Text Anouk Bakker
Photo Josje Deekens

How can we work effectively and securely in the face of threats? Victor Flietstra and Daan Soons are working together to improve the Ministry of Foreign Affairs’ digital security. They’re trying to come up with practical solutions that are workable for staff. ‘Our aim is to make BZ more resilient, but with minimal inconvenience.’ 

Daan Soons, information security and privacy adviser

‘We want to create more options and greater flexibility for more members of staff worldwide.’

It could be a stranger looking over your shoulder while you’re checking your email on the train. Or someone following you on the street or coming to sit suspiciously close to you and your laptop. It might sound like a scene from a spy movie, but now more than ever hackers and cybercriminals are looking for ways to access the information on your phone and laptop. And they can use techniques you might not be expecting. Cyberattacks are common at BZ and information security is high on the ministry’s agenda. Senior information security adviser Victor Flietstra and his colleagues in the Security, Crisis Coordination and Integrity Department (VCI) identify potential threats. They monitor BZ work processes and relevant information on a daily basis. ‘We look, for example, at who might be interested in BZ information, from casual hackers working on their own to state actors that could include foreign intelligence services working with criminal organisations,’ says Victor.

Victor Flietstra, senior information security adviser

‘Be aware of the dangers, and if you see or experience anything suspicious, report it.’

Intelligent, dangerous and incredibly patient

In a cyberattack, information can be deleted or manipulated without you even being aware of it. Often you don’t immediately notice that there’s anything wrong or know what has been stolen. ‘Attackers are intelligent, dangerous and incredibly patient,’ explains Victor. ‘Any one of us could be a target. You might not be of much use to an attacker now, but you could be later. Even if that’s 10 years down the road. Cybercriminals often operate from other countries. One popular and effective technique they use is phishing, which can be done through email, text messages or messaging apps.’ Phishing emails keep the information security specialists in the Information and Digital Innovation Department (IDI) busy as well. ‘The most dangerous type of phishing email at BZ is when the sender presents themselves as someone from another embassy in a partner country,’ says senior risk management, information security and privacy adviser Daan Soons. ‘These fake messages are very targeted and are nearly impossible to distinguish from real ones. So you should always check whether the sender’s email address is a legitimate address at the organisation they claim to be from.’

Reporting incidents

What should you do if you accidentally click on a link you shouldn’t have or if you are approached by a potentially dubious person? ‘If you make a mistake, it doesn’t mean that a cyberattack is imminent,’ says Victor. ‘But be aware of the dangers, and if you see or experience anything suspicious, report it.’ You can report non-digital security incidents (such as being approached by someone suspicious) to VCI, and digital security incidents (such as phishing) to the Information Security Centre. Daan stresses the importance of reporting an incident: ‘If there’s an email you don’t trust, forward it to the Information Security Centre. Even if you’ve already clicked on it. Don’t feel embarrassed – phishing emails are getting more convincing all the time and harder to distinguish from genuine messages. The people sending them are clever and very good at what they do. And in the years ahead, artificial intelligence (AI) will make their techniques even more sophisticated and dangerous. The question is not whether an attack will succeed but when. And when it does, it’s important that we as an organisation know how to respond.’

‘It’s a matter of constantly seeking the right balance between protection and practicality.’

Remote working

Digital awareness is an important first step. BZ offers training to all its staff on how to handle sensitive information. IDI and VCI are working together to improve digital security throughout the organisation. They provide practical solutions without a lot of hassle. ‘Our aim is to make BZ more resilient, but with minimal inconvenience,’ says Daan. ‘We work behind the scenes to filter out phishing emails and reconfigure firewalls, and are completing the transition from Becrypt to Cryhod.’ And yet these solutions still cannot eliminate all threats, which are increasing worldwide. That’s why not all staff at the missions can work from home. Daan explains, ‘Right now it’s all or nothing: either you have access to the VPN or you don’t. We’re working hard to come up with workable solutions for everyone. We want to create more options and greater flexibility for more members of staff.’

Temporary phones for use in high-risk countries during official travel

More and more countries are buying commercial spyware and aren’t shy when it comes to using it. This means there’s a significantly higher chance of your phone being infected with malware. ‘Staff travelling for work to a high-risk country where there’s an elevated threat of this should swap their regular BZ phone at the service desk for a temporary phone to use during the trip,’ says Daan. ‘The temporary iPhone is empty, except for essential apps like BlackBerry Work. If the temporary phone is infected, the impact is limited. It will be wiped when you return, and your regular phone won’t have been compromised.’ Visit BZelf to find out in which countries a temporary phone is required and how to request one.

New passwords

Hackers are becoming increasingly adept at cracking passwords. For protection purposes it’s necessary to have passwords that are longer than 14 characters. For the sake of practicality, BZ staff now only have to change their passwords once a year. The question is how to make a strong password that’s easy to remember. Victor has the answer, ‘Think of a long, silly sentence that uses at least three languages, if possible. Add a few numbers and special characters for good measure. It will be harder to crack, but easy to remember.’

Smart use of new technology

BZ staff need to be able to work in a way that is both secure and convenient. How can we make the smartest use of today’s technology to ensure that’s possible? According to Daan and Victor, the most important thing is to think outside the box. ‘New smart technology will help us identify suspicious activity faster so we can respond effectively. This will allow us to give our staff more scope for remote working. And it will enable us to identify phishing emails more quickly so we can remove them in time. But that’s not our current reality. Until then, we need to keep our information flows running smoothly and securely, so it’s important that we continue having these discussions. It’s a matter of constantly seeking the right balance between protection and practicality,’ says Daan.
