Cybersecurity – taking care of security for tomorrow
Today, the digital environment is no longer a separate component of a company or organization's operations - customer data, financial flows, internal communication, production and logistics are based on technology. Therefore, cybersecurity is not only a matter for IT department employees, but also the responsibility of company management and a prerequisite for the sustainable development of business activities. In the current geopolitical conditions, the question is not whether a cyberattack will occur, but when it will occur and how prepared the company and its employees will be for it. Cybersecurity has become an element of national security, which is why every company needs a well-thought-out, structured and long-term cybersecurity strategy.
Why you should think about cybersecurity before an incident occurs
Companies that invest in cybersecurity gain more than just protection. They gain compliance with regulatory requirements, higher resilience in crisis situations, as well as a more stable reputation and customer trust. Customers and partners choose to cooperate with those who guarantee the security of their data. Therefore, investments in strengthening cybersecurity are also an investment in the future of the company.
Often, people only start thinking about security after the first serious incident – sensitive data leaks, computer system disruptions and even financial losses. In the event of a cyber attack, the company may experience downtime, which can cause serious costs, such as lost profits during the time the systems were not working. Reputation loss can also be calculated in monetary terms. Nowadays, cyber insurance is no longer just an additional option, but an essential risk management tool that serves as a financial safety cushion. Insurance usually covers losses caused to the company itself, as well as if compensation has to be paid to third parties, for example, for data leaks, for legal services, etc.
It should be remembered that in the digital age, data is a new type of currency that interests cyber attackers just as much as real money in bank or company safes. Furthermore, the leakage of sensitive personal data can lead to legal sanctions and penalties. Therefore, responding after the fact almost always costs more than preventive measures. In turn, a preventive approach to strengthening cybersecurity allows a company:
- to identify vulnerabilities in computer systems in a timely manner,
- to reduce the likelihood of risks occurring,
- to reduce the impact of incidents,
- to ensure business continuity, because without access to IT systems, a company's operations can be disrupted,
- to demonstrate responsible management to partners and customers.
Given the regular warnings from state institutions about the increased risk of cyber threats, companies must take systematic measures to determine and improve their cybersecurity level.
It is important for a company to develop a comprehensive strategy that determines how the company will continue to operate during a crisis. Its goal is to ensure that critical functions, such as customer service, continue even if the data center is unavailable. If email is not working due to a cyber attack, alternative communication channels should be provided, such as encrypted messaging apps or phone calls.
One component of the plan is crisis response, which focuses on the company's technological infrastructure. It is a technical plan for restoring data and systems after an incident so that the business can use its digital tools again.
In times of crisis, resources (time, employees, server capacity) are limited, so it is important to know what to save first. This is determined by a business impact analysis. The priority levels and the time at which the crisis may occur must be assessed. Systems must be identified without which immediate financial losses or legal violations occur (such as payment processing). This is followed by processes that are essential but can temporarily stop, such as the operation of an internal customer relationship management system (CRM). The plan should also identify functions that can wait days or weeks, such as access to company archive files.
Cybersecurity aspects to consider
To effectively identify cybersecurity aspects, it is important to understand that a cyber threat is the possibility that something bad can happen, such as sensitive information being leaked. Vulnerabilities, on the other hand, are shortcomings that can reduce the security of a computer network or infrastructure. They should be eliminated in a timely manner. In turn, a cybersecurity incident or cyber incident threatens the availability, authenticity, integrity or confidentiality of network or IT system data or services.
In Latvia, the most common type of cyber threat is fraud, followed by malicious software (malware) that infects computers, steals information or performs other harmful actions. Attempts to break into computer systems, email compromise, phishing campaigns, etc. are often detected. That is why comprehensive cybersecurity is so important, which is based on three interrelated elements – people, processes and technologies.
A large part of incidents begin with human error – opening a phishing email or giving a password to third parties. Attacks are increasingly occurring through cooperation partners. The company should assess whether suppliers and service providers comply with appropriate cybersecurity requirements.
A company is only as secure as its weakest link, and the impact of external service providers – IT support, cloud services, accounting platforms – on data security is often underestimated. Therefore, a third-party security assessment is necessary. It is recommended to ask how the cooperation partner or supplier stores data, what its backup policy is, whether it holds internationally recognized security certificates, and whether it has had any serious data leakage incidents in recent years. Larger transactions and supply chains should require a system security audit.
