Interview with Matthijs Van der Wel

Matthijs van der Wel

Matthijs van der Wel, MBA CISSP® CISA®

Director –Forensic Technology Solutions Amsterdam, The Netherlands

Matthijs is specialized in Incident Response and cyber security. His business background and hands on experience provides himwith the ability to discuss complex security matters on board room level. He has investigated and lead the investigation into some of the worlds largest data breaches involving payment card data and IPat both retailers and financial institutions globally.


1. Being specialized in incident response and cyber security, can you tell us more on the types of damages cyber-attacks can inflict on enterprises in Mauritius and worldwide ?


Very often cybersecurity is seen as a pure technical problem, not something board members of companies should be very involved in. However, if you look at the impact of a cyber-attack, you realise that there is more at stake. If you can’t get access to your files anymore, can you still do business? If you lose customer data, will your customers still trust you? If your website or IT systems are down, what would be the impact on your business? And if all of your email messages and files are being made public, what would be the consequences?



2. Cyber security is becoming a critical issue in today’s world. Do you think Mauritian decision-makers you met during your stay here are well aware, prepared and equipped with risk management solutions to face such risks?


Cybersecurity is complex and difficult to do right. If it would be easy and straight forward, we would not have any successful cyber-attacks anymore. It’s key to understand that you can’t be 100% secure. If you realize that an attacker at one day will gain access to your systems and data, you can prepare for that. Make sure you can detect the attackers activity as soon as possible and that you can stop the attacker’s action in time. That sounds a lot easier than it is unfortunately. You need not only to get the right tools and people in place, but also spend time practicing and testing your detection and response capabilities. Every year, companies must do a fire drill to determine if they can evacuate the office building fast enough in case of a fire. Why not do a “cyber fire drill” at least each year?

Important to understand is that attackers may not use just one way to break into your systems and steal your data. They may also target your employees by calling them with a fake story or trying to gain access to your building. Therefore you should also spend time educating your staff, making it easy and known where to report potential security breaches.

During my stay in Mauritius I found that everyone was so friendly and helpful. Everybody wanted to help and assist in any way possible. It made my stay really enjoyable. But keep in mind that criminals may abuse that helpfulness as well.


3. Please tell us about Game of Threats, introduced by PwC Mauritius. What is it all about?


Game of Threats is a digital game that is designed to create cybersecurity awareness. During this game, two teams play against each other. One team will try to defend itself against the cyberattacks, while the other team, the threat actors, will deliver.

The game environment creates a realistic experience where both sides are required to make quick decisions with minimal information at hand. After the game we evaluate, together with the teams, the decisions that were made in order to learn and get insight into the consequences of these decisions.

Game of Threats is all about critical decision-making; it enables players to get insight into the complexity of cybersecurity and the steps that need to be taken to better secure their organisation against attacks.


4. What has been the response of local entities to this new concept?


The response has been overwhelming and enthusiastic. Senior leadership and board members I spoke with understand the importance of cyber security awareness. What better way to create awareness than to play a competitive Game of Threats? We believe this is a good way to make board members understand the implication of a potential breach to their business. It also prompts the Board and senior leadership to ask the right questions to their IT and security team, so that they can stay on top of these complex and dynamic risks. During our conversations, they have shown interest to have these sessions during their Board meetings, executive retreats or strategic planning meetings across different levels of management.



5. As director of Forensic Technology Solutions in the Netherlands you have been involved in investigations regarding card payment frauds, which is a major risk area. The payment card industry seems to be particularly vulnerable on the internet.


For a criminal, cybercrime is very attractive. The margin on cybercrime is higher than the margin on, for example, drugs or money counterfeiting. At the same time, the chance of getting caught is relatively low. And even if you are a not a cyber-security expert, you can hire hackers who can do the job for you, “cybercrime as a service”.


From a criminals’ perspective, there are a lot of ways to make money in cybercrime. There’s a black market where you can sell stolen data. Credit card data and health records are in demand and can be easily sold. But also holding your data hostage for money, like what we’ve seen with the WannaCry ransomware attack. Or threatening to bring your systems offline and requiring “protection money”, like we see in a lot of Ddos attacks.



6. Hacking, phishing, scams, viruses, fraud, money laundering, industrial espionage, cyber terrorism, etc. Crime on the internet is taking many forms. Are there no limits?


As long as there is money or something else to be gained, people and certain organizations will always find a (creative) way to get their hands on it. This will always continue, not only on the internet.

 We make a distinction between “being a target of choice” versus a “target of opportunity”. In the latter case, you need to ensure that you are not the easiest target. If your security is better than someone else, attackers will focus their efforts on someone else. If you are a target of choice, and attackers specifically are after your data, make sure your defences can match the attackers’ capabilities. 



7. It seems that communication remain very sensitive around cyber-attacks happening to local entities, companies are not very keen talking about them. Is this a normal trend? If so, why? If not, are we too conservative in Mauritius? 


No company or organization likes to publicly admit that their security wasn’t adequate. So many security incidents remain unknown, allowing attackers to perform the same attack on others. While criminals are very active in sharing information, we may not be. 

In The Netherlands, many companies participate in various Information Sharing and Analysis Centres (ISAC's) where they share incident information. As a result cybercrime has gone down.


Contact us

Jean-Pierre Young

Advisory Leader, PwC Mauritius

Tel: +230 404 5028

Vikas Sharma

Partner, PwC Mauritius

Tel: +230 404 5015

Ariane Serret

Media Relations, PwC Mauritius

Tel: +230 404 5029

Follow PwC Mauritius