Interview: Cybersecurity

29.10.2021 | Author: Hronček & Partners, s. r. o.
10 min

An in-depth interview with a cybersecurity expert from our partner company, Top privacy s.r.o., on an important and timely topic: cybersecurity. How do companies determine whether they need to ensure cybersecurity? What is the process for addressing cybersecurity? You’ll learn all the important details in an interview with Ms. Barbora Plavcová Gombárská, a specialist and expert on GDPR and cybersecurity.


How do companies typically ensure their cybersecurity?

Given that the legislation is relatively new—it was introduced in 2018—many companies are not sufficiently prepared for it. Many companies don’t even know they’re required to have a cybersecurity plan in place, since they haven’t conducted an internal analysis to determine whether they fall under the list of essential services defined by the Cybersecurity Act. As for technical security, even though things are starting to look up, there are still companies that pay little attention to cybersecurity and information security, so their IT infrastructure is very poorly secured. Certain measures must be taken to prevent and reduce the risk of threats. It is important to realize that digitalization continues to advance, and as it does, we increasingly encounter cyberattacks; in the event of a serious security incident, this often leads to the collapse of an entire system within companies.

What is the current state of cybersecurity in practice?

As we discussed earlier, it is necessary to take certain measures to prevent—or at least reduce—the risks that will always be present. These measures are implemented based on a risk analysis that identifies our most vulnerable points. Such an analysis will always identify the human factor as the greatest threat, regardless of whether you commission an analysis for cybersecurity, information security, physical security, or fire protection. And that is precisely why the measures taken should not be merely technical but also personnel-related.

People (employees) are often unprepared to deal with cyber threats and frequently lack the necessary training. We often see companies neglecting to provide employees with cybersecurity training. Because people largely lack the knowledge of how to work safely in the digital space, they are often the gateway for cyberattacks when working with digital technologies.

Is there a legal obligation for all companies to ensure cybersecurity?

One thing is the obligation to ensure cybersecurity under Act No. 69/2018 Coll. on Cybersecurity and on Amendments to Certain Acts (hereinafter the “Cybersecurity Act”)—here, companies either are or are not required by law to do so. Under Decree No. 164/2018 of the National Security Authority, which establishes the identification criteria for operated services, it is defined who falls under and who does not fall under the scope of essential services, and based on this decree and its annex, it is possible to determine the individual sectoral and impact criteria for an essential service operator with regard to the relevant sector (segment).

Take the pharmaceutical industry, for example—this segment is defined as a drug manufacturer under Act No. 362/2011 Coll. on Drugs and Medical Devices and on Amendments to Certain Acts (hereinafter “Act No. 362/2011 Coll.”). All such drug manufacturers should take note and conduct an internal analysis/audit to assess the specific sectoral and impact criteria set forth in the annex to this decree. Since the decree does not establish specific criteria for the pharmaceutical industry, only impact criteria will be assessed as part of the analysis. If a pharmaceutical manufacturer meets at least one impact criterion, it is required to register with the National Security Authority (NBÚ) in the list of essential services.

Many companies that are not required to ensure cybersecurity in accordance with Act No. 69/2018 Coll. on Cybersecurity nevertheless decide, as part of process improvement and ensuring business continuity, to ensure compliance with the ISO 27000 series of information security standards, which always brings them significant benefits.

How does this analysis work, and what needs to be analyzed for companies to determine whether they fall under this law?

As I mentioned, the law stipulates that for an operator of an essential service to be included in the list of essential services, it must meet one specific sectoral criterion and one impact criterion. These criteria are defined in the annex to the aforementioned decree. If a company meets at least one specific criterion, it then proceeds to the analysis of the impact criteria; if it meets at least one of these as well, it automatically falls under the category of essential service operators and must be reported to the National Security Authority (NBÚ). This means that if it meets a specific criterion but does not meet any impact criterion, it does not fall under this essential service. Specific sectoral criteria describe each segment of operators separately. For example, no specific sectoral criterion is defined for the pharmaceutical industry, but specific sectoral criteria are defined for drinking water suppliers and distributors. Specific sectoral criteria for a drinking water distributor include, for example, whether it produces and supplies or distributes drinking water, operates a wastewater treatment plant, operates a water treatment plant, or operates a water supply system or sewer system. This is the specific criterion that will indicate whether the company should be analyzed against the impact criteria.

