Scammers are using AI tools to create increasingly convincing ways to trick victims into sending money, and to access the personal information needed to commit identity theft. Deepfakes mean they can impersonate the voice of a friend or family member, and even fake a video call with them! The result can be criminals taking out thousands of dollars worth of loans or credit card debt in your name. Fortunately there are steps you can take to protect yourself against even the most sophisticated scams. Here are the security and privacy checks to run to ensure you are safe … 9to5Mac is brought to by Incogni: Protect your personal info from prying eyes. With Incogni, you can scrub your deeply sensitive information from data brokers across the web, including people search sites. Incogni limits your phone number, address, email, SSN, and more from circulating. Fight back against unwanted data brokers with a 30-day money back guarantee. Use a password manager At one time, the advice might have read “use strong, unique passwords for each website and app you use” – but these days we all use so many that this is only possible if we use a password manager. This is a super-easy step to take, thanks to the Passwords app on Apple devices. Each time you register for a new service, use the Passwords app (or your own preferred password manager) to set and store the password. Replace older passwords You probably created some accounts back in the days when password rules were much less strict, meaning you now have some weak passwords that are vulnerable to attack. If you’ve been online since before the days of password managers, you probably even some passwords you’ve used on more than one website. This is a huge risk, as it means your security is only as good as the least-secure website you use. What happens is attackers break into a poorly-secured website, grab all the logins, then they use automated software to try those same logins on hundreds of different websites. If you’ve re-used a password, they now have access to your accounts on all the sites where you used it. Use the password change feature to update your older passwords, starting with the most important ones – the ones that would put you most at risk if your account where compromised. As an absolute minimum, ensure you have strong, unique passwords for all financial services, as well as other critical ones like Apple, Google, and Amazon accounts. Make sure you include any accounts which have already been compromised! You can identify these by putting your email address into Have I Been Pwned. Use passkeys where possible Passwords are gradually being replaced by passkeys. While the difference might seem small in terms of how you login, there’s a huge difference in the security they provide. With a passkey, a website or app doesn’t ask for a password, it instead asks your device to verify your identity. Your device uses Face ID or Touch ID to do so, then confirms that you are who you claim to be. Crucially, it doesn’t send a password back to the service, so there’s no way for this to be hacked – all the service sees is confirmation that you successfully passed biometric authentication on your device. Use two-factor authentication A growing number of accounts allow you to use two-factor authentication (2FA). This means that even if an attacker got your login details, they still wouldn’t be able to access your account. 2FA works by demanding a rolling code whenever you login. These can be sent by text message, but we strongly advise against this, as it leaves you vulnerable to SIM-swap attacks, which are becoming increasingly common. In particular, never use text-based 2FA for financial services accounts. Instead, select the option to use an authenticator app. A QR code will be displayed which you scan in the app, adding that service to your device. Next time you login, you just open the app to see a 6-digit rolling code which you’ll need to enter to login. This feature is built into the Passwords app, or you can use a separate one like Google Authenticator. Check last-login details Some services, like banking apps, will display the date and time of your last successful login. Get into the habit of checking this each time you login, as it can provide a warning that your account has been compromised. Use a VPN service for public Wi-Fi hotspots Anytime you use a public Wi-Fi hotspot, you are at risk from what’s known as a Man-in-the-Middle (MitM) attack. This is where someone uses a small device which uses the same name as a public Wi-Fi hotspot so that people connect to it. Once you do, they can monitor your internet traffic. Almost all modern websites use HTTPS, which provides an encrypted connection that makes MitM attacks less dangerous than they used to be. All the same, the exploit can expose you to a number of security and privacy risks, so using a VPN is still highly advisable. Always choose a respected VPN company, ideally one which keeps no logs and subjects itself to independent audits. I use NordVPN for this reason. Don’t disclose personal info to AI chatbots AI chatbots typically use their conversations with users as training material, meaning anything you say or type could end up in their database, and could potentially be regurgitated when answering another user’s question. Never reveal any personal information you wouldn’t want on the internet. Consider data removal It’s likely that much of your personal information has already been collected by data brokers. Your email address and phone number can be used for spam, which is annoying enough, but they can also be used by scammers. For this reason, you might want to scrub your data from as many broker services as possible. You can do this yourself, or use a service like Incogni to do it for you. Triple-check requests for money Finally, if anyone asks you to send them money, be immediately on the alert. Even if seems to be a friend, family member, or your boss, never take it on trust. Always contact them via a different, known communication channel. If they emailed you, phone them. If they phoned you, message or email them. Some people go as far as agreeing codewords with family members to use if they ever really do need emergency help. If anyone asks you to buy gift cards and send the numbers to them, it’s a scam 100% of the time. Requests to use money transfer services are also generally scams unless it’s something you arranged in advance. Even if you are expecting to send someone money, be alert for claims that they have changed their bank account. This is almost always a scam. Again, contact them via a different, known comms channel. Photo by Christina @ wocintechchat.com on Unsplash Add 9to5Mac to your Google News feed.  