Cybersecurity: Safeguarding Against Escalating Digital Threats
As digitalization accelerates, organizations face an escalating risk of cyber threats. October, recognized as Cybersecurity Awareness Month, offers a timely reminder of the critical importance of the protective measures mandated by the Cybersecurity Act and the need for their robust implementation.
According to reports from Croatia’s national authority for cyber incident oversight (CERT), there were 1,236 reported cyber incidents in 2023 alone. While data for 2024 is still pending, rising incidents of phishing and ransomware suggest an upward trend, underscoring the urgency for organizations to enhance their cybersecurity strategies.
The Cybersecurity Act sets forth a framework distinguishing between “key” and “significant” entities, encompassing businesses within critical infrastructure sectors—such as telecommunications, energy, transportation, water supply, finance, and healthcare—as well as those whose operational scale or technological sophistication exceeds that of small enterprises. For these entities, operational disruptions pose serious risks to societal and economic stability. Within this corporate landscape, directors and authorized representatives bear primary responsibility for preventive cybersecurity practices, which include regular employee training and conducting security system audits every few years. Non-compliance with these measures can lead to steep fines, up to 1.4% of annual revenue, adding a compelling incentive to adopt robust security protocols.
Cyberattacks frequently threaten personal data as well, closely aligning cybersecurity with the requirements of the General Data Protection Regulation (GDPR). GDPR mandates technical and organizational measures to secure personal data, including encryption, pseudonymization, and regular system testing. In the event of a data breach, such an incident must be reported to the Croatian Personal Data Protection Agency (AZOP) within 72 hours, with non-compliance penalties reaching up to 20 million euros or 4% of global annual turnover.
What actions should organizations take following a cyberattack? Directors are required to report the incident to the National CERT. If personal data is compromised, an additional report must be filed with AZOP. This process should be followed by an internal investigation, damage assessment, and notification to affected individuals if their data has indeed been compromised. Subsequent revisions to security policies are essential to mitigate future risks. Additionally, cybersecurity insurance can provide an extra layer of protection, as detailed in our prior article on the topic[1].
The Cybersecurity Awareness Month campaign underscores that, with thorough preparation and adherence to regulatory measures, businesses can substantially reduce the risk and impact of cyberattacks, ensuring both stability and security in today’s digital environment.