Case Study: De Vereende - De Vereende is DORA ready with a pentest strategy from Securify
Enhanced resilience for De Vereende thanks to compliance and security test strategy
De Vereende is a small insurance company that provides solutions for risks that are difficult to place elsewhere and thus fulfils a safety net function. Where regular insurers consider the risk too high, De Vereende provides the solution. Thanks to their specialized knowledge and customer-oriented approach, De Vereende plays a crucial role in ensuring coverage for diverse and complex risks in the market.
Challenges
De Vereende relies on the integrity and reliability of its IT systems. The nature of their work means they handle sensitive customer data and complex financial transactions, making them an attractive target for cyberattacks.
With the introduction of the Digital Operational Resilience Act (DORA), financial institutions must meet stringent requirements in risk management, incident reporting, and operational resilience testing. Although De Vereende is not subject to the most stringent requirements due to its size, they still follow the guidelines to achieve high resilience. To address these challenges, De Vereende collaborates with Securify, experts in preventive cybersecurity.
Cybersecurity and DORA
Under DORA, financial institutions are required to conduct regular penetration tests. De Vereende works with Securify for this purpose. Their testing program includes various types of tests and activities, including pentests and Purple Teaming sessions. Patricia Koppers, Chief Information Security Officer (CISO) at De Vereende, emphasizes the importance of this collaboration: "I find it appropriate that pentests are included in DORA; it is one of the most important measures. We already knew our strengths and weaknesses, but the collaboration with Securify has taken this to the next level."
Together with Securify, De Vereende developed a roadmap and test strategy. A Business Impact Analysis (BIA) identified the critical applications, such as portals linked to the back office. The BIA classifies these applications according to the Dutch BIV scheme (Beschikbaarheid, Integriteit, Vertrouwelijkheid: Availability, Integrity, and Confidentiality). The test strategy was developed on that basis.
Security test strategy and implementation
Veruschka Kavelaars, Information Security Officer at De Vereende, highlights: "A good testing policy is a prerequisite. As an organization, you must set the goals yourself and determine with the testers what you want to achieve. Then you follow that path together and eventually reach the result." For one of the tests, De Vereende followed a realistic scenario as a hacker would act. A phishing test was set up to collect login details and use them to break into the environment.
"We gave Securify a laptop with minimal rights to see how far they could get," Kavelaars explains. "Fortunately, our organization responded well. The party handling our SOC/SIEM monitoring was not informed, but they immediately alerted us when they noticed the activity."
Purple Teaming
Securify also conducted Purple Teaming sessions, where defenders and attackers are physically together. This makes the process more interactive and contributes to the learning effect. "During these sessions, we first go through the theory and later practice how a hacker operates and what actions and steps have been taken in our environment," says Kavelaars. "We held these sessions with technical teams, IT teams, and the security team, as well as a team of 20 employees at other levels in IT."
Patricia Koppers acknowledges the importance of these sessions: "After a while, the security aspect can be downplayed. Then we use examples from the tests and Purple Teaming. We also bring in Securify to clarify something."
Results and continuous improvement
The starting point is always that the organization follows up on the findings. Securify's reports include not only findings but also recommendations and possible solutions. "The reports are comprehensive and accessible, understandable to everyone," says Koppers. "It is clear what needs to be done, and after resolving the findings, you must retest to ensure that you have increased your resilience."
Securify communicates clearly at both management and technical levels. "They go into depth for the technical people, and for management, they highlight the key points differently," Kavelaars notes. "We can always call Securify when we need them; we have a strippenkaart for this. This was very useful when we discovered a hacker in the environment. Securify quickly understood what was happening and advised on how to deal with the hacker."
Conclusion
The collaboration with Securify has significantly increased De Vereende's digital resilience. Various security tests are conducted at different levels depending on the organization's goals and maturity. By regularly conducting pentests and purple teaming sessions, De Vereende will comply with DORA requirements and protect its critical IT systems from cyber threats.
Patricia Koppers concludes: "We are in the lead; we must determine the goal of the tests. Securify provides advice to ensure the coherence of the tests and help us achieve our ultimate goal. It is a learning process for the entire organization. Securify's reports include clear findings and practical advice. By increasing awareness, we have also made our organization more resilient. Employees now think more from a security perspective."
The collaboration with Securify remains crucial for De Vereende to maintain and continuously improve digital resilience.
In short:
Enhanced resilience for De Vereende through governance and test strategy
Goals
- Increase the organization's resilience.
- Comply with DORA requirements.
- Raise internal awareness about the importance of security.
- Reduce risks by addressing findings and implementing the right measures.
- Gain clear insight into the specific cyber risks faced by the organization.
Solutions
- Pentests: Securify regularly conducts penetration tests to assess the resilience of De Vereende's systems and identify vulnerabilities.
- Purple Teaming exercises: Through realistic attack simulations, Securify helps De Vereende further strengthen its operational resilience.
- Strippenkaart: On-call advice and assistance, with Securify providing the right expertise and support at the right time.
Results
- Enhanced resilience of De Vereende, based on the organization and IT environment, against cybercrime.
- Increased security awareness within the organization.
- Compliance with DORA guidelines regarding pentests.