It is important to strengthen security legally so that in the event of a cyber incident, there are clear consequences and liability. Therefore, contracts should include the following requirements:
- the supplier is obliged to report a cyber-attack on their systems (e.g. within 24 hours) if it may affect your data;
- the contract should include a clause that allows you or an independent auditor to audit the supplier's security processes;
- it is clearly defined where the data is stored (e.g. only within the EU/EEA) and how it is encrypted;
- specified requirements for system availability and recovery times after an incident;
- it is clear what happens to the data after the contract is terminated (secure deletion or return).
It is also necessary to conduct cybersecurity audits and tests of the technical infrastructure: review documentation and start an inventory of systems, because some companies are not familiar with all the IT equipment at their disposal. This includes network-connected smart devices (IoT) such as televisions, sensor equipment and other Internet-connected devices, all of which are potential targets of cyberattacks. As indicated in the CERT.LV review, several attacks targeting smart TVs (especially those running Android OS) have already been registered in Latvia.
Training opportunities
Employee training in cybersecurity issues is an essential part of a company's daily routine, and it should be planned in the long term. It is desirable to determine the type and content of training in accordance with the education, work experience and professional abilities of employees, as well as the specifics of their job duties. Training for new employees should be carried out within 30 days of starting work, while regular training for all employees should be organized once a year. It would certainly be necessary to discuss and test employee knowledge if new vulnerabilities are discovered, if significant changes have been made to IT infrastructure, software or business processes, and when regulatory requirements in the country change.
Training can take place in various forms:
- management-level seminars on risk management and responsibility,
- practical employee training and phishing simulations,
- in-depth training for IT specialists on current threats,
- certification programs (e.g. ISO 27001, risk management, incident management),
- industry-specific courses for financial critical infrastructure companies.
Regular training not only mitigates risks, but also demonstrates a company's serious attitude towards security. In Latvia, support and educational information materials are also offered by the cyber incident prevention institution CERT.LV and the National Cybersecurity Center.
NIS2 Directive, DORA and the National Cybersecurity Law - what do they mean for entrepreneurs
Segmentation of cybersecurity by company size and field of operation is essential, because one solution does not fit all. Small businesses often lack resources, so they must ensure at least minimum cybersecurity measures, such as two-factor authentication for access to the company's computer network and cloud services. In turn, a completely different level of minimum cybersecurity requirements has already been set by regulatory enactments for providers of essential services, providers of important services and owners or legal holders of critical ICT infrastructure.
Cybersecurity is one of the priorities in the European Union (EU), and the requirements for companies are becoming increasingly strict. The NIS2 Directive (Network and Information Security Directive) is an EU legal act aimed at achieving a high common level of cybersecurity and introducing a cybersecurity hygiene standard. It expands the range of sectors subject to particularly stringent cybersecurity requirements (energy, transport, health, digital infrastructure, etc.), providing for specific risk management requirements, mandatory incident reporting, management responsibility for ensuring security, as well as significant penalties for non-compliance.
DORA (Digital Operational Resilience Act) is an EU regulation that applies to the financial sector and sets very specific and strict requirements for how financial institutions manage IT risks. They must establish a comprehensive system to identify and classify IT risks, regularly test their systems to ensure that they will withstand serious cyberattacks, etc. DORA has been applicable since 17 January 2025, and the supervisory authority in the country is the Bank of Latvia.
The National Cybersecurity Law, which has been in force since 1 September 2024, incorporates the requirements of NIS2. The law establishes specific obligations for companies operating in essential or critical sectors. Previously, the regulation on cybersecurity only affected critical infrastructure, but now it applies to a much larger number of companies and organizations in both the public and private sectors. An online test is available on the website of the Ministry of Defence to find out which category a company belongs to.
The Cabinet of Ministers Regulation No. 397 of 25 June 2025 “Minimum Cybersecurity Requirements” was issued on the basis of the law. Its aim is to promote the resilience of essential and important service providers and ICT critical infrastructure against cybersecurity threats. The regulation establishes minimum cybersecurity requirements that must be implemented within the company's risk management framework.
Cyber risk assessment - where to start?
Cybersecurity is not a one-time project, but a continuous process. In order to understand the level of cyber risk the company is currently at and how to move towards a safer one, it is recommended to:
- conduct an asset inventory, identifying the most important company data, systems and processes;
- identify potential threats: phishing, ransomware, insider threats, vulnerabilities, etc.;
- assess the impact – how significant the losses would be if the risk were to occur;
- develop an action plan that prioritizes security measures according to the level of risk;
- involve management so that cybersecurity implementation is not just a technical project, but a strategic priority for the company.
One of the first tasks could be to create a cybersecurity checklist for employees, as their daily activities and habits significantly affect the overall level of security for the company:
- Passwords and access: use a unique and complex password for each account and, wherever possible, two-factor authentication (2FA). Do not disclose passwords to others, not even to IT support. Lock the computer screen when leaving the workplace.
