People remain human, but organisations need a disaster recovery plan

Information security is often presented as a matter of technology and awareness. We train employees, run phishing simulations and hope everyone stays alert. But the reality is simple: people remain human. Sooner or later, someone will click on the wrong link, accidentally share information or ignore a procedure in the rush of the day.

The question, therefore, is not if something will go wrong, but when. And more importantly: how well is your organisation prepared to deal with that situation?

Awareness helps, but is never enough

Training and awareness campaigns are valuable. Employees learn to recognise phishing, are more willing to report mistakes quickly and feel part of the security effort. Yet awareness is not a magic shield against human error. Research shows that in 2024, human error played a role in 95 percent of data breaches, such as misconfigurations or a wrong click (Infosecurity Magazine). Other studies estimate that around 68 percent of security incidents are caused by human actions, ranging from phishing to misuse of credentials (ISPartners). Unsurprisingly, 89 percent of organisations even cite human error as their biggest cybersecurity challenge (ITPro).

These figures make one thing clear: preventing mistakes is important, but responding resiliently is at least as essential.

Three pillars of resilience

True resilience requires more. It starts with insight, continues with preparation and ends with how you recover from an incident.

A Business Impact Analysis (BIA) maps which processes are truly critical and how long the organisation can function without certain systems. For management, this provides a concrete picture of vulnerabilities: what does it cost if client records are unavailable for days in a healthcare organisation, or if a production line in a factory comes to a complete standstill? Such scenarios make painfully clear what the organisation really depends on.

This is followed by the Business Continuity Plan (BCP). This is the playbook for the moments when the vulnerabilities identified in the BIA become reality. What do you do if client records are inaccessible for days due to a system failure? How do you ensure a factory can keep operating when a production line is halted by a cyber attack? The BCP describes who takes decisions in a crisis, how communication is organised and which temporary solutions are available. By defining this in advance and practising it regularly, you avoid panic and chaos and ensure the organisation continues to function as much as possible, even under severe pressure.

Finally, there is the Incident Response Plan (IRP). This plan focuses on the acute phase of an incident. Consider a ransomware attack in which the systems containing client data are locked, making them inaccessible to the organisation. Often, those same data are also stolen and later offered on the dark web. The IRP sets out how the organisation acts in such a situation: who takes action, how damage is limited, which notification obligations apply and how communication with clients and supervisory authorities is handled.

The IRP not only defines who takes which actions, but also how the organisation complies with legal obligations, such as the duty to notify the Dutch Data Protection Authority. It also includes the contact details of specialised bodies, such as the National Cyber Security Centre (NCSC) and the Computer Security Incident Response Team (CSIRT), which provide expertise, coordination and advice during a cyber incident.

Even more important: an IRP or BCP only has value if it is actually practised. A plan that ends up in a folder on a shelf will not save your organisation. By regularly organising tabletop exercises or crisis simulations, employees become familiar with their roles. In these simulations, a realistic scenario is worked through step by step, so everyone knows what is expected of them. This makes responding to an incident as natural as evacuating a building in the event of a fire.

When things go wrong

That these are not theoretical risks is shown by recent incidents. Healthcare organisations hit by ransomware saw complete client records end up in the open, with lasting reputational damage and loss of trust as a result. Organisations that reported too late or incompletely to the Dutch Data Protection Authority faced not only fines, but also critical questions from clients and regulators. And there are companies that believed their backups were in order, only to discover during a crisis that they had never been properly tested. The result: weeks of downtime and millions of euros in damage.

These examples show that it is not enough to focus solely on preventing mistakes. What matters is how quickly and effectively you respond and recover.
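The untested-backup failure described above is one that can be checked mechanically rather than assumed. The following is an added example, not part of the original article: it builds a constructed sample data set, backs it up, then performs a real restore into a scratch directory and compares every restored file against the SHA-256 manifest recorded at backup time. It also shows the check catching a damaged archive (one record altered, one never captured) and an archive that cannot be read at all. All file names, contents and the manifest format are constructed for the demonstration.

```python
"""Restore-test a backup archive against a hash manifest taken at backup time.

Added example (not from the original article). The manifest is a plain dict of
relative path -> SHA-256, kept separately from the archive, as a backup
catalogue would. All paths and contents below are constructed sample data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Create a tar.gz of src and return the manifest recorded at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, expected: dict[str, str]) -> dict:
    """Restore the archive into a scratch directory and diff it against the manifest.

    Reports files that are missing, corrupt (hash mismatch) or unexpected, plus an
    overall 'ok' flag. An unreadable archive is reported as a failed restore rather
    than raising, so a scheduled restore test can record the outcome.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the 'data' extraction filter where this Python provides it:
                # it rejects absolute paths, traversal and device nodes in the archive.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **kwargs)
        except (tarfile.TarError, OSError) as exc:
            return {"ok": False, "error": f"restore failed: {exc}",
                    "missing": sorted(expected), "corrupt": [], "unexpected": []}
        actual = build_manifest(dest)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or corrupt or unexpected), "error": None,
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def demo() -> dict[str, dict]:
    """Back up a constructed data set, verify it, then verify two bad backups."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "client-records"          # constructed sample data
        (src / "records").mkdir(parents=True)
        (src / "records" / "client-001.txt").write_text("constructed record 1\n")
        (src / "records" / "client-002.txt").write_text("constructed record 2\n")
        (src / "index.csv").write_text("id,file\n1,records/client-001.txt\n"
                                       "2,records/client-002.txt\n")

        good = work / "backup.tar.gz"
        manifest = make_backup(src, good)       # manifest taken at backup time
        clean = verify_restore(good, manifest)

        # A backup that "looked fine": one record silently altered, one never captured.
        (src / "records" / "client-001.txt").write_text("constructed record 1 DAMAGED\n")
        (src / "records" / "client-002.txt").unlink()
        bad = work / "backup-damaged.tar.gz"
        make_backup(src, bad)                   # its own manifest is deliberately ignored
        tampered = verify_restore(bad, manifest)

        # A backup file that exists on disk but is not a readable archive.
        bogus = work / "backup-truncated.tar.gz"
        bogus.write_bytes(b"not an archive")
        unreadable = verify_restore(bogus, manifest)
    return {"clean": clean, "tampered": tampered, "unreadable": unreadable}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {'OK' if report['ok'] else 'FAILED'} {report}")
```

The point of the design is that the check is a genuine restore, not a listing of the archive: the files are written back out and re-hashed, which is what a recovery would actually depend on. In practice the manifest would be stored with the backup catalogue and the restore test scheduled, with a failed report treated as an incident in its own right.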

Technology and people together

Alongside plans, technology of course plays an important role. Multi-factor authentication, email filtering, monitoring and reliable backups are indispensable. The IT department and the Security Officer ensure that mistakes do not immediately escalate into a disaster. But technology alone is also not enough: without clear processes, trained employees and well-practised playbooks, an organisation remains vulnerable.

A relatively simple but powerful measure is to create predictability in communication. If employees know that sensitive information is always shared via a secure portal with multi-factor authentication, the likelihood that they fall for a phishing email is significantly reduced. The fewer “click moments” there are in daily work, the harder it becomes for criminals to exploit our automatic clicking behaviour.

From vulnerable to resilient

The lesson is clear: training alone is not a safety net. You achieve resilience through insight into your processes via a BIA, through an up-to-date and tested BCP that safeguards continuity, through a well-practised IRP that provides direction when every second counts, and through technical measures that absorb mistakes. Organisations that get this right can say with confidence: people remain people, but one mistake will not bring our organisation to a standstill.

We help organisations, in healthcare and beyond, to make that resilience tangible. We carry out BIAs and translate them into practical BCPs. We develop Incident Response Plans that not only meet notification obligations, but also leave room for forensic investigation. We advise on technical measures and governance and support exercises, so that plans do not exist only on paper.

Would you like to know how resilient your organisation really is? Please feel free to contact us.
