Last year, over 130 organisations participated simultaneously in the Government-wide Cyber Exercise. Former participant Remco Rekoert, Chief Information Security Officer (CISO) at Beverwijk Municipality, reflects on the exercise, shares key lessons, and offers tips.
Rekoert says: “For smaller municipalities such as Beverwijk, participating in the Government-wide Cyber Exercise is extremely educational. We couldn’t organise such a crisis scenario ourselves. In 2020, we participated for the first time with hardly any emergency plans in place. A crisis team was formed, and we documented clear roles and responsibilities for responding to cyber attacks. The exercise also pressures us to keep our documentation and processes in check. I believe it’s crucial that every municipality or organisation should practise to identify areas of improvement.”
Key learnings
During the 2023 Government-wide Cyber Exercise, the fictional municipality of Rommeldam faced a vulnerability in its IT systems. Did Beverwijk manage to make the right calls under pressure? Rekoert shares: “It went well, but the exercise highlighted various internal areas for improvement, such as note-taking and the importance of making quick decisions. It also forces you to confront your own weaknesses. For instance, I need to assert myself more so others don’t overshadow me. There was also some confusion over ICT abbreviations. It’s important that everyone understands what is being said, especially in a crisis. I notice that we improve each year. The first year was chaotic. We talked a lot, and everything was disorganised. Now, we operate with structure and are much better prepared. However, compared to the national level seen in the studio, we still have some way to go.”
Risk awareness
The exercise also provides an opportunity to see how different departments collaborate. The CISO gives this example: “We had some confusion over who was responsible for communicating sensitive information. Practising these situations helps you understand who you’re dealing with since our communications advisor and the ICT department usually do not work together. I think the exercise participants have gained a better awareness of how serious cyber threats are and how quickly things can escalate. But people outside our crisis team don’t notice this. This year, we’re trying to organise something to make our exercise accessible to more colleagues. This will help increase risk awareness throughout the organisation.”
Tips for new participants
Beverwijk Municipality will participate again this year. Rekoert offers tips to other participants: “We always have someone taking notes during the exercise and an observer who writes down his findings. Don’t hesitate to provide honest feedback afterwards, even to senior officials. Constructive criticism helps everyone learn and improve. Also, consider beforehand what you want to get out of it. For instance, in the upcoming exercise, we will give our communications advisor time to draft a press release. This should be done realistically, so we can subsequently have a discussion about it. Remember, the beauty of such an exercise is that nothing can go wrong, regardless of your results. The outcome is always positive thanks to the lessons learned.”
Join in
The Ministry of the Interior and Kingdom Relations (BZK) is organising the sixth Government-wide Cyber Exercise on 4 November 2024. Government organisations can participate simultaneously with a special toolkit. The team of participating organisations will face the same challenges as the crisis team in the studio. For more information, visit the Government-wide Cyber Programme website, where you can also find a masterclass and a range of interesting webinars.