The cybersecurity landscape in Central and Eastern Europe (CEE) has evolved rapidly over the past decade as digital transformation has swept through societies and economies in the region. Both individuals and organisations now face a complex threat landscape as more activities and data move online.
Analysts and security experts agree that the rise of new technologies and the growing value of online data in CEE has resulted in a riskier environment. Both public and private sectors have had to evolve their approaches and capabilities to contend with increasingly dangerous state and non-state threats in cyberspace.
“CEE countries, like many others globally, have introduced or updated cybersecurity regulations to address the growing threat landscape,” says Marton Domokos, Senior Counsel, CMS Hungary and Head of CEE Data Protection.
“The EU’s General Data Protection Regulation (GDPR) had a significant impact on data protection and cybersecurity practices across the region. Cybercrime has also been on the rise in the CEE region, with a particular focus on financial fraud, ransomware attacks, and identity theft. This has led to greater demand for cybersecurity solutions among businesses and individuals. The protection of critical infrastructure from cyber threats has become a top concern for governments. Efforts have been made to enhance the security of energy, transportation, and healthcare systems.”
In its latest Global Digital Trust Insights Survey, PwC’s long-standing cybersecurity survey of business, IT and security leaders, business and tech leaders in CEE ranked cyber risks in fourth place, behind inflation, macroeconomic volatility, and geopolitical risks. CEE-based respondents listed hack-and-leak operations, business email compromise/account takeovers, and attacks on connected devices among the top threats stemming from the cyber domain.
“Naturally, the cybersecurity landscape has evolved parallel to increased digitalisation,” says Peter Durojaiye, PwC’s CEE cyber lead. “Malicious actors have been efficient in picking up on the opportunities provided by emerging tools and technologies to advance their tactics and techniques. For example, the rise of Generative AI has enabled the launch of complex cyber-attacks at scale. Services such as WormGPT and FraudGPT are enabling credential phishing and highly personalised business email compromise in social engineering attacks which have already been recognised as becoming more sophisticated and harder to detect.”
One of the main challenges for all stakeholders is the growing sophistication of cyber-attacks. Criminal groups are employing more advanced techniques like ransomware and targeted phishing campaigns to steal data and disrupt operations.
State-sponsored actors also pose a serious threat as many seek to conduct espionage or influence geopolitical issues through cyber means. Ordinary users, meanwhile, must guard against risks like identity theft as they engage in online banking, shopping and social media.
“The CEE region’s geographic proximity to multiple countries and its position within the European Union can make it a target for cross-border cyber threats, requiring international cooperation and information sharing,” adds Domokos. “As supply chains become increasingly interconnected, organisations face risks related to third-party vendors and suppliers that may have weak cybersecurity practices.”
PwC’s Durojaiye suggests that we are witnessing a stellar growth of large-scale, high-profile cybersecurity threats, and yet basic cybersecurity hygiene principles are still ignored at the individual, organisational and sometimes even national level.
“In addition to discussing the impact and cascading effects of front-page cybersecurity incidents, we need to enforce narratives of what basic steps could have been taken to prevent these, not just focusing on the consequences,” he says.
“Awareness raising therefore needs to be implemented and enforced at all levels. Front end employees need to be able to recognise potentially malicious content and attempts to establish contact. Functions such as research and development, procurement and risk management need to embed cybersecurity in their approaches.
“Importantly, management and decision makers need to understand basic cybersecurity concepts and challenges. This can be achieved only through weaving cybersecurity into standard operations of each target audience in the context of their everyday lives. Empowering individuals to approach cybersecurity with greater confidence not only benefits the organisations they work for, but simultaneously supports greater national resilience and enables them to lead more secure digital lives as individuals.”
Domokos agrees, saying that cybersecurity training and awareness programmes about common threats, safe online practices, and how to recognise phishing attempts are crucially important.
“Organisations can also conduct simulated phishing exercises to test employees’ ability to recognise phishing attempts. They should encourage the use of strong, unique passwords and the adoption of multi-factor authentication (MFA) to enhance security as well,” he says.
