28.11.2025

Cybersec Update #4: Cybersecurity training – an obligation that can save your company

Outside, rain and snow keep taking turns, the leaves have fallen, and that can only mean one thing: the season of conferences, events and trainings is in full swing. It is worth remembering, however, that training is not only an opportunity to gain or refresh knowledge; in some cases it is a legal requirement. That is the case, for example, under the NIS2 directive and the Polish Act on the National Cybersecurity System (UKSC) that implements it.

Two types of mandatory training under NIS2 and KSC2

The directive, and the Polish act implementing it, introduce obligations to conduct two kinds of training.

The first is an explicit requirement for the members of the organization's management body to undergo cybersecurity training (NIS2, Article 20(2)); the Polish act sets the minimum frequency at once a year.

The second is an obligation to carry out awareness-raising activities among staff: improving cybersecurity awareness, teaching employees to recognize threats and respond to incidents, and promoting basic cyber hygiene. NIS2 lists cyber hygiene practices and cybersecurity training among the risk-management measures an entity must implement (Article 21(2)(g)). No specific interval is defined for this second obligation, but that does not mean it may be ignored. Quite the opposite: it is one of the measures an entity must be able to show it actually has in place.

Management training – what you need to know about NIS2

The requirement for management training reflects the principle that cybersecurity is a responsibility at every level of leadership. As the saying goes, "with great power comes great responsibility": under NIS2 the management body approves the risk-management measures, oversees their implementation and can be held liable for infringements, so it must understand what it is signing off on. For the management of essential and important entities this means at least one training session per year, though many organizations set a higher bar.

Such training should cover not only technical threats but also risk management, incident reporting obligations and deadlines, and the legal accountability of management.

Raising staff awareness – the weakest link in the chain

A chain is only as strong as its weakest link, and in cybersecurity that link is often the human factor. That is why employee training is so critical. Staff who cannot recognize a suspicious message, do not know how to respond to an incident, or are unfamiliar with basic cyber hygiene are a risk to the entire organization, regardless of how much has been spent on technical controls.

Awareness-raising activities should include:

  • recognizing phishing and social engineering attacks, including impersonation by cloned voices
  • proper handling of sensitive data
  • reporting threats and suspicious messages, and knowing whom to report them to
  • safe password practices and multi-factor authentication
  • procedures to follow when an incident is suspected
  • verifying any unusual or urgent request through a known, independent channel before acting on it

A deepfake at Ferrari – a story that shows why training matters

The importance of cybersecurity awareness is well illustrated by the failed deepfake attack on Ferrari. One of the company's executives first received WhatsApp messages from an account impersonating his boss, Ferrari CEO Benedetto Vigna. He then received a call in which he heard "Vigna's" voice.

It later turned out that the voice had been artificially generated and convincingly imitated the CEO's characteristic accent. The attackers reproduced everything: the soft, natural tone, the subtle smile in the voice, all designed to lower the executive's guard.

Fortunately, the executive stayed vigilant. Some details did not add up, and he decided to verify the caller: he asked about a book his boss had recently recommended. The scammers hung up, and the attack failed.

A good investment – training as protection against attacks

This story shows not only that a good book and casual workplace conversations can save an organization, but above all how valuable proper training can be. It also shows what a verification procedure looks like in practice: a request that arrives over an unexpected channel (a new number, a messaging app, a call instead of the usual e-mail) is confirmed through a channel already on file, for example by calling the person back on a known number, or by asking something an impostor cannot learn from public sources. A cloned voice proves nothing; a shared detail that only the real person knows does.

No NIS2-compliant implementation is complete without ensuring that staff actually understand and can apply the policies and procedures. Technology alone is not enough — we need to build a cybersecurity culture in which every employee understands their role in protecting the organization.

Training is not a cost — it’s an investment in your company’s security, reputation, and above all, in the protection of the data entrusted to your organization.

KWKR Konieczny Wierzbicki i Partnerzy S.K.A., Kącik 4, 30-549 Kraków