How Forward-Thinking Organisations Stay Ahead in OT Cybersecurity and NIS2 Compliance

November 14, 2024

By Jeroen van Es 

A few weeks ago, I met with a manufacturing CEO whose company narrowly avoided a serious ransomware attack on its OT systems. As we talked, he reflected on the experience and shared a key takeaway: cybersecurity couldn’t just be another line item; it had to be part of the company’s DNA. This mindset is exactly what separates companies that merely react to threats from those that thrive despite them. 

According to a recent Harvard Business Review article, companies that embed cybersecurity into their core strategy and cultivate a culture of awareness are the most resilient. It’s not enough to invest in the latest technology; the true power lies in creating a mindset where every employee sees themselves as part of the security fabric. With cyberattacks on the rise, especially against Operational Technology (OT) systems, this approach is no longer optional—it’s essential. 

A Rising Threat Landscape for OT Systems 

The 2024 Threat Report by Waterfall Security and ICSStrive paints a concerning picture: in 2023 alone, there were 68 cyberattacks that caused tangible, real-world damage to OT systems, with 80% involving ransomware. Even more troubling, hacktivist attacks on critical sectors like energy, manufacturing, and healthcare are increasing. For today’s CEOs and CFOs, this data highlights a critical truth: cybersecurity isn’t just a technical issue; it’s a strategic priority with far-reaching business implications. 

In my experience, the costs of inaction can be severe, from operational disruptions and financial losses to lasting reputational damage. Forward-thinking companies are taking notice and are making cybersecurity a top priority. 

The Regulatory Shift: NIS2 and the Cyber Resilience Act 

Europe’s regulatory landscape is shifting in ways that bring cybersecurity squarely into the boardroom. New regulations, including the NIS2 directive and the Cyber Resilience Act (CRA), emphasize the need for an integrated approach. NIS2, for instance, goes well beyond a compliance checklist: it requires in-scope entities to manage cyber risk systematically, secure their supply chains, and report significant incidents, and it makes management bodies accountable for approving and overseeing those measures. The CRA, in turn, places security obligations on manufacturers of products with digital elements, so the components and software that make up an OT environment will increasingly arrive with security requirements already attached. 

For companies, this means that cybersecurity is no longer the sole responsibility of the IT team—it’s a company-wide effort. Those that are proactive in aligning with these frameworks by implementing strong security measures and continuous training are better protected and better prepared. 

The Hallmarks of Forward-Thinking Organisations 

So, what sets proactive, security-minded companies apart? From what I’ve observed, forward-thinking organisations focus on three core strategies: 

1. Building a Culture of Security: Everyone, from the boardroom to the frontlines, needs to understand the risks and their role in mitigation. This kind of awareness empowers employees to act as a human firewall, which is often the first line of defense. 

2. Adopting Strong Risk Management Practices: By establishing clear, actionable risk management processes, companies create a resilient framework that is less vulnerable to unexpected threats. NIS2 expects these processes to be concrete, covering, among other things, risk analysis, incident handling, business continuity (backups, disaster recovery, crisis management), supply-chain security, and regular assessment of whether the measures actually work. 

3. Preparing for Incidents: In today’s world, it’s not about if a cyber incident will occur but when. Having an incident response plan ensures that when the time comes, the team can respond swiftly and effectively. Under NIS2 the clock also matters: a significant incident must be reported to the national authority with an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month, so the plan needs to name who decides, who reports, and on what evidence. 

Through these actions, companies aren’t just meeting regulatory requirements; they’re positioning themselves to thrive in a rapidly evolving digital world. 

With the right blend of technology and a proactive culture, I believe that companies can meet today’s cybersecurity challenges with confidence and set themselves up for long-term success.
