The increasing number of cyber attacks, new regulatory obligations and limited human resources make cyber security one of the key challenges for Polish companies – regardless of their size or industry. Dawid Zięcina, Technical Department Director at DAGMA Bezpieczeństwo IT, discusses what threats dominate today’s business environment, to what extent SOC-as-a-Service is becoming a viable alternative and what mistakes and organisational barriers companies most often face when building security systems.
Klaudia Ciesielska, Brandsit: What cyber threats are currently dominating the Polish corporate environment? Are you really seeing an increase in advanced attacks (APTs), or are phishing incidents and malware still prevalent?
Dawid Zięcina, Dagma IT Security: Polish companies are still exposed to the same, well-known types of cyber attacks. The most common threat remains classic phishing, based on fake phishing websites. Although the number of phishing campaigns is slightly decreasing compared to previous years, it is still the most commonly used technique by cybercriminals.
In the case of malicious software (malware), our observations are consistent with data from industry reports – the scale of its use is growing, with data theft being the main target.
It is also worth noting the increasing activity of APT (Advanced Persistent Threats) groups, which is closely linked to the current geopolitical situation. These are usually groups linked to foreign states, operating for intelligence and disinformation purposes. Importantly, their activities are increasingly extending beyond the public sector or large state-owned companies – smaller companies in the supply chain are also becoming victims of attacks. Individuals associated with employees or owners of these companies are also sometimes targeted.
Brandsit: The NIS2 Directive and the amendment to the KSC Act introduce significant obligations in the area of cyber security. What challenges do companies most often face when trying to implement compliance with these regulations?
D.Z.: Currently, the biggest challenge for Polish companies in implementing NIS2 compliance is the lack of an unambiguous, officially adopted Polish interpretation of the national regulations to be included in the amended Act on the National Cyber Security System (KSC). Although most of the guidelines contained in NIS2 have a relatively clear interpretation, it is the implementation details in the Act that may, in practice, determine the direction of change in the area of cyber security. For this reason, many organisations are adopting a wait-and-see attitude.
Despite the lack of a final law, we have seen a significant increase in interest in services supporting the implementation of information security management systems (compliant with ISO/IEC 27001) and business continuity systems (compliant with ISO 22301). This is a good direction that allows organisations to prepare in a systemic way for the upcoming requirements and to plan specific actions.
A common problem is a lack of awareness of how much in-depth analysis of one’s own operations these processes require, and how much time and resources need to be devoted to effectively implement solutions that increase the organisation’s cyber resilience – particularly against the risk of downtime caused by, for example, a cyber attack.
Brandsit: Is security outsourcing – e.g. in the form of SOC-as-a-Service – becoming a viable alternative for companies without in-house security teams?
D.Z.: Managed cyber-security services are gaining popularity not only among companies that do not have their own teams of specialists, but also as a support for existing security departments. With services such as SOC-as-a-Service, the customer gets access to an efficient, highly specialised team, ready to operate in the customer’s environment within a short time of the service launch.
Importantly, the contracting authority gains a wide range of competences necessary to handle security at various stages – without the need to employ narrowly specialised experts regardless of whether an incident occurs and, if so, of what type.
Maintaining and managing such extensive teams internally would require significant human and financial resources – in an outsourcing model, this responsibility shifts to the service provider, making this solution particularly attractive in terms of flexibility and cost-effectiveness.
Brandsit: What strategic mistakes do companies most often make when building an IT security management system?
D.Z.: The most common mistakes made by companies during the implementation phase of security systems are the lack of a prepared transformation plan based on a sound risk analysis, a piecemeal approach to the problems identified, and underestimation of the resources – human, time and financial – required for successful implementation.
Very often organisations approach the process as a sprint, assuming that once the goal is reached quickly, the project will be completed. Meanwhile, cyber security is an ongoing process that has no endpoint and requires the right environment to be created for development.
Such an environment can be built by, among other things, implementing an information security management system and a business continuity system – even if the organisation does not plan to formally certify compliance with the chosen standard.
Brandsit: Are you seeing a change in the approach of boards and a shift in budgets towards cyber security, or is it still treated as a duty rather than a real business need?
D.Z.: In companies where experienced professionals are responsible for the area of cyber security, boards demonstrate a high level of understanding of both the responsibility and the positive impact of well-implemented security processes on the business as a whole.
However, we still encounter an approach in which cyber security is seen as an unnecessary constraint – something that hinders operations and generates costs without generating direct revenue.
Building awareness of the risks, analysing the impact of IT on business operations and identifying scenarios where the organisation could be paralysed or suffer significant losses as a result of business disruption are key elements in changing this perspective.
It is worth emphasising that ensuring the security of systems and networks does not have to involve huge expenditure. Far more often, it is the downplaying of threats or ignoring previously identified problems that leads to costs that are disproportionately higher than investments that could have been made in advance – before the incident occurred.