- Kateřina Kubíková
1. Are resources allocated for cybersecurity?
Ensuring cybersecurity requires financial, human, and technical resources. Company leadership should account for cybersecurity costs in their budgets and allocate sufficient funds for implementing and maintaining security measures. Besides finances, qualified experts and the right technology are essential.
Cybersecurity should be a priority for every organization, especially for top management, which should at least have a basic understanding of the company’s cybersecurity posture. Growing threats and new regulatory requirements demand increasing attention.
While cybersecurity may not be a top priority for companies that don't specialize in it, it's wise to view it in a broader context. How well are we protecting our systems and data? Are we prepared to face emerging cybersecurity challenges?
2. Where are our weakest points?
Asset and risk management is arguably the most critical aspect of cybersecurity. Identifying weaknesses starts with a thorough analysis of assets and risks. This process helps pinpoint the most critical assets and the threats they face. Setting priorities is crucial, since it’s impossible to address everything simultaneously. Risk management is a continuous process that requires regular updates and adjustments as new threats emerge.
3. How aware are employees about cybersecurity?
The human factor is often the weakest link in a company’s security chain. Regular training and awareness programs significantly reduce the risk of successful attacks. Up-to-date and recurring training sessions yield the best results, helping employees develop essential skills and knowledge.
4. Do we back up our systems and data regularly?
Regular backups are invaluable, especially when recovering data after incidents like ransomware attacks. Backups should be securely stored and regularly tested to ensure their effectiveness.
5. What will we do in case of an incident?
Quick and effective incident response can minimize damage significantly. Plans, such as business continuity plans and disaster recovery plans, should include clear steps for incident response and recovery. Chaos during severe incidents adds unnecessary stress, potentially worsening the situation.
6. What do we know about our suppliers?
Supplier management is another critical component of cybersecurity, as modern cyberattacks often target vulnerabilities in supply chains. Mapping out key suppliers and understanding their access to your organization is essential.
7. Does the company have functional security documentation?
Incident response plans and other processes must be well documented. For many organizations, this will become a mandatory aspect of cybersecurity, especially under the new cybersecurity legislation.
Security policies should be regularly updated and actively utilized, not merely formalities. Documentation should serve as a functional tool, adaptable to current needs and threats.
8. Who has access to what?
Access control is the cornerstone of cybersecurity. Employees should only have access to data and systems necessary for their work. This approach minimizes the risk of unauthorized access and misuse of sensitive information.
Regularly review access rights, ensuring former employees no longer have access to company systems and data.
9. How are we managing physical security?
Physical security is also part of cybersecurity. Data centres and infrastructure must be protected against physical threats, like water, wind, or fire. Preventing unauthorized access, safeguarding equipment from damage or theft, and mitigating unauthorized interference are essential aspects of physical security. Do not underestimate physical access, and review it regularly.
10. What laws apply to us?
Cybersecurity regulations are constantly evolving, introducing new requirements for organizations. The new Cybersecurity Act (based on the NIS2 Directive) will likely take effect in mid-2025. Other regulations, such as the DORA regulation aimed at enhancing digital resilience in financial institutions or MiCA for crypto-asset markets, also apply.