Court reports dissected: Information security in our municipalities.

Discover the most common IB&P weaknesses within Dutch municipalities. What are we paying attention to and what lessons do we learn from audit reports?
It was an average working day for Pauline, the CISO of a medium-sized municipality, until an e-mail interrupted her work: ‘Announcement of Court of Audit Study: Information Security and Privacy’.

She set down her cup of coffee as she processed the message. “Are we really prepared?” she asked herself, reflecting on the mountain of procedures and protocols her team had rolled out.

For Pauline’s sake, let’s hope so. 🤞

Every Dutch municipality can be scrutinized by the Court of Auditors. After an in-depth analysis of a dozen audit reports from recent years, in this article we highlight the most common weaknesses in information security and privacy within Dutch municipalities. We also provide tips on how your municipality can prepare for such a study.

Analysis of court reports

In recent years, courts of auditors in the Netherlands have paid increasing attention to information security and privacy. Intriguingly, a striking trend emerges from these reports, painting a clear picture of what is going well and where improvements are needed.

An accountability study – What to expect?

The process for conducting an audit of information security and privacy varies. Court reports are prepared both internally by the Court of Audit itself and externally by hired specialists or organizations (such as Hoffmann, Secura, PBLQ or KPMG), depending on the needs and capabilities of the Court of Audit.

Every study begins by establishing the objectives and scope. Although each court of auditors or external party formulates it in its own way, the primary purpose of an investigation is to evaluate the efficiency and effectiveness of information security within the municipality. This is often assessed based on several sub-questions, including: the municipality’s information security goals and policies, compliance with legislation, accountability of measures, continuity of information systems, availability of adequate resources, quality of digital and physical security infrastructure, and risk management. It also assesses the degree of accessibility of systems to unauthorized persons.

It further analyzes whether officials and employees are sufficiently aware of information security and privacy risks and rules and whether they act in accordance with these rules. Ongoing information security development projects within the municipality are also examined.

It is important to note that each research question and scope will vary depending on the specific needs and context of the municipality in question.

What is going well?

After carefully studying a series of court reports, certain repeating trends emerge. First, let’s look at what does go well within Dutch municipalities.

Up-to-date policies: In general, municipalities appear to have current and robust information security policies, coupled with often equally thoughtful privacy policies. To support this, most municipalities have also streamlined and optimized processes and protocols. For example, the IB&P research report by the organization Hoffmann on the Municipality of Helmond states the following: “The municipality has an adequate information security policy and it has made a start toward practical and operational operation in practice.” This trend also emerges in the following report: “The study shows that the information security policy and the organization around information security at the municipalities are basically in order. Most related parties have established an information security policy that is periodically updated.” (The Court of Audit Commission (RKC) Wassenaar, Voorschoten, Oegstgeest and Leidschendam-Voorburg (WVOLV), 2021)

Technical Security: Municipalities also appear to be generally compliant with technical standards for information security. This means that they have implemented systems and technologies designed to protect sensitive information from threats. “In general, it can be said that the municipality has secured processes and information systems in accordance with the applicable standards frameworks (specifically the BIO)” according to the Audit Committee of the Municipality of Hardenberg (2022).

Proactive planning and improvement: Municipalities are also taking proactive steps to improve their information security. This is reflected in the development of annual plans and improvement plans, as well as concrete intentions to improve and strengthen security measures. “Where improvements are possible in taking security measures, the municipality has generally secured them in annual and improvement plans, in ongoing actions or in concrete intentions.” (Court Committee Hardenberg, 2022)

Where are there still gains to be made?

Although the first impression seems positive, regarding the assurance of information security and privacy within Dutch municipalities, reality presents a more complex picture. There is still considerable room for improvement, especially in the areas of awareness and implementation.

Most of the reports reveal a lack of awareness about information security and privacy among employees. “Employees often do not know how to handle information securely and are unaware of the risks of cyber-attacks.” (Court of Audit Nijmegen, 2020) Many municipalities recognize that increasing employee awareness and training is an ongoing concern. This involves not only awareness of information security and privacy policies, but also practices and behaviors that support those policies. This is also evident in the Utrecht Court of Audit study (2021): “The mail-phishing test shows that a significant proportion of employees (16-19%) are not always aware of information security. Also, employees do not always seem to know how to handle security problems and incidents.” So municipalities are mostly aware of this, as the Doetinchem Court of Audit report (2023) shows: “The municipality has indicated that it is mainly people who cause security incidents, not technology. This is why the municipality has been working to raise employee awareness. An awareness campaign was conducted and employees were trained.”

So how is it that Dutch municipalities underperform in this area, despite the fact that most of them are aware of it and have an awareness program in place?

What goes wrong?

Digging through the reports reveals several underlying reasons:

  • Insufficient top-down assurance of Information Security & Privacy (IB&P): Policies and guidelines do not always permeate the shop floor.
  • Insufficient (effective) policy communication: Employees are often insufficiently aware of behavioral guidelines.
  • Unclear division of duties and responsibilities: This leads to confusion and ambiguity about the roles and responsibilities of employees.
  • Insufficient awareness: Employees often lack understanding of the severity and scope of cyber attacks.
  • Insufficient visibility of secure behavior: It is often unclear how securely employees act in practice.
  • Low digital skills: Technological developments place new demands on employees’ skills.

A crucial nuance is needed in interpreting these findings. The reports also highlight frequent staff shortages that place an additional burden on current employees, often resulting in insufficient attention to the human side of information security and privacy, both within the IB&P department and on the shop floor. In addition, many of these studies were conducted during the coronavirus period, a time when a rapid transition to working from home was necessary. These changed working conditions brought new risks and challenges that put further pressure on information security and privacy.

Nevertheless, the continuing trend remains an urgent issue. It is a problem that must be addressed quickly and adequately if our municipalities are to be robust and resilient in the digital landscape, personal data remain adequately protected, and citizens can confidently use municipal services.

Well prepared for an upcoming court inquiry?

Do you feel fully prepared yet? Great, nice work! If uncertainties remain, our Approach to Digital Intuition may be able to help. This integrated approach is aimed at achieving a profound cultural and behavioral change within your organization. Through behavioral measurement, interactive learning concepts, leadership coaching and targeted communication actions, together we strive for sustainable change and awareness.

We offer customized solutions to fit your organization’s culture, ambitions and current level of resilience. Whether you want to take charge of the change programs yourself with our guidance, or be completely relieved by our team of experienced consultants, we are here to help.

If you want to brainstorm or have questions about an (upcoming) Court of Audit study, contact Evert, our senior cyber consultant!
