24 April, 2026
Odido, Ajax, ChipSoft, BasicFit... the list of companies that have been hacked grows by the week. The well-known big companies make the press, but Dutch SMEs are also targeted every day. Attention to good cyber security is therefore more important than ever. To further increase the digital security of our customers, we have been working closely with cyber security specialist Masero for a few months now. Among others for our additional XDR service that 24/7 monitoring offers. How valuable it is? Masero's operations director Wilko Buijs and sales manager Elmer Evers are happy to explain. From their professional, but certainly homely nerve centre in Veenendaal, they talk about the usefulness of continuous monitoring, specialist assessment and lightning-fast intervention. And how they can make a difference together with IT Local.
Just to get straight to the point: can you clarify in a few sentences what Masero does?
Wilko: "In short, we help make SMEs more resilient against cyber attacks and give them more control over cybersecurity. We do this with a wide range of services. From our SOC, the Security Operations Centre here in Veenendaal, we monitor customers' IT environments 24/7. This monitoring allows us to detect anomalous behaviour at an early stage, which we then carefully analyse and quickly stop. We often work as a security extension of the IT partners (MSPs) of SMEs. We are that for you too. And for other MSPs within Smizer. Within the Smizer Group, we fulfil the role of Centre of Excellence."
What is your role within the company?
Wilko: "A year after Wolter and Nico founded Masero in 2020, I joined. I mainly deal with the SOC, projects and everything operational, including aligning processes." Elmer: "I have been working here since 2024. The commercial part lies with me."
"With some companies, something has to happen before they take action"
With all the threats today... how are SMEs doing in terms of security? Do all companies see the urgency of getting things right?
Elmer: "With some companies, something has to happen before they take action." Wilko: "It won't happen to me is still a thought that occurs. But things can just go wrong: we saw that again last week with a hack by a known group at a client of one of our partners: you arrive at work as a director in the morning and you can't work anymore, that gives you quite a shock. And then you read: Hi friends, we understand your shock, we want to help you... Friendly communication, with a lot of attention to feelings. But you have to pay as a company..." Elmer: "So this was a customer who didn't have monitoring yet. Then when an incident occurs and we want to investigate to find out what went out, we have to onboard such a customer first. And then suddenly a lot is possible... say what you need, what Microsoft licences should we buy, etc."
Does NIS2 help increase urgency?
Wilko: "NIS2 obviously helps to see the importance of a good level of security, companies are actually only now waking up a bit because they read about it, also about the possible consequences. Because as a director, you can just be held jointly and severally liable if things go wrong." Elmer: "We also see it coming from the chain, where large companies ask their suppliers whether they have demonstrably arranged their security. Last year, we got regular questions about NIS2. But now that the introduction of NIS2 is really going to happen in July, we see more urgency. We are getting more questions about whether we can offer support to become NIS2-compliant."
When it comes to security, what is not well organised at companies?
Wilko: "MFA or not setting up your authentication that's something you see a lot. Hardening the systems. And permissions, companies issue far too many permissions to their employees. And once you as a hacker get hold of a global admin you can obviously do a lot more within such an environment. Passwords that are not adapted to certain applications we also see a lot. Sometimes it's very simple things that are not properly regulated." Elmer: "And the update policy is also crucial."
"We also include that on premises server in our monitoring"
Elmer: "From Masero we set requirements for the security baseline, for what must be set up on a customer's tenant. Then we do see things that are not right. Sometimes customers also say: we already have an antivirus or an EDR product, so our endpoints will be monitored. You then have the perception that you are safe, but 60-80% of attacks do not target an endpoint. And then things can still go wrong because not everything is monitored. We provide full monitoring. We are also not only focused on what is in the cloud, on Microsoft 365, but we also include that on premises server. If we can see more, security comes at a higher level. Running a good scan can help expose vulnerabilities and discover gates that are open or things that have not been patched."
"Employees often work on autopilot"
What do you often see going wrong?
Wilko: "Employees often work on autopilot. Hackers are focused on that and play on the fact that you are busy or that you are just working on something or that is in the news that fits the hackers' message. What did you post on Instagram about me, we saw the other day. You immediately think... did I do something wrong? On that feeling, they try to trigger you. And if you then click on the link or worse, go ahead and give your username and password, you can get caught very quickly. Awareness training for employees is therefore very important." Elmer: "Certainly also for those people who don't often work with a laptop, think of employees who provide care or work in a production environment. You see with some companies that they only monitor office workers, but we want complete visibility of the environment."
Wilko: "Besides the human part, you have the technology where things go wrong. Because things are not properly regulated, which we mentioned above. There are legacy systems that do not yet meet the latest security requirements. If hackers then use the tools they have to scan for where there is an opening somewhere, they will exploit it. Via reconnaissance, calling, trying to get credentials and then logging in, or technically from brute force. What we've seen lately is that it's not just ransomware but they also just grab your data and say: we'll put it on the dark web, what's it worth to you if we don't? Like with Odido."
