Cyberattacks are getting more and more costly, can put people’s lives in danger, and more than 80% of companies face a cyberattack sooner or later. Yet Czech companies still underestimate the importance of information and cyber security. What damage can a cyber-attack really cause, what are the most common mistakes revealed by IT audits and how to prepare for a rather strict NIS 2 regulation? Read an overview by Iva Vondrová, an Associate Manager in Risk Consulting.

An IBM survey conducted in 550 companies showed that 83% have experienced a data leak or cyber incident. In 2020, the estimated yearly costs related to cybercrime reached 5.5 billion euros globally, double the 2015 figure, according to the European Commission. In its “Cost of a Data Breach 2022” survey, IBM puts the average cost of a data breach and the related damages at 4.35 million dollars – with an extra half a million dollars in the case of critical infrastructure.

The Czech Republic isn’t much better off; in 2021, the National Cyber and Information Security Agency received reports of 476 cyber incidents, eight of them very serious. The University Hospital Brno estimates it suffered 150 million crowns worth of damage after a 2020 cyber-attack. The cost of a 2019 ransomware attack on a hospital in Benešov is estimated at 59 million crowns. Both incidents caused a permanent loss of significant patient and hospital data, and in both cases the perpetrators were never found. The case of a company that suffered a cyberattack in October 2021 and still hasn’t been able to fully recover despite heavy investments in security is also a cause for alarm.

What do the audits say?

Companies don’t realize that the risk of data leaks comes not only from the outside but from the inside as well. Audits often reveal errors such as the accumulation of access rights over time or the failure to remove them from former employees. We have also seen cases of developers building back doors into applications. And when employees reuse the same password on their work and personal devices, attackers can easily break into their work laptops.
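As an added illustration of the kind of access-rights review such an audit performs (this is example code written for this page, not the firm's audit tooling), the script below joins an IAM account export to an HR roster and reports the findings named above: accounts whose owner has left or was never recorded, accounts still used after the owner's leaving date, accounts that have accumulated more roles than an agreed ceiling, and accounts holding role pairs that should be separated. The roster, the account list, the role names and the three-role ceiling are all constructed assumptions.

```python
"""Added example (not part of the original article): a small access-rights
review of the kind an IT audit performs.  All data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Review date for the orphaned-account check (constructed)
AS_OF = date(2024, 1, 15)


@dataclass
class Account:
    username: str
    owner_id: str                 # HR employee id this account is mapped to ("" = unmapped)
    roles: set[str] = field(default_factory=set)
    last_login: date | None = None


# Constructed HR roster: employee id -> (name, leaving date or None if still employed)
HR_ROSTER = {
    "E001": ("Alice", None),
    "E002": ("Bob", date(2023, 3, 31)),
    "E003": ("Carol", None),
}

# Constructed IAM export of enabled accounts
ACCOUNTS = [
    Account("alice", "E001", {"erp_user", "vpn"}, date(2024, 1, 10)),
    Account("bob", "E002", {"erp_admin", "vpn"}, date(2023, 4, 2)),   # owner left, account still enabled
    Account("carol", "E003",
            {"erp_user", "erp_approver", "payments_release", "vpn", "dba"},
            date(2024, 1, 9)),                                         # roles accumulated over the years
    Account("svc_backup", "", {"dba"}, None),                          # no HR owner recorded at all
]

# Role pairs one person should not hold at the same time (segregation of duties; constructed)
SOD_CONFLICTS = [frozenset({"erp_approver", "payments_release"})]


def find_orphaned(accounts, roster, as_of):
    """Enabled accounts whose HR owner is unknown or had already left by `as_of`."""
    orphaned = []
    for acct in accounts:
        entry = roster.get(acct.owner_id)
        if entry is None or (entry[1] is not None and entry[1] <= as_of):
            orphaned.append(acct.username)
    return sorted(orphaned)


def find_used_after_leaving(accounts, roster):
    """Accounts that logged in after the owner's leaving date: a stronger signal than mere existence."""
    hits = []
    for acct in accounts:
        entry = roster.get(acct.owner_id)
        if entry and entry[1] and acct.last_login and acct.last_login > entry[1]:
            hits.append(acct.username)
    return sorted(hits)


def find_over_privileged(accounts, max_roles=3):
    """Accounts holding more roles than the agreed ceiling (a proxy for accumulated rights)."""
    return sorted(a.username for a in accounts if len(a.roles) > max_roles)


def find_sod_violations(accounts, conflicts):
    """Map username -> conflicting role pairs the account holds in full."""
    violations = {}
    for acct in accounts:
        pairs = [tuple(sorted(c)) for c in conflicts if c <= acct.roles]
        if pairs:
            violations[acct.username] = pairs
    return violations


def run_review(accounts=ACCOUNTS, roster=HR_ROSTER, as_of=AS_OF):
    """Run every check and return one report, the shape an auditor would hand back."""
    return {
        "orphaned": find_orphaned(accounts, roster, as_of),
        "used_after_leaving": find_used_after_leaving(accounts, roster),
        "over_privileged": find_over_privileged(accounts),
        "sod_violations": find_sod_violations(accounts, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(f"{finding}: {items}")
```

In practice the two inputs come from the HR system and the identity provider rather than inline lists, and the review is scheduled (monthly is common) so that a leaver's account is caught well before the annual audit; the "used after leaving" check is the one that turns a hygiene finding into an incident to investigate.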

The first hours of an attack are crucial, and taking the right steps can help contain it. Often, however, employees simply don’t know what to do, and many companies either lack any plan that would allow them to recover and resume operations (a so-called continuity plan) or have plans that are completely insufficient. Keep in mind that recovery plans need to be reviewed, updated, and tested at least once a year. In the event of a cyber incident, your CISO (Chief Information Security Officer) plays a vital role; if this position doesn’t yet exist in your company, you would do well to create and fill it soon.

Data are the most valuable asset of every company. Losing your data can cost you your reputation, your clients, and a lot of money – so make sure to train your employees regularly and test their ability to withstand a potential attack.

How can you prepare for the NIS 2 directive?

In recent years, inadequate cyber security has become a much-discussed topic in the EU as well, leading to the European Parliament’s adoption of NIS 2 – the Network and Information Security 2 directive – in late 2022. DORA – the Digital Operational Resilience Act – was adopted at the same time, with the goal of improving the financial sector’s resistance to cyber-attacks. In the Czech Republic, NIS 2 will come into effect and become part of the Act on Cyber Security in 2024. As for DORA, companies and institutions have until 2025 to implement it in their processes.

Many companies find it difficult even to make sense of all the new rules, let alone to achieve compliance, so they often turn to consulting firms for help. Among the most popular services we provide to our clients are various gap analyses and analyses of the impact of the new regulations and directives on their company. That means we help our clients understand whether they comply with specific regulations and directives and what steps they need to take to improve their compliance. We are also happy to help you create or revisit your recovery plans.