Half of Dutch organizations indicate that they have been the victim of a successful cyber attack

In addition, 60 percent of these companies estimate the risk of becoming a victim of a cyber attack again to be high. This is evident from the Human Risk Review 2023, the annual survey by SoSafe, the platform for security awareness and training.

In addition, the research shows that Dutch companies pay ransom more often than other European companies. Almost 46 percent of Dutch companies have already paid a ransom to cybercriminals. With this, Dutch companies pay ransom more often than companies from other European countries such as Germany (45 percent), the United Kingdom (38 percent) and France (30 percent).

The research provides an overview of current cyber threats and security culture within companies based on responses from more than 1,000 IT security managers in Europe, several interviews with experts and more than 8.4 million data points from the SoSafe security awareness platform.

Professionalization of cybercrime

The results reflect the strong professionalization of cybercrime and the efficiency of the approach in which new innovations are generated at lightning speed. Geopolitical conflicts, the emergence of new technologies, digitization and social changes have led to an enormous increase in the attack surface for cybercriminals. This is also confirmed by the IT security managers within Dutch companies: Most of them agree that the geopolitical situation (72 percent), hybrid working (71 percent), and artificial intelligence (73 percent) in particular exacerbate the cyber threat.

Phishing remains a fixture – with new innovations of emotional manipulation
The vast majority (79 percent) of respondents stated that they see phishing and the emotional manipulation of people as a security risk. SoSafe’s own data confirms that this is a real risk, showing that one in three people clicks on malicious links or attachments in phishing emails. Subject lines such as “Vehicle damage” and “Team invitation” were the most tempting to open, click, and even enter personal information on a website.

Employees appear to be particularly sensitive to social engineering techniques that evoke strong emotions, such as pressure (24 percent), authority (28 percent), or financial appeals (18 percent). These percentages are slightly higher than in the 2021 study.

Malware and the chain

Other successful attack methods included malware (39 percent) and ransomware (23 percent). But attacks via the supply chain are also becoming more common. These supply chain attacks are also seen as a threat by many Dutch respondents (73 percent). The organizations of 19 percent of the respondents have already been the victim of such a supply chain attack. It is therefore not surprising that 81 percent of Dutch respondents believe that their own security depends on the security standards of their partners.

High security awareness

The attention paid to security awareness is reflected in the investment plans of the surveyed Dutch companies: 46 percent of the companies that have already been attacked estimate that investments in security awareness measures will increase over the next eighteen months. While two in three companies say they have a high level of security awareness, creating a security culture is a priority for 87 percent. Top management’s focus on IT security has also increased in more than half of companies (51 percent).

“The rise of professionalized cybercrime is a reality we cannot ignore. With the increasing number of crises and conflicts in our society, there is ongoing uncertainty, fear and stress, which plays into the hands of cybercriminals,” said Dr. Niklas Hellemann, CEO and founder of SoSafe. “Phishing remains the most successful attack strategy in this regard, as it can be customized to victims’ personal information and uses technological advances such as artificial intelligence. It is therefore critical that companies invest in the human factor of information security and support employees in internalizing safe behaviors over the long term. Together we can take on the fight against cybercrime.”

For more information, see the Human Risk Review 2023.