Friday, 11:47 PM. An IT administrator at a mid-sized manufacturing company near Wrocław receives a phone call: servers encrypted, production systems down, screens displaying a demand for EUR 50,000 in Bitcoin. 72 employees unable to work. The company is losing PLN 180,000 per day. Backup? The last full backup — three weeks ago. Security policy? A document from 2019, never updated.

This story repeats itself in Polish companies more often than anyone would like to admit. CERT Polska recorded over 116,000 security incidents in 2025 — a 34% year-over-year increase. The median time from breach to detection? 197 days. Nearly seven months of an attacker’s invisible presence within a company’s systems.

IT security is no longer an optional add-on to the IT budget. It is a foundational element of business operations — just as critical as fire insurance or physical office security. And yet, according to EY research, 68% of mid-sized Polish companies do not have a dedicated cybersecurity budget.

Read also: Phishing in the AI Era 2026: How to Recognize and Defend Against Advanced Attacks — our pillar article on the most rapidly growing threat

What Is IT Security and Why Is It Critical in 2026?

IT security is a set of practices, technologies, and processes that protect information systems, networks, and data from unauthorized access, damage, or theft. In 2026, this definition encompasses far more than firewalls and antivirus software.

The three pillars of information security — the CIA triad — remain the foundation:

Confidentiality — only authorized individuals have access to data. This includes encryption, access control, and data classification. In the context of GDPR and NIS2, confidentiality is not optional: it is a legal requirement, with penalties of up to EUR 20 million or 4% of global annual turnover under GDPR and up to EUR 10 million or 2% of turnover under NIS2.

Integrity — data has not been modified in an unauthorized manner. Cryptographic hashes, digital signatures, tamper-evident audit trails. Integrity is critical in regulated sectors: finance, healthcare, critical infrastructure.

Availability — systems function when they are needed. Redundancy, disaster recovery, load balancing. Every hour of downtime means real losses — from PLN 10,000 in a small company to millions in a large corporation.

In 2026, new dimensions are added to the CIA triad:

  • Authenticity — certainty that a message comes from the declared sender (critical in the deepfake era)
  • Non-repudiation — the ability to prove who performed a given action in the system
  • Privacy — control over personal data in compliance with GDPR, NIS2, and sector-specific regulations
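As an added example (not code from the original article), the following Python snippet shows the mechanism behind the integrity and audit-trail points above: an append-only log in which every entry carries an HMAC over its own content and the previous entry's tag. Editing, reordering or deleting any earlier entry changes every later tag, so the verifier pinpoints the first bad entry. The key, the record fields and the `append_entry`/`verify_chain` names are assumptions of this example.

```python
import copy
import hashlib
import hmac
import json

# Assumption for this example: the verification key is held by the auditor
# and stored outside the system that writes the log (a separate log host
# or an HSM). A real deployment would rotate it and never hard-code it.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"
GENESIS_TAG = "0" * 64  # the tag that the first entry chains to


def _canonical(record: dict) -> bytes:
    """Serialize a record deterministically so it always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: dict, key: bytes) -> str:
    # Binding the previous tag into the MAC input is what turns a list into a chain.
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append_entry(chain: list, record: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append a record; its tag depends on every entry written before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    entry = {"seq": len(chain), "prev": prev_tag, "record": record,
             "tag": _tag(prev_tag, record, key)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = AUDIT_KEY) -> tuple:
    """Return (True, None) if intact, otherwise (False, index of the first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_tag:
            return False, i  # gap, reordering or deletion
        if not hmac.compare_digest(_tag(prev_tag, entry["record"], key), entry["tag"]):
            return False, i  # content changed after it was written
        prev_tag = entry["tag"]
    return True, None


def demo() -> dict:
    """Build a small constructed trail, then tamper with copies of it."""
    chain = []
    for rec in ({"user": "anna.nowak", "action": "login", "ip": "192.0.2.10"},
                {"user": "anna.nowak", "action": "export", "rows": 5000},
                {"user": "anna.nowak", "action": "logout"}):
        append_entry(chain, rec)

    edited = copy.deepcopy(chain)
    edited[1]["record"]["rows"] = 5   # quietly shrink an old export
    deleted = copy.deepcopy(chain)
    del deleted[1]                    # remove the export entry altogether
    return {"intact": verify_chain(chain),
            "edited": verify_chain(edited),
            "deleted": verify_chain(deleted),
            "head": chain[-1]["tag"]}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. Chopping entries off the end of the log is not detected by the chain alone; the defence is to publish the latest tag (the "head") periodically to a store the log writer cannot modify and compare against it. And because an HMAC uses a shared key, it proves integrity but not non-repudiation: anyone holding the key could have produced the tag. Where you must prove which party wrote an entry, replace the HMAC with a digital signature under a key only that writer holds.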

Why is 2026 a turning point? Three trends are converging simultaneously:

  1. AI in the hands of attackers — generative AI lowers the barrier to entry. Phishing emails indistinguishable from real ones, automated vulnerability scanning, polymorphic malware. The cost to an attacker of mounting a convincing campaign has dropped sharply.

  2. Regulatory revolution — NIS2 extends cybersecurity obligations to thousands of Polish companies that were previously unregulated. DORA for the financial sector. The National Cybersecurity System (KSC) with mandatory reporting.

  3. Growing attack surface — hybrid work, IoT, edge computing, multi-cloud. Every new endpoint is a potential vector. The average company now has 3x more devices connected to the network than in 2020.

Key Threats to Polish Companies in 2026

Ransomware — Digital Extortion on an Industrial Scale

Ransomware has evolved from simple encryption to a double and triple extortion model. Attackers don’t just encrypt data — they steal it first, then threaten to publish it. Some groups additionally attack the victim’s clients and partners.

Statistics for the Polish market:

  • 37% of Polish companies experienced a ransomware attack attempt in 2025
  • Average ransom: PLN 340,000 (but the real costs are 5–10x more — downtime, recovery, reputation)
  • 60% of companies that pay the ransom are attacked again within 12 months
  • The SME sector (50–250 employees) is targeted in 43% of attacks — large enough to pay, too small for a dedicated SOC

AI-Enhanced Phishing

Phishing accounts for 91% of successful cyberattacks as the initial vector. In 2026, the traditional advice “check for spelling errors” is useless — AI writes flawlessly in any language, personalizing messages based on LinkedIn and social media data.

New vectors: deepfake voice (cloning the CEO’s voice from corporate recordings), real-time face swap in video calls, automatically generated login pages pixel-perfect from the original. You can find more about these threats in our dedicated article on AI phishing.

Supply Chain Attacks

SolarWinds, Kaseya, MOVEit — each successive supply chain attack demonstrates the scale of the problem. Attackers compromise a single link — a software vendor, an open-source library, an update service — and gain access to thousands of organizations.

For Polish companies, the problem is particularly acute:

  • Dependence on global software vendors
  • Limited control over external component code
  • Lack of security verification for subcontractors and consultants
  • NIS2 explicitly requires supply chain risk management

Identity Theft and Credential Stuffing

Billions of compromised login credentials circulate on the dark web. Automated tools test them against hundreds of services simultaneously. 65% of people use the same password across multiple sites.

In a corporate context: an employee registers on a forum with their work email and a reused password, the forum is breached, the credentials land in a leaked database, and attackers test them against the company's VPN, Microsoft 365, Jira, and Confluence.
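The pattern above is detectable in authentication logs, because credential stuffing looks different from a single forgotten password: one source address fails against many different accounts in a short window, sometimes followed by a success. The detector below is an added example (not from the original article) run over a constructed log sample; the log format, field names, the 10-minute window and the five-account threshold are assumptions of the example, and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events in a simple key=value format.
# Users and addresses are invented; one malformed line is included on purpose.
SAMPLE_LOG = """\
2026-03-06T22:14:01Z auth=ok user=anna.nowak ip=192.0.2.10 svc=m365
2026-03-06T22:14:05Z auth=fail user=jan.kowalski ip=198.51.100.23 svc=vpn
2026-03-06T22:14:09Z auth=fail user=jan.kowalski ip=198.51.100.23 svc=vpn
2026-03-06T22:14:15Z auth=fail user=jan.kowalski ip=198.51.100.23 svc=vpn
2026-03-06T22:14:22Z auth=ok user=jan.kowalski ip=198.51.100.23 svc=vpn
2026-03-06T22:15:00Z auth=fail user=p.zielinski ip=203.0.113.7 svc=vpn
2026-03-06T22:15:01Z auth=fail user=k.lewandowska ip=203.0.113.7 svc=vpn
2026-03-06T22:15:02Z auth=fail user=t.wojcik ip=203.0.113.7 svc=jira
2026-03-06T22:15:03Z auth=fail user=e.kaminska ip=203.0.113.7 svc=jira
2026-03-06T22:15:04Z auth=fail user=r.szymanski ip=203.0.113.7 svc=m365
2026-03-06T22:15:05Z auth=fail user=m.wisniewski ip=203.0.113.7 svc=m365
2026-03-06T22:15:06Z auth=ok user=m.wisniewski ip=203.0.113.7 svc=confluence
this line is not an auth event and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+) svc=(?P<svc>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail logins for many *different* accounts inside `window`.

    One account failing repeatedly from one IP is brute force or a forgotten
    password; many accounts each tried once or twice from the same IP is the
    signature of a leaked credential list being replayed.
    """
    fails, oks = defaultdict(list), defaultdict(list)
    for e in events:
        (fails if e["result"] == "fail" else oks)[e["ip"]].append(e)

    flagged = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best_users, best_start, start = set(), None, 0
        for end in range(len(evs)):  # sliding window over this IP's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, evs[start]["ts"]
        if len(best_users) >= min_users:
            # A success from the same IP after the spray began means one of the
            # replayed passwords still works: that account needs an immediate reset.
            hits = {o["user"] for o in oks.get(ip, ()) if o["ts"] >= best_start}
            flagged[ip] = {"distinct_users": len(best_users),
                           "failures": len(evs),
                           "window_start": best_start,
                           "successes": sorted(hits)}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

On the sample, 198.51.100.23 is not flagged (one user, a few typos, then success), while 203.0.113.7 is flagged with six distinct accounts and one success, which is the account to reset first. In a real SIEM the same logic runs across all services at once, since attackers spread attempts over VPN, mail and ticketing portals to stay under per-service lockout thresholds; the distinct-user count per source is what survives that spreading.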

Zero-Day Exploits and Software Vulnerabilities

Log4Shell, Spring4Shell, MOVEit — zero-day vulnerabilities are being discovered and exploited faster than ever. The average time from CVE publication to the first exploit has dropped from 45 days (2020) to 15 days (2025). For critical vulnerabilities — hours.

How to Build an IT Security Strategy?

An effective IT security strategy doesn’t start with purchasing tools — it starts with understanding risk. Comparing popular frameworks helps choose the right approach.

Framework        | Best for                     | Complexity  | Certification    | Implementation Cost (SME)
NIST CSF         | Flexible start               | Medium      | No               | PLN 100–300k
ISO 27001        | Regulated industries         | High        | Yes (accredited) | PLN 200–500k
CIS Controls     | Quick wins                   | Low         | No (benchmark)   | PLN 50–150k
COBIT            | IT governance                | Very high   | Yes              | PLN 300–800k
NIS2 (mandatory) | Essential/important entities | Medium–High | Regulatory audit | PLN 150–400k

Phased Approach — Recommendation for Polish SMEs

Phase 1 (months 1–3): Foundations

  • Asset inventory (what are we protecting?)
  • Risk analysis (what are we protecting against?)
  • Implementing CIS Controls — Implementation Group 1 (56 baseline safeguards in version 8)
  • MFA on all critical systems
  • 3-2-1 backup with recovery testing

Phase 2 (months 4–6): Detection and Response

  • EDR on all endpoints
  • Log centralization (SIEM or managed SIEM)
  • Incident response plan + tabletop exercises
  • Network segmentation
  • Employee training (security awareness)

Phase 3 (months 7–12): Maturity

  • Vulnerability management (regular scanning + patching)
  • Penetration testing (annual + after changes)
  • ISO 27001 — if required by clients or regulations
  • SOC — internal or outsourced (MSSP)
  • Business continuity and disaster recovery testing

Phase 4 (continuous): Optimization

  • Threat intelligence
  • Red team / blue team exercises
  • Security operations automation (SOAR)
  • Zero Trust Architecture — gradual implementation

Standards and Regulations — NIS2, GDPR, ISO 27001

NIS2 — New Obligations Since 2024

The NIS2 Directive (Network and Information Security 2) fundamentally changes the cybersecurity regulatory landscape in Poland. Compared to NIS1, it broadens the scope of regulated entities, increases penalties, and introduces personal liability for management boards.

Who does NIS2 apply to?

Essential entities:

  • Energy, transport, banking, financial infrastructure
  • Healthcare, drinking water, wastewater
  • Digital infrastructure, ICT service management
  • Public administration, space

Important entities:

  • Postal and courier services
  • Waste management, chemical production
  • Food production, medical device manufacturing
  • Digital service providers (marketplaces, search engines, social media)
  • IT service and outsourcing providers — critical for companies using body leasing

Penalties for non-compliance:

  • Essential entities: up to EUR 10 million or 2% of annual turnover
  • Important entities: up to EUR 7 million or 1.4% of annual turnover
  • Personal liability of management — ban on holding managerial positions

Obligations:

  • Cybersecurity risk management
  • Incident reporting: early warning within 24 hours, incident notification within 72 hours, final report within one month
  • Supply chain security
  • Business continuity and disaster recovery
  • Cybersecurity training for management boards

GDPR — The Foundation of Personal Data Protection

GDPR has been in effect since 2018, but many companies still do not meet all requirements. Key cybersecurity areas arising from GDPR:

  • Encryption of personal data (at rest and in transit)
  • Pseudonymization where possible
  • Privacy by design and by default
  • Data Protection Impact Assessment (DPIA) for high-risk operations
  • Obligation to report breaches to the supervisory authority within 72 hours

ISO 27001:2022 — The Gold Standard

ISO 27001 is an international standard for Information Security Management Systems (ISMS). The 2022 version introduces 11 new controls, including:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

ISO 27001 certification is increasingly required in tenders and by corporate clients — particularly in the financial and public sectors.

IT Security Audit and Monitoring

Anatomy of a Security Audit

An IT security audit is a systematic assessment of an organization’s security posture. It is not a one-time activity — it is a cyclical process that should be conducted at least once a year.

Stage 1: Asset Inventory

  • Infrastructure mapping (servers, networks, applications, data)
  • Data classification (public → internal → confidential → restricted)
  • Identification of asset owners
  • Mapping data flows between systems

Stage 2: Risk Analysis

  • Threat identification (threat modeling)
  • Vulnerability assessment
  • Risk calculation: probability × impact
  • Prioritization: which risks to address first

Stage 3: Technical Testing

  • Vulnerability scanning (Nessus, Qualys, OpenVAS)
  • Penetration testing (external + internal)
  • Configuration review (hardening check)
  • Code review (for critical applications)

Stage 4: Procedural Review

  • Security policies — do they exist, are they current
  • Incident response procedures — are they tested
  • Access management — who has access to what
  • Training — are employees aware of threats

Stage 5: Report and Remediation Plan

  • Identified vulnerabilities with criticality ratings (CVSS)
  • Remediation recommendations with priorities
  • Implementation timeline for fixes
  • Metrics for tracking progress

Continuous Monitoring — Don’t Wait for the Next Audit

An audit is a snapshot — an image of the security posture at a single point in time. Between audits, continuous monitoring is needed:

SIEM (Security Information and Event Management) — centralization and correlation of logs from across the entire infrastructure. Anomaly detection, alerting, compliance reporting. Popular solutions: Splunk, Microsoft Sentinel, Elastic SIEM.

EDR (Endpoint Detection and Response) — monitoring and responding to threats on endpoints. Behavioral analysis, threat hunting, automated response. CrowdStrike, Microsoft Defender for Endpoint, SentinelOne.

NDR (Network Detection and Response) — network traffic analysis. Detecting lateral movement, C2 communication, data exfiltration. Darktrace, Vectra AI, ExtraHop.

Vulnerability Management — continuous scanning and prioritization of vulnerabilities. Scanning alone is not enough — you need a patching process with SLAs measured from the moment a finding is confirmed: critical within 24 hours, high within 7 days, medium within 30 days.
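As an added example (not from the original article), the snippet below turns those SLAs into a triage list: each finding gets a severity from its CVSS v3.1 score, a due date from the SLA table, and an overdue flag, sorted so the nearest deadline is first. The 90-day SLA for low severity, the escalation of known-exploited findings to critical, and the placeholder finding identifiers are assumptions of this example, not values from the text.

```python
from datetime import datetime, timedelta

# Patching SLAs from the text; the "low" tier is an assumption of this example,
# since the text gives no SLA for it.
PATCH_SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}


def severity_from_cvss(score: float) -> str:
    """CVSS v3.1 qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage(findings, now):
    """Attach severity, due date and overdue status to each finding.

    Findings known to be exploited in the wild are escalated to critical
    regardless of score (an assumption of this example; it mirrors the common
    practice of prioritising a known-exploited-vulnerabilities list over raw CVSS).
    """
    rows = []
    for f in findings:
        severity = severity_from_cvss(f["cvss"])
        if f.get("exploited"):
            severity = "critical"
        if severity == "none":
            continue
        due = f["found"] + PATCH_SLA[severity]
        rows.append({
            "id": f["id"], "host": f["host"], "severity": severity,
            "due": due, "overdue": now > due,
            "hours_left": round((due - now).total_seconds() / 3600, 1),
        })
    rows.sort(key=lambda r: r["due"])  # nearest (or most overdue) deadline first
    return rows


# Constructed findings with placeholder identifiers, not real CVEs.
NOW = datetime(2026, 3, 9, 9, 0)
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "srv-db-01", "cvss": 9.8, "found": datetime(2026, 3, 8, 6, 0)},
    {"id": "F-2", "host": "web-02", "cvss": 7.5, "found": datetime(2026, 3, 5, 9, 0)},
    {"id": "F-3", "host": "ws-017", "cvss": 5.3, "found": datetime(2026, 1, 20, 9, 0)},
    {"id": "F-4", "host": "vpn-gw", "cvss": 6.1, "found": datetime(2026, 3, 8, 12, 0), "exploited": True},
]


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, NOW):
        print(f'{r["id"]} {r["host"]:10} {r["severity"]:8} '
              f'due {r["due"]:%Y-%m-%d %H:%M} overdue={r["overdue"]} hours_left={r["hours_left"]}')
```

The point worth noticing is F-4: a medium CVSS score that is being exploited in the wild lands ahead of a high-scoring but unexploited finding. Feeding this kind of list into the ticketing system, with the overdue flag driving escalation, is what turns "we scan" into a vulnerability management process.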

IT Security and Outsourcing — Data Protection in External Collaboration

IT outsourcing — body leasing, managed services, dedicated projects — is standard in the Polish market. But every external specialist is a potential attack vector. How do you use outsourcing securely?

Vendor Verification (Due Diligence)

Before signing a contract, verify:

  • Certifications — ISO 27001, SOC 2 Type II, Cyber Essentials
  • Security policies — does the vendor have documented procedures
  • Incident response — does the vendor have an incident response plan
  • Background checks — does the vendor verify its employees
  • Insurance — cyber insurance with an appropriate limit

Managing External Specialists’ Access

Least privilege principle — an external developer receives access only to the resources necessary to complete the task. Not to the entire repository, not to production, not to the customer database.

Just-in-time access — access granted for the duration of the task, automatically expiring. Tools: Microsoft Entra Privileged Identity Management (formerly Azure AD PIM), HashiCorp Vault, CyberArk.

Activity monitoring — what is the external specialist doing in our systems? Session recording (Teleport, BeyondTrust), audit logs, alerting on unusual actions.

Environment segregation — development ≠ staging ≠ production. External specialists work on dev/staging with test data (anonymized). Access to production — only in justified cases, with additional authorization.

Offboarding — Just as Important as Onboarding

When a project ends or a specialist leaves:

  • Immediate revocation of all access (checklist!)
  • Verification that no active sessions, API tokens, or SSH keys remain
  • Review of activity logs from the last 30 days
  • Confirmation of deletion of company data from personal devices

ARDURA Consulting applies these practices in each of its more than 211 completed projects. Every specialist undergoes security onboarding, signs an NDA, and access is managed centrally with a full audit trail.

IT Security Budgeting for CTOs and CISOs

How much should a company spend on cybersecurity? There is no single answer, but benchmarks exist.

Budget Benchmarks

Company size (employees) | % of IT budget on security | Annual amount (estimate)
Small (up to 50)         | 10–15%                     | PLN 50–150k
Medium (50–250)          | 12–18%                     | PLN 150–500k
Large (250–1,000)        | 15–20%                     | PLN 500k–2M
Enterprise (1,000+)      | 10–15%                     | PLN 2–10M+

Budget Structure — Where to Spend

Category                  | % of security budget | Examples
Tools and technologies    | 35–40%               | EDR, SIEM, firewall, MFA, backup
People (team/outsourcing) | 30–35%               | SOC, incident response, security engineering
Training and awareness    | 10–15%               | E-learning platforms, phishing simulations, certifications
Audits and compliance     | 10–15%               | Pentests, ISO audits, regulatory consulting
Incident reserve          | 5–10%                | Forensics, crisis management, communication

Security ROI — How to Justify the Budget to the Board

The board doesn’t think in terms of “vulnerability score” — it thinks in money. Arguments:

Cost of incident vs. cost of prevention. The average cost of a ransomware incident in a mid-sized Polish company: PLN 1.2–3.5M (downtime + recovery + penalties + reputation). Annual prevention budget: PLN 200–500k. The ROI is obvious.

Regulatory requirements. NIS2 — penalties up to EUR 10M or 2% of turnover. GDPR — penalties up to EUR 20M or 4% of turnover. Non-compliance is not merely a risk: once an incident occurs, the supervisory investigation will examine exactly the controls that were missing, and the penalty comes on top of the incident's own cost.

Client requirements. Corporate clients increasingly require ISO 27001, SOC 2, or at least a security questionnaire. No certificate = lost contract.

Cyber insurance. Insurers require baseline security controls. Without MFA, tested backups, and endpoint protection, a policy may be refused or priced up, and a claim may be reduced or denied.

How ARDURA Consulting Supports Security in IT Projects

IT security is not just about tools — it’s about people with the right competencies. ARDURA Consulting, with over 500 seniors in its network and 211+ completed projects, understands that every specialist working at a client site must be part of the security ecosystem.

Security by default in every project. Regardless of whether a client orders a Java developer, an automation tester, or a cloud architect — every ARDURA Consulting specialist:

  • Undergoes security verification (background check)
  • Signs an NDA with cybersecurity clauses
  • Receives access based on the least privilege principle
  • Works in accordance with the client’s security policies

Security specialists on demand. Need a pentester for 2 weeks? A security architect for 3 months? CISO as a Service? ARDURA Consulting has access to cybersecurity specialists ready to work within 2 weeks — with 99% project retention and 40% cost savings compared to full-time employment.

Compliance support. Implementing NIS2 or ISO 27001? Our consultants help with gap analysis, building security policies, and preparing for certification audits.

IT security in 2026 is not a project with an end date — it is a continuous process. Threats evolve, regulations tighten, and the attack surface grows. But the fundamentals remain the same: understand the risk, build a strategy, implement gradually, monitor continuously, respond quickly.

The best time to build an IT security strategy was yesterday. The second best — today.

Need support in building your IT security? Contact us — we’ll help you find cybersecurity specialists tailored to your needs and budget.