Returning to pharmaceutical companies—in the first step, the assessment for them merely determines whether they are drug manufacturers under Act No. 362/2011 Coll. Subsequently, the impact criteria are assessed, and within this framework, the potential impact of a cybersecurity incident on the essential service provided is analyzed.

It is important to realize that every single impact criterion must be examined in depth. A detailed analysis is conducted for each criterion with respect to the company, as every company is different in terms of data processing. Within the impact criterion, the impact of a cybersecurity incident is assessed within the information system or networks on which the provision of the service depends.

This is cybersecurity from a legal perspective. There is also a second type, known as information security, which companies often implement to ensure their safety and prevent various cyberattacks, but they are not required under the Cybersecurity Act to be included in the list of essential services. Such companies address this issue in accordance with the ISO 27000 series of standards. Within the framework of ISO standards, they establish their own rules, measures, and guidelines, which the entire company adopts and adheres to, while striving to protect against individual threats in the digital world through these measures. Cybersecurity as a whole reflects established security standards and norms, and most auditors who conduct cybersecurity audits base their requirements for demonstrating implemented measures not only on laws and regulations defining cybersecurity requirements but also on established security standards (such as ISO/IEC, CIS, NIST, etc.).

Several terms have been mentioned here. Let’s start with the term “cybersecurity audit”; I assume this is important for companies in terms of whether they are doing it right, whether their cybersecurity is set up properly...

If an operator is classified as a critical infrastructure operator, a cybersecurity audit (not an information security audit) is mandatory for them. Every entity included in the list of essential service operators must conduct a cybersecurity audit within two years of inclusion. Preparation is required for this audit. The Cybersecurity Act provides a framework for what needs to be fulfilled. When we look at Decree No. 362/2018 Coll., which establishes the content of security measures, the content and structure of security documentation, and the scope of general security measures, we have a precise definition of which security measures the company must adopt. So, before deciding to adopt these measures, the company conducts an initial internal audit to determine whether it is classified as an essential service (cybersecurity), during which specific and impact criteria are assessed. Subsequently, it is important to conduct a status analysis—the technical nature of the security elements already in place within the company is assessed, and the classification of information, the categorization of networks and information systems, and risk analysis are addressed. As part of this classification, individual production processes are assessed, for example, or whether the data held by the company is of a sensitive nature (whether public, internal, protected, or strictly protected—this data may have varying levels of protection). Based on this classification, we can define which measures the company is legally required to implement.

Risk analysis is the next step, where—in the process of implementing cybersecurity (based on information classification, network categorization, and the company’s actual technical state)—we can assess the risks and adopt appropriate measures tailored specifically to the client’s needs. Risk analysis assesses the risks and the severity of potential threats in the event of a security incident. If the risk level is high, certain measures must be taken to mitigate it.

When implementing individual measures, guidelines, and rules, we cannot rely on documents created using templates. We always analyze the current situation and adopt specific measures based on that assessment. Once the situation is known, security policies and guidelines are developed, which in a way define the implementation phase, within which we then put measures into operation.

Measures must be implemented in segments, whether we are addressing technical security—where we can discuss network segmentation, antivirus programs, and software security for protecting cyberspace—or personnel security, where it is necessary to provide training and retraining for employees. There are various training programs for dealing with cyber threats. There are various options within cybersecurity for how to educate employees in a way that engages them. Here, I would perhaps note that it is truly important for the trainer to possess so-called soft skills, to be able to connect with people in a way that presents the material in a human and accessible manner. Since we are discussing the IT sector and the cybersecurity sector, these topics are often misunderstood by the trainees. Employees should be able to understand the entire issue to the best of their ability and learn how to protect this data and individual systems so that it isn’t just another wasted hour and mandatory training for them.

