Cybersecurity

At PostNL, as our reliance on systems and data intensifies, the importance of cybersecurity becomes ever greater. To manage our digital information and processes, we ensure the security of data, systems, and applications integral to our business processes. Our cybersecurity policy guides the implementation of effective cybersecurity measures across the organisation.

In 2023, we changed our cybersecurity operating model by strengthening our first and second line defense capabilities. In our first line of defense, we assess the cyber risk posture for relevant IT assets and update the risk treatment plan accordingly. This covers six main focus areas:

Central monitoring capability

Implementation of central monitoring, including logging requirements based on a standard classification policy, now covers our 10 main log sources, including our AWS engineering environment. This enables us to onboard specific applications and use cases efficiently.

Asset management policy and standard

We have defined a policy and standard for asset management from a cybersecurity perspective, and have implemented a vulnerability management tool to assess risk across critical asset domains.

Information security management system

Utilising our existing repositories and risk system (Topdesk combined with Onetrust), we have integrated these systems to conduct risk assessments according to our data classification.

Risk assessment process

We have standardised the Business Impact Analysis to conduct cyber-risk assessments and made it mandatory for all penetration tests and high-classified assets.

Configuration management control set

Our IT cybersecurity framework is based on the CIS control set, providing benchmarks for common IT environments and applications. This has been particularly effective for our O365 environment.

First-line cybersecurity function

To strengthen our cybersecurity function, we have started adding business information security officers in the first line and IT security managers in central teams.

Our second line of defense focuses on three main capabilities:

1. Accurate and current policies, including a control framework
2. An awareness programme
3. An incident reporting and management process.

In 2023, we strengthened this with a 24/7 security operation centre, implementation of a central SIEM and automated vulnerability management, and implementation of DevSecOps controls together with the IT engineering teams. Throughout the year, we also regularly performed internal control testing, including identity & access management, change management, and incident management. Centralised processes, such as single sign-on, multi-factor authentication, patch management, firewall management, and backup and recovery, mitigate cybersecurity threats.

We further extended our detection and response capabilities by performing incident response simulations. This both on operational and board level. With the lessons learned we are further improving our resilience including  red-team exercising to test our in depth resilience.

On regulations we assessed our NIS-21 readiness in 2023. As we will fall under this legislation by the end of 2024, we will implement necessary additional controls based on this assessment. In 2023, we had a total of 362 cybersecurity incidents. This is an decrease of 30 % compared to 2022. Of these incidents, one was classified as high, while six involved a data breach.

We continue to address cybersecurity in our review of internal controls, especially as most of our critical applications are based on SaaS and Cloud principles. These assessments, critical for maintaining robust security, will persist into 2024 and beyond.