The role of governments
Governments play an important role in establishing baseline security policies and regulations. Laws addressing data protection, critical infrastructure security and incident reporting help provide a safer foundation. However, some argue more could be done to incentivise adherence to standards and facilitate public-private collaboration. International cooperation is also essential given the cross-border nature of cyber threats.
“Policymakers may encourage or require adherence to international cybersecurity standards, promoting a higher level of security across industries,” believes Domokos. “Government policies should also promote cooperation between public and private sectors and international entities to share threat intelligence and respond effectively to cyber threats.
“CEE countries may need to strengthen or update their national cybersecurity strategies to address new and evolving threats adequately. Governments should prioritise the development of secure and user-friendly digital identity solutions.”
According to PwC’s Peter Durojaiye, four types of regulation can be considered most important in securing the future growth of organisations, both at the global and CEE level. These are: regulation of AI; harmonisation of cyber and data protection laws; mandatory reporting of cyber risk management, strategy and governance; and operational resilience requirements.
“However, despite the proliferation of regulations aimed at ensuring a secure digital environment, there are common challenges shared by CEE countries and those further afield,” he adds.
“The first challenge is implementation. Even the best regulations need to be enacted and moved beyond the conceptual stage and put into practice and normalised as a pattern of behaviour at all levels. For example, in the private sector context, efforts aimed at strengthening resilience are often introduced in silos and each business unit’s risk profile is approached separately. New requirements such as the Digital Operational Resilience Act (DORA) will challenge this approach, increasingly insisting on integrated resilience with core elements that make an organisation adaptive, flexible and stronger after every disruptive event.”
Other challenges include the lack of skilled resources on the market, closely followed by the challenge of finding the right approach—be it supportive, collaborative or authoritative—to enforcement.
“Overall, those on the implementing side should carefully consider how this new regulatory environment might be turned into a source of competitive advantage, while striking the right balance between leaving space for innovation and complying with regulatory security and privacy requirements,” adds Durojaiye.
Determination and collaboration
Public-private partnerships at both the national and regional level are equally important to leverage knowledge and resources from all sides. With determination and teamwork, the countries of this region can make major strides in ensuring citizens and businesses can pursue digital opportunities safely and securely.
“CEE countries should strengthen regional information sharing mechanisms and Computer Security Incident Response Teams (CSIRTs) to exchange threat intelligence and cybersecurity incident data in real-time,” says Domokos of CMS.
“This will also promote the sharing of threat indicators, attack patterns, and best practices among CEE countries to collectively improve incident detection and response. Countries should also foster collaboration between governments and private sector organisations, to pool resources, expertise, and technologies to enhance overall cybersecurity resilience.”
Durojaiye agrees, saying that Central and Eastern European countries should focus on working together through the many, mainly EU-established, cybersecurity forums and working groups they are already involved in. CEE countries should also cooperate with other international organisations such as the UN, OSCE and ITU.
“Timely and transparent cross-border information sharing is key if we are to have a chance in the fight against organised transnational cybercrime which already operates as a global criminal entrepreneurial network,” he suggests.
“Information sharing not only supports mitigating cybersecurity risks and threats as these arise, but also contributes to knowledge and experience sharing in times of peace. We can learn from the experience of others and learn how certain risks can be reduced or avoided.”
Finally, he says, cross-border cooperation and collaboration should be practised to ensure coordination in emergency situations. “Exercises, ranging from table-top, simulations and “capture the flag”, should be implemented at operational and decision-making levels as the best way of fostering communication and collaboration between those at the first line of cyber defence.”
It is clear that cybersecurity awareness must be increased at all levels of society. Public education campaigns can help individuals protect themselves online, while training programmes in the public and private sectors can boost organisational resilience.
By prioritising cybersecurity capacity building, threat prevention, and response coordination, Central and Eastern European countries can work together to ensure the region’s digital transformation remains secure and beneficial for all.
A collaborative, multi-pronged strategy will be the best path towards a safer and more sustainable cyber future across this strategically important region.