Lothar Hänsler, Operations Officer, RADAR Cyber Security

Anyone who makes an effort to look at the investment report published by the European Union Agency for Cyber Security (ENISA) will learn a few shocking facts about the negligence of European operators of critical and digital services. Despite all cyber threats: the average budgets for IT security in 2022 have fallen by another 1 % compared to the previous year (6.7%). The total damage to companies and organizations that relates to cybercrime is estimated at a devastating sum of 203 billion euros in 2022 in Germany, according to Statista. Finance and healthcare remain the industries with the highest incident costs.

And it gets worse: Only a quarter (27 %) of surveyed PES in the healthcare sector have a dedicated program to defend against ransomware. 4 in 10 (40 %) agencies don’t have an awareness program in place to sensitize their employees. And the ever-changing threat landscape around ransomware and malicious email traffic continues to be one of the biggest threats to businesses and government agencies.

IT and OT security: What (not only) EU’s critical operators should pay attention to assessment by Lothar Hänsler, Operating Officer at RADAR Cyber Security.

Critical operators are increasingly targeted by cyber criminals. Meanwhile, attackers are not solely concerned with making money. Increasingly, they are putting pressure on their victims and threaten to publish stolen data or offer it on the darknet without their knowledge. In frequent cases they also intend to severely disrupt network systems – including nation-state systems. This is a threatening trend that will continue to gain momentum in 2023.

Technology, Processes, Experts

It is not only as a result of Russia’s war of aggression on Ukraine that many critical operators should take the current threat situation seriously in 2023. Cyber attacks are now a means of political confrontation. Governmental IT systems are going to experience increased DDoS attacks in the future. Organizations, companies and government agencies should therefore focus their attention on email security and rely on a 3-part package of measures consisting of technology, staff knowledge and processes.

IT infrastructures must consistently become more resistant. Zero-trust networks, securing remote access and the use of endpoint detection and response (EDR) will be essential in the future. As the Industrial Internet of Things (IIoT in short) is increasingly the focus of hackers, it is also advisable to combine IT and OT security. It is also extremely important to focus on educating and raising awareness among employees. However, this becomes effective if continuous awareness campaigns are carried out.

Taking a holistic and consolidated view of the security aspect – along with risk management – is becoming increasingly necessary. Over a third of Europe’s critical operators and digital service providers still do not operate a Security Operations Center (SOC). In the energy sector, it is less than 1 in 3 operators who have their OT processes monitored through inhouse SOCs or a managed security service provider.

Cyber security becomes a strategic top-level decision

Chief information security officers (CISO) can avert damage by putting the right products, processes and people in place. However, a successful ransomware attack, coupled with the encryption of critical information, has an overall business impact. In fact, deciding whether to pay a ransom in the event of an emergency is a strategic business decision. And this is not solely the responsibility of the CISO. Preparation for any cyber attacks, supported by trainings such as table-top exercises, is a key element of business continuity. In addition, business leaders are becoming more vulnerable to extortion due to time and decision-making pressure. This is another problematic that needs to be taken into account. Strong cyber resilience has therefore long since ceased to be the sole responsibility of the IT department – but must become a strategic issue that assigns the ability to act.