Cybersecurity is no longer an optional aspect of doing business, but a necessary precondition for safeguarding data, ensuring business continuity, and maintaining legal certainty. Modern companies, institutions, and organizations heavily rely on digital systems—not only for data storage, but also for carrying out everyday operations. However, this very digital dependence opens the door to various forms of abuse and cyberattacks.
In practice, incidents such as unauthorized access to systems, customer data leaks, service outages, or phishing scams are no longer uncommon. The domestic landscape has not been spared from major cyberattacks either. According to the 2024 report of the National CERT, more than 100 million security incidents were recorded within the monitoring of ICT systems of special importance.
Among the most exposed sectors are digital infrastructure and information society services, with a total of 8,545,368 and 8,533,170 incidents reported, respectively.
The most frequent types of incidents included:
- Port scanning – automated attempts by attackers to identify open entry points in systems,
- Exploitation of vulnerabilities – taking advantage of security flaws in software and systems,
- Credential theft attempts – including brute-force attacks and fake login pages.
This clearly demonstrates the growing level of cyber risk in Serbia. These attacks range from extortion attempts and the spread of malware, to situations where employees, through negligence, grant access to confidential information. Such incidents not only bring reputational and operational consequences but also carry significant legal risks.
Inadequate protection of information systems can result in liability toward customers, partners, employees, and even regulatory authorities. For example, if a personal data breach occurs due to insufficient security measures, the data controller may be sanctioned under the Law on Personal Data Protection. A similar framework applies in the field of information technology, where obligations are defined by the Law on Information Security. Moreover, recent legal developments increasingly introduce mandatory security standards, and non-compliance is treated not only as a technical failure but also as a misdemeanor—or even as grounds for compensation claims.
In addition, a significant number of attacks begin by exploiting the weaknesses of the human factor. Social engineering—manipulating employees into unintentionally revealing confidential information or granting access to systems—remains the most common attack method. No matter how strong the technical safeguards may be, they can be compromised with a single click on a malicious link, which clearly highlights the importance of employee training and a strong security culture within the organization.
Finally, current trends show that the costs of cyber incidents are steadily rising and that, in addition to technical solutions, organizational and legal safeguards are also essential. For this reason, it is crucial for every organization, regardless of its size, to understand the importance of preventive action and to implement measures that will protect it from the risks of the digital age.
What protective measures are essential for effective cybersecurity?
For information systems to be truly secure, it is necessary to apply a combination of different measures—not only technical, but also organizational, personnel, and legal. This is not a single solution, but a comprehensive approach that covers every level: from infrastructure and software tools, through internal rules and employee responsibilities, all the way to contractual, regulatory, and insurance mechanisms.
Domestic regulations in the fields of data protection and information security clearly require organizations to ensure the security of their systems. This means implementing technical, organizational, and personnel measures that are tailored to the type of data being processed and the risks the organization faces.
This approach is also confirmed by European guidelines, such as the technical implementation guidance issued by ENISA, which identifies key areas of security: from access control and employee training to incident management and business continuity planning. These guidelines were developed to support the practical implementation of the NIS2 Directive, and they provide organizations delivering digital services or operating critical activities with a clear framework for managing cyber risks.
In addition to technical and organizational aspects, legal mechanisms of protection play an equally important role. Even when a security incident occurs, well-structured confidentiality agreements, internal data protection policies, or cyber insurance can mitigate the consequences, enable a prompt response, and reduce the company’s liability. This is why the legal aspect of protection should not be seen as an afterthought, but as an integral part of a comprehensive security strategy.
In the following sections, we present the most important technical, organizational, personnel, and legal measures of protection, along with practical examples, recommendations, and best practices. Particular emphasis is placed on legal mechanisms, which can provide organizations not only with better internal control but also with legal certainty in the event of incidents—often a decisive factor in preserving both business continuity and reputation.
Technical protection measures – the first line of defense against cyber threats
Technical measures represent the first and most visible layer of protection within cybersecurity. However, their effectiveness depends not only on the quality of the solutions an organization uses, but also on how carefully those solutions are implemented, regularly updated, and tailored to specific risks. In other words, it is not enough to simply have “antivirus software” if it is not properly configured, updated, and monitored.
Technical measures cover a wide range of tools and practices. They start with the basics, such as antivirus programs and firewalls, and extend to more advanced solutions like data encryption, multi-factor authentication, and threat detection and response systems. Their purpose is to prevent intrusions, protect confidential data, preserve system integrity, and ensure rapid recovery in the event of an incident.
Commonly used technical measures:
- Encryption – protects data even if it falls into the hands of unauthorized parties. Without the proper key, the information remains unreadable.
- Multi-factor authentication (MFA) – adds an extra layer of account protection, making unauthorized access more difficult even if passwords are compromised.
- Firewalls and antivirus software – the foundation of network and endpoint protection.
- EDR/XDR systems – advanced tools for real-time detection of and response to intrusions.
- VPN and domain protection – secure access to networks and safeguarding the organization’s online identity.
- Regular data backups – essential for fast recovery and business continuity after an incident.
- Penetration testing and vulnerability scanning – proactive methods for identifying weaknesses in systems.
The absence of adequate technical measures can have serious consequences for a company, as illustrated by the following case: Ransomware attack on the gaming industry – the Capcom incident.
In November 2020, Japanese company Capcom, a global leader in video game development (known for titles such as Resident Evil and Street Fighter), fell victim to a sophisticated ransomware attack. The attackers exploited an outdated VPN server at one of the company’s branches to infiltrate the network, stealing around 1 terabyte of data and encrypting critical IT systems.
The ransom demand amounted to 11 million dollars, which Capcom, in cooperation with the authorities, refused to pay. As a result, the sensitive data of more than 15,000 individuals (employees, partners, and users) was published online. The incident forced the temporary shutdown of email servers and other systems, leading to significant reputational damage. Only after the attack did the company implement modern security measures such as SOC monitoring and EDR solutions, thereby increasing its resilience.
This case demonstrates that even technology giants are not immune to cyber threats and that prevention, up-to-date infrastructure, and legal resilience form the foundation of an effective incident response.
Organizational and personnel measures – people and procedures as the cornerstone of system stability
While technical measures are often seen as the core of cybersecurity, experience shows that it is the human factor and internal organizational weaknesses that most often open the door to attacks. No matter how sophisticated the technology, a single poor judgment, negligence in handling confidential data, or failure to react to a suspicious event can compromise the entire system.
This is why information security must not be viewed solely as the responsibility of the IT department, but rather as an integral part of organizational culture and business strategy.
Key organizational and personnel measures
- Information security policies and procedures – formalized documents that clearly define system access rules, data classification and protection, as well as employee conduct in the event of an incident.
- Employee training and awareness-raising – regular education of all staff about risks (e.g., phishing), how to recognize suspicious behavior, and rules for the secure use of company resources. Simulated attacks (e.g., test phishing emails) are particularly valuable.
- Personnel policy – background checks during recruitment (especially for positions with access to sensitive systems), inclusion of confidentiality clauses in employment contracts, as well as access control and rights management based on the “least privilege” principle.
- Incident response plan – clearly defined procedures for reporting, handling, and documenting security incidents, along with defined responsibilities (e.g., a designated Incident Response Team).
- Access control and audit policy – regular review of user privileges, logging of activities, and maintaining records of access to sensitive data and systems.
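As an added illustration of the "least privilege" and access-review points above (not code from the original article or from Zunic Law), the following Python script shows what a periodic entitlement review can check mechanically: entitlements that exceed what the account's role permits, accounts that have not logged in for longer than the review window, accounts of people who have left, and access to sensitive systems without MFA. The role matrix, the sample accounts, the list of sensitive entitlements and the 90-day threshold are constructed sample data, not any organization's real policy.

```python
"""Periodic access review under the least-privilege principle.

Constructed example: the role matrix, accounts and thresholds below are
sample data for illustration, not a real organization's configuration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed baseline: which entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "developer": {"git:read", "git:write", "ci:run"},
    "support": {"crm:read", "ticket:write"},
    "finance": {"erp:read", "erp:write"},
    "admin": {"git:read", "git:write", "ci:run", "prod:ssh", "erp:read"},
}

# Constructed list of entitlements that count as access to sensitive data/systems.
SENSITIVE = {"prod:ssh", "erp:write", "crm:read"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    last_login: date
    mfa_enabled: bool
    active_employee: bool = True


def review_account(acct, today, stale_after_days=90):
    """Return a list of (finding_code, detail) tuples for one account."""
    findings = []
    allowed = ROLE_ENTITLEMENTS.get(acct.role, set())

    # 1. Entitlements beyond the role's baseline violate least privilege.
    excess = acct.entitlements - allowed
    if excess:
        findings.append(("EXCESS_PRIVILEGE", sorted(excess)))

    # 2. Accounts of people who left must be disabled; active accounts that
    #    are unused for the whole review window should be re-justified.
    if not acct.active_employee:
        findings.append(("ORPHANED_ACCOUNT", "employee no longer active"))
    elif today - acct.last_login > timedelta(days=stale_after_days):
        findings.append(("STALE_ACCESS",
                         f"no login for {(today - acct.last_login).days} days"))

    # 3. Sensitive access should always be protected by MFA.
    if (acct.entitlements & SENSITIVE) and not acct.mfa_enabled:
        findings.append(("SENSITIVE_WITHOUT_MFA",
                         sorted(acct.entitlements & SENSITIVE)))
    return findings


def run_access_review(accounts, today, stale_after_days=90):
    """Review every account; the returned dict doubles as the review record."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today, stale_after_days)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample inventory for a review dated 15 January 2025.
REVIEW_DATE = date(2025, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", {"git:read", "git:write", "ci:run"},
            REVIEW_DATE - timedelta(days=3), mfa_enabled=True),
    # Support agent who was granted production SSH "temporarily" and has no MFA.
    Account("bob", "support", {"crm:read", "ticket:write", "prod:ssh"},
            REVIEW_DATE - timedelta(days=10), mfa_enabled=False),
    # Finance user whose account has been unused for four months.
    Account("carol", "finance", {"erp:read", "erp:write"},
            REVIEW_DATE - timedelta(days=120), mfa_enabled=True),
    # Former employee whose account was never disabled.
    Account("dave", "developer", {"git:read"},
            REVIEW_DATE - timedelta(days=200), mfa_enabled=True,
            active_employee=False),
]

if __name__ == "__main__":
    for user, findings in run_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        for code, detail in findings:
            print(f"{user}: {code} {detail}")
```

Run on the sample data, the review flags bob for excess privilege and unprotected sensitive access, carol for stale access and dave as an orphaned account, while alice passes. Keeping the findings as structured records (rather than only printing them) is deliberate: the review output is exactly the kind of access record an audit policy or an ISO 27001 ISMS expects the organization to retain.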
Legal perspective: ensuring the sustainability of security measures
Organizational and personnel measures in the field of cybersecurity require not only operational, but also legal attention. Establishing security policies, setting out employee obligations, and regulating relationships with external partners must be based on clear, precise, and enforceable documentation.
The necessity of proper organizational and personnel measures is best illustrated by a real-life case in which a “single wrong click” paralyzed a hospital system in the United States.
In May 2024, one careless click by an employee in the American healthcare system, Ascension—a network of around 140 hospitals—was enough to trigger a ransomware attack with serious consequences. A malicious email attachment gave attackers access to the internal network, leading to the compromise of critical servers and systems.
Electronic patient records, diagnostic platforms, and other digital services became unavailable, forcing medical staff to switch to manual record-keeping, which further endangered the treatment process and patient safety.
This case clearly shows that technology alone is not enough—continuous employee training, the implementation of accountability policies, and incident response planning are all essential to ensure threats are detected and contained before they cause serious disruption.
The expert team at Zunic Law assists clients in:
- drafting or revising internal information security policies,
- properly formulating data protection and liability clauses in employment contracts or agreements with external partners,
- aligning internal documentation with the Law on Personal Data Protection and IT regulations.
In this way, companies obtain a legal framework that supports their technical and organizational measures, thereby strengthening their overall resilience to risks.
Legal protection mechanisms: contracts, trade secrets, and insurance
Although often overlooked in the context of cybersecurity, legal mechanisms represent a crucial layer of protection—not only for prevention, but also for effectively managing the consequences of incidents. Contracts, internal acts, and insurance form the foundation for clearly defining responsibilities, obligations, and legal consequences in the event of an information security breach.
a) Contractual obligations – protection through business relationships
Every organization should ensure that its contracts with employees, external partners, and IT vendors include clauses covering:
- obligations related to the protection of confidential data, including the prohibition of unauthorized access and use,
- incident notification clauses – clear rules on reporting security incidents,
- precisely defined liability for damages arising from information system breaches.
For example, contracts with IT providers and cloud services should contain clear SLA (Service Level Agreement) clauses regulating response times to incidents, the scope of support, and the security standards the provider must meet.
Imagine Company A, a domestic IT provider, engaged by international Company B to deliver cloud hosting for an e-commerce platform. Over a weekend, the platform was hit by a major DDoS attack, leaving the client’s system unavailable for several hours, which resulted in financial losses and threats of contract termination.
In such a case, the key safeguard would be an SLA clearly defining the maximum response time, the obligation to promptly notify the client, and the exact scope of support the provider must deliver. If these obligations are fulfilled, the provider can demonstrate compliance with the contract and protect itself from unfounded compensation claims.
By contrast, without an SLA—or with one that is vague or incomplete—the provider would be in a far weaker position. In that situation, the burden of liability could fall entirely on them, with no contractual limitation or protection, significantly increasing not only financial risks but also reputational damage.
Case study: Petya/NotPetya – when an update becomes a weapon
In June 2017, a global cyberattack broke out with the ransomware virus Petya. It was later determined, however, that this was in fact a sophisticated, destructive malware—NotPetya—whose real aim was not ransom, but the deletion of data and the disabling of systems.
The malware spread through a compromised update of the Ukrainian accounting software M.E.Doc, exploiting a weakness in the supply chain. Many organizations, believing it was a legitimate update, installed the software without suspicion—allowing the malicious code to spread quickly and widely.
The attack had global repercussions, striking multinational companies such as Maersk, Merck, and FedEx, and causing damages measured in the billions of dollars. Although users initially believed it was a typical ransomware attack, subsequent technical analyses showed that there was no way to recover the encrypted data. This reclassified the incident as an act of digital sabotage rather than extortion.
This case demonstrates the importance not only of strong technical safeguards but also of contractually regulated relationships with software vendors, with clearly defined security standards and obligations—since even legitimate supply chains can become the entry point for a serious incident.
b) Confidentiality and trade secrets – controlling access through contractual obligations
In today’s digital environment, where access to data is often granted to different categories of individuals—from employees and external collaborators to subcontractors, partners, and IT service providers—legally regulated confidentiality is one of the cornerstones of cybersecurity. Technical safeguards may be robust, but if information “leaks” through poorly defined contractual relationships, the consequences for a company can be severe—reputational, legal, and financial.
This is why implementing non-disclosure agreements (NDAs) is an indispensable step in data protection, especially in sectors that rely on digital services, software, IT development, and the processing of sensitive information.
Practice shows that it is crucial to distinguish between several categories of contractual relationships that require tailored NDA arrangements:
- IT sector and digital solution development – In the context of digital services and software development, it is particularly important to regulate access to source code, system architecture, databases, and internal technical specifications. In such cases, NDA clauses are often part of broader IT contracts, but they can also be standalone documents that clearly set the boundaries of use, the obligation to maintain confidentiality, and the prohibition of disclosing technical information.
- External collaborators and contractors – Freelancers, consultants, and specialized vendors often have limited-term but deep access to an organization’s systems. Here, it is especially important to define by contract what constitutes confidential information, how it must be protected during and after the engagement, and the consequences of breaching confidentiality. Such agreements provide a clear framework in situations where there is no standard employment relationship, but a high level of trust is required.
- Employees with access to sensitive information – Employment contracts should include specific confidentiality clauses, particularly when employees have access to customer data, internal analyses, development plans, or system-level privileges. NDAs with employees allow the company, in the event of an incident or data leak, to clearly identify the breach of obligation and seek accountability—whether the breach was intentional or due to negligence.
In all these scenarios, carefully structured confidentiality agreements not only help prevent risks but also serve as critical evidence in the event of a dispute and as a strong internal control mechanism.
c) Cyber insurance – a mechanism for mitigating the consequences of attacks
No matter how carefully technical, organizational, and legal measures are designed, no system is completely immune to cyber incidents. For this reason, more and more organizations are turning to an additional layer of protection—cyber insurance, which helps reduce the harmful consequences of an attack, whether financial, reputational, or legal.
Cyber insurance policies may cover:
- the costs of investigation and recovery (including digital forensics),
- business interruption and revenue loss resulting from the attack,
- liability to third parties—including compensation for clients whose data was compromised,
- legal expenses and regulatory fines (e.g., in cases of personal data breaches),
- as well as ransom payments demanded in ransomware attacks.
However, coverage for ransom payments can also have negative side effects. If insurance includes ransom payments, attackers may be more likely to target such organizations, expecting that they will agree to pay more easily. This aspect, therefore, requires careful strategic consideration when negotiating cyber insurance policies and defining the scope of coverage.
That is why it is recommended that organizations include this form of protection as part of a broader cybersecurity strategy, with legal support during the process of reviewing and negotiating terms with the insurer. Well-drafted policy conditions, aligned with the organization’s legal obligations, can be critical at the moment an incident occurs.
ISO standards – aligning operational measures and legal obligations
ISO standards in the field of information security (most notably ISO 27001) provide an internationally recognized framework for establishing an information security management system (ISMS). Their role is to give organizations clear rules, procedures, and records so that security becomes part of everyday business operations, not just a collection of technical tools.
In practice, ISO standards cover:
- defining data protection policies and procedures (who has access rights, how information is stored and classified, how backup and recovery are organized),
- risk management and keeping records of the measures applied,
- clearly assigning roles and responsibilities to employees in the event of security incidents,
- ensuring continuous review and improvement of existing measures, along with employee training.
Why ISO standards matter for business
ISO frameworks significantly simplify the process of demonstrating that an organization has implemented “reasonable protection.” In business relations, this means that a company can more easily:
- respond to security questionnaires and audits from potential partners,
- prove compliance with regulatory requirements,
- meet contractual obligations toward clients and vendors (e.g., through SLAs – Service Level Agreements and DPAs – Data Processing Agreements).
In this way, ISO standards serve as a bridge between technical and organizational measures on the one hand, and legal and contractual obligations on the other. As a result, organizations enhance their level of cybersecurity and gain a verifiable framework that facilitates cooperation with clients, partners, and regulators.
Cybersecurity as a strategic priority
Cybersecurity is no longer a matter of choice—it is a necessity. In an era where digital systems form the backbone of business, the question is not if an attack will happen, but when and how an organization will respond. A combination of technical, organizational, and legal measures not only protects data and infrastructure but also demonstrates the maturity and accountability of a business toward its clients, partners, and regulators.
Security is not built on technology alone—it is established through rules, contracts, training, response plans, and strategic preparation. This is why engaging experts who understand both the IT and legal frameworks is essential, not only for prevention but also for effective incident management.
In today’s digital reality, where every weakness can become a target, implementing strong protective mechanisms in a timely manner is the only sustainable strategy.