How the province of Gelderland helps 42 municipalities become cyber resilient

Lessons Learned from the Awareness Project "Troy".

> News & Events > Province of Gelderland helps municipalities become resilient against cybercrime

Raising the cyber resilience of Gelderland municipalities

Cybercrime is a growing challenge, also for Dutch municipalities. The province of Gelderland wanted to help municipalities in the province raise their cyber resilience. They did so in partnership with Secura. The project called Troy was a great success. 'Beforehand it was difficult to estimate how many municipalities would participate, so we are very happy that 42 municipalities signed up. This shows that the interest on this subject is enormous,' says project leader Marjolein Zeeman of the province of Gelderland.

What is project Troje?

'Project Troy is a cyberchallenge in the province of Gelderland,' says Marjolein Zeeman. She works as a project leader for resilience at the Province of Gelderland and supervises projects to fight criminal subversion in the province. 'The main goal was to raise awareness about cybercrime. We can see, like everyone else, that cybercrime is increasing enormously. We wanted to do something about that.'

Baseline measurement as a basis

The challenge, which ran until the end of 2023, consisted of two parts, Zeeman explains: 'We offered the municipalities that wanted to participate - participation was voluntary - a baseline measurement. In six areas, their current level of cyber resilience was tested. Municipalities were then given recommendations on what could be improved based on what was found.' These baseline measurements were conducted by Secura.

Floris Duvekot of Secura explains what was measured: 'We measured, for example, the state of technical and process security. But also how the employees of the municipality dealt with security. During one of the measurements, one of our ethical social engineers tried to break into the participating municipalities. This allowed us to test the physical security of the town hall and the awareness of employees.' The three municipalities who had top scores on security won a red teaming assessment - or actually a red cell, a compact version of red teaming, Zeeman says. 'Those municipalities - Aalten, Arnhem and Doesburg - were completely vetted by Secura.'
Marjolein Zeeman

Marjolein Zeeman

Projectleader Troje

Provincie Gelderland

We never expected 42 municipalities to sign up. That shows that the need on this subject is enormous.

Huge need

Beforehand, Zeeman did not know how many municipalities would sign up for the challenge: "Gelderland has 51 municipalities. But whether 1 municipality or 51 municipalities would participate was unknown in advance.' That made the preparation and bidding for the project challenging. 'We never expected that 42 municipalities would sign up: that's more than 80% of the municipalities in Gelderland. That indicates that the need in this area is enormous. We are very pleased that we have been able to help so many municipalities take a step towards increasing their cyber resilience.'

Point of contact: CISOs

Zeeman and her team chose to approach the CISOs of municipalities in Gelderland as the point of contact for the project. 'They feel the urgency of this issue like no other. They can also best communicate this to the rest of the organization.' Inviting all the CISOs of the municipalities personally was an intensive job, but we managed: 'In the end, we spoke to all the CISOs 1-on-1 to answer questions. They were also present at the kick-off meeting. So a great side effect of this project was the formation of a network of CISOs from municipalities in Gelderland.'

Floris Duvekot

Floris Duvekot

Manager Awareness and Behavior

Secura

I greatly appreciated the mutual trust between the Province of Gelderland and Secura in this partnership.

Cooperation with Secura

After Zeeman and her team had approached all the municipalities in Gelderland, municipalities had signed up, and all the safeguard documents and processing agreements had been arranged, Secura took over the implementation of the project. 'I enjoyed working with Secura very much,' says Zeeman. 'The team handled it well.'

Project leader Floris Duvekot of Secura says of the collaboration, 'Because the province supervised the start of the project and had done so much preliminary work, the municipalities had enough time to apply. This also gave us time to properly prepare the baseline measurements. By discussing progress with the province on a monthly basis, the cooperation was very transparent. What was unique about this project was that the province had no access to the findings of the baseline measurements. Their role was completely facilitative. I greatly appreciated the mutual trust in this collaboration.'

Do's en don'ts

Zeeman receives many questions from other provinces and organizations about this project. 'I usually say: just go ahead and do it. We have seen that there is a tremendous need for sharing knowledge on this subject.' Zeeman advises:

  • Invest in personal contact with CISOs and others involved. 'This takes time, but is well worth the investment. Do not forget to include the board as well, to make the subject really resonate with this group.'
  • Take plenty of time. 'This is really necessary with such a large project. We spent a year between starting and closing the bid. Implementation took over a year after that.'

Contact me

Do you want to know how we can help you raise your cyber resilience? Fill out the form below and we will contact you within one business day.

USP

Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80.000 employees and is active in 140 countries.