Team building for cyber crises

You can't escape it: sooner or later you will be attacked by hackers. What can you do as an institution, and as a director, to prepare for such an emergency? We asked three executive board members: Pauline Satter (COG), Jos Vranken (Hotelschool The Hague) and Patrick Groothuis (TU/e).

A cyberattack is probably the toughest crisis you can experience as an executive. And it happens often. Just last January, TU/e struggled for a week with a hack. This forced the institution to take the network down instantly; over ten thousand students and staff were affected for days. And this despite an approach to the crisis that was quick and effective, also according to external experts.

Communication

What kind of challenges does such a crisis bring for administrators? We can best ask an expert by experience. As TU/e vice-president, Patrick Groothuis was also chair of the central crisis team that had to repel the cyberattack in January.

Patrick Groothuis (TU/e)

"It's not just about IT: the moment it goes wrong, it also becomes an organisational problem. At that point, you have to be able to call in everything and everyone in your organisation, from the executive board to IT professionals, communication and other staff. And those have to work well together."

That's where communication comes in. "Take the people who first have to deal with the impact of a cyberattack: if they don't communicate well with the CISO, the response team and so on, then the central crisis team also gets the wrong idea. You're then going to suffer tremendously from that in everything that comes after."

Work on a secure corporate culture

Another expert by experience is Jos Vranken, chair of the board of Hotelschool The Hague. As a supervisor at the KNVB, he experienced the football association being hacked in 2023.

He stresses that effective communication is also a matter of corporate culture. "Especially in a cyber crisis, the pressure and tension increase. People need to feel safe and free to give their expert advice in such a situation, both solicited and especially unsolicited. And not to wait for instructions. So, in my experience, you have to permanently work on creating a culture where that is normal."

Jos Vranken (Hotelschool The Hague)

Do you know the relevant phone numbers?

And then there is the most fundamental aspect of communication. Vranken: "If it really happens and all your systems go down, are you able to reach the relevant experts and stakeholders by other means? Do you know their phone numbers? Or are they all neatly in digital files that you can no longer access?"

This was a very real problem when TU/e had to black out all its screens last January, Groothuis explains. "We even got to the point where we no longer knew which systems still had integrity and were safe to use. Was WhatsApp still safe?"

Fortunately, TU/e also has experts in cryptology and cybersecurity. According to them, Signal was the only truly secure communication channel. "As long as the users don't make mistakes," laughs Groothuis, referring to the commotion surrounding the US Secretary of Defence, who mistakenly added a journalist to a confidential Signal group. "So, as an executive board member, I went to work on the spot on my phone to get the right people into such a Signal group. Because we were not prepared for that."

See what you can control

Signal, however, is not an option if you need to inform thirteen thousand students. Groothuis: "And you have to. The consequences of poor communication are huge. It leads to confusion, to turmoil, to a flood of phone calls and e-mails."

"That's why we chose two channels: our website and the external media. But we only thought about that too during the crisis. We also decided then to come up with announcements every day at set times. Because in a crisis, nothing works as well as a clear structure and approach. People benefit from that."

Photo: TU/e

The crisis team itself should also focus on certainties, Vranken adds. "You should not let things that are uncontrollable drive you crazy. Rather, look at what you can control."

Groothuis: "You only know afterwards what all happened. But gradually you can fit more and more pieces of the puzzle together. In fact, you are reducing uncertainty, especially in the first phase of such a crisis."

Teamwork you can learn

In a cyber crisis, an organisation and its managers have to perform optimally under enormous time pressure and in highly unusual circumstances. Can you learn to do that? Yes, by practising. For example, with OZON, SURF Cooperative's biennial sector-wide cyber crisis exercise.

"With an exercise like OZON, you can really learn to operate as a crisis team."
Jos Vranken

Vranken had just been appointed at Hotelschool The Hague when he was assigned to OZON 2025. This was a pleasant surprise for him. "It is a precious commodity that the sector exercises crisis management collectively. This allows individual institutions to arm themselves better. Because if you still have to invent the wheel at the start of the crisis, you have a huge problem. And you can also really learn to work as a crisis team with OZON."

