An in-depth interview with our expert on an important and topical issue: cyber security. How can companies determine whether they are obliged to put cyber security in place? What does the process of addressing cyber security look like? You will find all the important information in this interview with Ms. Barbora Plavcová Gombárska, a specialist in GDPR and cyber security.

How do companies usually ensure cyber security?
Given that the legislation is relatively new, having come into force in 2018, many companies are not sufficiently prepared. Many companies are not even aware that they need to have cyber security in place, as they have not conducted an internal analysis to determine whether they fall within the list of essential services defined by the Cyber Security Act. As far as technical security is concerned, although things are starting to look up, there are still companies that do not pay much attention to cyber and information security, so their IT is very poorly secured. Certain measures need to be taken to prevent and reduce the risk of threats. It is important to realize that digitization is still advancing, and as it advances, we are increasingly encountering cyber attacks, which in the event of a serious security incident often lead to the collapse of entire systems within companies.
What is the current state of cybersecurity in practice?
As we mentioned earlier, it is necessary to take certain measures to prevent – or at least reduce – the risks that will always be present. These measures are taken based on a risk analysis that shows us the most vulnerable areas. Such an analysis will always reveal the human factor as the greatest threat, regardless of whether you have an analysis carried out on cyber security, information security, object security or fire protection. That is why the measures taken should not only be technical, but also personnel-related.
People (employees) are often unprepared to deal with cyber threats and often lack the necessary training. We often find that companies neglect to train their employees in cyber security. Since most people lack the knowledge of how to work safely in the digital space, they are often the gateway to cyber attacks when working with digital technologies.
Is there a legal obligation for all companies to ensure cyber security?
One thing is the obligation to have cyber security in place under Act No. 69/2018 Coll. on cyber security and on amendments to certain acts (hereinafter referred to as the Cyber Security Act) – here, companies either have this obligation or they don't. Decree No. 164/2018 Coll., which lays down the identification criteria for operated services, defines who falls within and who falls outside the scope of essential services; on the basis of this decree and its annex, it is possible to determine the individual sectoral and impact criteria for essential service operators with regard to the area (segment) in question.
Take the pharmaceutical industry, for example – this segment is defined as a manufacturer of medicines under Act No. 362/2011 Coll. on Medicines and Medical Devices and on Amendments to Certain Acts (hereinafter referred to as Act No. 362/2011 Coll.). All such drug manufacturers should take note and carry out an internal analysis/audit to assess the specific sectoral and impact criteria set out in the annex to this decree. As no specific criteria are set for the pharmaceutical industry in the decree, only impact criteria will be assessed in the analysis. If a drug manufacturer meets at least one impact criterion, it is required to register with the NBÚ (National Security Authority – note) in the list of essential services.
Many companies that are not required to ensure cyber security in accordance with Act No. 69/2018 Coll. on cyber security nevertheless decide to ensure compliance with the ISO 27000 series of information security standards as part of their process improvement and continuity assurance efforts, which always brings them significant benefits.
How does this analysis work, and what needs to be analyzed for companies to determine whether they fall under this law?
As I mentioned, the law stipulates that in order to be included in the list of essential services, an operator of an essential service must meet one specific sectoral criterion and one impact criterion.
These criteria are defined in the annex to the aforementioned decree. If a company meets at least one specific criterion, it moves on to the impact criteria analysis, and if it meets at least one of those, it automatically falls under the category of essential service operators and must report to the National Security Authority. This means that if it meets a specific criterion but does not meet any impact criteria, it does not fall within this essential service. Specific sector criteria are described separately for each segment of operators. For example, there are no specific sector criteria defined for the pharmaceutical industry, but there are specific sector criteria defined for drinking water suppliers and distributors. Specific sector criteria for a drinking water distributor include, for example, whether it produces and supplies or distributes drinking water, operates a wastewater treatment plant, operates a water treatment plant, or operates a water supply or sewerage system. This is the specific criterion that will indicate whether a company should analyze the impact criteria.
Returning to pharmaceutical companies, the first step is to assess whether they are manufacturers of medicinal products under Act No. 362/2011 Coll. Subsequently, the impact criteria are assessed and the impact of a cyber security incident on the basic service provided is analyzed.
It is important to note that each impact criterion must be examined in depth. A detailed analysis is carried out for each criterion with regard to the company, as each company is different in terms of data processing. The impact criterion assesses the impact of a cyber security incident on the information system or networks on which the provision of the service depends.
This is cyber security from a legal perspective. We also have a second type, known as information security, which companies often implement to keep themselves safe and prevent various cyber attacks, but they are not required by the Cyber Security Act to be included in the list of essential services. Such companies address this issue in accordance with the ISO 27000 series of standards. Within the ISO standards, they set their own rules, measures, and guidelines, which they adopt and comply with as a whole company, and within these measures, they strive to protect themselves against individual threats in the digital world. Cyber security as a whole is a reflection of established security standards and norms, and most auditors who perform cybersecurity audits base their work on and require proof of the measures taken not only from the law and regulations specifying cybersecurity requirements, but also from established security standards (such as ISO/IEC, CIS, NIST, etc.).
Several terms have been mentioned here. Let's start with the term cyber security audit. I assume that this is important for companies in terms of whether they are doing it right, whether their cyber security is set up properly...