FTC: We use income earning auto affiliate links. More.You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Jun 06, 2025The Hacker NewsMalware / Endpoint Security Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation," security researcher Koushik Pal said in a report published this week. "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries." It's believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware's source code. The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum-ticket[.]net"). Visitors to the sites in question are served a message that instructs them to complete a hCaptcha verification check to in order to "review the security" of their connection before proceeding further. However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification." Doing so causes a command to be copied to the users' clipboard and the victim is shown a set of instructions depending on their operating system. While they are guided to run a PowerShell command on Windows by opening the Windows Run dialog, it's substituted by a shell script that's executed by launching the Terminal app on macOS. The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer. "Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure," Pal said. "The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction 'Press & hold the Windows Key + R' was displayed to both Windows and Mac users." The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year. "Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access," Darktrace said. "These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads." The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue. The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls. The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware. Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism. "While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers," Cofense said. The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the "Accept" button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies. In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data. "ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses," Darktrace said. "By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data." Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks. These fake pages are "pixel-perfect copies" of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages. "Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they've been conditioned to click through these as quickly as possible," SlashNext's Daniel Kelley said. "Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever steps are presented if it looks routine." Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

When it comes to Apple, all eyes are on AI. Generative AI (genAI) is the most disruptive technology we’ve seen in years; it is weaving itself into all parts of life – so why should IT management be left unscathed? It won’t be, and the latest AI-powered IT management features within the Jamf platform will soon be the kind of tools IT expects. Jamf is a leading Apple-in-the-enterprise device management (and security vendor recently began offering enterprise support for Android devices). The company has been working away on AI features to support its solutions for some time, and has at last introduced some of these at its Jamf Nation Live event. The tools are designed to boost efficiency and support better decision-making when it comes to handling your fleets. Of course, you’d expect anyone fielding genAI solutions to say something like that, so what do these tools do? Introducing Jamf AI Assistant Available as a beta, AI Assistant is designed to support tech support! That means it will help IT admins find what they need and help them understand how and why devices they do find are configured. Jamf splits these two paths into two categories: Search skill and Explain skill. Search skill lets admins perform natural language inventory queries across their managed fleets, enabling them to quickly find devices within their flotilla that meet the search parameters. The goal is to make it quicker and easier to audit managed devices for compliance, and to troubleshoot when things go wrong. Explain skill caters to another facet of an IT admin’s daily challenges. As Jamf explains, it means the genAI can translate complex configurations and policies into clear, easy-to-understand language. This helps admins make informed decisions, streamline troubleshooting and manage policies more confidently, says Jamf. While these new Jamf tools don’t automate much of the workload facing IT, it’s not hard to see how once the AI can understand what’s happening on a Mac and identify those devices that meet a set of parameters, the only missing piece is to automate some of the workflow in between. This, of course, is the direction of travel and will likely ripple across IT and every platform. Who knows, it might even make the cost of supporting Windows fleets almost as affordable as that of managing fleets of Apple devices. (Though I doubt it.) Beyond AI Jamf also made a handful of announcements outside of AI, including the general availability of Blueprints, a set of tools the company announced at JNUC last year. Blueprints builds on Apple’s Declarative Device Management framework and is designed to simplify and accelerate device configuration by consolidating policies, profiles and restrictions into a single, unified workflow. This makes a lot of sense on a road map to further AI deployment, as well as for anyone attempting to manage and deploy large Apple fleets. I imagine admins preparing for mammoth college- or school-wide deployments will have some optimism that Blueprints could help save time. Don’t neglect that education tech is expected to deploy thousands of devices in a few weeks, so these tools should be significant to them. Jamf continues working on Blueprints, and has introduced a beta release of Configuration Profiles within Blueprints. This tech consists of a new dynamic framework designed to help teams manage devices at scale, thanks to the new dynamic framework for MDM key delivery. Ticket to ride Jamf has offered a Self Service+ portal since earlier this year. Aimed at end-users, the system lets users request, download and update apps, as well as monitor their device security. Those features have been expanded with identity management tools, so users can view their accounts change passwords, and request things like temporary admin access. The beauty of Self Service+ is that it enables users to do these things autonomously while keeping their devices fully auditable and compliant. The idea is that it’s a lot better to focus the expensive tech support teams on the big problems, rather than seeing them bogged down in small, transient (albeit important), challenges.  The company also introduced Compliance Benchmarks. Based on Apple’s macOS Security Compliance Project (mSCP), this system helps IT automate the process of securing their Apple devices. Jamf has also added malware detection to its App Installers module, which means every application made available through that system is scanned to maintain security confidence. That’s really important to companies attempting to provision apps to employees, particularly if they want to avoid accidental installs of hacked malware posing as the original app. You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

They are the latest in a string of high-profile companies publicly reporting being hacked.

