SSH Utrecht manages student housing and everything that comes with it, from rental processes and resident data to building-related systems that are increasingly connected to the internet. With such a broad internet footprint, ranging from back-office applications to cameras and solar panels, the potential impact of a cyber incident also grows. That is why SSH looked for a way to manage cyber risks not only on paper, but by truly experiencing them: what happens when things go wrong, who needs to decide what, and where are the gaps?
The challenge
The main challenge was not unwillingness, but a kind of complacency that can quietly creep in when it comes to this topic. Yet SSH works every day with a lot of personal data and operational dependencies, so it is an important item on the agenda. Another factor was that SSH had already put certain elements in place, but lacked a real-world test: what actually works under pressure, when you have to make decisions with incomplete information?
Objectives:
With the training and exercises, SSH primarily wanted to achieve the following:
- Make awareness tangible: what does a hack concretely mean for SSH, employees, and residents?
- Practice decision-making under pressure, including escalation and clear role allocation.
- Compare existing plans against a realistic situation.
- Generate concrete improvement actions around crisis management, supplier communication lines, backups, and system visibility.
Why CCRC?
The choice for CCRC was remarkably straightforward. SSH had previously attended a similar session through the Municipality of Utrecht and was immediately convinced by the approach. The combination of practical examples, energy, and interaction made the topic both accessible and urgent, without resorting to fearmongering.
The approach
The initiative came from the Supervisory Board and the Management Team: are we actually in control when it comes to ransomware and cyber threats? That is why SSH started at the top of the organization:
- A crisis simulation for the Management Team and Supervisory Board focused on decision-making, risk, and governance.
- Multiple sessions with middle management to explore differences in perspective and responses, and to strengthen resilience across the organization.
The exercise was also tailored to SSH’s context. SSH contributed its own environment (systems, architecture, and partners and suppliers), after which CCRC developed a scenario that matched.
The result
The biggest gain was not a clever technical fix, but the effect on mindset and behavior. People felt the pressure and saw how much comes at you during an incident. Vulnerabilities and dependencies suddenly became very concrete.
The impact was also clear in the team sessions. Managers reacted with surprise and said they would change how they work right away, for example by being more cautious before clicking on something or sharing data.
Follow-up
After the sessions, SSH continued with a smaller group to further develop crisis management and translate insights into policy and governance. Specifically, they looked at:
- A grab-and-go “folder from the cabinet” that anyone can use: who do you call, what do you do, and which steps do you take?
- Better embedding of agreements with suppliers and secured communication lines.
- Backup and contingency planning and improved visibility over cloud versus on-premise applications.
- Repeating awareness work structurally, not as a one-off, but as a learning pathway.