Digital dilemma  

Van der Kleij describes “the great digital dilemma” of balancing openness and security in a country with one of Europe’s most advanced digital infrastructures. “How can entrepreneurs remain open and connected without having to completely lock down their businesses?” he asks. 

The statistics are stark. Van der Kleij’s study found that 66% of Dutch businesses are inadequately prepared for cyber threats. Recent ABN Amro research confirms the crisis: one in five businesses suffered cyber crime damage last year, rising to nearly 30% among large companies. For the first time, SMEs (80%) are more frequently targeted than large corporations (75%), marking a significant shift in cyber criminal strategy. 

Despite the numbers, a perception gap persists. Van der Kleij identifies ‘the overconfident’ – Dutch businesses believing their cyber security is adequate when it isn’t. While SME attack rates soar, their risk perception remains static, whereas large organisations show marked awareness increases (from 41% to 64%). This creates a “waterbed effect” – as large companies strengthen defences, cyber criminals shift to less-prepared SMEs which are paradoxically reducing cyber security investments. 

From cyber security to cyber resilience 

Van der Kleij emphasises a crucial distinction: while cyber security focuses on preventing incidents, cyber resilience acknowledges that incidents will happen. “It’s about having the capacity to react appropriately, recover from incidents, and learn from what went wrong to emerge stronger,” he says. 

This requires four capabilities – prepare, respond, recover and adapt – yet most Dutch organisations focus only on preparation. The ABN Amro findings confirm this: many SMEs have firewalls but lack intrusion detection or incident response plans. Large companies take a more balanced approach, combining technology with training, response capabilities and insurance. 

Uber’s experience illustrates the weakness of purely technical approaches. After a 2016 hack, they implemented two-factor authentication – yet were hacked again in 2022 by an 18-year-old using WhatsApp social engineering.

“This shows that investing only in technology without addressing human factors creates fundamental weakness, which is particularly relevant for Dutch businesses that prioritise technological solutions,” van der Kleij adds. 

Human factor 

Van der Kleij challenges the persistent myth that humans are cyber security’s weakest link. “People are often blamed when things go wrong, but the actual vulnerabilities typically lie elsewhere in the system, often in the design itself,” he says. 

The misdirection is reflected in spending: 85% of cyber security investments go toward technology, 14% toward processes and just 1% toward the human component. Yet the ABN Amro research shows phishing – which succeeds through psychological manipulation rather than sophisticated technology – affects 71% of Dutch businesses. 

“We’ve known for decades that people aren’t equipped to remember complex passwords across dozens of accounts, yet we continue demanding this and then express surprise when they create workarounds,” van der Kleij says.

“Rather than blaming users, we should design systems that make secure behaviour easier. In the Netherlands, we need more human awareness in security teams, not more security awareness training for end users.” 

Failing to act  

Why do so many Dutch SMEs fail to invest in cyber resilience despite evident risks? Van der Kleij believes it’s about behaviour, not business size. “It’s not primarily about size or industry – it’s about behaviour and beliefs,” he says. 

Common limiting beliefs among Dutch entrepreneurs include “I’m too small to be a target” or “I don’t have confidential information”. Remarkably, even suffering a cyber attack doesn’t change this mindset. “Studies show that when businesses are hacked, it doesn’t automatically lead them to better secure their operations afterward,” van der Kleij says. 

The challenge is reaching those who need help most. “We have vouchers, we have arrangements where entrepreneurs can get help at a significantly reduced fee from cyber security professionals, but uptake remains negligible,” van der Kleij says. “It’s always the same parties who come to the government’s door – the large companies who are already mature. The small ones, we just can’t seem to reach them.” 

Van der Kleij sees “relational capital” – resources generated through partnerships – as key to enhancing Dutch cyber resilience. “You can become more cyber resilient by establishing partnerships,” he says, pointing to government-encouraged initiatives like Information Sharing and Analysis Centers.  

The ABN Amro research reveals why collaboration matters: 39% of large companies experienced cyber incidents originating with suppliers or partners, compared with 25% of smaller firms. This supply chain vulnerability drives major Dutch organisations to demand higher standards from partners through initiatives such as Big Helps Small. 

European regulations reinforce this trend. The new NIS2 directive will expand coverage from hundreds to several thousand Dutch companies, yet only 11% have adequately prepared. Among SMEs, approximately half have done little preparation – despite Dutch police warnings about increasingly frequent ransomware attacks where criminals threaten to release stolen data publicly. 

Van der Kleij’s current research at Avans University focuses on identifying barriers to cyber resilience investment through focus groups with Dutch entrepreneurs. “When we understand these barriers – which are more likely motivational than knowledge-related – we can design targeted interventions,” he says. 

Van der Kleij’s message is stark: “The question isn’t whether your organisation will face a cyber incident, but when – and how effectively you’ll respond. Cyber resilience encompasses cyber security while adding crucial capabilities for response, recovery and adaptation. It’s time for a new paradigm in the Netherlands.”