FME is the trade association for the technological industry in the Netherlands. A large part of its membership consists of SMEs that are rapidly digitizing, both on the factory floor and in the office. But as digitalization accelerates, so do the risks, especially now that OT is increasingly connected to IT and the internet.
The challenge
Entrepreneurs take cyber threats seriously, but the topic often loses out to production demands, staff shortages, and sustainability priorities. In many SMEs, cybersecurity is simply added to someone’s existing responsibilities, while the impact of an incident directly affects business continuity, reputation, and the supply chain.
Objectives
FME was looking for an approach that helps members to:
- make cybersecurity concrete and action-oriented, rather than focusing only on awareness or theory;
- get management and IT leaders moving together, creating both understanding and budget;
- look beyond their own organization by making supply chain risks visible;
- work with scenarios that reflect the day-to-day reality of the technological industry.
Why CCRC?
FME was not looking for a knowledge session, but for an approach that allows companies to experience what a cyber crisis actually means and, above all, what needs to be in place before such a crisis occurs. CCRC’s supply chain approach was a perfect fit, because in this sector, risks rarely stop at the boundaries of a single company.
The approach
Together, FME and CCRC organize recurring cyber exercises: realistic scenarios from the technological industry, developed over several rounds. Participants work in groups on concrete decisions, such as forming a crisis team, defining the first actions, and handling communications, and report back after each round. This not only creates insight, but also a sense of urgency to act: “What do we not yet have in order?”
An important part of the collaboration is the supply chain perspective. While many companies tend to view cyber risks only within their own boundaries, the exercise helps them see how an incident can affect customers and suppliers, often with far greater consequences than anticipated.
The result
The cyber exercises immediately resonated with FME’s members. The first edition sold out right away, and since then the sessions have consistently been fully booked. FME now organizes them as a standard event twice a year.
Their popularity is mainly due to the practical value they deliver: participants experience firsthand how decision-making works under pressure and leave with concrete action points. The mix of participants also plays an important role: FME deliberately targets both management and IT/security leaders, preferably together. This speeds up follow-up, because both groups have gone through the same exercise and feel the same sense of urgency.
Follow-up
FME is continuing the cyber exercises and is working on a tighter follow-up process, so that more participants actually take the next steps after the exercise — whether through CCRC, their IT partner, or another route. The goal is simple: to help SMEs become resilient more quickly, both within their own organization and across the supply chain.