Cybersecurity: new risks and regulations

Cybersecurity: new risks and regulations

Cyber incidents have become the biggest business risk worldwide. At the same time, the risk of significant damage to society is growing. But it is not only because of the multi-layered risks that companies are being called upon to do more for their IT security: for the first time, a new EU directive on cybersecurity holds organisations of all types and sizes accountable.

Cyber criminals are becoming increasingly sophisticated and unscrupulous in their ransomware attacks. Encrypting data is no longer enough for them. They increase the pressure by applying multiple types of blackmail, also stealing data and threatening to publish it in order to get a ransom. It only takes them an average of eleven days from spying to theft – a race against time for companies that can end expensively: at 4.35 million US dollars, the average cost of a data breach is higher than ever before.

The Ukraine conflict and other geopolitical tensions further increase the risk of a large-scale cyberattack by state-sponsored actors. In the process, hackers find a broad potential attack surface: meanwhile, the internet is ubiquitous, in companies IT supports every department – from cloud services and communication tools to intelligent sensors in production or software for managing logistics. Individual IT systems are also often interconnected.

EU cybersecurity law for all

Accordingly, the European Union values the importance of digital infrastructure and cybersecurity for the smooth functioning of the Single Market. With the entry into force of the new NIS2 Directive at the beginning of 2023, it has expanded its previous requirements and will in future oblige considerably more organisations to stringently protect themselves against cyberattacks:

• “Sectors of high criticality” such as energy providers, internet and cloud computing providers, banking, public administration – with particularly strict requirements
• Now also many other sectors, including postal and courier services, food, the automotive industry, digital providers such as online marketplaces and search engines
• As a novelty: companies with at least 50 employees and ten million euros in turnover

The legislative package aims to make IT security part of corporate management – and a matter for decision at the top level. It explicitly involves management in order to achieve systematic protection. Risk management, emergency plans and a rapid reporting system are essential. Another central building block is a protection concept to secure the supply chains, since systems are increasingly penetrated via suppliers. The directive also calls for comprehensive “cyber hygiene” such as systematic data protection, management of vulnerabilities, encryption of information and training of employees.

Those who have not yet dealt with the topic should start setting up a management system for IT security immediately. This is because the requirements must be met by autumn 2024 – a tight schedule for all companies that fall under the regulation for the first time.

Have these trends on your radar

One of the trends that organisations should have on their agenda when it comes to protecting themselves from risks: securing Software as a Service (SaaS) platforms is becoming increasingly important. It is a fact that 80 per cent of business processes in companies now depend on SaaS platforms. They connect to other software via API and merge into a large ecosystem. This creates new risks that are more difficult to monitor and manage as the complexity of the environment increases.

Another significant trend is emerging in remote access: SASE (Secure Access Service Edge) is gaining in importance. Home offices will continue to be part of the new working world, so secure remote access is in demand. Purely VPN-based concepts (Virtual Private Network), however, only allow security gaps to be closed to a limited extent. In contrast, a zero-trust approach with the architecture concept SASE, which secures all accesses and enables high-performance remote work, is on the rise.

A look at business-critical cloud services and remote access alone shows how complexity, networking and security challenges are growing – in times of increasing threats. But it is IT and digitalisation that drive innovation, open up new markets and increase efficiency. Valuable assets and competitiveness depend on their resilience. In the future, it will be all the more crucial that organisations protect themselves systematically and with a holistic security strategy – for the benefit of the economy and society.

More insights