Groothuis confirms: "We had already learned from our OZON participation how such a crisis works. How does the central crisis team function compared to the IT organisation's crisis team? You also learn that from the administrative side, you have to approach the situation along two lines: on the one hand, you want insight into the impact of what is occurring; and on the other, how you can influence or direct it, and in what timeframe. And the need for good communication also quickly becomes clear at OZON."

Realism could still be higher

No wonder, then, that there is growing interest in OZON. In 2016, the first edition of the cyber crisis exercise had 27 participating institutions and sector partners. That number has grown steadily since then: at the fifth edition last March, there were 90.

Pauline Satter (COG)

OZON's popularity is due to the realism of the exercise, thinks Pauline Satter, executive board member at COG (Christelijke Onderwijs Groep Vallei & Gelderland-Midden). "The scenario comes close to reality. It could have just happened in your school."

For Groothuis, who as a former officer is used to military exercises, OZON's realism could be a notch higher. "The exercise has a lot of good ingredients, but during office hours. Everyone is ready, because the exercise is about to start. But a real cyber crisis like ours starts unexpectedly, late on a Saturday night. Can the people you need be reached at all then?"

More collaboration

In one respect, however, OZON is tougher than reality: the scenario assumes a nationwide crisis of the entire sector. Groothuis: "Fortunately, we have not yet experienced that in practice."

That collective aspect could be developed further, according to Satter. "I think we could perhaps share those lessons learned a bit more. Everyone now does the exercise in their own way: we each evaluate our own part. But why do other institutions make certain choices? We don't discuss that now."

Photo: Margriet Dingmans in front of Hotelschool The Hague

Vranken would also like to see more collaboration in cybersecurity. "We are all fishing in the same pond of professionals in cyber, privacy, security. Moreover, that's where we as education have to compete with the big money. So we'd better cooperate: in SURF and VH contexts, but also among ourselves, for instance bilaterally in a city or region."

Intersectoral coordination

What about administrative cooperation during a crisis? For that purpose, a multi-sectoral administrative coordination consultation on cybersecurity has now been established. At the end of OZON 2025, there was also, for the first time, an exercise specifically for the members of this consultation.

"Who decides to take all mbo institutions offline when there is a real crisis in all institutions?"
Pauline Satter

Satter represents the mbo in the consultations. According to her, it was a learning exercise. "In doing so, we came to choices and agreements. Because in the beginning, everyone tackles the crisis with their own methods. To give a simple example: one person writes on sheets on the wall, another has an app for it, and the next a series of digital boards. Then when you get together in crisis mode, everyone prefers to work with their own method. Because that's what you're used to."

"This was the first time we did a multi-sectoral governance exercise, and it felt really good to be able to pick up on precisely these kinds of basic choices. We also created a Signal group for the members of the consultation. So if necessary, the team is quickly ready for action."

More difficult is the issue of mandate. "Who decides to take all mbo institutions offline when it is really a crisis in all institutions? You are actually dealing with very long decision lines. But in a cyber crisis, on the contrary, you have to be able to act very quickly."

Text: Aad van de Wijngaart

Want to practice too? Take part in NOZON 2026

In the years between OZON editions, SURF organises a tabletop exercise: NOZON. Institutions can work through exercise material for a cyber crisis themselves. This way, you discover where the weaknesses are and how things can be improved. NOZON takes place in 2026.

In cooperation with Z-CERT, MBO Digitaal and Kennisnet, training sessions are also organised on setting up, observing and evaluating cyber crisis exercises.

OZON 2025 scenario

Government policies - cuts in higher education and the mandatory maths test in mbo - lead to student and staff protests. In part, those protests are peaceful: the national Unity Uprising Movement (EPO) encourages people to protest on social media or physically. One way they can support the movement is by signing a petition. To do so, they need to install a browser plugin.

However, the movement also has a radical splinter cell: the Revolution Reckoners. They abuse the plugin to carry out DDoS attacks on institutions' IT systems. There are even Reckoners who, as institution employees, have access to sensitive data, such as exams, research data and personal data of students and staff. They threaten to make that data public on the dark web.

'Team building for cyber crises' is an article from SURF Magazine.

Questions following this article? Mail to magazine@surf.nl.
