Why cybersecurity should be a board priority


Companies need to acquire more cybersecurity knowledge at all levels; every executive team must have a Chief Information Security Officer.


In brief

  • Due to the threat of sophisticated cybercrime and to comply with the upcoming NIS2 legislation, boards need to prioritize cybersecurity.
  • Companies need a robust cyber policy that integrates into all strategic initiatives and strengthens the supply chain to protect critical business processes.
  • People are the first line of defense. Boards must endorse the importance of awareness and training to prevent, respond to, and recover from a cyberattack.

Cybercrime is a highly profitable sector. Combined with geopolitical developments, including cyberattacks carried out by certain states, this means that companies whose core processes are increasingly digitized are becoming very vulnerable.

If cybersecurity is inadequate, the consequences can be severe. Consider ransomware, malicious software that encrypts files on a computer and demands a ransom to release them, or deepfake fraud, such as the case at a British engineering firm where an employee recently transferred 23 million euros on the strength of fake images of the CFO generated with artificial intelligence. A photo and a few seconds of speech are all it takes to make a deepfake.

Criminals are using AI in other ways too. They used to send poorly written English-language phishing emails in bulk to gain access to computer systems. Now they can, almost automatically, send highly targeted, well-written emails based on profile data found online.

European legislation

Companies must therefore be more concerned with cybersecurity than ever. In practice, however, this often leaves much to be desired, and companies will have to do better quickly. Boards also have to catch up in the field of cyber and technology knowledge.

From October 18, 2024, the NIS2 Directive, as transposed into national law by the EU member states, holds the management bodies of in-scope organizations accountable for cybersecurity. For non-compliance by essential entities, fines can amount to 10 million euros or 2 percent of global annual turnover, whichever is higher. That is why it is essential for companies to acquire sufficient knowledge of cybersecurity in-house, and not just on the board. The executive team must include a Chief Information Security Officer (CISO), and the board must give the CISO the mandate to roll out a cyber policy throughout the organization.

Protecting critical business processes

A good cyber policy not only integrates into all strategic initiatives and crisis management of the company but also strengthens the supply chain. How vulnerable is the company's ecosystem? What are the consequences if a supplier becomes a victim of cybercrime? And what happens to your customers if your company itself suffers a cyberattack?

The board must make enough resources available to protect its critical business processes from an impactful cyberattack. Has the company taken the proper measures to protect them? Is there a monitoring system that quickly warns if there are signs of a cyberattack? Does the company have sufficient capacity and knowledge to respond?

Awareness and training

Corporate culture and awareness are crucial and require constant attention, and boards must endorse their importance. Every cyberattack involves people; they are the first line of defense. Awareness and training are crucial for preventing, responding to, and recovering from a cyberattack. For example, if you work in finance and receive an unusual request from the CFO to transfer money, pick up the phone and confirm it, using a number you already have rather than one supplied in the request.

Companies can take out cyber insurance to cover, among other things, the damage caused by unauthorized access to IT systems. However, that insurance is becoming increasingly difficult to obtain. A few years ago a simple report was enough; nowadays the conditions are much stricter, and companies whose cybersecurity policy is not very advanced no longer receive coverage.

At EY, we can help clients implement a complete cyber strategy. Our experts help companies identify cyber risks, determine priorities, ensure a long-term improvement path and monitor progress.

Summary

Cybersecurity is crucial for companies due to the rising threat of sophisticated cybercrime. The NIS2 Directive holds boards accountable for cybersecurity, with significant fines for non-compliance. Boards must therefore prioritize cybersecurity, and companies should acquire comprehensive cyber knowledge in-house. Implementing effective cyber policies will protect critical processes and the supply chain, with continuous awareness and training as key components. As cyber insurance becomes harder to obtain, advanced cybersecurity measures are essential.
