Deloitte’s 2023 Cyber Survey shows that companies and public institutions are still at an early stage of recognising the importance of digital resilience in protecting themselves against an unprecedented level of cyber-attacks.
As we write the introduction to Deloitte’s 2023 Cyber Survey, the Danish newspaper Politiken is reporting that a coordinated and possibly state-sponsored attack has blocked GPS signals in Danish waters and airspace, using sophisticated military technology to jam the signals that ships and aeroplanes rely on to navigate [1].
Such stories of cyber-attacks are not unusual, but the magnitude and gravity of the attacks, and their ability to cause destruction and chaos, are raising concern among organisations and lawmakers at the highest levels.
Deloitte’s Tue Jagtfelt from our Cyber Regulatory Compliance & Privacy team recently sat down with Danish member of the European Parliament Morten Løkkegaard, who also serves as the vice chair of the Special Committee on foreign interference in all democratic processes in the European Union, including disinformation (INGE 2).
According to Morten Løkkegaard, we have only seen the beginning of cyber regulation, given the extraordinary level of threat that European companies and public institutions are now facing.
Løkkegaard knows this regulatory development first-hand because he has been an integral part of the process. It is striking to hear him describe the first Network and Information Security directive (NIS1), which Member States had transposed by 2018: it failed to make the desired impact because of the number of exceptions, which often diluted its core intentions. When preparation for NIS2 started a few years later, the EU was determined to achieve a higher common baseline of cybersecurity across the Member States. That determination is a testament to Member States taking the risk seriously.
A wave of inbound regulations
Although the NIS2 directive is significantly more comprehensive than NIS1 (for example, it strengthens security requirements, addresses supply chain risks, streamlines reporting obligations, and introduces more stringent supervisory measures and harmonised sanctions; it also adds new sectors to its scope, including public administration, critical infrastructure, energy, food, transportation, critical product manufacturing and more), it is by no means the only regulation that European companies and public institutions will face in the coming years.
As Morten Løkkegaard rightly points out in his interview:
“Together, we are not stronger than the weakest link when it comes to securing the European states, which is why the EU will continue to develop new legislation to fight back against what Løkkegaard calls a ‘distasteful mix’ of ‘criminals and autocrats’.”
A lot more regulation is already at various stages in the EU Commission’s pipeline, including the ePrivacy Regulation, the Markets in Crypto-Assets Regulation, the Artificial Intelligence Act, the Digital Markets Act, the Data Governance Act, the Digital Services Act, the Identity Regulation, the Directive on the Resilience of Critical Entities, the Cyber Resilience Act, the Digital Operational Resilience Act, the Machinery Directive (also known as the Robots Act), the European Health Data Space Act, and the Data Act, which regulates business-to-government and business-to-business data sharing to improve data access and use.
A rise in regulatory complexity? It is more of a tsunami, one that will require a holistic review of how regulatory compliance is currently carried out so that companies and public organisations can absorb the inbound requirements.
A cyber-everywhere world
So how do organisations protect themselves against current threats, and how do they prepare for a volatile future with increasing regulatory scrutiny? Deloitte’s 2023 Cyber Survey gives some of the answers and highlights some of the vulnerabilities that remain as organisations try to close gaps and safeguard their data and assets.
As we write in the survey, the question is not whether you will be targeted, but when, to what degree, and with what consequences. Some organisations are able to stand up to the attackers, but many are not. 6 per cent of cyber security leaders said in the survey that in the last 12 months alone they had experienced not just a successful cyber-attack, but one with a material impact on their organisation.
Many security leaders also voiced concern about the lack of progress on security enhancements. 49 per cent of respondents in the survey pointed to a lack of internal resources, 38 per cent highlighted a lack of time, and 27 per cent of security leaders stated that the senior executives of their organisation are not giving cybersecurity the priority it needs.
The road towards digital resilience
Our survey highlights that organisations rate their security maturity higher than reality warrants: self-scored maturity is high, while basic cyber security hygiene is only partially implemented. With cyber-attacks as the external driver and regulatory scrutiny increasing, validation and continual enhancement will be the key to staying ahead of the curve. Identifying and prioritising key business assets will be critical, so that the protection of the organisation’s crown jewels is the first priority, ahead of recovering ‘business as usual’ processes.
To achieve this outcome, organisations are working to define what constitutes the core ‘DNA’ they will need to protect and recover in a catastrophic loss scenario. By gaining a better understanding of the impact of such crises, companies and public institutions can determine the data, infrastructure, applications and systems they need to recover quickly as a minimum viable state.
Beyond that, many organisations will inevitably have to reassess their use of backup technology, as many current technologies are already inadequate against the increasing sophistication of attackers. In our experience, organisations still rely on conventional backups in response to catastrophic loss scenarios, with only a few early adopters implementing controls such as cyber vaulting to extract and store the core ‘DNA’ of the organisation. Conventional backups that remain online and reachable with the same administrative credentials as production are routinely deleted or encrypted by attackers before the ransom demand arrives; a vault that is isolated from production, write-once and not reachable with production credentials closes that gap. Given the threat and regulatory landscapes, more organisations are likely to consider such technology, in which essential data is stored in a segregated, secured and immutable form and is thus protected from destruction.
Political and economic uncertainties are making organisations look again at the importance of core business operations, and business resilience will likely remain a boardroom discussion for the foreseeable future. Although progress has been made in improving the cyber security posture in Denmark, the picture of overall maturity within the market remains fragmented. Add robust regulations and rising customer expectations, and continual enhancement of posture, including a focus on the availability of data alongside its confidentiality and integrity, will be a theme that stays. There is no substitute for preparedness. A strong cyber resilience and recovery programme can mean the difference between merely mitigating damage and thriving uninterrupted.