- Email and links: check the sender's address before clicking on links. Do not open attachments from unknown or suspicious senders; report suspicious emails to the IT department.
- Devices and software: update software regularly and avoid connecting unknown USB devices. When working outside the office, use only a secure VPN connection and do not connect to public Wi-Fi networks unnecessarily.
- Data security: store work files only in company-approved electronic environments and do not send sensitive information over unencrypted channels. Destroy physical documents only in a secure manner.
Incident management and recovery readiness
Cyber incident management is necessary for a company to be ready to detect, respond to, contain and recover from cybersecurity incidents, near-misses and vulnerabilities. For this purpose, it is necessary to develop an incident management plan - a structured document that describes how to act in the event of a cybersecurity incident. It includes a list of identified cyber risks, specific measures to manage these cyber risks, those responsible for implementing and controlling the measures, as well as the deadlines for implementing these measures or their periodicity.
The plan should also include a classification of incidents (e.g. low, medium, high impact); response steps - incident identification, containment, prevention and recovery; a communication plan - internal and external communication; actions to preserve and document evidence; analysis of what happened and the implementation of further preventive measures.
This plan can be created as a single document or a set of several thematically related documents. The National Cybersecurity Center has developed recommended templates for cybersecurity management documentation, offering ready-made templates and guidelines (https://www.cyber.gov.lv/lv/minimalas-kiberdrosibas-prasibas-un-nis2/kiberdrosibas-parvaldibas-dokumentacijas-paraugi).
The division of roles is also critically important in a company so that there is no confusion during an incident and areas of responsibility are defined:
- incident manager – coordinates the response and makes operational decisions;
- IT and security specialists – perform technical analysis and prevent the incident;
- management – makes strategic decisions, assesses the impact on the business;
- person responsible for communication – ensures the flow of information with customers, partners and media;
- data protection specialist, company legal department – assesses regulatory obligations and risks.
The company is recommended to regularly update the contact information of these responsible persons and ensure that everyone understands their responsibilities and knows how to act in a given situation.
When a cyber incident is detected, the company must take all necessary actions to contain and prevent the incident, as well as immediately report it to the competent cyber incident prevention institution (CERT.LV) and follow the instructions it provides.
With the implementation of the NIS2 Directive, reporting requirements for companies and organizations falling within the scope of the directive have become even stricter. In the event of a significant cyber incident, the company must:
- immediately, but no later than within 24 hours, submit an early warning of the significant cyber incident electronically;
- no later than within 72 hours (for a trust service provider, within 24 hours), submit an initial report of the significant cyber incident electronically;
- within one month of the above-mentioned report, submit a final report on the resolution of the significant cyber incident. During this time, an in-depth analysis of the situation must be carried out and the preventive measures taken must be indicated. If it has not been possible to resolve the incident within this period, a progress report on the resolution of the significant cyber incident must be submitted.
In the event of a significant cyber incident or significant cyber threat, the company must immediately inform the recipients of its services, including users of the electronic communications network or information system, about possible cybersecurity measures or means that the recipients of the services can use to prevent the cyber incident or mitigate the cyber threat.
CERT.LV also reminds that it is possible to voluntarily report every detected or nearly occurred incident or threat, as competent authorities can help prevent them and involve operational authorities as necessary.
It is equally important to regularly perform vulnerability scans of IT systems, tests and internal audits, and to check the speed and integrity of backup restoration. To assess the reaction of employees, this can take the form of, for example, a theoretical walk-through of cyber incident scenarios, checking how prepared they are for decision-making. Control measures can also be taken, for example, checking how employees respond to phishing emails.
Finally - three steps you can take today
- Conduct an initial cyber risk self-assessment within your company.
- Designate a person responsible for cybersecurity at management level.
- If internal resources are lacking, engage an independent expert audit.
Companies that act in a timely and systematic manner not only mitigate risks, but also strengthen competitiveness and reputation in the long term.
The creation of the platform is being implemented within the framework of the European Union Recovery and Resilience Mechanism investment 2.1.2.1. “Digital Services Platform business.gov.lv”, in close cooperation with state institutions and business representatives.
Its development is taking place gradually - by testing solutions, improving usability and adapting the platform to the real needs of entrepreneurs. Special attention has been paid to user experience in the development process – entrepreneurs are actively involved in testing and provide feedback on the ease of use of the platform.
The project “Digital Services Platform for Promoting Business Development” is implemented with funding from the European Union's Recovery and Resilience Mechanism (NextGenerationEU).