US banks aren't happy about having to disclose cyberattacks.

Data broker LexisNexis Risk Solutions (LNRS) has just disclosed a data breach that occurred at the end of last year, and while it doesn't affect as many individuals as other recent high profile incidents—such as the DISA hack that included 3.3 million people's information—it underscores the ever-present concerns with companies collecting (and profiting off of) user data. As TechCrunch reports, LexisNexis Risk Solutions uses consumers' personal and financial information to help corporations conduct risk assessments on prospective customers and detect fraudulent transactions. For example, LexisNexis sold data on vehicle driving habits collected by car manufacturers to insurance companies to set premiums, while law enforcement agencies pull data from LexisNexis about suspects. (LexisNexis Risk Solutions is a subsidiary of the same corporation that owns data analytics and research firm LexisNexis.)The LexisNexis hack compromised data collected on 364,333 individuals, and there's a potential class action lawsuit brewing over the incident. Here's what you need to know. What happened with LexisNexis?According to the company's filing with the Maine attorney general's office, a data breach took place on December 25, 2024 but wasn't discovered until May 14, 2025. A third-party platform used by LexisNexis was hacked, compromising information that may include the following: NamePhone numberMailing addressEmail addressSocial Security numberDriver's license numberDate of birthIn a letter to affected individuals, LexisNexis states that no financial or credit card information was included in the breach, nor has any data been obviously misused (so far). Few additional details about the incident have been disclosed, other than that none of the company's own networks or systems were hacked. What consumers need to doLexisNexis sent a notice dated May 24 to consumers whose data may have been compromised, so if you receive a letter from LexisNexis Risk Solutions, don't throw it out. The company is offering 24 months of identity protection and credit monitoring services through Experian IdentityWorks, and you must enroll online by August 31, 2025 using the activation code provided in your notice. Affected individuals can also indicate their interest in joining a class action lawsuit against LexisNexis through Oklahoma-based firm Abington Cole + Ellery. If you want to volunteer to be considered as a class representative, fill out the online form with your name, contact information, and connection to the breach.Finally, even if you don't plan to join the class action suit, you should keep an eye out for signs of identity theft. Check your credit report—which you can request for free on a weekly basis—and monitor your accounts for any unauthorized activity. You can also freeze your credit, place a fraud alert, and take other steps to secure your Social Security number so no one can open accounts or take out debt in your name.

