In 2023, 66% of companies in Poland recorded at least one security breach, and 34% noticed an increase in the intensity of attempted cyber-attacks. Half of the organizations point out difficulties related to recruitment and retention of qualified employees as the biggest problem in achieving the appropriate security level. A study from KPMG in Poland indicates a decrease in company concerns related to the activities of organized cybercriminal groups, which are recognized as the greatest network threat. At the same time, for a vast majority of organizations, GDPR is a priority standard for IT compliance and personal data protection.
In 2023, 66% of companies in Poland surveyed by KPMG noted incidents of security breaches, which represents an increase of 8 percentage points compared to 2022. One out of ten surveyed organizations recorded over 30 cyber incidents in the previous year. In this group, almost one-third were large companies employing over 250 workers. One-third of companies observed a significant increase in the number of attempted cyber-attacks in 2023. 60% of companies believe that their number remained at a similar level compared to 2022.
Despite a greater number of observed security breaches in 2023, this year’s edition of the study reveals a decrease in company fears related to threats from various cybercriminals. Concerns about the activities of organized cybercriminal groups, which remain the largest network threat in the eyes of respondents, decreased by 17 percentage points (53% of indications). Meanwhile, the proportion of companies fearing cyberterrorists decreased by 14 percentage points. Half of the respondents are afraid of threats resulting from the activities of individual hackers. Nearly a quarter of the companies perceive threats from the activities of disgruntled or bribed employees. In the context of the ongoing war in Ukraine, the proportion of companies indicating a threat from groups supported by foreign states has decreased from 38% to 24%.
“The decrease in concerns of Polish companies towards sophisticated cybercriminal groups is highly alarming. Given the current geopolitical situation, intensification of cyberattacks from groups supported by foreign states is highly probable. Cyberwarfare is ongoing. Operators of key services are particularly vulnerable to cyberattacks. Today, it is necessary to increase vigilance and ensure full readiness of cybersecurity teams. Detecting advanced hackers, who may already be on the network, requires proactive actions and support with modern tools,” says Michał Kurek, a Partner in Consulting, Head of the Cybersecurity Team at KPMG in Poland and Central and Eastern Europe.
Companies are most afraid of phishing
Companies participating in the KPMG survey declared that the biggest cyber threats for them are phishing and data breaches through malicious software (malware). The organizations also list the theft of data by employees and advanced attacks by professionals (Advanced Persistent Threat) among the top threats. More than one-third of companies consider supply-chain attacks carried out through business partners to be a completely irrelevant digital threat.
One fifth of respondents declared full maturity of their security in most areas analyzed – a result that is 6 percentage points better compared to the previous edition of the study. Organizations report the highest security level in the field of internet contact safety, protection against malware, and response to security incidents. Network security is also highly rated and recognized as a fully mature area by over 40% of the surveyed parties.
Lack of employees the biggest barrier in building IT security
The biggest challenge for companies in achieving the right level of security currently lies in difficulties related to the recruitment and retention of qualified employees, as indicated by 53% of organizations. Lack of sufficient budgets, while still significant, fell to second place (43% of indications). Other challenges were named at a similar level: the lack of clearly defined indicators and the lack of full engagement of the business and top management. One quarter of respondents also pointed out the lack of proper assignment of responsibility in the area of security.
The majority of companies surveyed by KPMG outsource various aspects of data security to external providers. In 2023, 84% of organizations used outsourcing services. The most commonly outsourced tasks include employee awareness programs (42% of indications), support in responding to cyber-attacks (40% of indications), and malware analysis (39% of indications).
GDPR is the priority IT compliance standard for most companies
IT compliance and data privacy standards play a key role in the digital world, providing a framework for effective information protection and privacy regulation compliance. 85% of the surveyed companies declared that GDPR is the most important aspect of their organizational structure (95% of indications for the largest companies). The national cyber security system law, indicated by 59% of companies, came next. Meanwhile, regulations regarding the classification of artificial intelligence systems according to risk and introducing differentiated requirements for their development and use (AI Act), as well as the European Parliament and Council regulation regarding the operational digital resilience of the financial sector (DORA), seem less significant to the respondents.
“In response to growing cyber threats, the European Union introduces regulatory initiatives, such as the NIS2 directive and the DORA regulation, aimed at increasing the region’s cyber resilience. DORA introduces supervision over key ICT service providers, standardizing the level of security across the entire supply chain in the financial sector, while NIS2 extends protection to new sectors of the economy, underlining the strategic importance of cybersecurity. The implementation of these regulations can be challenging for companies, requiring adaptation to new requirements and preparation for dynamic changes in cybersecurity regulations in Europe,” says Marcin Kieszkowski, Senior Manager in Consulting in the Cybersecurity Team at KPMG in Poland.
Engagement in the new GDPR industry code of practice in the context of cybersecurity is part of the process of adapting to personal data protection regulations and raising security standards. In response to this challenge, 82% of organizations declared their engagement in this process.
“Personal data security, due to the ubiquity of GDPR regulations, has been the most important challenge for several years that entrepreneurs have to face. Support in achieving compliance can be provided by industry codes of conduct. Most of these documents are still in the drafting stage, but examples of already approved codes and the great interest in engaging in new initiatives attest to the significance of this tool,” says Piotr Burzyk, Senior Manager in Consulting in the Cybersecurity Team at KPMG in Poland.
An essential element supporting the organization in maintaining a high level of IT security and meeting mandatory standards and regulations is monitoring and reporting compliance with IT requirements. Over three quarters of respondents indicated internal tools, and more than half opted for external audits as the most effective data protection methods. At the same time, 45% of organizations are convinced that they are very well or well prepared for changing regulations.
Wise (Polish) company only after the damage?
Companies that have experienced IT compliance breaches in the past declare that as part of their corrective actions, they primarily organized training for employees (44% of indications). 39% of organizations strengthened their IT security, and one-third of companies introduced completely new security procedures or updated existing security policies. It is surprising that 32% of the respondents did nothing after detecting an IT compliance violation.
In ensuring cybersecurity, it is also essential to ensure secure partnerships with other companies. KPMG’s study in Poland shows that companies apply diverse strategies and procedures aimed at effectively verifying and supervising their subcontractors. The most common method is a data protection questionnaire filled out at the supplier choice stage or upon signing the agreement (51% of indications). Other popular verification tools include a security questionnaire (42% of indications) and an information security audit at the subcontractor (34% of indications).
ABOUT THE REPORT:
KPMG’s report in Poland titled “Cybersecurity Barometer. Riding the wave or lost in a maze of regulations?” is based on a survey conducted among 100 organizations in Poland with revenues over PLN 50 million. It is the seventh edition of the study conducted by KPMG in Poland, aiming to understand the dynamics and characteristics of cyber attacks and companies’ readiness for them. The study was conducted by phone interviews with individuals responsible for IT security in companies (board members, security directors, presidents, IT directors or other persons responsible for this area) at the turn of 2023 and 2024 by Norstat Poland.