The 2007 cyber-attacks on Estonia were detrimental to the country and the rest of Europe, turning people’s heads and drawing attention to cybersecurity as a serious global threat for the first time.
We've come a long way since 2007 - we now live in a society where we’re only a couple of clicks away from the internet most of the time, and surfing the web can be swift and spontaneous rather than a process that requires time and effort.
But with the progress of technology comes new and more complex challenges. With the rise of innovations from smartphones to generative AI, cyber-attacks and threats have evolved and have become more sophisticated. As a result, it’s now more important than ever for society as a whole to have an awareness of cybersecurity, and for businesses to ensure that they are adequately protecting themselves and their customers. Although most organizations are evolving their cyber awareness, and EU legislation attempts to guard users from potential harm, threats are evolving at such pace that they’re becoming difficult to keep up with.
Businesses Must Prioritize Cybersecurity
ISACA’s research into the state of cybersecurity in Europe found that of the European business and IT professionals who said they were experiencing an increase or decrease in cybersecurity attacks when compared to a year ago, over half (52%) say that they are experiencing more cyber-attacks.
Despite being aware of the pervasive cyber threat, and clearly acknowledging that the problem is worsening and becoming increasingly prevalent, measures are evidently not being taken to prevent their occurrence. This is because businesses are unable to prioritize cybersecurity - almost two thirds (62%) of respondents report that their cybersecurity team is understaffed.
Alongside staffing issues, the importance of regularly assessing cybersecurity systems is often overlooked. Our research revealed that less than one in ten of the organizations who complete cyber risk assessments do this monthly, while two in five (40%) conduct them annually. Hackers have the ability to infiltrate systems and syphon data for years on end, going undetected and having the potential to cause serious damage. In order to stop this, organizations need to be completing these cyber risk assessments more regularly.
The fallout from a hack like that can be devastating. Businesses don’t exist in isolation from everyone else - they have networks of customers, suppliers, and other businesses who they share data with, sometimes across countries. By failing to protect against or detect cyber-attacks, they put everyone else in that network at risk, too.
Legislation is Vital
But, of course, it’s not just down to decision makers at individual businesses to choose how far they want to protect their ecosystems. Government legislation plays a vital role in ensuring that businesses across countries have a basic set of rules and principles to follow. This way, organizations can effectively follow guidelines that should benefit everybody.
“All of these regulations require one thing that is sparse across the industry right now - people.”
The introduction of the EU Cybersecurity Act in 2019 provides this guidance, unifying the EU’s cybersecurity into a single framework. This means that ENISA (European Union Agency for Cybersecurity) can now contribute to operational cooperation and crisis management across the EU with an EU-wide certification scheme, a move that looks to protect those across businesses, networks and supply chains within the EU.
Whilst it’s an improvement that those in charge are taking cybersecurity seriously and taking a pre-emptive, rather than reactive, approach to cyber-attacks, the rollout of strict rules that businesses need to comply with can be costly and tricky. Legislation like the EU Digital Services Act increases trust for all users, so the end goal is worth it, but all of these regulations require one thing that is sparse across the industry right now - people.
Only People Can Make Regulation Work
Even the best set of rules and regulations a government or body introduces are not useful without a trained workforce that can accurately implement them. Ultimately, the biggest problem that we’re facing is the cyber skills gap.
The stats are stark - the shortage of cybersecurity professionals in Europe ranges between 260,000 and 500,000.
Employing those with cyber skills or providing current employees with holistic cybersecurity training will give businesses the steer they need to stop attacks in a timely manner and recover in a way to minimize impact. These staff members will also be able to provide their expert insight in a situation where one decision could hold terrible consequences. Although investing in technology and resources is of course important, it won’t be of much value if there aren’t people there that are qualified to use it effectively.
“All members of an organization should have a basic education on the risks of cyber-attacks.”
Alongside standard training for cybersecurity professionals, all members of an organization should have a basic education on the risks of cyber-attacks, and what it means if protective measures aren’t taken. The onus shouldn’t be entirely on a cybersecurity or IT department to protect people - everyone within a business, from the C-suite to marketing, has a role to play.
Cyber-attacks, unfortunately, are not going away anytime soon. Although technological advancements can help us to protect businesses, it also comes with risks. We need to be on the front foot globally when it comes to cybersecurity and continue to invest. A combination of legislation, a qualified and skilled workforce, and prioritization of cybersecurity will help organizations protect themselves.