České Radiokomunikace (CRA), one of the largest domestic IT and digital service providers and a critical infrastructure entity of the state, offers small and medium-sized enterprises in particular not only high-quality cybersecurity products, but also consultations and advisory services on obtaining subsidies. We spoke with CRA senior product manager Martin Pavelka about the current measures he would recommend to SMEs in the field of cybersecurity.
SMEs are the most vulnerable to cyber-attacks. What types of attacks would you point out?
The types of cyber-attacks that still pose the greatest threat to businesses are phishing, ransomware and supply chain attacks.
Can you briefly describe these?
Phishing involves fraudulent emails, messages or websites designed to deceive employees of an organisation into providing sensitive information or opening malicious attachments. Phishing is a common method by which attackers gain access to a company's systems.
Ransomware is a type of malware that encrypts a company’s data, with attackers then demanding a ransom to restore the data. It is one of the biggest threats for SMEs, as they often lack adequate backups and sensitive data protection.
When it comes to supply chain attacks, SMEs often collaborate with larger companies, and attackers may exploit weaknesses in their supply chains to target larger business entities.
Smaller organizations often lack adequate security. They typically don’t have dedicated IT teams or cybersecurity specialists, which makes them more vulnerable to attacks on unsecured servers or applications with security flaws. Recently, DDoS attacks have also become a major focus area for us.
What kind of damage can these attacks cause to companies?
Attacks can lead to direct financial losses, such as ransom payments (in ransomware cases), theft of financial information, or costs related to restoring systems and data. For some smaller organizations, the amount of these losses can be devastating.
If data leaks or service disruptions occur, customers may lose trust in the company’s security, which can lead to a decrease in the volume of orders and loss of clients. Of course, there are many other potential consequences.
Investing in cybersecurity is cheaper than taking risks
How can businesses with limited financial resources defend themselves effectively and proportionately to their means?
I consider regular data backups, updated software, strong passwords and two-factor authentication to be a security minimum that does not have to be expensive at all.
All companies should regularly back up data to external storage to avoid complete data loss in the event of a ransomware attack. Regular system updates and installing security software (antivirus, firewall) are key to minimizing risks. Implementing policies for strong passwords and two-factor authentication can significantly reduce the risk of unauthorized access. Employee training is also very important. The human factor plays a big role in cybersecurity, so employees should be regularly trained to recognize phishing and other fraudulent practices.
Can you advise SMEs on how and where to obtain funding from external sources?
With every offer, we always evaluate whether a subsidy programme from the Ministry of Industry and Trade could be used for the given implementation. At first glance, the subsidy may seem accessible, but upon closer examination, applicants often find that some conditions are ultimately not applicable or that they are simply not eligible. For example, consultations may reveal that the business has a parent company abroad, which means it no longer meets the criteria for enterprise size and so on.
A Highly Relevant Issue
The transposition period for the introduction of the EP directive on new cybersecurity rules, the so-called NIS2, into national legislation was 21 months and ended this November. The relevant bill was addressed by the Czech Parliament on 19th November, just in time. Do you have any insight into how Czech businesses are preparing for this important European regulation?
Recently, there have been many different readiness statistics in the media. In our experience, it's about 40 to 60. There are organizations that know quite clearly what they need. However, there is then a larger group of companies that either don't know what's coming or rely on the assumption that the law's effectiveness is postponed for the time being, which gives them, relatively speaking, enough time for everything. But we must realize that the implementation of new measures is a long-term process, and our practice shows that it can take a year or more. Considering that there aren't many experts available in the market who can advise you, the impact could be fatal.
Personally, I approach security from the perspective of acting with due diligence. Securing your business regardless of current legislation is in your own interest. On the other hand, I understand that organizations have limited resources and budgets. That’s why we always try to find a good compromise, focusing on the essentials and helping customers invest efficiently. However, I strongly disagree with the notion that cybersecurity doesn’t concern certain businesses.
Can CRA offer a helping hand to companies preparing for the application of NIS2 and with improving cybersecurity measures?
Absolutely. We are an ICT provider that, in addition to now-standard services such as telco, data centres or cloud solutions, also offers cybersecurity services. We can help with a wide range of organizational and technical measures stemming not only from NIS2 and ZoKB but also from other standards that help improve the state of cybersecurity for these companies.
Martin Pavelka was interviewed by Věra Vortelová
Photo credits: CRA