The National Coordinator for Security and Counterterrorism (NCTV) recently published the Cybersecurity Assessment Netherlands (CSBN) 2025. The report outlines a digital threat environment that is becoming increasingly complex, diverse, and unpredictable. As the threat grows, the defense lies in strengthening basic digital hygiene. Organizational culture plays an important role in how incidents are recognized and reported. The CSBN 2025 makes it clear that digital security is not purely a technological issue, but depends on how people within organizations act. Transparency International Netherlands (TI-NL) therefore emphasizes the crucial role of human behavior and a safe reporting culture in effective cybersecurity.
The CSBN 2025 shows that the Netherlands is facing various types of cyberattacks, such as ransomware, espionage campaigns, DDoS attacks, and targeted attacks on critical infrastructure. However, it is striking that a significant proportion of incidents are not caused by advanced hacks, but by vulnerabilities in systems. The report mentions software errors, faulty updates, and outdated systems, among other things. It is precisely these unintentional errors that provide an ideal entry point for cyber attacks. Cybercriminals can, for example, exploit misconfigurations or outdated software to penetrate deep into a network. Human error contributes to this. Think, for example, of employees clicking on a phishing link or documents being uploaded incorrectly.
Cybersecurity is therefore not only a technical problem, but also a human and organizational one. Many incidents stem from a lack of basic digital hygiene, rather than a shortage of technological capacity. The CSBN therefore emphasizes that the solution does not primarily lie in increasingly complex defense mechanisms, but in strengthening thebasic digital principles, as set out by the NCSC and DTC. These include installing updates in a timely manner and properly managing access to data and services. Identifying and reporting errors and incidents is also mentioned, which directly affects organizational culture.
Effective cybersecurity largely depends onhuman behavior and the cultureof an organization where incidents occur. After all, people are the weakest link in digital security systems: through carelessness, making mistakes, or susceptibility to bribery.Researchshows that one in three Dutch people has experienced phishing at some point. In reality, these figures could be much higher, as not everyone will always admit that they have been deceived by phishing. Shame and fear of repercussions play a major role in this.
We see a direct link here with integrity violations. People who do not feel safe reporting integrity violations will almost certainly not feel safe when they make a mistake with cybersecurity. The same applies to integrity issues: when employees do not dare to report incidents, situations can become much bigger than they already are. When organizations punish their employees for making mistakes, it discourages employees from speaking up. This not only makes these organizations more susceptible to integrity violations, but also increasingly vulnerable to cybercrime.
Organizational culture therefore plays an important role in promoting digital security. It is essential that organizations understand which risks are relevant to them. This means that employees must be trained to recognize potential incidents, but also that they feel confident in reporting incidents when something goes wrong. Only then can organizations intervene in a timely manner and limit damage.
The insights from CSBN 2025 show that technological measures are only part of the solution. Many incidents originate from human error and a lack of basic hygiene. A safe reporting culture is therefore not a side issue, but an absolute prerequisite for cybersecurity. Organizations that give employees the space to report errors increase their resilience to both integrity breaches and cyber threats.
Earlier this year, TI-NL published a guide to assist organizations in setting up an effective reporting system and thus support them in creating a safe reporting culture. The guide can be downloaded free of chargehere.
