Sunday, June 15, 2025


Poland Ranks 2nd in EU for Cyberattacks: Critical Infrastructure Increasingly at Risk


The growing number of cyberattacks targeting industrial sectors and critical infrastructure underscores the fact that corporate security has become an integral part of national security. According to Eurostat, Poland ranks second in the European Union for the number of cyber incidents affecting businesses. In 2024 alone, 32% of Polish companies experienced a cyberattack. Yet, despite this alarming trend, Poland has not yet implemented the NIS2 directive, the EU’s updated framework for critical infrastructure protection. EY’s latest report, “Trends and Challenges in Cybersecurity”, outlines key steps organizations should take to improve their digital defenses.

OT: The Overlooked Vulnerability

Most sectors of the modern economy rely heavily on digital technologies. While many companies have strengthened their IT infrastructure against threats like phishing, they continue to overlook Operational Technology (OT) – the systems responsible for running industrial operations and essential services such as waterworks, power plants, and chemical installations. Neglecting OT security can have serious consequences.

In 2024, national CSIRTs recorded 111,660 confirmed security incidents, a 23% increase year-over-year. Many of these attacks targeted critical infrastructure. The Ministry of Digital Affairs reported 18 cyberattacks on water supply companies across Poland in just a few days. According to Eurostat, Poland is now second among EU member states in terms of cyber incidents reported by companies.

“Today, an entire facility can be paralyzed or shut down by hacking into a device worth less than a dollar – like a thermometer – if it’s not properly secured. OT is the ‘soft underbelly’ of companies, and companies themselves are the ‘soft underbelly’ of the economy,” said Piotr Ciepiela, EY Partner and Global Leader for Security Architecture and Emerging Technologies.

“The frontline of modern warfare is increasingly digital, and that’s evident from the growing number of attacks, even on sensitive institutions like hospitals. Denmark, not even a frontline state, recently experienced a coordinated cyberattack on its power grid. That gives us a glimpse into how vulnerable our own critical infrastructure might be,” he added.

Still Waiting on NIS2

Poland has yet to implement the updated National Cybersecurity System Act, which would align local regulations with the EU’s NIS2 directive. These rules are meant to counter the increasing number of cyberattacks and protect vital sectors. The draft version of the law expands the number of Polish entities covered by the directive from 400 to as many as 38,000.

So far, only 12 out of 27 EU countries have implemented NIS2. Many Polish companies may not even realize that they now fall under its scope. NIS2 imposes obligations such as incident reporting, cyber risk assessment, implementation of safeguards, and employee training. Noncompliance can lead not only to an increased risk of attacks but also to financial penalties.

“NIS2 is a key component of improving the EU’s digital resilience. One of its main goals is to end the practice of sweeping security incidents under the rug, which prevents us from seeing the true scale of the threat,” said Patryk Gęborys, EY Partner in the Information and Technology Security Team.

“Importantly, the directive covers not just large organizations, but also medium-sized companies, which often have weaker security. A coordinated attack on many small entities can be just as – or even more – damaging to the economy as one targeting a major company,” he added.

Do You Know What You Own?

A key insight from the EY Cybersecurity Trends and Challenges 2025 report is the need to balance cybersecurity with business agility. Companies must start by identifying and prioritizing their most critical assets. From there, they should assess vulnerabilities – including technical flaws, misconfigurations, and gaps in tools, processes, or staffing – using widely accepted standards like NIST and CERT resources.

“A recurring challenge in OT environments is that many companies don’t know what systems and devices they own. Inventories are often outdated or nonexistent,” said Leszek Mróz, EY Partner and Head of EY’s OT/IoT Security Competence Center.

“How can a company protect itself if it doesn’t know what hardware and software it runs, or who has access to it? There’s also a lack of structured security architectures, such as those based on ‘Zero Trust’ principles. And too often, security responsibilities fall solely on IT personnel, when in reality, dedicated security teams are essential for protecting critical industrial systems,” he added.

Collaboration and Workforce Training Are Key

Effective cybersecurity requires cooperation not only within the organization but also between companies, equipment manufacturers, and system integrators. Vendors can adopt a “security by design” approach, while integrators ensure safe deployment and provide appropriate training for operational staff.

A critical step is involving employees in cybersecurity training, especially for crisis response and change management. This minimizes human error – a common entry point for attacks – and helps organizations maintain operations even during incidents. Experts also recommend engaging professionals outside the IT/security departments (e.g., HR, legal, operations) to ensure a human-centered, interdisciplinary approach.

“In Poland, cybersecurity solutions are usually implemented by IT departments, but they should be interdisciplinary by design,” said Bartosz Nieróbca, Senior Manager and Head of EY Poland’s OT Cybersecurity and Security Engineering Lab.

“We still lack a broad perspective, sufficient budgets, recovery plans, and awareness. That makes the consequences of attacks particularly severe. The global average cost of a cyberattack is measured in millions of dollars. And one successful breach usually means more are on the way,” he concluded.


Source: ceo.com.pl
