Imagine waking up to find that all your company’s data has been locked – this is the new reality for many business leaders. Would your business survive a sophisticated cyber attack?
In today’s highly digitized world, where technology and data are key to business, cybersecurity has become a top priority for most organizations. Hacking attacks, once sporadic incidents, are now frequent and pose a serious threat to business continuity.
In Croatia, we have recently faced a wave of cyber attacks. KBC Rebro, Split Airport, HANFA, HZZO, and Zagrebački holding are just some of the publicly known victims. The actual number of attacked organizations is much higher, but many attacks remain unknown because organizations fear the stigma that revealing information about an attack could bring.
Critical infrastructures, such as energy networks, telecommunications, financial systems, and healthcare services, represent the backbone of every community. Their security and uninterrupted operation are crucial for the normal functioning of society and the economy. Hacking attacks on these sectors can have catastrophic consequences, not only for the affected organizations but also for the wider community. Recent compromises of hospitals, airports, and other elements of national critical infrastructure raise concerns, and many questions are rightly being asked in public.
But is it shameful to be a victim of a hacking attack?
The Nature of Hacking Attacks
With the development of technology, hacking attacks have become extremely sophisticated. They have evolved from simple attempts to breach systems to highly complex operations that use cutting-edge technologies and tactics. They involve malicious individuals, organized groups, and even state structures. The reasons for attacks vary from financial gain and industrial espionage to politically motivated cyber attacks. The application of various security controls significantly reduces the risk of attacks, but the fact remains that even the most protected systems are not completely immune to breaches.
Impact on Victims and Business Continuity
Being a victim of a hacking attack can have far-reaching consequences for a business. Financial losses can be enormous, not only due to direct damage but also due to lost business opportunities and recovery costs. Confidential data, including personal client information, trade secrets, and intellectual property, can be compromised. The resulting loss of trust can be irreparable, especially if the attack is not addressed transparently and effectively. However, despite the seriousness of these consequences, it is essential to emphasize that victims are not necessarily to blame for the attack. Attacks are often so sophisticated that they are difficult, if not impossible, to prevent entirely.
Every organization must implement appropriate security controls and other protective measures to reduce risks and increase resilience to attacks. These measures include regularly updating software, using advanced security solutions, conducting regular security checks, educating employees, and developing recovery plans. The recently adopted Cybersecurity Act, along with the Regulation that will soon come into force, will for the first time clearly and unequivocally prescribe specific cybersecurity measures and compel the law’s subjects to implement them. The Republic of Croatia is one of the first countries in the European Union to transpose the NIS 2 directive into national legislation in this way.
Regardless of the law, everyone has an obligation to behave responsibly and take appropriate and adequate protective measures, but the biggest culprits are always the malicious individuals and groups that carry out these attacks. Therefore, public condemnation should always be directed at the attacker, not the victim. A useful comparison is the responsibility of a person who contracts an infectious disease like the flu despite taking the usual and appropriate protective measures. Blaming the victim is not only unfair but also counterproductive in promoting a safer digital environment. Instead of supporting victims, we leave them ashamed and humiliated, making them hesitant to report the crime. As a result, many incidents remain unreported, allowing cybercriminals to continue their illegal activities undetected.
The responsibility of organizations lies not only in detecting and stopping cyber attacks but also in how the organization recovers and what measures it takes to prevent future incidents. The key issue is not that an organization or individual has become a victim of an attack, but how they cope with the consequences and what steps they take for the future. A quick and effective response, the existence of developed recovery plans, transparency towards all stakeholders, cooperation with relevant authorities, and the implementation of improved security measures are key elements of a responsible approach. Employee education, regular security checks, and adopting best practices can significantly reduce the risk of a repeat attack. From the perspective of maintaining business continuity, it is important to understand that a cyber attack does not have to mean the end of a business. The key is the organization’s ability to recover and continue operations as quickly as possible.
A good practice example is the response of Maersk to the NotPetya ransomware attack in 2017. Although the attack paralyzed their operations and caused damage of approximately $300 million, Maersk responded quickly, informed the public, and took significant steps to improve its cybersecurity. Their transparency and proactive measures helped restore client trust.
Changing Public Perception
The shame associated with hacking attacks is often a result of social perception, not the actual blame of the victims. Public opinion can be harsh, especially if it is believed that the attack could have been prevented with better security measures. However, it is necessary to understand that hacking attacks often surpass even the most advanced defense systems. Educating the public and changing perceptions are key to reducing the stigma associated with hacking attacks. Being a victim of an attack is not always a result of negligence or incompetence, but rather a consequence of increasingly sophisticated threats faced by the entire world.
If appropriate protective measures are implemented, being a victim of a hacking attack is not shameful. In a world where cyber threats are ubiquitous and increasingly sophisticated, it is essential to focus on risk reduction through the implementation of adequate security controls and the ability to recover after an attack through effective business continuity strategies. Transparency, responsible response, and continuous education are key to reducing risks and restoring trust. Changing societal perception and increasing awareness of the true nature of hacking attacks will help in reducing stigma and building a safer digital environment for all.