Cybersecurity is one of the preconditions of economic security. In a recent European Union Agency for Cybersecurity (ENISA) survey, 57% of European SMEs said they fear going out of business in the first week after a cyberattack. The threat scenario is not in the least reassuring: breaches are rising exponentially, and more than two-thirds of them (68%) involve human error. More sophisticated supply chain attacks and cyberattacks using valid user credentials are on the rise, while bank fraud is a big concern, and the growing recourse to deep fakes and impersonation technology can only make matters worse.
All this explains why the issue is a top priority in Europe with a host of recent legislative and non-legislative actions focused on harmonizing standards, procedures for incident notification, or collaborative preventive measures. The European Commission is now laser-focused on implementation. Risk assessments are thus key, and the drive for stronger coordination in the EU is real.
At this week’s Round Table on the Cyber and Economic Security Nexus hosted by the EPC, a fascinating discussion took place on how to prioritise what is done in the next five-year EU cycle. Pressing needs exist primarily in the area of skills, given the shortage of 260,000 – 500,000 cybersecurity specialists in Europe. While the Cyber Skills Academy, which aims to coordinate existing skills initiatives around Europe, can help solve the problem, the target is moving. What is more, the race for talent has become global, while a historical flaw still needs to be corrected, that of treating security as an afterthought.
SMEs need support in getting better equipped for what is coming. The cost of compliance reporting should be reduced as far as possible so as not to take funding away from security solutions. Establishing a single entry point for all notifications required under the NIS2, the GDPR and the e-Privacy Directive is therefore essential.
Moreover, the EU must consider cybersecurity to be a systemic problem. For every company that is cyber-proofing its system, there are suppliers, in most cases of smaller size, that cannot afford such costs and eventually endanger the whole network. At the same time, cybersecurity standards cannot lag behind the disruptive technological progress in fields like quantum, whose superb computing capacity would challenge any existing cryptographic keys.
Overall, the EU needs to scale up its approach because it is not only about doing the right thing but also about acting in the right proportion. The economic security angle helps by providing the overarching policy umbrella, leading to greater coordination of actions by different departments and agencies and enabling a foresight capacity that must be at the core of any cybersecurity approach.