not be used in an ethical way, you may send an e-mail to [email protected] and you may ask for your collected data to be deleted. Additionally, if your pictures are used in advertising, you may send an e-mail to [email protected] and you may revoke that permission. It is important to create and maintain a secure and ethical environment on the internet, especially when it comes to our facial data.

3 out of 5 Dutch people use the same password for multiple online services. Also in organizations in the Netherlands the password policy is not always in order and a variation of Welcome with a special character and a year number is often used.

On 'Change your Password Day' it is extra important to be aware of your password. We can help with this by introducing a password policy as part of the ISO 27002 implementation. Want to know more? Contact us at [email protected].

The new ISO 27001 standard was introduced at the beginning of October. This means that companies need to be compliant with improved and new standards, but what exactly does this mean for them? At Cyber4Z we are busy with the process of providing our current and new customers with appropriate advice.

It is new for many organizations that the ISO 27001 standard is being updated, making it unclear what exactly they should do. At Cyber4Z, we can remove this ambiguity by making a GAP analysis between the current state of the ISMS 2013 and ISO standard 27001 2022. This then produces a clear list of tasks that need to be done, so that the gap can be closed. For our new customers we immediately implement according to the new ISO 27001 2022 standard, to ensure that they are also compliant.

In this way we give our customers a pleasant and secure feeling. Interested in becoming ISO 27001 compliant? Please contact us at [email protected].

In addition to internet.nl, the Digital Trust Center (DTC) also uses the security.txt file to find contact details in response to vulnerabilities they receive.

Adding this record ensures that found vulnerabilities can reach you. How to add the security.txt record to your external servers is described here: https://www.digitaltrustcenter.nl/securitytxt. You will also find a video that explains security.txt in one and a half minutes in Dutch.

Yesterday we hosted our Ransomware Ready webinar with Matthijs Nelissen, Anders Larsson and Hardeep Singh. Using the Pentera automated validation platform, Hardeep took us step by step through a ransomware attack and how to validate this.

Thanks to Anders for the introduction and Hardeep for the great demo!

For anyone interested, it is possible to view the recording on Youtube.

Taking information security to a higher level: that's what it's all about during the ISO 27001 certification process. Cyber4Z can help with the process by performing certain activities (such as a risk assessment or a stakeholder analysis). Our security consultant Morrison Toussaint tells us more about it.

When a company wants to be certified for ISO 27001, it is important that the processes and procedures stated in the standard are implemented. “This concerns, for example, risk assessments, a stakeholder analysis or a management review. These are all activities that should contribute to a higher level of information security. I make these myself at companies, so I'm not just working on support during the audit for ISO 27001,” says Morrison. But how exactly does such a process start? “I start with a gap analysis. This is basically a questionnaire in which the aim is to find out what a company still has to do to meet the requirements as set in ISO 27001. This then results in action points that I will tackle and implement together with the organization."

In addition to the work for ISO 27001, he is also involved in other ISO standards. “There are also other standards such as ISO 9001 on quality management, ISO 22301 on business continuity management and 31000 on risk management. Those are also frameworks that we implement again.”

Getting acquainted

To start with an ISO 27001 it is important to get acquainted with a company. “I always start with a conversation about the company. For example, I ask about the organizational structure, whether IT is outsourced and how many people work there, so that I get an idea of ​​the organization. With all the information I can make a gap analysis which is the first step to achieve certification.”

This is followed by a stakeholder analysis, in which all stakeholders are mapped. “For example, it becomes clear that a company outsources it's IT activities to an IT administrator. I can talk to the IT manager, because sometimes a contract has to be adjusted in order to comply with the ISO standard.” Because of these conversations, it can sometimes take longer before an ISO process is completed. “But it's also because we don't just deliver documents to organizations, but we actually help implement things. This can be, for example, the implementation of mitigating measures, which are identified during the risk analysis.”

