How the province of Gelderland helps 42 municipalities become cyber resilient

Raising the cyber resilience of Gelderland municipalities

Cybercrime is a growing challenge, also for Dutch municipalities. The province of Gelderland wanted to help municipalities in the province raise their cyber resilience. They did so in partnership with Secura. The project called Troy was a great success. 'Beforehand it was difficult to estimate how many municipalities would participate, so we are very happy that 42 municipalities signed up. This shows that the interest on this subject is enormous,' says project leader Marjolein Zeeman of the province of Gelderland.

What is project Troje?

'Project Troy is a cyberchallenge in the province of Gelderland,' says Marjolein Zeeman. She works as a project leader for resilience at the Province of Gelderland and supervises projects to fight criminal subversion in the province. 'The main goal was to raise awareness about cybercrime. We can see, like everyone else, that cybercrime is increasing enormously. We wanted to do something about that.'

Baseline measurement as a basis

The challenge, which ran until the end of 2023, consisted of two parts, Zeeman explains: 'We offered the municipalities that wanted to participate - participation was voluntary - a baseline measurement. In six areas, their current level of cyber resilience was tested. Municipalities were then given recommendations on what could be improved based on what was found.' These baseline measurements were conducted by Secura.

Floris Duvekot of Secura explains what was measured: 'We measured, for example, the state of technical and process security. But also how the employees of the municipality dealt with security. During one of the measurements, one of our ethical social engineers tried to break into the participating municipalities. This allowed us to test the physical security of the town hall and the awareness of employees.' The three municipalities who had top scores on security won a red teaming assessment - or actually a red cell, a compact version of red teaming, Zeeman says. 'Those municipalities - Aalten, Arnhem and Doesburg - were completely vetted by Secura.'

Huge need

Beforehand, Zeeman did not know how many municipalities would sign up for the challenge: "Gelderland has 51 municipalities. But whether 1 municipality or 51 municipalities would participate was unknown in advance.' That made the preparation and bidding for the project challenging. 'We never expected that 42 municipalities would sign up: that's more than 80% of the municipalities in Gelderland. That indicates that the need in this area is enormous. We are very pleased that we have been able to help so many municipalities take a step towards increasing their cyber resilience.'

Point of contact: CISOs

Zeeman and her team chose to approach the CISOs of municipalities in Gelderland as the point of contact for the project. 'They feel the urgency of this issue like no other. They can also best communicate this to the rest of the organization.' Inviting all the CISOs of the municipalities personally was an intensive job, but we managed: 'In the end, we spoke to all the CISOs 1-on-1 to answer questions. They were also present at the kick-off meeting. So a great side effect of this project was the formation of a network of CISOs from municipalities in Gelderland.'

Cooperation with Secura

After Zeeman and her team had approached all the municipalities in Gelderland, municipalities had signed up, and all the safeguard documents and processing agreements had been arranged, Secura took over the implementation of the project. 'I enjoyed working with Secura very much,' says Zeeman. 'The team handled it well.'

Project leader Floris Duvekot of Secura says of the collaboration, 'Because the province supervised the start of the project and had done so much preliminary work, the municipalities had enough time to apply. This also gave us time to properly prepare the baseline measurements. By discussing progress with the province on a monthly basis, the cooperation was very transparent. What was unique about this project was that the province had no access to the findings of the baseline measurements. Their role was completely facilitative. I greatly appreciated the mutual trust in this collaboration.'

Do's en don'ts

Zeeman receives many questions from other provinces and organizations about this project. 'I usually say: just go ahead and do it. We have seen that there is a tremendous need for sharing knowledge on this subject.' Zeeman advises:

• Invest in personal contact with CISOs and others involved. 'This takes time, but is well worth the investment. Do not forget to include the board as well, to make the subject really resonate with this group.'
• Take plenty of time. 'This is really necessary with such a large project. We spent a year between starting and closing the bid. Implementation took over a year after that.'

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.