Cybersecurity: it is not about whether there will be a cyber attack, but when

Luc Williams

The biggest cybersecurity challenges remain deepening geopolitical tensions, the rapid pace of change, the complexity of supply chains, and a shortage of talent on the labor market. Hacker attacks, run by criminal groups and sponsored by specific countries and their services, are steadily becoming more professional.

Regulations sometimes do not make it easier

Legal regulations are important in ensuring cybersecurity. Adapting to them can be particularly difficult for global companies operating in many countries, because the regulations introduced may differ significantly. During the discussion, Jonathan Quesney, director of global management and response to threats at PepsiCo, where he manages the Cyber Fusion centers in Warsaw and Sydney, drew attention to this.

– In our company, we adapt to the changes introduced, in Poland, Europe and globally. Of course, there are some similarities, but each country has its own rules, sometimes specific to different places – said Jonathan Quesney.

He pointed out that, for example, the GDPR requires a cyber attack to be reported within 72 hours, while in India the rules give 6 hours to notify about the incident.

The representative of PepsiCo emphasized that his company has a global policy covering all cybersecurity regulations. Under it, PepsiCo approaches the changes introduced step by step, checking whether its actions comply with national regulations, what effect those regulations have on the functioning of the company, and whether the national regulations conflict with the principles used at PepsiCo.

The problem is the imprecise nature of certain cybersecurity provisions, which makes them difficult to implement and apply.

– Sometimes we have general concepts about what should be done, what it should look like, but it is difficult to implement and translate into specific actions. What does it mean, for example, that we are to report an incident within 6 hours? Is it from the moment of the incident or from the detection of the attack? It is really hard to understand sometimes what is contained in the regulations – Jonathan Quesney commented.

He also pointed out that close cooperation is needed between businesses and those who create cybersecurity regulations, not only to understand and apply them properly, but also to review and change them on an ongoing basis if necessary.

Security in the supply chain

For a company like PepsiCo, the security of the supply chain and meticulous checking of suppliers are extremely important.

– We work with thousands of partners; these are entities of different sizes, in many different locations – said Jonathan Quesney.

In his opinion, it is very important to find an effective method of ensuring a safe partnership, especially with critical suppliers, in order to counteract undesirable events.

– We try to know who we are working with. We have some policies on risk analysis, we have control procedures, we must introduce segmentation when it comes to OT (Operational Technology – ed.) and IT. If we have any two-sided relationships, we must, for example, make sure that the application is safe – enumerated the representative of PepsiCo.

In his opinion, ensuring cybersecurity is a complicated journey, during which you have to go back to the basics all the time and make sure that the company is coping with difficulties and problems. He considers it worth trying to return to paper and pencil for a few days to see if you can function when the computer network stops working.

– It is not about whether incidents in cybersecurity will happen, but about when they will happen. We need to know, make sure that business units are prepared for such incidents. We must have resistance, resilience, all procedures must be implemented so that we can have at least an average impact on the cyber attack against us – summed up Jonathan Quesney.

Participants in the debate “Cyber security in business” emphasized that while large companies are aware of threats and take specific actions to prevent them, small enterprises underestimate the importance of the problem and also overestimate their own security. The weakest link is employees who unknowingly break the basic rules of secure access to IT systems.
