From left to right: Aart Jochem, Bart Pieters, Jos Rippe. (Image: René de Gilde)
Earlier this year, the policy for a mandatory basic digital resilience training was established. The government deals extensively with sensitive and confidential information. Citizens and businesses must be able to trust that this information is handled with care. It is therefore vital that all government employees undergo the training.
The contents of the training are currently in development. Aart Jochem, Chief Information Security Officer (CISO) of the Government, Bart Pieters, Information Security and Privacy Advisor, and Jos Rippe, Project Manager for Digital Resilience, are improving digital resilience. They share insights about the training and its significance.
Understanding digital resilience
Pieters explains, “Digital resilience is about using digital processes and provisions without disruption. This means preventing disruptions wherever possible and ensuring quick recovery if something does go wrong. To achieve this, we apply the PPT Framework: People, Process, Technology. The basic digital resilience training focuses on employees (‘People’) to ensure they are aware of risks and have the knowledge to manage them effectively. ‘Process’: We aim for clarity and ease of implementation. Lastly, it’s crucial that organisations have the appropriate provisions (‘Technology’).”
Importance of training for employees
Pieters adds, “While we can manage and protect many aspects through technology and processes, to enhance digital resilience, employees must be able to recognise certain situations. Additionally, they must know how to handle them. For example, recognising a phishing email. When they know what to look for, they won’t click on it.” Jochem agrees, “Indeed. If employees identify and report such situations, organisations are much better equipped to nip leaks, attacks, or incidents in the bud. That’s why we really need employees. By taking the training annually, you prevent being the cause of a leak or incident. Or better yet, you might be the one who prevents one!”
“Cyber attacks occur daily and are becoming more sophisticated,” Jochem continues. Pieters points to Artificial Intelligence (AI) as an example: “AI is used to carry out increasingly refined attacks. Such developments pose risks, but they can also be utilised to protect organisations. These are developments we need to learn to manage because it’s not a question of if things will go wrong, but when.”
Rippe emphasises the importance of annual training: “These threats are accelerating, and new ones are emerging all the time. Based on such developments, we adjust the training to keep the knowledge current.”
Jochem highlights why it’s important for employees to take the training: “We want to make not only organisations but also employees more resilient. We see them as one of the pillars on which an organisation builds its digital resilience: employees are the strongest link! The training focuses on making the right choices to ensure that all information and data are well protected.” “And it starts with the manager,” Pieters notes. Rippe adds, “We see managers as a target group to be among the first to take the training to set a good example for the staff.”
Training structure
Pieters explains, “We are currently shaping the content. Together with a government-wide working group, we have established learning objectives and collected materials. We are also collaborating with an external party to ensure the training is well-structured.” Jochem mentions, “The government encompasses a wide range of tasks, roles, and people. The Ministry of Defence has different needs from the Ministry of Health, Welfare and Sport. There’s enough room to tailor the training to the specific needs of government organisations.”
Rippe says, “To assist organisations as effectively as possible, we are working on a reference set of questions and answers and an e-learning module. We utilise as much existing material as possible. The Digital Work Environment Conduct Guidelines (in Dutch, Gedragsregeling voor de digitale werkomgeving) serve as the foundation. Organisations can use the reference set and e-learning as a starting point to ensure appropriate training. They can also create their own e-learning and/or use the Learning Management System (LMS) of the Government Academy for Digitalisation and Information Government (RADIO).”
“Some organisations already have a basic digital resilience training. They should definitely continue with it and, if necessary, supplement their training based on the reference set or e-learning,” Pieters concludes.
Training schedule
Rippe notes, “The policy was established earlier this year, stating that organisations must have a basic digital resilience training within a year. We are currently updating the conduct guidelines. Based on this, we will develop the e-learning. We expect it to be ready in the third quarter. The aim is for 80% of all employees to have completed the training by the end of 2025.” Pieters adds that the target is every employee. Realistically, 80% is feasible due to staff turnover and temporary employees.
“Of course, we want the training to be available as soon as possible, but it also needs to function well and run smoothly. Accessibility is also important, to ensure everyone can participate,” Pieters emphasises.
What can employees do now to become more digitally resilient?
Jochem advises, “If you’re unsure about something, report it, even if you’re uncertain. It’s better to report too often than not enough.” Jochem shares that he knows of situations where employees feel embarrassed for causing an issue and fail to report it: “It’s vital to share to prevent consequences. So, the message to you is: Report it to the service desk to strengthen your own and your organisation’s digital resilience!”
If you have any questions about the basic digital resilience training, please email CISORijk@minbzk.nl.