"Business-e-mail compromise, that's what we see the most"
Is this method you describe a trend?
Wilko: "What we see most often these days is business email compromise (BEC). Studies also show that around 60-70% is BEC. It often starts because your hardening is simply not in order, for example your MFA is not set up. Then, of course, it is much easier for hackers to get in, then they grab an account and within that mailbox they go to work... they check who they should have: the buyer, the salesperson or the ceo and go and see what invoices they can find. Is there a folder from which invoices were sent? Then they adjust the account number there and send the invoice again and eventually it is paid. And so you don't see that until much later. So it's important to detect that quickly."
"If a lot of e-mail is suddenly sent or mailbox rules are changed we also get a notification of that"
So how do you detect it?
Wilko: "The moment you set up your MFA properly it is already more difficult to get in. If hackers do get through, we see that they have created a rule like: throw away all e-mails that still arrive in this mailbox or put them all in a separate folder. So they take measures within the mailbox so that it is not noticeable that a hacker is inside." Elmer: "So that email from that customer saying I suddenly get a new invoice from you, how weird... so that reply is gone..." Wilko: "If a lot of e-mail is suddenly sent or mailbox rules are changed, those are signals, we get a notification of that too. Also at night." Elmer: "Then it's a high alert and then a specialist comes into action immediately."
And then I guess it's not a quiet start-up with a cup of tea or coffee?
Wilko: "Haha, well no, we work with picket services where - as agreed in our SLA - we intervene (also outside office hours) within ten minutes. We also do the triage and at the moment something is really wrong, we have the rights to install something or disable a user on the customer's tenant, for example. With each MSP or end customer, we have an agreement on who we contact and whether we contact them. These are (at night) often the executives/directors. They need to be informed and have the mandate to set up an incident team. We always send a ticket anyway."
"Sometimes you're unlucky and have to go out several times at night"
Has there been any night work recently?
Wilko: "We had another notification at 4.45 last night. Rotten time. You get a wake-up call and then you have to log in quickly and respond." Elmer: "Sometimes you have bad luck and you have to go on multiple calls. Of course we do take into account the shifts on that." Wilko: "I asked a colleague this morning: you've been woken up twice now, what had happened, what was it really something or false alarm? With the latter, we immediately look the next day to see how we can improve the system to prevent repetition and take out the noise."
Can your employees usually resolve such an incident themselves?
Wilko: "Often it does, but with the more serious incidents it has to be escalated, then eventually Tier 3 is called." Elmer: "And if it happens at a client where we don't have monitoring and there is a hack or there is ransomware (fortunately that hasn't happened yet at clients we monitor) and they call for help, then of course you need other expertise."
"If that client wasn't monitored and something like that only catches on the next day you're tens of thousands of euros down the road"
Elmer: "Very often a threat does target a user where we see something that does make us take an action right away by isolating the user or a device. For example, we saw weird Azure activity a while ago at a customer's site: within ten minutes, some 60 Azure servers were spun up... cloud mining. We immediately got a high alert on that and stopped it right away. If that customer was not being monitored and the customer only notices something like this the next day then you are tens of thousands of euros down the road. Microsoft also takes action on this kind of activity, but they generally do it much later than we do." Wilko: "They blocked the tenant the day after."
Elmer: "So 24/7 monitoring and immediate action is an important one. We will also investigate where it comes from and if there are other anomalous things. And it's directly a cybersecurity specialist who performs the action, not a student who has to escalate it first which delays it. Moreover, someone who speaks Dutch: that is often an advantage in communicating with SMEs in our country."
XDR standard in Elite
To keep your IT environment safe, IT Local lets you choose from three security levels/packages: Essential, Plus and Elite. The XDR service with 24/7 monitoring and immediate incident response, which we offer in close cooperation with Masero, is included as standard with Elite and optional within Essential and Plus.
Within the XDR service, do you also communicate towards IT Local's customers?
Wilko: "At IT Local, we always call your people. You guys are the counter for your clients."
"Your customers want to be unburdened: one point of contact, one contract"
A counter in between does not immediately sound like very valuable. Wouldn't our customers be better off doing business directly with you then?
Elmer: "Your customers usually do not have their own IT department and have IT Local as their IT partner. For them, you are the trusted advisor for all things IT and they also expect a bit of security from you. If they have us as a separate partner, we will start sending things back to them and then they have to go into a kind of director's role. They don't want that, they want to be unburdened: one point of contact, one contract."
