Cybersecurity: Act Before It’s Too Late
Are Luxembourg companies prepared for cybersecurity incidents?
Many companies have implemented cybersecurity strategies at different levels, but with significant disparities. Indeed, 51% of surveyed companies say they have a global security strategy. This rises to 61% for incident response strategies, and 66% report having a defined incident response plan in case of a security breach.
We observe that companies are more focused on recovery than on a comprehensive strategy. They adopt a highly reactive approach: instead of building an overall security framework, they focus on their ability to restore operations after an attack.
However, among the 66% of companies with a response plan, only 44% have tested it. Trust does not exclude control: it is essential to test these plans to be prepared for real attacks.
What prevents companies from implementing a global cybersecurity strategy?
The main obstacle is the lack of management support. Yet it is crucial to involve leadership in defining any cybersecurity strategy.
While cybersecurity is often seen as a cost center — and sometimes even as a constraint for operational and business teams — the risks and potential losses in the event of an incident are far greater.
In recent years, many companies have improved by implementing Business Continuity (BCP) and Disaster Recovery (DRP) plans, but security often remains the poor relation in these approaches.
According to the Dell EMC Global Data Protection Index, the number of companies unable to recover their data after a security breach has almost doubled since 2016.
In Luxembourg, our study shows that 84% of security incidents over the past 12 months were social engineering attacks (phishing, cryptolocker, ransomware) targeting company data.
Cyber risk is therefore very real. Top management must place cybersecurity at the heart of their strategy to ensure business continuity. With the rise of the public cloud, this is even more critical, as IT environments become more complex and shadow IT increases.
To improve this situation and gain more management support, cybersecurity experts must shift the conversation toward business risk rather than technical solutions. And above all: communicate, communicate, communicate. Cybersecurity remains a closed world, and companies often hesitate to disclose incidents due to reputational concerns — which unfortunately slows down collective defense capabilities.
What are the causes of these incidents?
According to our study, 84% of companies have faced incidents caused by the exploitation of human weakness, such as social engineering. Instead of hacking systems directly, attackers often rely on phishing attempts.
Next, 48% of companies experienced incidents linked to human error: unintentional actions such as sending an email to the wrong recipient, configuration mistakes, or lack of attention.
Finally, only 18% of incidents resulted from external attacks with clear malicious intent, such as data theft attempts, DDoS attacks, website blocking, or ransomware campaigns.
These attacks aim either to disrupt business operations (e.g., DDoS) or to steal and resell confidential data — or even encrypt it to demand ransom.
How can companies better protect themselves?
Just like firefighters who prevent, train, and extinguish different types of fires, cybersecurity strategy must combine prevention, protection, and incident response.
Companies facing a lack of security resources or expertise should not remain alone. Cybersecurity professionals are there to help them focus on their core business.
Once a strategy is defined — closely aligned with the business (a sine qua non condition for securing management support and budget) — it must be tested regularly, as this is a constantly evolving field.
We also encourage companies to communicate and share information about incidents so that the entire Luxembourg ecosystem can improve its resilience.