State Defense Against Cyber Threats is Impressive, Companies are Still Lagging Behind

While Croatia has achieved an impressive level in state defense against cyber threats, companies and the private sector continue to lag in this area, primarily due to the entrenched belief that attacks ‘won’t happen to us’.

This was emphasized by Nikola Dujmović, CEO of Span, during today’s presentation of Span’s Cybersecurity Center, which is evolving into an Adult Education Institution due to the growing need for cybersecurity experts.

However, the situation has changed compared to previous years as companies now have a legal obligation to care for cybersecurity and employee education, as stipulated by the new Cybersecurity Act.

Namely, Croatia is among the first EU member states to transpose the European NIS2 directive into its legislation, explained Neven Zitek, Span’s Director for Business Solutions in Cybersecurity.

However, the greatest risk for any cyber attack remains the human component, and it often involves unintentional and non-malicious behavior by employees, Zitek added. He particularly reflected on Span’s experience during its IPO in 2021. That period was the most vulnerable for potential threats. Extra attention was paid to all security aspects to prevent a potential attack.

Regarding the massive European investments in defense and security, including cybersecurity (cyber defence), Dujmović explained that agencies like SOA and the Ministry of Defense of the Republic of Croatia primarily handle this, while private companies like Span focus on the cybersecurity of other companies (cyber security). In his assessment, Croatia has been one of the pioneers of cyber defense compared to other countries.

– For cyber defense, especially in the EU, inter-state cooperation is crucial. You cannot leave the state’s cyber defense to the cheapest supplier. Private companies can be subcontractors, but the main contractors must be state organizations because confidential information and cooperation occur in channels that are not publicly accessible, Dujmović explained.

When asked whether it is in Span’s interest to collaborate on such projects, Dujmović answered affirmatively, but it depends on the projects in question. He acknowledges that there is communication about this and that there have been cases when they were asked for help in cybersecurity.

Additionally, Span has been participating for years, along with other companies, educational and state institutions, in NATO’s cybersecurity exercises, where real scenarios of potential attacks are practiced.

Too Few Experts

Now, as part of the Cybersecurity Center, Span organizes training and education for company management, as well as specialized technical training for micro-qualification of individuals.

According to research by the leading global organization for cybersecurity professionals ISC2, there is a need for as many as 4.8 million of these experts in 2024. Dujmović estimates that there is currently a shortage of 1.7 to 3 million cybersecurity experts in Europe alone.

– We need to educate both engineers and future technicians, as well as future users. Seventy percent of all attacks occur due to mistakes or malicious actions by people within the company, so they also need to be educated, Dujmović stated.

The cybersecurity profession is not recognized.

Since educational capacities in Croatia cannot keep up with the demand for cybersecurity experts, Span has recognized the importance of developing targeted programs for future cybersecurity professionals, noted Marinko Žagar, Director of the Span Cybersecurity Center.

– In the Span Cybersecurity Center, experts from the real sector share their knowledge and practical experience with participants so that they can start or continue their careers in this field as soon as possible, Žagar added.

As cyber attacks become increasingly sophisticated, instructors, mostly consisting of Span’s experts, continuously update the content and practical examples in the training. So far, more than two and a half thousand participants have completed training for cybersecurity analysts and cloud security specialists. These micro-qualifications are recorded in the e-workbook, and it is also possible to obtain co-financing through HZZ vouchers.