Why it matters: It's somewhat ironic that arguably the biggest piracy enabler today is a device that comes from Amazon, a $2 trillion tech giant with a streaming service. According to a new report, jailbroken Amazon Fire Sticks are used to watch billions of dollars worth of pirated streams, and Google, Meta and Microsoft are exacerbating the situation. A report from Enders Analysis, titled "Video piracy: Big tech is clearly unwilling to address the problem," looks at the issue of illegal streams. Driving the piracy epidemic, particularly in Europe, is the sports broadcasting industry. The BBC reports that the overall value of media rights for this business passed $60 billion last year, which means fans are paying increasingly higher prices to watch sports on TV, especially if they pay for multiple services. UK soccer fans had to pay around $1,171 in the 23/24 season if they wanted to watch all televised Premier League games. The same is also true for mainstream streamers such as Netflix and Disney Plus, which keep raising their subscription costs and clamping down on account sharing. Paying so much in these economically uncertain times has pushed more people into canceling their legitimate streaming services and turning to pirated alternatives. The report notes that Tom Burrows, head of global rights at the world's largest European soccer streamer, DAZN, called streaming piracy "almost a crisis for the sports rights industry." // Related Stories Comcast-owned European TV giant Sky Group echoed the warnings. It said piracy was costing the company "hundreds of millions of dollars" in revenue. Many high-profile events, such as major games, can draw tens of thousands of viewers away from legal services and toward the many pirated streams showing the same content at a fraction of the price – or free. Most people are familiar with jailbroken Amazon Fire Sticks being used to access illegal streaming services – the report calls the device a "piracy enabler." According to Sky, 59% of people who watched pirated material in the UK over the last year did so using a Fire Stick. The report says that the device enables "billions of dollars in piracy" overall. Would you pirate this pirate show? "People think that because it's a legitimate brand, it must be OK. So they give their credit card details to criminal gangs. Amazon is not engaging with us as much as we'd like," said Sky Group COO Nick Herm. As with all forms of piracy, there are risks associated with this trend. Providing credit card details and email addresses to those behind the services isn't exactly safe, and there have been cases of jailbroken, malware-infested pirate streaming devices – not just Fire Sticks – being sold on eBay, Craigslist, and the dark web. There has been a crackdown on the sale of hacked Fire Sticks in the UK recently. Last year saw a man given a two-year suspended sentence for selling the devices, while another was jailed. Just using these sticks or illegal IPTV subscriptions is breaking the law. It's not just Amazon that is being blamed. The report highlights Facebook's lack of action to stop ads for illegal streams running on the platform. Google and Microsoft are also called out for the "continued deprecation" of their respective DRM systems, Widevine and PlayReady; the report says they "are now compromised across various security levels." Microsoft's last update to PlayReady was December 2022. "Over twenty years since launch, the DRM solutions provided by Google and Microsoft are in steep decline," reads the report. "A complete overhaul of the technology architecture, licensing, and support model is needed. Lack of engagement with content owners indicates this a low priority." Amazon says it is working with industry partners and relevant authorities to combat piracy and protect customers from the risks associated with pirated content. The company has taken (or is about to take) steps to make turning Fire TV-branded devices into piracy boxes more difficult. These include raising the technical bar (ADB over local network disabled, tighter DRM), and adding warning messages about legality. Moreover, Amazon is switching Fire TV devices from Android to the Linux-based Vega OS later this year, which doesn't run Android APKs at all.

Asus' routers and popular and well-reviewed. As such, there's a good chance you have one of its devices powering your home wifi. If you do, you should probably check on it, since thousands of Asus' routers are now compromised. What happened?Cybersecurity company GreyNoise published a blog post about this router attack on Wednesday. GreyNoise says attackers used brute-force login attempts (running millions of login attempts until the right match is found) and authentication bypasses (forcing your way in around traditional authentication protocols) to break into these routers. Notably, hackers used authentication bypass techniques that aren't assigned CVEs (common vulnerabilities and exposures). CVEs are labels used to track publicly disclosed security vulnerabilities, which means the security vulnerabilities were either unknown or known only to a limited circle.Once in, hackers exploited the Asus router's CVE-2023-39780 vulnerability to run whatever commands they wanted. Hackers enabled SSH (secure shell) access through Asus' settings, which let them connect to and control the devices. They then stored the configuration—or backdoor—in NVRAM, rather than the disk of the router. The hackers did not leave malware behind, and even disabled logging, which makes their attacks difficult to detect. It's not clear who is behind these attacks, but GreyNoise did say the following: "The tactics used in this campaign—stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection—are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary."How did GreyNoise find out?Sift, GreyNoise’s AI technology, first detected an issue on March 17, noticing unusual traffic. GreyNoise uses fully emulated Asus profiles running factory firmware to test for issues like these, which let researchers observe the attackers' full behavior, reproduce the attack, and discover how the backdoor was installed. Researchers at the company received Sift’s report the following day, and began researching, coordinating with “government and industry partners.” GreyNoise reported that, as of May 27, nearly 9,000 routers were confirmed compromised. The company is pulling that data from Censys, which keeps tabs on internet-facing devices throughout the world. To make matters worse, the affected devices only continue to increase: As of this piece, there were 9,022 impacted routers listed on Censys' site. Luckily, GreyNoise reports that Asus patched the security vulnerability in a recent firmware update. However, if the router was compromised before the patch was installed, the backdoor hackers put into the router will not be removed. Even if this is the case, you can take action to protect your router.If you have an Asus router, do thisFirst, confirm your router is actually made by Asus. If it is, log in to your router via your internet browser. Logging into your router varies by device, but according to Asus, you can head to www.asusrouter.com, or enter your router's IP address into your address bar, then log in with your Asus router username and password. Asus says if this is the first time you've logged into the router, you'll need to set up your account.From here, identify the "Enable SSD" settings option. (You may find this under "Service" or "Administration," according to PCMag.) You'll know the router is compromised if you see that someone can log in via SSH over port 53828 with the following key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ (the rest of the key has been cut for length).Now, disable the SSH entry and block these IP addresses: 101.99.91.151101.99.94.17379.141.163.179111.90.146.237From here, factory reset your router. Unfortunately, the patch alone won't be enough, since the attack survives any update. A total reset is the only way to be sure your router is protected. However, if you see your router was not affected here, install the latest firmware update ASAP. Unaffected routers that install the latest patch will be protected from this type of attack going forward.

