Cybersecurity Is Not Measured by Tools, but by the Speed of Detecting an Attack

Dražen Tomić / Tomich Productions

Most organizations today understand that a cyberattack is not just a technical incident, but a serious business problem. However, there is still a wide gap between awareness of threats and actual operational readiness. Today’s attacks rarely begin spectacularly, and even more rarely do they immediately reveal their true intent. That is precisely why security teams must recognize a pattern from a series of seemingly small and unrelated deviations.

Cyberattacks have long ceased to be reserved for financial institutions, critical infrastructure, or global corporations. Every organization with a network, data, and users is a potential target – and in practice, that means almost everyone. For ICTbusiness Media – ICTbusiness.info, Dragan Bednarčuk, cybersecurity solutions architect at KING ICT, describes that reality not as alarmism, but as a starting point for a discussion about what it actually means to be prepared.

The Croatian and regional markets are seeing growing awareness of security risks, but Bednarčuk warns that awareness and operational readiness are not the same thing. An organization can have a firewall, antivirus protection, and multi-factor authentication and still not be able to notice an attack that has already been underway for days. It is precisely this difference between possessing tools and possessing visibility over infrastructure that is the central theme of this conversation. In that context, KING ICT is not just a supplier of security solutions, but a company with reference projects that include multi-year cooperation with NATO on the implementation of advanced security architectures.

How prepared are Croatian and regional companies today for cyberattacks?

The good news is that awareness of cybersecurity is much higher today than it was five or ten years ago. Most organizations understand that a cyberattack is not just an IT problem, but something that can seriously affect business operations, reputation, and client trust. On the other hand, we often see that awareness is growing faster than actual readiness. Companies have a firewall, antivirus protection, perhaps even multi-factor authentication, but they do not have continuous monitoring of their systems or people who actively track what is happening on the network. In practice, this means that an attack can last for days, sometimes even weeks, before someone notices it. That is precisely why more and more organizations are introducing a CSOC (Cyber Security Operations Center) or at least some form of constant security monitoring. Once you start monitoring what is really happening on the network, you often discover things that were not visible at all before.

Which cyberattack from practice surprised you the most, or particularly stayed in your memory?

One example often mentioned in the security community took place in a casino in Las Vegas. The attackers did not go after financial systems or server infrastructure, but an aquarium. More precisely, it was a smart thermostat that regulated the water temperature in the aquarium in the hotel lobby. That device was connected to the internal network and had a weak security configuration. Through that small IoT device, the attackers gained access to the network and then gradually moved through the infrastructure until they reached systems containing business data. It is an excellent example of how complex IT environments can be today and how sometimes an attack comes from the place you least expect it. Today, practically every device connected to the network, from cameras to sensors, can become an entry point if it is not properly configured.

What does a typical cyberattack actually look like today, for example, from the first phishing message to system compromise?

In a large number of cases, everything starts very simply, with a phishing message. Someone clicks on a link, opens a document, or enters their credentials on a fake page. Once the attacker gains access to one user account, they begin exploring the infrastructure. They look at which systems the user can see, and try to find servers, shared resources, or administrator accounts. After that comes what we call lateral movement, that is, moving through the network. Attackers often use legitimate tools such as PowerShell or Remote Desktop, so their activity can look like the normal work of an administrator. Only when they reach critical systems or sensitive data does the final phase of the attack begin, for example, data theft or the activation of ransomware.

What do security teams most often notice first when an attack is already underway?

Interestingly, the first sign of an attack rarely looks dramatic. Most often, it is some small irregularity. For example, a user logs in from a country from which they have never connected before. Or an account suddenly begins accessing resources for which it normally has no business need at all. Sometimes logins also appear at unusual times during the night. In other cases, it is atypical network traffic or suspicious communication with external servers. CSOC teams try to connect such seemingly insignificant traces. A single event may mean nothing, but when several of them come together, a pattern begins to form that may point to an attack. In practice, we have repeatedly seen situations with clients where the combination of those small, almost imperceptible deviations revealed an attack that was already underway. It was precisely thanks to CSOC monitoring and data correlation that we managed to recognize attempts at lateral movement and system compromise at a very early stage. Such examples clearly show how crucial it is to have continuous monitoring, because without it, these activities could very easily remain under the radar.

When an organization realizes it needs a CSOC, is it usually already too late?

Honestly, quite a lot of organizations start thinking about a CSOC only after an incident. When something happens, it suddenly becomes clear how difficult it is to understand what actually happened in the system. But the real value of a CSOC lies precisely in early detection. If you have continuous monitoring of your infrastructure, there is a much greater chance that you will notice suspicious activity while the attack is still in its early phase. In other words, a CSOC does not guarantee that there will be no attacks, but it significantly increases the chance that you will detect one before it causes serious damage.

What does a CSOC team actually do during a day or night shift?

A large part of a CSOC team’s work is actually the analysis of events and alerts coming from different security systems. These can be logs from network equipment, servers, applications, or endpoint devices. Analysts check whether it is a real threat or something benign. Sometimes it is a quick check, and sometimes it requires more serious analysis. In addition, CSOC teams often conduct threat hunting, that is, proactive searching for signs of compromise in the system. When an incident is confirmed, the response process is launched, including system isolation and further analysis of the attack.

Artificial Intelligence (AI) is increasingly entering the field of cybersecurity. Is it currently being used more by attackers or by defense?

Artificial Intelligence is now being used on both sides. Attackers use it to automate phishing campaigns, generate more convincing messages, or analyze vulnerabilities in systems. What previously required a lot of time and technical knowledge can now be automated with the help of AI tools. On the other hand, security teams also use Artificial Intelligence to more easily analyze enormous quantities of security data. CSOC systems generate millions of events every day, and without a certain level of automation, it would be almost impossible to spot anomalies that may indicate an attack. AI can help identify unusual user behavior, suspicious network traffic, or attempts at privilege escalation. However, it is still not a replacement for security analysts. Human expertise is crucial in order to understand the context and assess whether it is a real attack or a legitimate activity that only appears unusual. In practice, the most successful defense models are those that combine automation and the experience of security experts. AI can significantly accelerate analysis and detection, but final decisions are still made by people.

How often do organizations think they are secure until a penetration test shows otherwise?

That happens more often than many would expect. An organization may have modern security tools, but a combination of smaller configuration errors can sometimes open the way for an attacker. Penetration tests try to think like an attacker. The goal is not only to find a vulnerability, but to show how it can be exploited in a real scenario. It often turns out that several smaller weaknesses together can enable access to the system. That is why such tests are very valuable, because they give an organization a realistic picture of its own security.

Tabletop exercises are being mentioned more and more often in cybersecurity. What are they, and why are they important for organizations?

Tabletop exercises are actually simulations of a security incident. Teams go through a pre-prepared attack scenario and try to respond as if the incident were really happening at that moment. It can be, for example, a ransomware attack, the compromise of user accounts, or a data leak. These exercises do not involve only the IT or security team. Management, the legal department, the communications team, and even public relations departments are often included, because a cyber incident can very quickly become a business or reputational crisis as well. Such exercises are extremely useful because they reveal things that often look simple in theory, but can be problematic in practice. Sometimes it turns out that the technical part works well, but it is not clear who makes decisions, who communicates with users, or when regulatory bodies are brought in. That is precisely why tabletop exercises help organizations rehearse coordination and decision-making before a real incident.

How much is the human factor still the weakest link in security?

Unfortunately, still to a large extent. Technology is quite advanced today, but attackers often target people, not systems. Phishing campaigns are still among the most successful methods of attack precisely because they use psychology, and that usually means a sense of urgency, fear, or curiosity. That is why employee education is extremely important. Organizations that regularly conduct security training and simulated phishing campaigns usually have significantly fewer successful attacks.

What is the biggest mistake organizations make after implementing security tools?

The biggest mistake is believing that the tool will solve the problem on its own. Security tools generate a lot of alerts, but someone has to analyze them. If there is no team monitoring those events, many signals of an attack can pass completely unnoticed. Security is not a product that you buy once, and the job is done. It is a process that requires constant monitoring, adjustment, and improvement.

If you had to single out one thing that every organization should do already today to be safer, what would it be?

If I had to single out one thing, it would be visibility into what is happening in the system. In cybersecurity, the rule very often applies: if you cannot see what is happening on the network, it is very difficult to notice an attack in time. This means that organizations must collect and analyze security events from different systems: from network infrastructure and servers to applications and endpoint devices.

That is precisely where the role of the CSOC, that is, the security operations center, comes to the fore, because it enables continuous monitoring and analysis of that data. CSOC teams use different tools for event correlation and the recognition of anomalies that may indicate a potential attack. These are often small signals such as unusual user logins, unusual network traffic, or attempts to access sensitive systems, which individually may not look alarming, but together can point to a security incident. Organizations that have that level of visibility over their infrastructure usually recognize suspicious activities much faster and react before the attack causes serious damage. In other words, the goal is not only to prevent attacks, because there will always be attempts, but to detect them as early as possible and respond in time. That is exactly where the greatest value of the CSOC approach to cybersecurity lies.

From our experience, especially in working with larger and regulated organizations, visibility and systems integration make the greatest difference. For several years now, we have been cooperating with NATO, where, through several projects, we worked on the design, implementation, and integration of advanced security solutions in a complex environment. The key was in connecting those solutions with existing CSOC capacities and establishing centralized monitoring, but also in coordinating different teams within the organization. Such projects are long-term and based on trust, and that is precisely one of the most important elements in cybersecurity today.
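The correlation of weak signals described above (a login from a country the account has never used, access to a resource outside its normal pattern, activity at night) can be sketched as a small baseline-and-score routine. This is an added example, not code from the interview or from KING ICT; the event records, the country codes and the night window are constructed assumptions.

```python
# Added example: correlate weak signals per user, as the interview describes.
# Events, country codes and the night window are constructed (not real data).
from collections import defaultdict
from datetime import datetime

# Constructed sample: (user, ISO timestamp, country, resource accessed)
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "HR", "fileshare-hr"),
    ("alice", "2024-03-05T10:03:00", "HR", "fileshare-hr"),
    ("alice", "2024-03-06T08:55:00", "HR", "mail"),
    # new country + new resource + night: three signals on one day
    ("alice", "2024-03-07T03:20:00", "XX", "fileshare-finance"),
    ("bob",   "2024-03-04T11:00:00", "HR", "mail"),
    # night only: a single signal, not enough on its own
    ("bob",   "2024-03-07T02:40:00", "HR", "mail"),
]

NIGHT_HOURS = range(0, 6)  # assumption: 00:00-05:59 counts as unusual


def baseline(events, before):
    """Countries and resources each user used before `before` (ISO prefix)."""
    countries, resources = defaultdict(set), defaultdict(set)
    for user, ts, country, resource in events:
        if ts < before:
            countries[user].add(country)
            resources[user].add(resource)
    return countries, resources


def weak_signals(event, countries, resources):
    """Return the individually harmless deviations one event exhibits."""
    user, ts, country, resource = event
    signals = []
    if country not in countries[user]:
        signals.append("new_country")
    if resource not in resources[user]:
        signals.append("new_resource")
    if datetime.fromisoformat(ts).hour in NIGHT_HOURS:
        signals.append("night_login")
    return signals


def correlate(events, window_start, threshold=2):
    """Flag users whose events since window_start show >= threshold distinct signals."""
    countries, resources = baseline(events, window_start)
    per_user = defaultdict(set)
    for ev in events:
        if ev[1] >= window_start:
            per_user[ev[0]].update(weak_signals(ev, countries, resources))
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}
```

Run over the constructed sample, `correlate(EVENTS, "2024-03-07")` flags only alice, whose single session combines all three deviations, while bob's lone night login stays below the threshold.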

How long would an average organization hold out if an attack started today?

That depends greatly on the organization’s level of security maturity. In environments without continuous monitoring, attackers can often remain in the system for days or even weeks before someone notices them. During that time, they can explore the infrastructure, compromise additional systems, and prepare for the final phase of the attack. Organizations with a CSOC, or at least a robust monitoring system, usually detect such activities much faster. And in cybersecurity, the speed of detection is often what determines whether an incident will be a small problem or a major crisis.