Security and Privacy

Security

Digital transformation is accelerating and, in line with our strategic ambitions, presents opportunities and challenges for every area of our activities. Cyber threats grow at a similar pace, so for a knowledge-centric company such as ours, information security is critical. We constantly update and test our information security measures to protect the interests of our clients, employees, company and other stakeholders. The information we handle includes data entrusted to us by clients and other third parties, project information, and company information such as intellectual property, employee details and financial information.

We need to protect our internal systems and data to keep our business processes running. We also need to respond to client demands for specific solutions to their security requirements. Our increased focus on delivering digital products led us to expand our secure software development life cycle (SDLC) in 2023 to include Dependency Checker. This is an intelligent component analysis platform that allows us to identify and reduce risk in the software supply chain by producing and analysing a Software Bill of Materials (SBoM).

Our information and privacy protection strategy is centred on our Information Security Management System (ISMS), based on the international ISO/IEC 27001 standard. We were re-certified for ISO 27001 in 2023, having first obtained certification in 2019. In 2023 we maintained the UK National Cyber Security Centre’s (NCSC) Cyber Essentials and Cyber Essentials Plus certifications. Cyber Essentials Plus is the highest level of certification offered under this scheme and is required when bidding for contracts that involve handling certain sensitive and personal information. Our clients are becoming increasingly aware of security and privacy concerns and demand specific solutions to their security requirements.

We only work with ICT vendors and suppliers that have a robust level of security in place. A risk assessment and mitigation programme tests the security of our own and our suppliers’ systems. As part of that, we undertake periodic penetration tests and vulnerability assessments on critical systems.

In 2023, we took further steps in our transformation from a reactive to a proactive security operation. This is a direct result of the Zero Trust philosophy adopted three years ago. We continued to expand our Security Operations Centre (SOC) team’s efforts to continuously evaluate potential incidents and proactively hunt for threats.

Despite the automated, real-time response that comes with state-of-the-art technology, the human factor remains important for maintaining a healthy security posture. This is why, in 2023, we invested in raising awareness and enhancing our cyber resilience, to ensure employees know the basics of information security and understand the role every individual plays in protecting sensitive information and company assets. This included mandatory e-learning, offered to our employees and external agents, on best practices and behaviours to prevent and respond to cyber incidents. It covers topics such as password management, phishing, malware, social engineering, and data protection. We also started campaigns simulating realistic phishing scenarios to test and improve our employees’ ability to detect and report malicious emails. This is of real relevance to colleagues as, across the organisation, we receive around 1,000 phishing emails every day.

We closely monitor cyber threats arising from cybersecurity developments worldwide. In 2023 we joined Connect2Trust, a cross-sectoral partnership between major companies in the Netherlands. It offers a safe and trusted environment in which private parties, together with government bodies charged with security, can analyse and exchange sensitive and confidential information about cyber threats and best practices. Based on advisories and threat intelligence provided by authorities such as the Dutch National Cyber Security Centre (NCSC), we carry out a risk analysis of emerging threats and their potential impact. No material impact emerged from these

Privacy

Royal HaskoningDHV collects and uses personal data for various purposes where the conditions set by applicable data privacy legislation are met. This can include personal data of clients, vendors, business contacts, employees, and other stakeholders. It is done through various mechanisms such as client relationship management, proposals and projects for our clients, digital applications and services, financial management, human resource management, and information and communication technology. We are dedicated to protecting the privacy of individuals and are committed to complying with privacy legislation such as the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation and Data Protection Act 2018, and the South African Protection of Personal Information Act (POPI Act).

We maintain policies, processes, and procedures within a privacy and personal data protection framework. This includes actively verifying the compliance of our processing activities against relevant legislation and maintaining a compliance register through which we identify, investigate, and report data breaches, process data subject requests appropriately, and raise awareness. In the Netherlands and the United Kingdom, the Data Protection Officer ensures compliance with data privacy legislation and, in 2023, we further strengthened our commitment to data privacy by incorporating it within our 12 ethical principles (see the Business Ethics section).