Wilko: "The management is also done by you guys, of course. You know exactly what needs to be done, know the client and know how to set up certain policies or not. Maybe the client uses a certain macro that has to run but which could cause a security incident. Then you start weighing that up with each other, what do you do with that? Sometimes we build something that we can monitor that as well. But you always do that together, we don't have enough knowledge of the customer's environment." Elmer: "Especially with incidents or vulnerabilities, then you want the time to intervene to be as short as possible. You don't want to lose time that an e-mail is stuck, for example. Every minute just counts in such a situation." Wilko: "You know each other and you know how you work then. It works very well in incidents that you know where to find each other, know where the areas of expertise are. Then you don't duplicate things or call in third parties just like that and you solve it together. In the end, it works faster."
So you are not going to sit in our chair?
Wilko: "No, we may see certain things in terms of security now and then that we draw your attention to from our expertise. Because developments are happening so fast, if it's not your core business you won't keep up. You have to have people who have the right certifications and who know exactly how things work within a Microsoft environment."
"For specific cases, we write detection rules ourselves"
Speaking of Microsoft... what do you actually do in addition to what Microsoft already offers?
Wilko: "We see Microsoft as a kind of black box. It does a lot, but for certain specific issues we simply make detection rules ourselves. We see which incidents are happening, from thread intelligence you already have certain information about what is going on in the cybersecurity field in the Netherlands and abroad. We use that information to write down detections. If there are none, we can build them ourselves in code. On top of the detections that are already there, we have a lot of our own detection rules that we also push on the customer's tenant. And what you see at one customer you immediately check if that also plays at other customers and we can then immediately roll that out on all environments."
Elmer: "Of course, you (or the client) can see everything that happens on the tenant via Microsoft Sentinel. Only the interpretation of that and action on it... you have to do something with that and that's what we do." Wilko: "But all in the tenant, we don't extract data to do analysis on it which other vendors might do."
So it's a bit more than turning a few sliders in Microsoft?
Elmer: "You really have to have some knowledge of Microsoft technology to be able to set that up properly and interpret it. And how do you then take action on that 24/7? How do you deal with incidents outside office hours and during holidays?"
"80-90% is Silver, Gold is customisation"
Within the XDR service there are two flavours, Gold and Silver, can you point out where the difference lies?
Elmer: "To put it very flatly: for 80-90% of SMEs in the Netherlands, our Silver flavour is appropriate. Provides 24/7 monitoring, focusing on endpoints, identity, cloud and e-mail. Gold is customised, if, for example, there is a desire to integrate additional log sources to monitor SAAS applications. For instance, following the hack at Odido, a customer wanted us to also onboard Salesforce for them and watch for anomalous behaviour. Say a lot of data is suddenly exported.... that gives an alert that allows us to start investigating.
Gold is also further needed when we need to integrate logs from, for example, a Fortinet firewall or Netskope or - more on that compliance side - when you start working with data labelling from an AI angle, with Microsoft Purview. We can also get alerts on that and that too is customisation. Oh yes, I forgot monitoring IoT(Internet of Things) devices, that also falls under Gold." Wilko: "If the connections are not there and we do want the logs in Sentinel, we build them ourselves." Elmer: "By the way, the price difference between Gold and Silver is not only in the customisation. Because more connections also mean more alerts, it also requires more capacity from our people. And we make different demands on the Microsoft environment, in terms of licences."
You can also stop threats automatically within the XDR service, how does that happen?
Wilko: "On the downside, we do do that by setting up to automatically isolate a device or disable an account. But we do that to a limited extent; our starting point is: watch and handle it yourself. Especially in important incidents. If you crash a server, the whole production might be on hold. Important to look at that precisely as a human being and make that decision."
Elmer: "Automatic stopping can also do something you don't want and impact a user. An extra validation is nice then." Wilko: "Example: For a director who was flying to Turkey, a detection was triggered of impossible travel, someone on the move while they had just logged in. But this director had wifi on the plane and was working there. So then automatic intervention by blocking immediately seems logical, but then such a director can no longer work and is not happy about that."
"We complement each other well and we keep each other on our toes"
That's a great example of a specific situation that shows that within cybersecurity you really have to know what you're doing...
Elmer: "Seeing, investigating and taking action, that really is a specialism. The average MSP doesn't manage to do something like that themselves and hire cybersecurity specialists." Wilko: "You have to think like a hacker and have to know how such a person works. It's really a different business from managing an environment, but it's an extension of that. That's why it's nice to do that in collaboration with you guys, we complement each other well and we keep each other on our toes."
Elmer: "And it might be good to know that in the cybersecurity field we do even more than just that monitoring: from NIS2 advice and consultancy to just sparring. There too, with our specialism, we can be an extension for you towards your customers."
11 June: webinar 'The impact of AI on cybersecurity'
On 11 June, we from IT Local are co-hosting a free lunch webinar with Masero on today's increasing cyber threats, which criminals, partly due to AI, are increasingly professionalising. And how to better arm yourself against them. Register now!
Photo above: Wilko Buijs (left) and Elmer Evers speaking in their office in Veenendaal.