Prepare for a cyberattack: schedule a cyber training!

Cyberattacks pose a growing risk to libraries, museums, archives, theaters, and other cultural institutions. Proper preparation goes beyond technical measures alone. With cyber training and realistic simulation exercises, you and your colleagues can learn to recognize risks and respond effectively to a cyber incident. 

According to Milou Dekker, crisis management advisor at the KB, the national library, cybersecurity should be as natural as other workplace training. But how do you ensure that such cyber training truly has an impact? 

9 minutes | 1 Jun '26

The KB is a versatile organization: the national library not only has a very large book repository but also houses a massive physical collection. Additionally, the KB offers various services, such as Delpher, which contains over 2 million Dutch newspapers and magazines available online. 

These all require their own form of protection, notes crisis management advisor Milou Dekker. ‘We must, among other things, comply with the cyber security law. This includes making clear agreements about who has access to what information. You also need to have clarity about who does what when something goes wrong.’ 

How does a cyberattack simulation work? 

Ideally, you don’t dwell too long on the worst-case scenario. Yet libraries are occasionally attacked. For example, the British Library was hacked a few years ago, resulting in lost files. ‘We try to arm ourselves against such situations,’ Dekker explains. ‘We do this, for instance, by training our employees as thoroughly as possible. All KB employees receive awareness training, which teaches them to recognize phishing emails. Additionally, we have a dedicated team that knows what to do when a problem arises.’ 

How can you best prepare for such a problem? One way is through a simulation exercise: a sort of role-play where you act out what happens when faced with a digital threat. ‘One part initiates the problem, for example, by calling the department with an alarming message. Then we observe how employees respond to it.’ 

This role-play is carefully thought out beforehand, Dekker emphasizes. ‘First of all, it must be a realistic scenario: there must be a chance that this problem could occur in reality. It also needs to align with what you want to train, for example, whether employees escalate the issue properly when the problem becomes apparent. Furthermore, it must have a high impact: the problem should have significant consequences. And, of course, the problem shouldn’t be too easy to solve.’ 

DEN Community meet-up on cybersecurity

How do you keep colleagues engaged in cybersecurity? 

Developing such a scenario is often already a very good exercise, Dekker observes. ‘Not everyone is focused on all risks every day. Thinking about them makes you aware of what could potentially go wrong.’ 

Employees often find such exercises quite nerve-wracking, Dekker knows from experience. ‘That’s why we try to make it enjoyable too, for example, by including jokes in the scenario. Additionally, it’s important to create a safe environment: it’s okay to make mistakes; you learn from them.’ 

Her department recently acted out a scenario where someone with malicious intent gained access to the network and important systems. ‘Such a person is often not necessarily looking for information but for money,’ Dekker explains. ‘They often threaten to expose valuable data if you don’t pay a ransom. In such moments, you look for ways to contain the problem. For example, how do we ensure our services to customers remain operational?’ 

Why should you repeat cyber training? 

Unfortunately, this scenario is becoming increasingly common, Dekker notes. ‘All businesses need to protect themselves against it. On the other hand, by doing so, we collectively raise the standard: the more resilient we make ourselves, the harder we need to work together to keep that standard high.’ 

Training like this needs to be repeated frequently: practicing once or twice a year is essential to keep measures fresh in memory. Teams determine what’s important to train, whether related to ICT or marketing and communication. ‘It doesn’t have to be complicated,’ Dekker emphasizes. ‘You can use the experience of other institutions, and the government offers various standard exercises. You can also conduct a crisis exercise through the National Cyber Security Centre (NCSC) or the English National Cyber Security Centre. And simply brainstorming a scenario together can be extremely helpful. Consider it a creative exercise – and cultural institutions often have no shortage of creativity.’ 

Cyber scenarios for cultural institutions 

For each type of cultural institution, the threat of a cyberattack lies in a different area. You could consider the following scenarios. 

Theater: theaters collect a lot of data from their visitors and thus possess a great deal of privacy-sensitive information. What do you do when a data breach comes to light? 

Museums: museums often house valuable objects. What do you do when someone gains control over your security systems? 

Festivals: what happens when your cash register system suddenly stops working or your website goes down? It’s important to act quickly in such situations. 

What makes a good scenario? 

Want to create your own scenario? Consider the following criteria. 

Choose a realistic scenario. Practice with a situation that could realistically occur in your organization. 

Define your goal. What do you want to test? Focus on communication, decision-making, or technical knowledge.  

Ensure impact. The scenario should have consequences; otherwise, people learn less.  

Don’t make it too easy. A good exercise requires thought and collaboration.  

Create a safe atmosphere. Ensure an open environment where everyone can learn.  

Involve different teams. Cyber incidents often affect multiple departments simultaneously.  

Evaluate together. Discuss what went well and what could be improved afterwards.  

Which parties can you hire? 

There are many different parties that can help you with a cyber crisis exercise. Consider Northwave, Fox-IT, Berenschot, and Bureau Veritas. You can often choose between a cheaper standard exercise and a larger, fully simulated exercise with a custom scenario. 

Getting started with cyber resilience 

  • Organize at least one cyber crisis exercise per year.  
  • Involve different departments in the exercise.  
  • Choose a realistic scenario that suits your organization.  
  • Evaluate afterwards what went well and what could be improved.  
  • Use existing exercise scenarios from organizations like the NCSC. 

Work on a secure digital foundation during our online workshop!

Cyberattacks are increasingly common in the cultural sector. Organizations face phishing, ransomware, and data breaches. During our online workshop 'Cybersecurity in the cultural sector,' you’ll work through four clear steps to develop an action plan for a secure digital work environment. You’ll receive immediately applicable tools and take the first steps toward a digitally resilient organization.
