Security: "Never underestimate the human factor"

Cybersecurity is a complex, and sometimes even intimidating, topic that is still too often overlooked by businesses. Yet cybersecurity risks are a concrete reality faced by all organisations today, regardless of their size or sector.

Through the Luxembourg Digital Innovation Hub, and in cooperation with theLuxembourg House of Cybersecurity, companies can benefit from cybersecurity maturity assessments. These assessments provide a clear and realistic overview of a company’s cybersecurity posture in a simple, pragmatic and structured way.

Here are the perspectives of Anitha Arulrajakuma, Information Security Analyst at the Luxembourg House of Cybersecurity, and Mickael Desloges, Senior Advisor – Assessments & Roadmaps at Luxinnovation.

Why is data protection still a crucial issue today?

Anitha Arulrajakuma – In a hyperconnected digital world, data—especially personal and business data—has become a critical asset. Numerous examples have shown how data breaches can severely damage trust in brands. It is therefore essential to protect data as effectively as possible.

Mickael Desloges – Data has become the new black gold. Collecting, managing and using data helps companies increase productivity, reduce costs, optimise processes and improve decision-making. If this data suddenly becomes unavailable or corrupted, companies may be forced to halt operations or make poor decisions. Moreover, if sensitive data falls into the hands of competitors, it can provide them with a decisive strategic advantage.

What different risks need to be taken into account (cyberattacks, environment, fire, personnel, etc.)?

MD – All of them. The primary risk, especially for SMEs, is believing they are too small to attract the attention of cybercriminals, or assuming that technology alone will provide sufficient protection. The human factor should never be underestimated. Beyond cyber risks, every organisation must also comply with security standards at all levels, including logistical and organisational aspects.

Legislation provides for fines when data is not adequately protected. Anitha Arulrajakuma, Luxembourg House of Cybersecurity

AA – Compromised operational technologies (OT) can lead to production disruptions, physical damage, environmental incidents and even risks to human safety. Regular security checks of these systems allow organisations to identify vulnerabilities before they are exploited by cybercriminals or affected by external factors such as extreme weather conditions. It is also important to note that legislation provides for fines when data is not adequately protected.

What are cybersecurity maturity assessments?

AA – A cybersecurity maturity assessment is an online evaluation that helps companies identify potential weaknesses, particularly in systems that store critical data and in their surrounding environment. Knowing where vulnerabilities exist—whether potential or actual—enables organisations to act proactively to secure their information.

MD – It is a valuable opportunity for companies to step back and ask themselves the right questions—often the ones they would not normally consider. It also helps them assess the current level of their cybersecurity protection. In short, it answers a key question: “Are you really where you think you are?”

How does the process work?

AA – The first step is to gather all relevant team members to ensure that the questions are answered as accurately and transparently as possible, based on documentation and factual data. The assessment then generates a maturity score and a set of recommendations in a detailed report, providing a 360-degree view of the company’s information security and cybersecurity posture. The scoring methodology is based on industry standards. The assessment covers 18 security domains and evaluates 59 control points.

The primary risk, especially for SMEs, is believing they are too small to attract the attention of cybercriminals. Mickael Desloges, Luxinnovation.

MD – This report allows us to define an initial set of concrete and appropriate measures to strengthen the security of the existing infrastructure.

What are the next steps once the report is completed?

AA – Companies can first review the report internally. They can then engage with Luxembourg Digital Innovation Hub (L-DIH) experts to discuss specific use cases and plan implementation. For example, companies may subscribe to the Cybersecurity Value package, which includes full-scale cyberattack simulations in the Room 42 simulator, as well as cybersecurity awareness and training sessions for staff. Room42 is a crisis management exercise that will help you better prepare for one.

MD – One of the key advantages of this approach is that no specific preparation is required. The outcome is a set of personalised recommendations for services and support tools, tailored to the company’s cybersecurity strategy and maturity level.