If an operator is classified as an operator of an essential service, a cyber security audit (not an information security audit) is mandatory. Every entity that has been included in the list of operators of essential services must carry out a cyber security audit in its company within two years of being included. Preparation is necessary for this audit. The Cyber Security Act defines a framework for what needs to be done. If we look at Decree No. 362/2018 Coll., which establishes the content of security measures, the content and structure of security documentation, and the scope of general security measures, we have a precise definition of which security measures a company must adopt. So, before deciding to adopt these measures, the company carries out an initial internal audit to determine whether or not it is classified as an operator of an essential service (cyber security), assessing the specific and impact criteria. It is then important to carry out a status analysis, assessing the technical nature of the security elements already in place in the company and addressing the classification of information and the categorization of networks and information systems, as well as a risk analysis. This classification assesses, for example, individual production processes or whether the data held by the company is sensitive (whether public, internal, protected or strictly protected – this data may require different levels of protection). Based on this classification, we can define which measures the company must adopt in accordance with the law.
Risk analysis is the next step in the process of implementing cybersecurity (based on the classification of information and categorization of networks and the actual technical condition of the company), where we can respond and take appropriate measures in a way that is tailored to the client. Risk analysis assesses the risks and the extent of the threats in the event of a security incident. If the level of risk is high, certain measures must be taken to reduce it.
In the process of implementing individual measures, guidelines, and rules, it is not possible to rely on documents that are created using templates. The current situation is always analyzed and individual measures are adopted based on that situation. Once the situation is known, security policies and guidelines are developed, which in a certain way specify the application part, within which we adopt measures for operational implementation.
Measures need to be taken in segments, whether we are dealing with technical security, where we can talk about network segmentation, antivirus programs, and software security for cyber space protection, or personnel security, where it is necessary to provide training and retraining for employees. There are various training courses available on how to deal with cyber threats. There are various options within cyber security for educating employees in a way that will engage them. Here I would like to point out that it is really important for the trainer to have soft skills, to be able to approach people in a way that is human and acceptable. Since we are talking about the IT segment and the cyber security segment, there is often a lack of understanding of these topics among trainees. Employees should be able to understand the whole issue to the best of their ability and learn how to protect this data and individual systems so that it is not just another wasted hour and compulsory training for them.
Once the guidelines have been adopted and we have taken certain measures, the question arises as to whether that is all. And no, it is not. It is important to realize that cyber security is not a state, but a process. This means that it is constantly evolving, new threats are constantly emerging, and these threats must be monitored. For example, current vulnerabilities in individual products must be monitored and addressed in some way, incorporated into individual measures, and so on. Let's look at it this way: the process of cyber security is constantly evolving, and we are constantly striving to improve it and prevent new threats. We know that hacking and hackers are often two steps ahead of those trying to defend against them. They are constantly developing and devising new ways to attack and harm other users in the virtual environment. On the other hand, it should be noted that, for example, the adoption and implementation of at least basic cyber security principles minimizes the risk of disruption by trivial attacks, which are the most common. Of course, this does not only apply to operators of essential services, who are subject to mandatory measures laid down by regulations; every company should address the issue of cyber threats in a realistic and practical manner in its own interest. It is therefore necessary to be vigilant and to constantly address the situation and current cyber threats.
Once measures have been taken, a process begins in which we update individual measures in light of vulnerabilities, threats, and new risks. As the operator's hardware and software equipment naturally evolves and new information systems are expanded and adopted, risk analysis must be performed repeatedly so that the operator knows whether threats still exist and what their severity is.
And the audit comes after two years?
Yes, it comes two years after reporting to the National Security Authority (NBÚ) and being registered as an operator of an essential service.
What role does the cybersecurity manager play in the whole process?
The cybersecurity manager should have an independent position within the company. From a hierarchical point of view, the director should, of course, be at the top of the organizational structure. The cyber security manager submits proposals for improvement and presents the state of cyber security to the director and senior management of the company, below whom there is only an executive body and cyber security "implementers." The cybersecurity manager is therefore really the one who supervises, monitors, makes proposals for measures, and reports on the state of cybersecurity. They monitor threats, vulnerabilities, and other issues.
Does this cybersecurity manager have to be an internal employee, or can it be someone from outside the company?
It can be an internal employee, but it can also be an external person.
What are the advantages and disadvantages?
An external person, if they have experience from various other companies, has more extensive knowledge and competencies in cyber security management. The advantage of an internal manager is that they know the internal infrastructure of the company better – the background of the company itself – and should be better able to design individual measures, given that they know the company. However, there may be a problem with dealing with threats – an external manager may be better at dealing with cybersecurity threats than an internal one, who has limited training opportunities and usually less experience.
So what can companies do to protect themselves in cyberspace and to ensure that their cyber security is at a good level? Should they start with an analysis to find out whether they even qualify as an operator of an essential service?
It is important to realize one thing: if a cyber security incident occurs, insufficient measures have been taken, and the incident is so extensive that it prevents us from operating and stops, for example, the production process or prevents the provision of services, then the question may be whether the company is even capable of resuming operations. To give an example, many manufacturing companies operate on specific software. Let's say that a security incident completely disables that software. This means that not only do the lines stop working, but there are no manufacturing processes (procedures), and essentially the entire company stops functioning and the manufacturing process comes to a halt. Here we are talking, for example, about a ransomware attack (note: malicious code that encrypts data, after which the attacker blackmails the victim and demands payment of a certain amount), where computers and the network itself are blocked and data cannot be accessed. The computers themselves are only tools, but the entire know-how is in the data on which the company operates. Once this data is restricted, even if you replace the computers and reinstall the software, you will not be able to restore the company's operations without properly backed-up data. Usually, when we talk about ransomware attacks, we talk about the system or individual computers being blocked, in which case the attackers demand a ransom and, once the ransom is paid, they can provide you with the codes to unblock them. However, this does not always work. Even if you pay the ransom, the codes and entire systems are often so damaged that they cannot be restored. This means that in such an attack, the company pays the ransom and still has a non-functional system, which can be a really big problem. It is therefore necessary to take measures based on a risk analysis. Times have changed, digitalization is advancing, and everything depends on technology.
Cyber security and information security must be taken seriously.