17 million devices. Controlled from servers in the Netherlands.
Last week, the Dutch police and the NCSC dismantled the Asocks botnet. One of the largest cybercrime infrastructures ever operated from the Netherlands.

Routers, cameras, laptops, smartphones, IoT devices. Ordinary devices belonging to ordinary users and businesses, used for years as a conduit for attackers who took control remotely.

The striking thing: the owners had no idea.
No hacked systems with visible damage. No alarm bells ringing. Just a router sending slightly more traffic than usual at night.
That is precisely what makes these kinds of attacks so dangerous, and why they go unnoticed for so long.

The NCSC emphasised it once again: poorly secured devices are all too often the starting point.
Software updates that are postponed. Default passwords that have never been changed. Devices that are on the network but are not visible to those responsible for security.
The latter is precisely the risk that NIS2 addresses under asset management. You cannot control what you cannot see.

What devices are on your network? Who manages them? When were they last patched? Are they registered?
These aren’t rhetorical questions. These are the questions that regulators ask too. And increasingly, they are the questions that auditors include in their assessments.

The Asocks case serves as a good reminder that cyber resilience starts with the basics: knowing what you have, and knowing who is responsible for it.