White House Chief of Staff Susie Wiles uses a phone as she attends a National Day of Prayer event hosted by President Donald Trump in the Rose Garden at the White House, May 1, 2025 in Washington / Image credits - Andrew Harnik/Getty Images The personal phone of Susie Wiles, the U.S. President Donald Trump’s chief of staff, was allegedly hacked, with the individual responsible obtaining access to a bevy of contacts, including high-profile officials. According to the latest report, a federal probe has been launched, but there is no confirmation on how the phone was compromised in the first place. The contacts present in Susie Wiles’ phone grew suspicious after the impersonator asked to move the conversation to Telegram, risking the leaking of sensitive information Shortly after gaining access to the White House chief of staff’s personal phone, the hackers leveraged AI to impersonate Wiles’ likeness and sent multiple contacts voice and text messages from a different number. It was only after the person or persons on the other end recommended continuing the conversation to a private platform like Telegram that the contacts realized that something was off. FBI Director Kash Patel shared the following statement with CBS News regarding the incident. “The FBI takes all threats against the President, his staff, and our cybersecurity with the utmost seriousness; safeguarding our administration officials’ ability to securely communicate to accomplish the President's mission is a top priority.” As for how Wiles’ phone was compromised, TechCrunch asked White House spokesperson Anna Kelly if a cloud account associated with the chief of staff’s device was compromised, or if her handset was a part of a more sophisticated attack involving government-grade spyware. Unfortunately, the outlet did not receive a meaningful response, suggesting that the investigation is still ongoing. This is the second incident in which Wiles has been targeted by hackers, with the first instance transpiring in 2024, when it was reported that Iranian cyber-espionage experts attempted to obtain access to her personal email account. A separate report claims that these individuals were successful in bypassing the security as they obtained a dossier on Vice President JD Vance, who was Donald Trump’s running mate at the time. Going over a few images, we realized that the U.S. President’s chief of staff is currently in possession of an iPhone, which should cause even more concern because Apple prides itself on its robust security and privacy. News Source: The Wall Street Journal

The Netherlands is facing a growing cyber security crisis, with a staggering 66% of Dutch businesses lacking adequate cyber resilience, according to academic research.   As geopolitical tensions rise and digital threats escalate, Rick van der Kleij, a psychologist and professor in Cyber Resilient Organisations at Avans University of Applied Sciences, who also conducts research at TNO, says that traditional approaches have failed and a paradigm shift is urgently needed.  Van der Kleij suggests that cyber security provides the illusion of safety rather than actual protection for many Dutch organisations. His stark assessment is that the Netherlands’ traditional approach to cyber risk is fundamentally broken.  “We need to stop thinking in terms of cyber security. It’s a model that has demonstrably failed,” he says. “Despite years of investment in cyber security measures, the frequency and impact of incidents continue to increase rapidly across Dutch businesses.”  This reflects the central argument of his recent inaugural lecture “Now that security is no more”, where he called for a paradigm shift in how Dutch organisations approach cyber risks.  Van der Kleij describes “the great digital dilemma” of balancing openness and security in a country with one of Europe’s most advanced digital infrastructures. “How can entrepreneurs remain open and connected without having to completely lock down their businesses?” he asks.  The statistics are stark. Van der Kleij’s study found that 66% of Dutch businesses are inadequately prepared for cyber threats. Recent ABN Amro research confirms the crisis: one in five businesses suffered cyber crime damage last year, rising to nearly 30% among large companies. For the first time, SMEs (80%) are more frequently targeted than large corporations (75%), marking a significant shift in cyber criminal strategy.  Despite the numbers, a perception gap persists. Van der Kleij identifies ‘the overconfident’ – Dutch businesses believing their cyber security is adequate when it isn’t. While SME attack rates soar, their risk perception remains static, whereas large organisations show marked awareness increases (from 41% to 64%). This creates a “waterbed effect” – as large companies strengthen defences, cyber criminals shift to less-prepared SMEs which are paradoxically reducing cyber security investments.  