A positive trend

In recent years, information security has become an increasingly important topic due to cyber incidents that reach the media amongst other things. “In recent years you have seen that a company wants to be ISO 27001 certified because one of their customers asks for it. Now you see that these companies also expect their suppliers to have an ISO 27001 certificate. It is actually a snowball effect where one implementation leads to multiple implementations at other companies. That is a positive trend, because that way you ensure that the entire chain becomes safer.” That is why Cyber4Z is receiving more and more requests to help with ISO processes.

In short: Cyber4Z not only supports during the ISO audits, but also helps with the entire process around it. Want to know more? Send us an email at [email protected].

Recently, Omroep Brabant worte an article about Cyber4Z concerning a cyberattack on a dental organization. This article was written by Dit artikel is geschreven doorSven de Laet. It was also discussed in a broadcast of Brabant Nieuws on Thursday 11 August (fragment starts at 4:10).

Dental organization Colosseum Dental paid a ransom of about 2 million euros to end a cyber attack. Sounds intense, but it is increasingly common for companies to go overboard. This is also what Rob Mellegers of the Eindhoven company Cyber4Z sees. He regularly negotiates with hackers. "Unfortunately, it is a growth market."

Mellegers does not know exactly who he is talking to. But he regularly has conversations with hackers, who want ransom. "Companies approach us when they are attacked. How do they know that they have been hacked? You soon find out that you can no longer use programs."

At such a moment, Mellegers and his colleagues spring into action. That communication often runs smoothly. "You will be sent a link, which will take you to a secure portal. Sometimes you can just talk to each other, as if through a kind of crypto telephone."

Mellegers' task is clear. "Make agreements with the hackers on behalf of the hacked company. Sometimes there is room for negotiation. They are very open about that. Those criminals also know exactly what they can ask of you. They have looked up your turnover for a long time, so they can also estimate whether haggling is really necessary."

But isn't it strange to chat with such a hacker? "Somehow, because you know that they have done something that is not right. But I am mainly busy limiting the damage for my client. The conversations are often very friendly. They are nice to me, I to them. It is best to make agreements, for example about paying in installments, so that you know that they actually return data."

Because that's the risk: will the hackers give that data back? "It is of course possible that they sell the data or make it public. But in general it is much more useful for them to be reliable. If they do not deliver once, everyone will know immediately. Then it makes no sense for the next hacked company to pay."

Paying is happening more and more often. "Also because the measures at companies are getting better and better. Hackers are therefore able to steal less data, which means that it also involves smaller amounts." And while ransom transfers are strongly discouraged, Mellegers can imagine paying it. "A company is the only one able to assess the impact, damage and consequences if that data ends up on the street."

Incidentally, it is not the case that companies transfer the ransom quickly to avoid negative publicity. "The moment you are hacked, you are simply obliged to report it to the Dutch Data Protection Authority."

It doesn't look like Mellegers' agenda is getting emptier any time soon. "Unfortunately, hacking is a growth market. Am I not doing my job properly? Well, you are never completely safe. It is and remains the fault of the hackers themselves."

Harrie van den Boomen joined Cyber4Z as an accountmanager on July 18. He will mainly focus on acquiring customers for our subsidiary Neoforce. Welcome Harrie!

At our new location we have a bigger office with more workplaces. We also have our own meetingroom where we can meet with our cliënts. We can't wait to work at our new office!

Each staff member may donate €100 per year to a social cause in the name of Cyber4Z. Think of a sports association, a good cause or someone who is committed to a good cause. The following charities have received a contribution in recent years: Justdiggit, Giro 555 for Ukraine, Trees for all, Ronald McDonald Huis, Leev in collaboration with the Pay it Forward foundation, Veldhoven Zoo, Zevenhoek Foundation, the Sterk voor Dieren foundation and Goodwill.

Use our cars

We are also concerned with the environment and how we can reduce our emissions. For example, half of our fleet is electric with brands such as Kia, Jaguar, MG and Tesla. However, we don't stop there. We also use our cars for various charities. In 2018 people were picked up and brought home after a Christmas dinner for lonely people, in 2021 one of our Teslas was used to transport ICU nursus to and from work for free and in 2022 people were brought home in a Tesla with a contribution of €1,000 has been realized for Ukraine.

What is exactly a DRP?

