Cyber security: Every employee becomes part of an organisation’s ‘human firewall’

Contemporary cybersecurity is no longer purely a technology matter; it is becoming a key element of business strategy and corporate governance. Growing regulatory pressure and increasingly sophisticated social engineering attacks are forcing a fundamental change in which every employee is part of the company's defence system.


The line between technological innovation and a new attack vector is becoming ever thinner. Companies, regardless of industry, now operate as technological organisms, which inevitably makes them vulnerable to digital threats.

However, the paradigm in which security is the sole responsibility of the IT department is rapidly becoming obsolete. The new battleground is the awareness of every employee and the quality of corporate governance, and the pressure to change is compounded by strict new regulations.

In many organisations, the misconception persists that specialised IT teams can fend off any threat on their own. The reality, however, is more complex. Market data shows that Polish companies are under constant pressure, with as many as 83% of them experiencing at least one security incident in 2024, an increase of 16 percentage points year on year.

At the same time, more than a third of businesses point to a shortage of skilled professionals as a major barrier to building an effective defence. Overloaded IT teams, struggling with day-to-day operational tasks, are unable to simultaneously neutralise increasingly sophisticated and targeted attacks.

This mismatch between expectations and real capabilities creates dangerous gaps in the company’s defences.

Regulatory pressure is stepping up the game

The technical problems are compounded by increasing pressure from regulators. Two key legislative initiatives of the European Union – the DORA regulation and the Artificial Intelligence Act (AI Act) – are fundamentally changing the rules of the game, shifting responsibility for cyber security and digital governance to the board level.

The Digital Operational Resilience Act (DORA), which comes into force on 17 January 2025, imposes uniform requirements on banks, insurance companies and other financial institutions for ICT risk management, incident reporting and resilience testing.

Penalties for non-compliance can be as high as 2% of total annual global turnover.

The EU AI Act, in turn, introduces a legal framework for the use of artificial intelligence, categorising systems according to their level of risk. Some applications, such as social scoring systems or behavioural manipulation tools, will be completely banned as early as February 2025.

The most serious breaches carry fines of up to €35 million or 7% of global annual turnover. These regulations make ignoring digital governance not only an operational risk, but also a strategic financial risk.

Humans – the weakest link, with attacks now strengthened by AI

Despite advances in technology, humans remain the most common entry point into corporate systems. Phishing is still the dominant attack vector, and its effectiveness is increasing thanks to the use of generative artificial intelligence. AI tools allow cybercriminals to create linguistically flawless and highly personalised messages that easily bypass traditional filters.

The statistics are alarming. The average cost of a data breach caused by phishing in 2024 was $4.88 million. Equally dangerous are Business Email Compromise (BEC) attacks, including so-called CEO fraud, where attackers impersonate executives to get employees to make urgent, unauthorised transfers. It is estimated that up to 64% of companies have experienced this type of attack, with the average loss per incident reaching $150,000.

In this context, regular hands-on training and simulated attacks for all employees cease to be optional and become a necessity. It is also crucial to implement clear procedures, for example a rule that absolutely prohibits authorising payments via unofficial communication channels such as private messengers.

Technology as a support layer, not a replacement

While the human factor is key, modern technologies offer additional layers of security. Electronic signatures allow the authenticity and integrity of documents to be verified: any modification to a document after it has been signed invalidates the signature, which is an immediate warning sign.
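The integrity property described above can be seen in a few lines of code. The following is an added example, not code from the original article or from any product it mentions; it uses Go's standard-library Ed25519 signatures to sign a constructed invoice, verify it, then change a single character of the account number and verify again. A qualified electronic signature under EU rules additionally binds the key to a certificate and a verified identity, which this example does not model; the names `SignDocument`, `VerifyDocument` and `TamperDemo` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles the document bytes with a detached signature and
// the signer's public key (a constructed structure for this example).
type SignedDocument struct {
	Content   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// SignDocument hashes the document with SHA-256 and signs the digest with an
// Ed25519 private key. The content is copied so later edits to the caller's
// buffer cannot silently change what was signed.
func SignDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	digest := sha256.Sum256(content)
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signature: ed25519.Sign(priv, digest[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDocument recomputes the digest over the current content and checks
// it against the stored signature. Any change to the content, however small,
// makes this return false, which is the "wake-up call" the article refers to.
func VerifyDocument(doc SignedDocument) bool {
	digest := sha256.Sum256(doc.Content)
	return ed25519.Verify(doc.PublicKey, digest[:], doc.Signature)
}

// TamperDemo signs a constructed invoice, verifies it, then alters the last
// digit of the account number and verifies again. It returns
// (validBeforeEdit, validAfterEdit).
func TamperDemo() (bool, bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the account number is a placeholder.
	invoice := []byte("Invoice 2024-001: pay 10000 PLN to account PL00 0000 0000 0000 0000 0000 0001")
	doc := SignDocument(priv, invoice)
	before := VerifyDocument(doc)

	// Post-signing modification of the payee account (the scenario a
	// verifier must catch): the signature no longer matches the content.
	doc.Content[len(doc.Content)-1] = '2'
	after := VerifyDocument(doc)
	return before, after
}

func main() {
	before, after := TamperDemo()
	fmt.Printf("signature valid before edit: %v, after edit: %v\n", before, after)
}
```

The check in VerifyDocument is what a recipient's mail client or document viewer performs automatically; the point for a process owner is that a failed verification on an invoice or payment instruction must be treated as a stop signal, not as a technical glitch to be worked around.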

A promising solution is also the European Digital Identity Wallet (EUDI Wallet), which is expected to be implemented in EU member states by the end of 2026. The wallet is intended to provide citizens with a secure digital identity, enabling unambiguous verification in the online world and thus making identity theft-based fraud significantly more difficult.
