Recent studies by Grant Thornton and Crayon reveal that both the technical and human aspects of cyber resilience are lacking. Dutch organizations are increasingly becoming victims of digital attacks, while both policies and personnel are often still not ready to respond adequately.
One in four companies affected by serious cyber attack
According to Grant Thornton's International Business Report, nearly a quarter of Dutch organizations faced a cyber attack with significant impact in 2024. Another 39% reported attacks with limited damage. Particularly concerning is that 20% of companies do not conduct any monitoring and therefore do not know whether they have ever been attacked. In 13% of organizations, cyber resilience receives hardly any attention at all.
While 64% of medium-sized companies claim to have a comprehensive cybersecurity policy, 28% still work with basic measures only and a quarter primarily react to incidents ad hoc. Smaller companies in particular are a vulnerable link: their limited capacity increases the likelihood of a successful attack, and with it the risk of supply-chain incidents that indirectly affect larger parties.
'The threat is acknowledged, but many organizations still struggle with an approach that truly fits their structure,' says Migiel de Wit-Beets, partner Cyber Risk at Grant Thornton Netherlands. 'Time to wake up.'
Employee is the weakest link and the key to cyber resilience
In addition to the lack of technical readiness, research by Crayon shows that the human factor is also severely lacking. While 83% of employees believe they can recognize phishing, nearly a third admit that they do not report suspicions to IT or a supervisor. Moreover, only 41% of employees know what to do in the event of a real cyber attack. The rest are in the dark, or rely on colleagues.
This poses a direct threat, states Michiel van Egmond of Crayon: 'Employees are the first line of defense. But those who do not know how to act waste precious minutes. That is exactly when cybercriminals strike.'
Despite a high sense of responsibility (62% feel responsible for digital safety), employees often lack concrete guidance on what to do. The combination of overconfidence, underestimation of risks, and lack of training leaves organizations vulnerable to threats such as ransomware, where systems are held hostage and only become accessible again after payment.
Why policy alone is not enough
Policy is necessary, but not sufficient. Grant Thornton emphasizes that cyber resilience is a combination of technology, processes, and human behavior. It requires involvement from all levels of the organization, from management to operational teams. Without this integrated approach, organizations will keep running one step behind the attackers.
Crayon points to the importance of recurring training and realistic simulations:
'Awareness training, clear incident protocols, and phishing exercises ensure that employees not only pay attention but also dare to act and know how to do so.'
What can organizations do now?
There is an urgent need to act, and the solutions are often simpler than expected. Concrete steps to increase resilience include:
- Implement an integrated cybersecurity policy, tailored to the structure and risks of the organization.
- Ensure active monitoring to detect attacks early.
- Train employees on an ongoing basis, not only in recognizing threats but also in how to behave during an incident.
- Simulate scenarios, such as phishing attacks, to gain insight into team responses.
- Embed cyber resilience in the governance structure, with attention at the highest level.
Cybersecurity requires action
The digital threat is real and is increasing in both frequency and complexity. At the same time, many companies are falling short, even when they have policies on paper. Only when policy and human behavior come together does true cyber resilience emerge.