After the guidelines are adopted and certain measures are implemented, the question arises: is that all there is to it? And no, it is not. It is important to realize that cybersecurity is not a static state but a process. This means it is constantly evolving; new threats are constantly emerging, and we must monitor these threats—for example, current vulnerabilities found in individual products—and address these vulnerabilities in some way, incorporating them into specific measures, and so on. Let’s look at it this way: the cybersecurity process is constantly evolving, and we are constantly striving to improve it and prevent new threats. We know that hacking and hackers themselves are often two steps ahead of those trying to defend against them. They are constantly developing and devising new ways to attack and harm other users in the virtual environment. On the other hand, it is important to note that, for example, by adopting and implementing at least the basic principles of cybersecurity, the risk of disruption from trivial attacks—which are the most common—is minimized. Of course, this does not apply only to operators of essential services, who are subject to mandatory measures prescribed by regulations; every company should, in its own interest, address the issue of cyber threats in a realistic and practical manner. Therefore, it is necessary to remain vigilant and continuously address the situation and current cyber threats.

Once measures are implemented, a process begins in which we update individual measures in light of vulnerabilities, threats, and new risks. As the operator’s hardware and software naturally evolve, and new information systems are expanded and adopted, risk analysis must be performed repeatedly so that the operator knows whether threats still persist and to what extent.

And does that audit come after two years?

Yes, it comes two years after reporting to the National Security Authority (NBÚ) and registering the essential service.

What role does the cybersecurity manager play in the entire process?

The cybersecurity manager should have an independent position within the company. From a hierarchical perspective, the director should naturally be at the top of the organizational structure. The cybersecurity manager submits proposals for improvement and reports on the state of cybersecurity directly to that director and the company’s senior management; below them are only the executive body and the “implementers” of cybersecurity.


The cybersecurity manager is therefore truly the one who merely oversees, monitors, makes recommendations for measures, and reports on the state of cybersecurity. They monitor threats, vulnerabilities, and various other issues.

Does this cybersecurity manager have to be an in-house employee, or can it also be an external consultant?

It can be an internal employee, but it can also be an external consultant.

What are the advantages and disadvantages?

An external consultant, provided they have experience from various other companies, possesses more extensive knowledge and expertise in cybersecurity management. The advantage of an in-house manager is that they have a better understanding of the company’s internal infrastructure—the company’s background itself—and should be better equipped to design specific measures, given their familiarity with the firm. However, there may be a problem with dealing with threats—an external manager may be better equipped to handle cybersecurity threats than an internal one, who has limited educational opportunities and typically less experience.

So what can companies do to protect themselves in cyberspace? To ensure a high level of cybersecurity?

Start with an analysis: determine whether they even qualify as operators of essential services.

It is important to realize one thing: if a cybersecurity incident occurs and sufficient measures are not taken, and the incident is so extensive that it disrupts operations and halts, for example, the production process or prevents the provision of services, then the question may be whether the company is even capable of resuming operations. To illustrate this with an example—many manufacturing companies rely on specific software; let’s say that, as part of a security incident, that software becomes completely restricted. This means that, in addition to production lines not functioning, there are no manufacturing processes (procedures); essentially, the entire company ceases to function and the production process comes to a halt. Here we’re talking, for example, about a ransomware attack (note: malicious code that encrypts data, after which the attacker blackmails the victim and demands payment of a certain sum), where both the computers and the network itself are blocked, and the data cannot be accessed. The computers themselves are merely tools, but the entire know-how lies in the data upon which the company operates. Once access to this data is restricted, even if you replace the computers and reinstall the software, without properly backed-up data, you will be unable to restore the company’s operations. Typically, with ransomware attacks, we’re talking about the system or individual computers being locked; in such cases, the attackers demand a ransom, and after payment, they may provide you with the codes to unlock them. However, it doesn’t always work that way.

Even if you pay the ransom, the codes and entire systems are often so damaged that they cannot be restored. Thus, in such an attack, the company pays the ransom and still ends up with a non-functional system, which can be a truly major problem. That is why it is necessary to implement measures based on a risk analysis. Times have changed, digitalization is advancing, and everything depends on technology. Cybersecurity and information security must be taken seriously.


Hronček & Partners, s. r. o.

"High-quality content isn't created by copywriters, but by experts."