Van der Kleij emphasises a crucial distinction: while cyber security focuses on preventing incidents, cyber resilience acknowledges that incidents will happen. “It’s about having the capacity to react appropriately, recover from incidents, and learn from what went wrong to emerge stronger,” he says.  This requires four capabilities – prepare, respond, recover and adapt – yet most Dutch organisations focus only on preparation. The ABN Amro findings confirm this: many SMEs have firewalls but lack intrusion detection or incident response plans. Large companies take a more balanced approach, combining technology with training, response capabilities and insurance.  Uber’s experience illustrates the weakness of purely technical approaches. After a 2016 hack, they implemented two-factor authentication – yet were hacked again in 2022 by an 18-year-old using WhatsApp social engineering. “This shows that investing only in technology without addressing human factors creates fundamental weakness, which is particularly relevant for Dutch businesses that prioritise technological solutions,” van der Kleij adds.  Van der Kleij challenges the persistent myth that humans are cyber security’s weakest link. “People are often blamed when things go wrong, but the actual vulnerabilities typically lie elsewhere in the system, often in the design itself,” he says.  The misdirection is reflected in spending: 85% of cyber security investments go toward technology, 14% toward processes and just 1% toward the human component. Yet the ABN Amro research shows phishing – which succeeds through psychological manipulation rather than sophisticated technology – affects 71% of Dutch businesses.  “We’ve known for decades that people aren’t equipped to remember complex passwords across dozens of accounts, yet we continue demanding this and then express surprise when they create workarounds,” van der Kleij says. “Rather than blaming users, we should design systems that make secure behaviour easier. In the Netherlands, we need more human awareness in security teams, not more security awareness training for end users.”  Why do so many Dutch SMEs fail to invest in cyber resilience despite evident risks? Van der Kleij believes it’s about behaviour, not business size. “It’s not primarily about size or industry – it’s about behaviour and beliefs,” he says.  Common limiting beliefs among Dutch entrepreneurs include “I’m too small to be a target” or “I don’t have confidential information”. Remarkably, even suffering a cyber attack doesn’t change this mindset. “Studies show that when businesses are hacked, it doesn’t automatically lead them to better secure their operations afterward,” van der Kleij says.  The challenge is reaching those who need help most. “We have vouchers, we have arrangements where entrepreneurs can get help at a significantly reduced fee from cyber security professionals, but uptake remains negligible,” van der Kleij says. “It’s always the same parties who come to the government’s door – the large companies who are already mature. The small ones, we just can’t seem to reach them.”  Van der Kleij sees “relational capital” – resources generated through partnerships – as key to enhancing Dutch cyber resilience. “You can become more cyber resilient by establishing partnerships,” he says, pointing to government-encouraged initiatives like Information Sharing and Analysis Centers.   The ABN Amro research reveals why collaboration matters: 39% of large companies experienced cyber incidents originating with suppliers or partners, compared with 25% of smaller firms. This supply chain vulnerability drives major Dutch organisations to demand higher standards from partners through initiatives such as Big Helps Small.  European regulations reinforce this trend. The new NIS2 directive will expand coverage from hundreds to several thousand Dutch companies, yet only 11% have adequately prepared. Among SMEs, approximately half have done little preparation – despite Dutch police warnings about increasingly frequent ransomware attacks where criminals threaten to release stolen data publicly.  Van der Kleij’s current research at Avans University focuses on identifying barriers to cyber resilience investment through focus groups with Dutch entrepreneurs. “When we understand these barriers – which are more likely motivational than knowledge-related – we can design targeted interventions,” he says.  Van der Kleij’s message is stark: “The question isn’t whether your organisation will face a cyber incident, but when – and how effectively you’ll respond. Cyber resilience encompasses cyber security while adding crucial capabilities for response, recovery and adaptation. It’s time for a new paradigm in the Netherlands.”  Read more about Dutch cyber security