Global experience in combating cyber threats: what businesses need to know

With the development of digital technologies, cybersecurity plays an increasingly important role in the long-term prosperity of businesses, as well as directly affecting their reputation and financial stability. In a new article for the Economichna Pravda, Dmytro Popinako, CEO of Innoware, an expert in implementing international ERP systems, explains how leading countries around the world are fighting cyber threats and why Ukrainian companies need to adopt international experience right now.

Why are some Ukrainian companies still relying on russian IT products, and what should they do about it?

Modern business is not just about jobs, manufacturing products or providing services. It is also about the software that helps manage enterprises: accounting systems, electronic document management, CRM, which are targeted by cybercriminals to steal or destroy information.

According to Microsoft, in 2024, russia is one of the leading sources of cyberattacks globally, along with China and Iran. The company reports more than 600 million daily incidents related to hacker attacks, phishing, malware, and other methods of gaining access to systems and taking control over them.

It is not surprising that under these conditions, about 60% of organizations report the impact of geopolitical tensions on their cybersecurity strategy.

Three factors affecting cybersecurity

Firstly, complex supply chains and the lack of transparency and control over suppliers’ security have become a major cyber risk for companies. The main issues lie in the vulnerabilities of third-party software. This is the view of 54% of large organizations.

Secondly, cybersecurity is not exclusively an IT task. It is a priority for executives that requires collaboration across all company departments and strong leadership. Data protection will remain one of the key issues for global businesses in 2025.

Thirdly, the constant updating of the regulatory ecosystem creates additional challenges. On the one hand, government regulation is an important factor in improving cybersecurity. On the other hand, differences in regulation across countries affect the ability of companies, especially international ones, to comply with new requirements.

Governments are tightening regulations to protect against the devastating effects of cyberattacks. However, a lack of consistency across jurisdictions creates challenges for organizations. This is confirmed by over 76% of Chief Information Security Officers (CISO) surveyed at the World Economic Forum on cybersecurity in 2024.

Regulation in the European Union

On October 18, 2024, the NIS 2 cybersecurity directive came into effect, establishing unified standards across the EU. It requires companies to document cybersecurity strategies and report cyber incidents to government authorities. Companies will be fined up to €20 million for violations. Additionally, executives are personally financially liable for failing to comply with legal requirements.

The European Union’s Cyber Resilience Act (CRA) expands on NIS 2 and establishes mandatory requirements for manufacturers and retailers of products with a digital component: from baby monitors to smartwatches. The law came into effect on December 10, 2024, and obliges manufacturers and retailers to ensure cybersecurity throughout the entire lifecycle of such products.

In addition, under the EU’s 12th sanctions package from December 2023, it is prohibited to sell, supply, transfer, export, or provide enterprise management software (CRM, ERP, EDW, PLM, etc.) to russian companies and subsidiaries of European companies in russia.

According to the analytical center at the Kyiv School of Economics, more than 450 European Union companies continue to operate in russia.

Regulation in the USA

In the US, individual states and industry regulators, such as the Federal Trade Commission (FTC) or the Securities and Exchange Commission (SEC), are increasingly requiring the implementation of reliable cybersecurity. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, companies in critical sectors are obligated to report security breaches.

On June 12, 2024, the U.S. Department of the Treasury made a decision similar to the EU sanctions package. It restricts the provision of IT and software services to russia, including ERP, CRM, EDW, and other systems.

In response to international restrictions, the russian developer of similar software is actively encouraging international companies that remain in russia to switch to the 1C system and related products.

Regulation in Ukraine

Ukraine is integrating with the EU, so domestic companies will soon need to adapt to international security standards to remain competitive.

So far, Ukraine’s regulatory framework does not facilitate the elimination of obvious threats associated with the widespread use of 1C and BAS. For Ukrainian businesses and state institutions that depend on russian software, maintaining the status quo seems easier, but «easier» does not mean «safer».

On January 8, 2025, the Verkhovna Rada adopted the draft law No. 11290, which plans to establish a professional network of cybersecurity experts in all government institutions that process important data of Ukrainians. This will be part of the «Pentagon for state registries».

On January 14, the Cabinet of Ministers approved the «Digital Innovation Development Strategy through 2030», aiming, among other things, to strengthen the country’s cybersecurity.

It is also important to note the draft law No. 11492, registered by the government in August 2024, which prohibits the use of russian software, including in the private sector. However, the draft law has not progressed to the next stage yet.

The only decision currently banning russian software (although it does not provide penalties for non-compliance) was adopted by the National Security and Defense Council of Ukraine on September 2, 2024. This decision extends the ban introduced in 2017 on the sale, support, and distribution of 1C, BAS, “UA-budget” and their software products.

However, some Ukrainian companies still rely on these products, purchasing them abroad or using pirated or cloned versions.

Ukraine is gradually integrating into the European Union’s financial space, which has different requirements for reporting, production control standards, and consumer data protection. Pirated versions of systems, which are not supported and updated, will not be able to ensure business compliance with these standards.

The consequences for business can be critical. Even updated versions are dangerous. Cybercriminals can use them to access the data of strategic enterprises, delete information, and disable information systems.

Further use of banned software in Ukraine will create even more problems – including the need to change solutions urgently, without proper preparation and with the possible loss of all data.

Recommendations for improving cybersecurity

If organizations do not start updating their security systems, they will be at risk of cyber incidents. Staying with a supplier, even if it creates risks, may seem like an easier solution than implementing safer alternatives, until the use of risky software is prohibited by law.

However, new vulnerabilities emerge every day and legislation may not keep up with such rapid changes. Company executives and owners should ask themselves whether their cybersecurity tools are reliable enough.

It is worth starting by studying the European Union information security standards and getting ISO 27001 or SOC 2 certification. This is available to all enterprises – both large and small. Those still using 1C or BAS should abandon them, as they pose high risks to companies and the economy.

Original article: Світовий досвід у боротьбі з кіберзагрозами: що потрібно знати бізнесу – Економічна правда

Innoware

IT Consulting Company

INNOWARE USA
501 Silverside Rd, Ste 105, # 4995,
Wilmington, Delaware, 19809-1376,
United States
Tel.: +1(302)4672024
E-mail: info@innoware.com

INNOWARE UKRAINE
3, Sholudenka Str., office 204 (Cubic BC)
Kyiv, Ukraine, 04116
Tel.: +380(44)4902220
E-mail: info@innoware.com

Follow us on
LinkedIn
Clutch
