Overview

Cybersecurity today: from an option to a need for companies


Due to increasingly pervasive digitization, cybersecurity is no longer an option: it has become a necessity. The expansion of digital technologies and services means that the attack surface available to cybercriminals is growing exponentially, and the most serious issue is that users are not always fully aware of this. According to the most recent CLUSIT Report, 3,541 serious cyber-attacks were recorded globally in 2024, the highest number ever recorded and a 27% increase on the previous year[1]. In Italy the picture is particularly alarming: the country suffered 10% of global attacks despite representing only 1.8% of global GDP. With 357 known serious attacks in 2024, Italy is permanently in the sights of cyber criminals. Cybercrime is responsible for approximately 86% of cyber-attacks globally, and the phenomenon is constantly growing. Among the main factors fuelling this trend is the spread of low-cost “as-a-Service” tools on the dark web, which make illicit activities accessible even to individuals with limited technical skills.

Cybersecurity governance represents a coordinated set of policies, standards, organizational arrangements and compliance mechanisms aimed at ensuring a rigorous supervision of digital security. Areas such as energy, healthcare, finance, telecommunications and transport are recurrent targets of increasingly complex and persistent cyber threats. Moreover, it is not only large corporations or critical infrastructures that are affected, but also and above all small and medium-sized enterprises, which are often less structured and therefore more vulnerable. An effective governance model creates a protected digital environment, protects sensitive information, ensures continuity of essential services, and contributes to economic stability. Because of its systemic impact, cybersecurity is now increasingly recognized as a priority: governments and regulatory authorities have for some years now been promoting the application of international regulations and standards, which serve as a reference for the development of mature and sustainable security strategies.

These were the topics discussed during the meeting held in Milan on 14-16 May between the cybersecurity teams of the member firms of the Grant Thornton international network. The event was an important opportunity to discuss and share different perspectives and operational experiences, focusing on the main current cybersecurity challenges. Among the most discussed topics, the NIS2 (Network and Information Security) Directive and the ISO/IEC 27001:2022 standard were particularly relevant, confirming their importance in the definition of effective and scalable cyber governance models.

The first NIS Directive (2016/1148) defined an EU-wide regulatory framework designed to improve supranational coordination in the management of network and information system security, with the aim of protecting services that are essential for the functioning of the EU economy and society[2]. Following the rapid evolution of the digital ecosystem, the European Commission initiated a review process that led to the adoption of the NIS2 Directive, which came into force in January 2023. Member States were required to transpose the new directive into their national legislation by 17 October 2024[3]. NIS2 aims to standardise and further strengthen cybersecurity within the European Union by introducing more stringent risk management and incident reporting requirements and extending them to a larger number of public and private entities (NIS affected around 300 Italian companies; NIS2 involves over ten thousand). Furthermore, the Directive lays down rules to improve cooperation between Member States, to promote information sharing and to ensure more effective application of protection measures at national and European level[4].

At the same time, many companies are choosing to voluntarily adopt international standards such as ISO/IEC 27001:2022, which defines the requirements for an information security management system (ISMS). This approach makes it possible to map risks, plan countermeasures, monitor the effectiveness of controls and pursue continuous improvement. The ISO/IEC 27002:2022 standard, complementary to 27001, provides detailed operational guidance for the implementation of security controls. Integrating these standards into business processes is widely regarded as best practice: it strengthens security, improves stakeholder confidence and facilitates compliance with regulations such as NIS2 and the GDPR.

[1] Ibid, pages 30–31.
[2] European Commission, Questions and answers on NIS directive – Strengthening network and information system security in the EU, n.d.
[3] National Cybersecurity Agency (ACN), NIS Directive, n.d.
[4] European Commission, NIS2 Directive, n.d.
