Know Who Your Potential Attackers Are
Marcel van Oirschot, Commercial Director at Hunt & Hackett


Hunt & Hackett is a Dutch cybersecurity company specialising in protecting organisations against (advanced) digital threats. They focus primarily on identifying, preventing and combating cyber attacks, and offer services in managed detection & response, threat intelligence/hunting, incident response retainers, and security roadmapping. Marcel van Oirschot, Commercial Director at Hunt & Hackett, explains his company’s approach and shares his views on the NIS2 Quality Mark.
Marcel, can you tell us why you consider the threat landscape so important?
Marcel: ‘We believe that the threat landscape or threat picture is different for every organisation. Not everyone is a ministry or a super innovative high-tech company, but that doesn’t mean that a threat picture isn’t important for other organisations. It’s important to realise that every organisation, no matter how large or small, faces certain risks and threats. We currently track more than 750 criminal cyber groups and monitor who they are, what they focus on, what techniques they use, and what their motivation is. This helps us to get a good picture of which threats are currently active and how we can specifically advise companies to defend against them.’
That sounds like quite a number. Is this the tip of the iceberg or a substantial portion of the threats?
Marcel: ‘This is quite a large portion of the existing threats that we’ve mapped. Of course, I can’t claim that we’re 100% complete, that would be impossible, but I’m confident that we have a very clear picture of the market. Cybercriminals often exhibit copycat behaviour. There’s a subset of those 750+ that is unique and has very specific tools and methodologies. But beneath that subset, you see groups doing the same thing as their “neighbour”, just in a different sector and often with the same technologies. This means that even if you don’t know ALL groups, you can still cover a large portion of the threats because they use the same methods.’
How does this insight help companies to better defend themselves?
Marcel: ‘The idea is simple: if you know which criminal groups are interested in your organisation, then you know your potential attackers. And if you know who your attackers are and what methods they use, you can optimise your defence. Many attacks can be detected early if you understand who poses the threat. This means you don’t necessarily need to protect your entire infrastructure against every possible attack immediately, but you can set good priorities against those specific methods that pose a risk to your organisation. We can specifically help companies identify which of the 750+ groups might be interested in them based on their sector and activities. This helps companies to better prepare and to get everything sorted in a targeted way.’
Can you tell us more about the link with the NIS2 Quality Mark?
Marcel: ‘Certainly. One of the most important aspects of NIS2 is chain liability. What does that mean exactly? Suppose you’re a large company and you have your security well organised. That’s great, but if one of your crucial suppliers – for example, a logistics company that delivers your products to customers – hasn’t got things sorted, then there remains a weak link in your chain. And that still makes your organisation vulnerable. The NIS2 Quality Mark can help smaller companies in that chain, which may be smaller but just as crucial, to get support. They often don’t have the same resources as large enterprises to get their IT and security sorted. This certificate ensures that they too achieve a basic level of security.’
Why is this so important for smaller companies?
Marcel: ‘Large companies often have special teams and resources to keep their security well-maintained. That’s logical, because they have the budget to invest in technology and expertise. However, for smaller small and medium-sized enterprises, this is much more difficult, as they often depend on external IT parties, hosting and service providers. These often say they have things well arranged, but as a small business, do you actually have the means to verify that? The NIS2 Quality Mark provides a baseline against which companies can test whether their IT and security are in order. It helps them to ask the right questions to their suppliers and take a critical look at their own organisation. This way, they not only gain more control over their own security but can also be more certain about security at their partners.’
How do you view the implementation of the NIS2 Quality Mark in the Netherlands, especially given the situation in countries like Germany and Belgium?
Marcel: ‘Germany and Belgium are really leading the way in this area. The demand for compliance and checks is already much greater there than in the Netherlands. If you trade extensively with German companies, for example, you’ll notice that they set strict requirements for security and compliance. In the Netherlands, we’re somewhat slower with the implementation of these measures, and that’s something companies need to be alert to. The NIS2 Quality Mark can help prepare companies in the Netherlands in time for what’s inevitably coming. We’re already seeing that there are many more compliance checks in Germany and Belgium, and if you’re active there, you can be certain that you’ll need to comply with these requirements eventually. The implementation of the NIS2 Quality Mark here helps companies avoid sudden surprises and makes it easier to meet requirements from foreign trading partners.’
Is cybersecurity, and specifically standardisation and certification, high on the agenda for company boards?
Marcel: ‘Unfortunately, I don’t think it’s high enough on the agenda yet. Many small business boards give socially desirable answers when you ask them how important they consider cybersecurity. Of course, no board will say they don’t think it’s important. But there’s a big difference between saying it’s important and actually doing something about it. Many entrepreneurs want to act but don’t know how and where to begin. There’s so much information, and often it’s contradictory. The NIS2 Quality Mark can play a major role here because it provides an independent, objective baseline that’s separate from the commercial interests of IT companies. It’s a guide that helps companies understand step by step what’s expected of them.’
What would you say to companies who think they still have plenty of time to prepare for NIS2?
Marcel: ‘Begin straight away. There are many aspects in NIS2 that you’ll eventually need to comply with, and you can’t arrange all of those on a Wednesday afternoon. If you start now, you still have time to get everything sorted properly. Once the law formally takes effect, you can no longer wait. Fines and audits probably won’t happen immediately from day one, as the government’s focus is on improving security. And if you structurally fail to comply, sanctions may follow. Why take the risk when you can get started right away?’
How does the market view the introduction of the NIS2 directive and the NIS2 Quality Mark?
Marcel: ‘It needs to register properly still, especially with small and medium-sized enterprises. Recently, I had 40 businesses in a room, and when I asked who was familiar with NIS2, only five hands went up. That means there’s still a lot of work to do, including in the area of certification. There’s been quite a fuss about NIS2, and companies sometimes don’t know what to believe anymore. They’ve been hearing for years that it’s coming, and as a result, it loses its urgency. This has led to a rather wait-and-see attitude. But eventually, this will change, especially when companies notice that their international customers are increasingly setting these certifications as a requirement.’
Finally, why would you recommend the NIS2 Quality Mark?
Marcel: ‘It provides an objective baseline for small and medium-sized enterprises to test what they need to comply with. This isn’t only important for their reassurance but also commercially interesting. For example, if you’re a small business that’s crucial to the supply chain of a large organisation, such as transport or logistics, then that large customer wants assurance that you have everything sorted. The NIS2 Quality Mark gives you that assurance. This way, small businesses can show that they’re engaged with cybersecurity and that they meet a certain standard. Moreover, it keeps many difficult questions from large customers off your hands and allows you to focus on what you’re good at. Ultimately, as a small business, you don’t want to spend all day filling out audit lists and dealing with technical details. The NIS2 Quality Mark helps to streamline that process and make it simpler.’