“In a DRP you take the steps you want and need to continue in the event of a disaster. Depending on the service, a DRP may differ. Basically, a DRP is about how to respond and reduce the impact of a disaster. This often concerns the infrastructure of your organization, i.e. the servers and laptops that may have been hacked.”

What's in a DRP?

“I use a template that contains elements that apply to each DRP, such as the composition of a crisis team, critical components, concrete recovery steps, crisis communication and contact details of the people involved. The rest of the content depends on the type of service and the size of the company. A company that offers software must take different measures than a company that makes machines, for example.”

What is the added value of a DRP?

“The added value is that you are prepared for a calamity. You have thought about critical parts and steps to take in advance. With such a plan you can actually respond as efficiently as possible to a calamity and you can limit the damage as much as possible. Think of financial damage or reputational damage. It is important that you test the plan every year and adjust it where necessary, so that you are always well prepared.”

Also ready for a DRP? Please contact us for the possibilities.

Do you often have to deal with the GDPR in your daily work?

“Actually, I think all of us have to deal with the GDPR in our daily online activities. Especially during the pandemic, we moved our social life online. We spend more and more of our time on different websites and online applications. With that, we have the pop-up cookies that appear on our screen. We always need to agree or consent. It is very broad, but the GDPR is always there.”

What is your opinion on the GDPR?

“I think the GDPR is actually the realization that the internet is becoming more and more important in our lives. I feel like it was understood that we need to be very careful with what we share online and with our data because it holds a lot of value. I think people are starting to realize the value, especially when you are a victim of a scam online. Then you realize how much you put out there and how important it is to protect it.”

Do you think the GDPR has improved cybersecurity in the last four years?

“Yes, I do think that because the GDPR is making it mandatory for more and more companies to respect. Before the GDPR we used to have a directive (Directive 95/46/EC) but that directive was not as clear and viewed as important as the GDPR is viewed now. With the GDPR, the rules aren’t new but the force to be compliant is.”

What is your vision for the future regarding the GDPR?

“I hope at least that more and more companies will be more compliant. Even though the GDPR has been around for four years, we need to understand that it required a very big change from companies and that it takes time to implement those changes. Right now, I think it’s important to help those companies to change and then look if new rules are needed. And I hope people will realize soon that things on the internet are never gone and that we need to be as careful with those things as we are with important physical things like a passport or ID-card.”

The Beroepenavond or Profession evening means that students at Eckartcollege can attend presentations by several different professionals and learn about them.

With his phone in his hand and a screen on the wall, Rob showed the class a few visible network vulnerabilities that you try to hack (ofcourse you should never do that without premission). According to Rob, the most important thing is to show that cybersecurity doesn't have to be complicated at all: "With the push of a button you already have insight into the security." Several students hung on his every word. " I was pleased to see that a large group of students is interested in the fields of ethical hacker and cybersecurity consultant. And that the students, who have to make a career choice, found it very interesting to see what I can do and how I do it." According to Rob, it is important to start with cybersecurity early. “The sooner you start, the sooner children can recognize dangers in their own behavior and that of others. That can come in handy later on.”

Developments in the field of cybersecurity are moving at lightning speed: almost every day new applications are available or new vulnerabilities are revealed. It's like a train that keeps going, that you want to sit on. By regularly organizing knowledge sessions, we ensure that we stay up-to-date and learn new things.

Would you also like to teach us something new? Please contact us at [email protected].

'Hello! My name is Bart and I am an eager to learn as a cybersecurity starter. I live in 's-Hertogenbosch with my girlfriend. When I'm not working, I like to exercise outside in the form of running or cycling. I have gained experience related to security during my training at the Royal Military Academy. My goal is to extend this experience with cybersecurity knowledge, so that I can help the customer solve their issues. 'Welcome Bart! We wish you lots of fun!

Today Ben Willems starts his first workday with us. He would like to introduce himself: I am a pragmatic security consultant with a strong technical background in software design, electronics engineering and computer science. My experience includes diverse set of projects on hardware-software co-design, such as safety-critical automotive software and secure embedded systems. Ultimately, my goal is to use my experience to address the technical challenges of our customers with custom security solutions.