In fact, the confrontation with cybercrime has become inevitable, especially for private companies. After all, they are the ones who, in Western economies, manage critical infrastructures and hold the most valuable databases and patents.
Managers' immediate attention and action are therefore required. Doing nothing or perpetuating the illusion that you are immune to this reality can bring fatal costs: millions of euros in lost turnover; lawsuits from shareholders, customers, suppliers and authorities; and perhaps irreparable reputational damage.
The starting point for the manager's work in this area is encouraging. Recent studies agree that more than 80% of successful cyber-attacks involve human error. In other words, making everyone in the organization responsible for cybersecurity is one of the most effective ways of protecting data.
Changing behavior across the board, in the name of prevention, is by far the best remedy. That is why, from a management point of view, cybersecurity is a cultural issue rather than a purely technical one. It does not concern only the CISO or the DPO. For effective awareness and protection, the board itself must be involved throughout, together with all the functional areas.
Training managers in this area requires, first of all, an x-ray of the threats to which organizations are exposed. In addition to the classic attacks of phishing, ransomware and CEO/IBAN fraud, new malicious strategies are emerging, such as social engineering attacks assisted by artificial intelligence. It is also crucial to understand that the motivation for crime is no longer limited to financial gain but now includes geopolitical reasons. In the current context of the war in Ukraine and fierce bipolarity between the United States and China, companies are being attacked by state actors simply because they are on one side of these rivalries.
Secondly, manager training requires knowledge of the main lines of the regulatory framework, namely the NIS 2 Directive, which must be transposed into national law by October 2024. In addition to extending the number of entities and sectors covered by NIS 1, this new legislation provides higher penalties for non-compliance as well as assigning liability to management bodies for proven negligence in cybersecurity matters.
Only after learning about the threats and the legislation will we be able to adopt the best behavioral practices throughout the organization. Measures such as multi-factor authentication, contracting DDoS protection services, regular penetration tests and offline backups should be part of everyday life. As part of this behavioral component, we also need to reflect on governance models for cybersecurity, namely the widely adopted three lines of defense: operational management that implements the controls, risk management and compliance functions that supervise them, and internal audit that independently verifies both.
However, 100% security in the digital space is impossible. Even the best-prepared organizations can fall victim to data breaches. Managers therefore have to prepare themselves to face a cyber-attack: they have to put themselves in the shoes of a decision-maker who suddenly finds their company paralyzed and the target of extortion by third parties. In those chaotic hours and days, knowing what to do and how to communicate acts as a real beacon in the middle of the storm.
This text was written by Pedro Latoeiro and Filipe Domingues, co-founders of the Center for Cooperation in Cyberspace.