PrivacySolved provides leading expertise in information security strategy, cybersecurity awareness, data protection, data breach planning and data breach response. October is European Cybersecurity Month #CyberSecMonth. It is also Cybersecurity Awareness Month #CybersecurityAwarenessMonth which is celebrated in North America and all around the world. Listed below is a collection of trusted information security resources, cybersecurity insights and tools to inform, engage and inspire the information security community, businesses and organisations. This information is also very useful for our clients, partners, colleagues and network contacts around the world. We aim to stay connected to drive excellence in information security, cybersecurity and data protection and to respond to emerging security threats and risks.
For help, advice, support, information strategy, cybersecurity consulting, policies, procedures and data breach response services, contact PrivacySolved:
Dublin +353 1 960 9370
London +44 207 175 9771
Email: contact@privacysolved.com
The information security and cybersecurity threat landscapes are always changing. Threat actors are becoming more sophisticated and threat surfaces are expanding. Exploitable gaps in new technologies are increasing and cybercrime business models are also growing. Added to this mix, are the fragile geopolitical situation in many parts of the world, a tightening of the global economy and simple opportunism. Here are three new and emerging cyber threats to know about, monitor and guard against:
Geopolitics
Geopolitics describes how politics, geography, demography and economics affect foreign policy and the relationships between countries. Recent wars and civil wars, the 2007/2008 global financial crisis, the Covid-19 Coronavirus pandemic, and the effects of climate change have reshaped the competition for global resources and created new political and economic alliances. Some countries are increasingly active in offensive cyberattacks and information security breaches to advance their political and economic goals. Russia, Belarus, North Korea, Iran and China have been identified as countries involved in sophisticated cybersecurity operations, many aimed at critical national infrastructure targets. Most countries have defensive cybersecurity capabilities. Hacktivism has also grown, some political, some environmental and some related to cybercrime and money laundering.
For many companies and organisations, the threat landscape has become complex and sophisticated. There is a need to grow threat intelligence capabilities, monitor key geopolitical events and understand that cyberattacks are not always targeted on their operations specifically, but often cause knock-on effects. Cyberattacks can affect businesses and organisations because they are part of a targeted supply chain, are based in a country, use certain IT services, supply critical infrastructure services or trade with certain foreign states.
Deep Fakes
A deep fake is media such as images, videos, or audio recordings that have been recreated or altered by manipulating a person’s appearance, actions or voice using artificial intelligence techniques such as deep learning. Some deep fakes have shown politicians, business leaders and celebrities saying and doing things they would not normally do. Deep fakes may be used to initiate state-related espionage, cybercrime, sophisticated social engineering or traditional crimes like blackmail and extortion. Companies and organisations should educate themselves, develop techniques to spot deep fakes and identify the most likely sources. They should also use technologies to limit their impact and report incidents to national cyber security bodies or CERTs, so that trends can be monitored and high-level responses and best practices can be developed.
Vishing (Voice Phishing)
Vishing uses fraudulent phone numbers, voice-altering software, text messages, and social engineering to trick users into divulging sensitive information. Vishing generally uses voice data to trick users. Smishing is a related form of phishing that uses SMS text messages to trick users. Smishing can be used alongside voice calls, depending on the attacker’s preferences and objectives. Businesses and organisations should control and monitor the use of voice data, especially among senior officials. Public disclosures of voice data should be kept to a minimum and two-factor authentication (2FA) techniques should be used to avoid impersonation, social engineering, fraud and identity theft.
Conclusion
Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), Chief Privacy Officers (CPOs), Chief Data Officers (CDOs) and Senior Leaders should ensure that they receive detailed and diverse sources of threat intelligence. They should aim to understand evolving analysis and attack-pattern information that they receive. Leaders should try to share information with trusted parties and partners to build resilience and reduce the risks and impacts of cyberattacks. Businesses and organisations should update their cybersecurity insurance policies to make sure that they are sufficiently covered for new and emerging cyberattacks. Above all, leaders should be continuously learning and display high levels of curiosity and analysis.
For help, advice, consulting and strategy support services, data protection reviews, GDPR gap analysis, cybersecurity policies and procedures and access to our data breach response services, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370
Email: contact@privacysolved.com
PS082022
Ireland should be a cybersecurity powerhouse. However, the nation takes a cautious approach. The country is a preferred destination for California’s Silicon Valley technology giants and other foreign technology investments. The island is home to around 30% of Europe’s data centres. It has artfully managed its strategic relationships with the European Union and the United States of America. Technology and cybersecurity clusters in Dublin, Cork, Galway and Shannon continue to grow and attract investment. Cyber Ireland, the national cybersecurity cluster, is seeking to join up and mature the local ecosystems. Headline-grabbing cyberattacks such as WannaCry (2017), NotPetya (2017) and the Health Service Executive (HSE) ransomware attack in May 2021 were significant warnings to Ireland to significantly upgrade its national information security resilience. In 2021, it was estimated that cybercrime cost Ireland €9.6 billion a year. Ireland’s public sector remains stoic, pragmatic and relatively low spending. In contrast, the private sector is developing a growing appetite for cybersecurity services and solutions.
Ireland’s National Cyber Security Strategy 2019-2024
Ireland’s current National Cyber Security Strategy was published in 2019 and covers the five years from 2019 to 2024. Ireland’s National Cyber Security Centre (NCSC) is the main body responsible for the Strategy and many of the measures set out in the document. The NCSC is also accountable for the information security of Ireland’s Critical National Infrastructure and for enforcing the EU’s Network and Information Systems Directive (NIS Directive). The NCSC has been designated as Ireland’s Cyber Security Incident Response Team (CSIRT-IE). See the PrivacySolved Insights Briefing Cybersecurity: Focus on Ireland’s National Cyber Strategy for more details on the Strategy.
Cautious New Funding for the National Cyber Security Centre (NCSC)
Ireland’s digital economy has been valued at USD $14 billion and is increasingly facing cybersecurity threats that have led to increases in cybersecurity spending in the private and public sectors. In July 2021, two months after the HSE ransomware attack, the Irish Government announced a doubling of staff numbers at the NCSC over the following 18 months. This was estimated to cost €2.5m in the first year. Twenty (20) new roles would be added to the existing 25 already working at the NCSC. The longer-term plan is to reach 70 employees within five years (by 2026). A new headquarters building, new graduate training programme and a new head of the NCSC have also been added.
There are growing calls for the NCSC to receive more funding as a good investment and to reflect the spending priorities of Ireland’s European neighbours like the UK, France, the Netherlands, Belgium and Germany. Evidence given to the Irish Parliament’s Joint Oireachtas Committee on Transport and Communications in May 2021 suggested that the NCSC should receive a tenfold budget uplift from £5 million a year to £50 million a year. Ireland is informally called “data island” because of its considerable market share of European data centres, yet the NCSC’s £5 million budget is relatively low. For context, the NCSC’s budget is said to be a third of the spending by the public relations (PR) team in the Department of the Taoiseach (the Irish Prime Minister’s Department), which was about €16.9 million in 2020. A former Chief Executive of the HSE suggested in 2021 that the HSE’s expenditure on IT security was about a quarter of what would be expected when compared with other health systems. On closer analysis, there is evidence of underinvestment in government and public sector information security. By contrast, the $300 million Irish market for cybersecurity solutions and services (mainly private sector) is growing.
Cyber Security Baseline Standards (Public Sector)
In January 2022, the NCSC and the Office of the Government Chief Information Officer (OGCIO) published their jointly developed Cyber Security Baseline Standards for Irish Public Sector bodies. The Standards are intended to create an acceptable security standard, build a more resilient security environment and form a broad framework for measures which can be revised over time. The standards will help organisations improve the management of cybersecurity risks, allowing Public Service bodies to better identify, protect, detect, respond to, and recover from cybersecurity attacks. This will minimise damage and adverse impacts.
The Standard includes a Cyber Incident Response Plan (CIRP) checklist and checklists for a range of other activities such as Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. It is a minimum set of standards and requires organisations to expand upon these depending on their activities and risk profiles.
Data Protection Commission Ireland’s data breach enforcement efforts
Data Protection Commission Ireland (DPC Ireland) is Ireland’s data protection and GDPR regulator. Since May 2018 it has not developed a significant and high-profile body of casework on major cyberattack response and data breaches. So far, DPC Ireland’s position on major data breaches remains underdeveloped. However, in October 2021, DPC Ireland fined Twitter €450,000 for reporting a data breach late, which breached the GDPR. DPC Ireland’s Annual Report 2021 suggests a high level of engagement and high rates for resolving personal data breach notifications and referrals. In 2021, the Commission received 6,549 personal data breach notifications and concluded its work on 95% (6,274) in the same year. In October 2021, DPC Ireland received a budget increase of 22% (€4.1 million) on the year before, to €23.2 million for the next year. At present, DPC Ireland receives nearly five times the annual budget of the NCSC. DPC Ireland has 190 staff, four times more than the recently enlarged NCSC.
Future Developments
The key future developments to look for are more public sector cybersecurity funding and specific new investment and resources for the NCSC. The growth and maturity of the NCSC will be demonstrated by a larger staff pool, more IT and technical specialists and more involvement in critical national infrastructure initiatives. The NCSC is beginning to work more fully with the EU’s Agency for Cybersecurity (ENISA), the UK’s National Cybersecurity Centre (UK NCSC), the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). Together they respond to coordinated threat alerts and cyberattack responses. Future high impact cross-border activities will also imply maturity, growth and development. DPC Ireland’s increased enforcement activities, especially in the area of large data breaches, sophisticated cyberattacks and GDPR non-compliance in large systems will signal a more confident future for Ireland’s cybersecurity, data protection, trust and national security resilience efforts.
For help, advice, consulting and strategy for Irish Data Protection compliance, GDPR gap analysis, Cybersecurity policies and procedures and access to our data breach response services, contact PrivacySolved:
Dublin +353 1 960 9370
London +44 207 175 9771
Email: contact@privacysolved.com
PS042022
New technologies, emerging digital innovations and trends in data, data analytics and cybersecurity are developing at a rapid pace. These will shape the future of business, trade, politics, the economy and society. Chief Executive Officers (CEOs), Data Protection Officers (DPOs), Chief Data Officers (CDOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Boards and Senior Leaders must understand these developments, assess their competitive advantages, manage inherent risks and track the evolving governance and security implications. Automation, Artificial Intelligence (AI) Ethics, Blockchain, Data Bias, Differential Privacy, Digital Twins, Edge Computing, the Metaverse, Ransomware and Zero Trust Architecture and Security will increasingly lead the conversations in technology. These are set to grow exponentially, diversify and create lasting impacts. Here are the definitions of these key technologies, innovations and digital trends:
Automation describes the increased use of sophisticated technologies that minimise or eliminate human input. This includes business process automation (BPA), IT automation, robotics and personal applications such as the automation of private homes and self-driving cars. Automation is driven by a range of technological features and applications of data science, engineering, algorithms, blockchain, machine learning, deep learning, industrialised robotics and artificial intelligence.
Artificial Intelligence (AI) Ethics are a group of values, principles, and techniques that apply widely accepted standards to guide ethical and moral conduct in the development, use and outcomes of AI systems. These disciplines seek to address the individual and societal harms AI systems might cause. AI ethics mitigates these harms by offering leaders, developers, engineers and project teams the values, principles, and techniques needed to produce more ethical, fairer, and safer AI applications.
Blockchain is a decentralised, distributed, and often public, digital ledger made up of records called blocks that are used to record transactions across many computers so that each block cannot be later altered without changing all other blocks. This allows the participants to verify and audit transactions independently and relatively cheaply. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. Because every block carries information about the block preceding it, the blocks form a chain, and each additional block reinforces the ones before it. A blockchain database is managed autonomously using a peer-to-peer network and a distributed timestamping server. Blockchains are authenticated by mass collaboration, powered by collective self-interest. Blockchains are growing in popularity through cryptocurrencies, especially using the Ethereum blockchain, and via the creation, sale, collection and distribution of Non-Fungible Tokens (NFTs).
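The hash-chaining described above is easy to see in code. The following Python example is added here to illustrate the definition; it is not PrivacySolved's code and it is not a real blockchain (no network, no consensus, constructed sample transactions and timestamps). It builds a small chain, shows that editing one block breaks the link in the block after it, shows that an editor would have to re-link every later block to hide the change, and shows the caveat that an edit to the very last block has no later block to expose it.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_PREV = "0" * 64  # constructed predecessor hash for the first block


@dataclass
class Block:
    index: int
    timestamp: int   # constructed sample value, not a real clock reading
    data: str        # constructed sample transaction text
    prev_hash: str   # hash of the previous block, which is what links the chain

    def hash(self) -> str:
        # Hash every field, including prev_hash, so a change anywhere in an
        # earlier block changes the hash this block's successor expects.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(entries):
    """entries: list of (timestamp, data). Returns a linked list of Blocks."""
    chain = []
    prev = GENESIS_PREV
    for i, (ts, data) in enumerate(entries):
        block = Block(i, ts, data, prev)
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain):
    """Return the index of the first block whose prev_hash does not match the
    recomputed hash of its predecessor, or -1 if every link is intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        prev = block.hash()
    return -1


def relink_from(chain, start):
    """Rewrite the prev_hash of every block after `start`; this is the work an
    editor must redo on all later blocks to conceal a change at `start`."""
    for i in range(start + 1, len(chain)):
        chain[i].prev_hash = chain[i - 1].hash()


if __name__ == "__main__":
    # Constructed sample ledger entries.
    ledger = build_chain([
        (1700000000, "alice pays bob 5"),
        (1700000060, "bob pays carol 2"),
        (1700000120, "carol pays dave 1"),
    ])
    print("intact chain ->", verify_chain(ledger))         # -1
    ledger[1].data = "bob pays carol 200"                   # edit a middle block
    print("after edit   ->", verify_chain(ledger))         # 2: block 2 no longer links
    relink_from(ledger, 1)                                  # rewrite all later links
    print("after relink ->", verify_chain(ledger))         # -1 again
```

The `relink_from` step is the reason the definition says a block cannot be altered "without changing all other blocks": in a real network those later blocks are held by many peers, so rewriting them is impractical, whereas in this single-process toy it is trivial. Note also that the last block has no successor, so a change to it is only caught once a further block is appended.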
Data Bias is any trend or deviation from the truth in data collection, data analysis, interpretation and publication which can cause false conclusions. Bias can occur intentionally or unintentionally. A biased dataset, for example in machine learning, does not accurately represent a model’s use case, resulting in skewed outcomes, low accuracy levels, and analytical errors. Types of bias include association bias, exclusion bias, measurement bias, observer (confirmation) bias, recall bias, racial bias, sample bias and sexual (gender) bias.
Differential Privacy is a mathematical technique of adding a degree of controlled randomness to a dataset to prevent the release or extraction of information about individuals in the dataset. This allows researchers and analysts to extract useful insights from datasets containing personal information while also offering stronger data privacy protections.
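To make the "controlled randomness" concrete, here is an added Python example of the Laplace mechanism, the most common way differential privacy is applied to a counting query. It is illustrative code written for this page, not PrivacySolved's; the dataset is constructed, and the helper names (`laplace_noise`, `private_count`, `private_clipped_sum`) are this example's own. The key idea it shows is that the noise scale is set from the query's sensitivity (how much one person can change the answer) divided by the privacy budget epsilon.

```python
import math
import random


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw one sample from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5               # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)             # avoid log(0) at the lower edge
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Epsilon-DP count of records matching `predicate`.

    Adding or removing one person changes a count by at most 1, so the
    sensitivity is 1 and the Laplace scale is 1 / epsilon.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def private_clipped_sum(values, lo: float, hi: float, epsilon: float, rng: random.Random) -> float:
    """Epsilon-DP sum of per-person values clipped to [lo, hi].

    Clipping bounds each person's contribution, so one person can change the
    sum by at most (hi - lo); that bound is the sensitivity used for the noise.
    Without clipping, a single extreme value would make the sensitivity unbounded.
    """
    clipped = [min(max(v, lo), hi) for v in values]
    sensitivity = hi - lo
    return sum(clipped) + laplace_noise(sensitivity / epsilon, rng)


if __name__ == "__main__":
    # Constructed sample dataset: 1000 people, 30% flagged, with a daily spend value.
    people = [{"id": i, "smoker": i % 10 < 3, "spend": (i % 50) * 2.0} for i in range(1000)]
    rng = random.Random(42)
    print("private smoker count:", round(private_count(people, lambda p: p["smoker"], 1.0, rng), 1))
    print("private spend total: ", round(private_clipped_sum([p["spend"] for p in people], 0.0, 100.0, 1.0, rng), 1))
```

Smaller epsilon means larger noise and stronger privacy; each released answer spends part of the total budget, so repeated queries over the same people must be accounted for together.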
Digital Twins are digital replicas or representations of physical objects, such as a machine or person, or an intangible system, like a business process, that can be examined, altered and tested without interacting with it in the real world and avoiding negative consequences. The Digital Twin often spans the lifecycle of the object, person or system, is updated from real-time data, and uses simulation, machine learning and reasoning to aid decision-making.
Edge Computing is a distributed computing architecture framework where an organisation’s applications are closer to data sources such as Internet of Things (IoT) devices or local edge servers. The closeness to data at its source can deliver strong business benefits, faster insights, improved response times and better use of bandwidth.
The Metaverse is a unified way for people, data and things to interact in virtual, physical and spatial environments. It is a collection of systems and interfaces combining computer screens, avatars, virtual reality, augmented reality, the internet of things, robotics, artificial intelligence and automation. The term originates from science fiction, specifically from Neal Stephenson’s Snow Crash (1992) and the work of William Gibson.
Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems or networks. This is accompanied by a demand for financial ransom payments to restore access to systems, decrypt databases or return data. Ransomware can be introduced to a computer or system when users accidentally download it by opening email attachments, clicking on advertisements, clicking on hyperlinks or visiting a website that has been deliberately infected with malware. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware attacks can be initiated by state actors and by opportunistic hacktivism. In most cases, ransomware is part of international cybercrime and organised crime.
Zero Trust Architecture and Security uses zero trust principles to plan business, industrial and enterprise infrastructure and workflows. Zero trust architecture is created on the premise “never trust, always verify.” Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical attributes, presence on the network or asset type. Authentication and authorisation of individuals and devices are discrete functions performed continuously before access to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), working from home, and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust Security is a cybersecurity strategy in which information security policy is applied based on context established through least-privileged access controls and strict user authentication. Trust is not assumed. A mature best-of-breed zero trust architecture can create a simpler network infrastructure, better user experience, and improved cyber defence.
PrivacySolved has a well-established track record of advising and leading projects for Consumer Relationship Management (CRM) systems, ecommerce, e-government, CCTV systems, cloud computing, fintech, artificial intelligence data, big data and data analytics. Contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)
Email: contact@privacysolved.com
PS012022
In November 2021, major vulnerabilities were discovered in Log4j. Log4j is an open-source Java logging library developed by the Apache Software Foundation. It is used in many custom applications, off-the-shelf software, security products and cloud applications like Steam and Apple iCloud. The Log4j library is present in much enterprise Java software and in many Apache frameworks. Other large projects including Netty, MyBatis and the Spring Framework also use the library. A range of vulnerabilities have been discovered in multiple versions of Apache Log4j. Scanning and attempted exploitation have been observed globally. National Cyber Security Centres have discovered exploited vulnerabilities in VMware Horizon, MobileIron and the Ubiquiti UniFi Network Application, among others. The vulnerabilities allow remote code execution and information disclosure if exploited. Denial of Service exploits, bypasses of the mitigations for Log4Shell, and Conti ransomware operators gaining access through the vulnerabilities are all risks. The vulnerabilities also allow exfiltration of sensitive data. The list of applications impacted by these vulnerabilities is vast, so all organisations must proactively audit, test, review and respond with patching and updates.
Information security specialists say that the Log4j vulnerability may be one of the most serious in the last ten years. Over time, it may become the most impactful vulnerability in the history of modern cyber security. Known vulnerabilities, patched vulnerabilities, half-day and zero-day exploits in open-source code libraries can result in major future data breaches, supply chain attacks and ransomware attacks. Companies and organisations should locate and upgrade all instances of Log4j and mitigate the threats. This Resources Page is a dashboard of the most useful information and guidance.
PrivacySolved has years of expertise in data protection, cybersecurity strategy and data breach response. For advice, support, projects and programmes, contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)
Email: contact@privacysolved.com
Briefing
Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems and networks. This is accompanied by a demand for a financial ransom payment to restore access to systems, decrypt databases or return data. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware can be introduced to a computer or system when users accidentally download it by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware. Globally, across all sectors, these attacks have increased in scope, frequency, sophistication and the levels of financial payment demanded. Ransomware is now a major component of global cybercrime. Combatting these cyberattacks can be complex, especially for the largest businesses and organisations.
A Sophos poll of 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East and Africa found startling results. The total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 USD in 2020 to $1.85 million USD in 2021. The average ransom paid is $170,404 USD. Only 8% of organisations managed to get back all their data after paying a ransom, with 29% getting back no more than half of their data.
Here are five steps that all businesses and organisations can take to improve their resilience, their offensive capabilities and their defensive success:
1. Strategic, Systematic and Regular Backups
Ransomware should be treated as a strategic and existential threat. An attack should be regarded as inevitable. Organisations should create backups to build resilience. These are crucial for recovering data after an attack. The industry standard approach is called 3:2:1: three copies of the data, on two different media, one of which must be kept offline. Backups should be scheduled to run regularly.
2. Prevent Malware from being Delivered and Running on Systems
Businesses and organisations can reduce the amount of malware and ransomware reaching their devices by filtering to only allow file types that they expect to receive, and by blocking known malicious websites. Content can be actively inspected, and signatures can be used to block known malicious code. Network services are used to fulfil these tasks, and tools include intercepting proxies, internet security gateways, safe browsing lists and mail and spam filtering. Disabling Remote Desktop Protocol (RDP) if it is not needed, enabling Multi-Factor Authentication (MFA) at all remote access points into the network and using a secure Virtual Private Network (VPN) can provide effective responses to the most modern ransomware deployment practices.
A defence in depth approach should be in place. This assumes that malware will reach their devices. Businesses should take steps to prevent malware from running by using device-level security features. Organisations should centrally manage devices to only permit applications trusted by the enterprise to run, and use up-to-date enterprise antivirus or anti-malware products. Scripting environments and macros should be disabled or restricted, for example by enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy. Systems can also be protected from malicious Microsoft Office macros, and autorun for mounted (activated) media can be disabled.
To avoid attackers forcing their malicious code to execute by exploiting vulnerabilities in devices, these must be well-configured and kept up to date. Security updates should be installed as soon as they become available to fix exploitable bugs, and automatic updates should be enabled for Operating Systems, applications, and firmware (if possible). Using the latest versions of Operating Systems and applications to access the latest security features is advisable. Host-based and network firewalls should be configured to bar inbound connections by default.
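The first measure in this step, filtering so that only expected file types are allowed through, is often implemented as an attachment allowlist on a mail gateway. The Python below is an added illustration of that check and is not PrivacySolved's code or any vendor's product; the allowlist, blocklist, magic-byte table and the sample attachments are all constructed for the example. It declines anything whose extension is not expected, anything carrying a blocked extension anywhere in its name (the "report.pdf.exe" pattern), and anything whose bytes do not match the type its name claims, which is the case a simple extension filter misses.

```python
# Expected types and the leading bytes ("magic numbers") each one must start with.
# None means the type has no fixed signature. Constructed for this example.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "txt": None,
}

# Extensions that should never be accepted as mail attachments in this example policy.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "hta",
    "lnk", "iso", "docm", "xlsm", "pptm",
}

# Signatures of content that is executable regardless of the declared name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def inspect_attachment(filename: str, content: bytes):
    """Return ("allow", "") or ("block", reason) for one attachment."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("block", "no file extension")

    # Check every extension segment, so "report.pdf.exe" is caught even though
    # "pdf" is allowed, and so is "report.exe.pdf" (a blocked type hidden mid-name).
    for segment in parts[1:]:
        if segment in BLOCKED_EXTENSIONS:
            return ("block", f"blocked extension '.{segment}'")

    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return ("block", f"extension '.{ext}' is not on the allowlist")

    if content.startswith(EXECUTABLE_MAGIC):
        return ("block", "content is an executable image")

    magic = ALLOWED_TYPES[ext]
    if magic is not None and not content.startswith(magic):
        return ("block", f"content does not match declared type '.{ext}'")

    return ("allow", "")


def triage(attachments):
    """Run the check over a batch and return {filename: verdict}."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments}


if __name__ == "__main__":
    # Constructed sample attachments; the "PDF" is really a PE header.
    sample = [
        ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("invoice_copy.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report.pdf.exe", b"MZ\x90\x00"),
        ("budget.xlsm", b"PK\x03\x04"),
        ("notes.txt", b"meeting at 10"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("archive.zip", b"PK\x03\x04"),
    ]
    for name, data in sample:
        print(f"{name:20s} -> {inspect_attachment(name, data)}")
```

A gateway rule like this is only the delivery-side layer; the later measures in this step (application control, macro restrictions, patching and default-deny firewalls) assume some content will still get through.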
3. If Attacked: To Pay, or Not to Pay the Ransom?
A wide range of law enforcement agencies around the world discourage the payment of ransom demands. However, sometimes payments must be made as a pragmatic response and to aid business continuity. At all times, organisations must avoid committing a criminal offence by sending payments to sanctioned individuals, entities or organisations or those involved in money laundering. Companies should liaise with their insurers, lawyers and risk professionals. Even after payments are made, confidential personal data could still be published online, breaching data protection and global privacy laws. There is no guarantee that organisations will regain access to their data, computer systems or networks. An IT system may still be infected long after the ransomware attack. Repairing, recovering and remediating the systems can be expensive and take many weeks or months.
4. Train Staff and Prepare for Incidents
Businesses and organisations should develop a corporate training strategy, on a rolling basis, that is updated to include the latest developments in malware, ransomware and information security threats. Different types of staff will need varying depths of training and awareness.
Organisations should identify their critical assets and determine the impact if these were affected by a malware attack. This is a very important preparatory step. Preparation also includes developing an internal and external communication strategy (including any impacts from collateral third-party malware not intended for the organisation). Incident management plans should be rehearsed and reviewed. This helps to clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery. War-games and hackathons to rebuild virtual environments, servers, files, physical servers and rebuilds from offline backups, under pressure, should be included. Developing a plan to continue to operate critical business services or a minimum viable service or product, is also essential.
5. Report and Share Intelligence
There are legal obligations to report certain cyberattacks and data breaches to personal data regulators, governments, information services regulators, financial services regulators and market regulators. These reports should be done quickly, to receive help and to reduce liability. There is a growing drive to voluntarily report ransomware to government agencies and law enforcement. This should be considered because they may hold information that could be useful for the organisation’s response. Reports also help them to better understand the level of the threat and can deploy offensive and defensive capabilities to protect a sector or group of companies. The most difficult and controversial decision will be whether to report ransomware attacks to sector groups, fellow businesses and potential competitors. This is increasingly being encouraged, but will rely heavily on mutual trust, non-disclosure agreements and clear memorandums of understanding to protect each party. The more information and intelligence about ransomware that can be collected and skilfully used, will reduce the impacts and costs of ransomware.
For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy or Information Security Training, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370
Email: contact@privacysolved.com
PS112021
Briefing
The Netherlands has strong information technology capabilities. According to the World Economic Forum, the country ranks 6th in the world as one of the most advanced and technology-enabled nations. In 2018, the Netherlands imported €61.2 billion worth of ICT goods and services. In the same year, exports of ICT-related goods and services (including re-exports) stood at €74.6 billion. The Netherlands’ technological environment is anchored by a robust digital infrastructure. The Dutch rank 2nd in the world for online connectivity, with over 98% of households having a broadband connection. The Netherlands is a leading cybersecurity hub in Europe, home to Europe’s largest security cluster, The Hague Security Delta (HSD). HSD is a national network of more than 300 public and private organisations working together to accelerate cybersecurity solutions. The Netherlands is home to one of the largest internet exchanges in the world, the Amsterdam Internet Exchange (AMS-IX), and has one of the highest rates of internet connectivity in the world. The Amsterdam region houses nearly a third of Europe’s data centres, with growth expanding to Groningen and Middenmeer. The country is also home to Europol’s European Cybercrime Centre (EC3), the NATO Communications and Information (NCI) Agency and the Global Forum on Cyber Expertise (GFCE) in The Hague.
The Netherlands ranks 4th out of 28 countries (27 EU member states and the UK), in the European Commission Digital Economy and Society Index (DESI) 2020. This ranking is based on pre-coronavirus pandemic analysis. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in the country, including key data centres. Demonstrating cybersecurity resilience in the country’s networks, information systems, private sector and public services is very important for national security, economic growth, investment, trust, and innovation. Companies and organisations can also use this information to set expectations and risk levels.
Putting Cybersecurity on the Agenda
In 2018, the Dutch National Cybersecurity Agenda was adopted to allow the Netherlands to benefit from the economic and social opportunities of digitalisation in a secure way and to protect national security in the digital world. Seven ambitions were outlined to allow the Netherlands to:
1. Have strong digital capabilities to detect, mitigate and respond decisively to cyber threats;
2. Contribute to international peace and security in the digital space;
3. Be at the forefront of digitally secure hardware and software;
4. Have resilient digital processes and a robust infrastructure;
5. Have successful barriers against cybercrime;
6. Lead the way in the field of cybersecurity knowledge development; and
7. Have an integrated and strong public-private approach to cybersecurity.
From Agenda to Reality: Key Points from Cyber Security Assessment Netherlands 2021
The Netherlands has moved from setting agendas and ambitions to becoming more proactive in European (and global) cybersecurity efforts. It also assesses the national picture every year so that stakeholders understand the trends, risks, threats, strengths and areas for improvement. This shows both a proactive and a transparent approach. The Cyber Security Assessment Netherlands 2021 (CSAN 2021 / CSAN) explains the active cyber threats, the likely impacts, resilience approaches and the risks. CSAN, which is published annually by the National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Centre (NCSC NL), focuses on national security.
The NCTV is the central government body responsible for counterterrorism, cybersecurity, national security, crisis management and state threats. NCTV’s core focus is to prevent and minimise social disruption. The NCSC NL is the central information hub and centre for expertise for cybersecurity in the Netherlands. NCSC NL helps to boost cyber resilience in society, specifically within central government and among critical providers.
Risks to National Security
Four risks to national security have been identified in CSAN:
1. Unauthorised access to information and its publication, particularly through espionage. For example, espionage targeting communications within the central government or the development of innovative technologies.
2. The inability to access processes, due to sabotage or the use of ransomware. For example, the infiltration of processes that ensure the distribution of electricity.
3. Major security breaches, such as through the abuse of global IT supply chains.
4. Large-scale outages: for example, where one or more processes are disrupted due to natural activity, technical interference or unintentional human action.
Differences in the Levels of Resilience
The CSAN reveals that there are significant differences in levels of resilience in the Netherlands. Large companies can invest in cybersecurity knowledge and skills. Suppliers of essential services and digital service providers also have a statutory duty of care, set out in the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni). However, small businesses, including small and medium-sized enterprises (SMEs), often lack the expertise and resources to substantially upgrade their resilience efforts. SMEs are often targeted by sophisticated actors. This resilience gap has been identified as a work in progress to be solved, in part, by greater capacity building and information sharing.
Key Messages from CSAN
There is a clear acknowledgement that cyber incidents can paralyse society, and in particular:
Cybersecurity is a precondition for the functioning of society.
The digital threat is permanent.
Digital resilience is not yet in order everywhere because of the lack of basic measures.
Boosting resilience is the most important tool for managing cyber risks.
A complete and accurate picture of the resilience of critical processes is still missing.
Cyber risks are as great as ever and cannot be separated from other risks.
The Netherlands’ dependence on countries with offensive cyber programmes is a risk-increasing factor.
The main risks to national security are sabotage and espionage by states, the failure of systems, and cyberattacks by criminals (cybercrime).
The Covid-19 Effect
CSAN notes that since the start of the coronavirus pandemic, several COVID-19 themed cyberattacks have been observed, using a range of tools and tactics. Cyberattacks have been carried out on hospitals, research institutes and the World Health Organisation (WHO). Not only has the healthcare sector been targeted; governments and companies have also had to deal with various attacks. The Police, the Public Prosecutor’s Office and Europol warned of the various forms of misuse, ranging from cybercriminal attacks to the distribution of disinformation. COVID-19 also lends itself to social engineering attacks.
Disrupting Ransomware
CSAN sets out a robust strategy for dealing with all forms of ransomware. It suggests that the most promising solution lies in structurally increasing the costs to the criminals against the benefits gained from ransomware attacks. It suggests that this can only be done if the Police, NCSC NL, the Public Prosecution Service, the public services, private partners and potential victims, unite and stand together. These stakeholders should proactively work together and share information and insights in a targeted manner. Information sharing is the key.
Cloud Services and Virtualisation: Questions for Companies and Organisations
In a unique approach, CSAN directly addresses companies and organisations with key questions about digital transformation and the emerging risks. It focuses on cloud services and the cybersecurity risks associated with virtualisation. The key questions it asks are:
When designing your cloud environment, did you take the failure of this infrastructure into account (design for failure)?
What activities does your organisation perform in the cloud environment and how sensitive are these processes to interruption?
How is the data processed in the cloud environment stored? For complex or sensitive data processing, has replication at multiple data centre locations or ‘availability zones’ been considered? Note: Replication can ensure that important data is not lost in the event of disruption at one location but remains available at another location.
Do you know the basis upon which your organisation chose a public, private or hybrid cloud environment? Does this include the complex data processing and sensitive or unique data that plays a role in your organisational processes?
By asking these questions of all companies and organisations, NCTV and NCSC NL spark a debate but also place the onus on each entity to actively reduce its cyber risks and build resilience. They ask questions of individual entities so that collective and national data security resilience can be increased.
Action Plan: Monitor the Cybersecurity Threat Landscape, Participate in Public/Private Cybersecurity Efforts and Review Annual Assessments to Influence Corporate Strategy
Companies, organisations, the public sector and investors must monitor the development of the Cybersecurity Agenda and the annual Dutch CSAN analysis. The Netherlands is vital for European data flows, global information technology and international supply chains. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should also be constantly assessed, as this has been highlighted in the CSAN. NCSC NL has a strong reputation at home and abroad, especially working with the UK, Germany, the USA and bodies such as the European Union Agency for Cybersecurity (ENISA), EUROPOL and NATO.
The Netherlands’ data protection approach should also be monitored in conjunction with the National Cyber Security Agenda and CSAN. This completes the information security and data governance picture. Autoriteit Persoonsgegevens (also called the Dutch DPA) is the data protection and General Data Protection Regulation (GDPR) regulator. It is relatively large, sufficiently funded, consistent and adopts an analytical risk-based approach. It leads with education, guidance and recommendations but will issue fines where it considers these appropriate. Recently, it has used its strongest penalties to respond to data breaches, data about children, health data (including Covid-19 data), intrusive new technologies and surveillance.
The Netherlands stands as a good example of a transparent, effective and active cybersecurity strategy. The agenda and strategy have been operationalised and are assessed annually. The country has championed the multidisciplinary and cross-sector approach to building resilience. Its data protection regulatory system is also stable, consistent and set to expand to respond to new technology, European co-operation, global initiatives and the intensifying cybersecurity landscape.
Briefing
The coronavirus pandemic has created an explosion in information security awareness and a sense of hyper-vigilance. Cybersecurity attacks have increased, especially malware, phishing, vishing and ransomware. As cyber awareness increases, boards, leadership teams and individuals need access to the most reliable sources of information and advice. Excellence, expertise and the ability to communicate security threats, risks, priorities, trends and effective responses are crucial. These trusted insights are vital for companies and organisations.
Leading Data Security Sources: Centres of Excellence
The organisations below have consistently helped companies, organisations and individuals to identify threats, improve controls, increase training and reduce the risk of cybersecurity breaches and loss of reputation. Covid-19 has reinforced their importance. They understand the national and international security landscape. Their experience spans many sectors. Several of the organisations play a key role in national cybersecurity strategies and so are trusted by governments and the public services. The organisations raise awareness, issue threat alerts, produce guidance, publish analysis, create training materials, lead certification activities, respond to data breaches, secure critical national infrastructure and work with companies and organisations to improve their cyber resilience.
The UK’s National Cyber Security Centre (NCSC) was created in 2016 and spun out of GCHQ. It combines the CESG (GCHQ’s information security arm), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related work of the Centre for the Protection of National Infrastructure (CPNI). It has responsibilities across government, for critical national infrastructure protection and for the national cyber security strategy. Its guidance, standards-setting, alerts, website, social media and work with all sectors make it a leader in information security.
NIST (the National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce with a central role of promoting innovation and industrial competitiveness. Its main laboratory programmes include nanoscale science and technology, engineering, information technology, neutron research, material measurement and physical measurement. For cybersecurity and data privacy, its standards and frameworks are very popular and underpin the information systems of organisations around the world. This work is supported by the Computer Security Resource Center (CSRC). Its guidance, standards, measurements, publications, website and social media output are authoritative.
ENISA is an agency of the European Union, created in 2005 and located in Athens and Heraklion in Greece. The agency works with EU Member States to advise, offer solutions and improve cybersecurity capabilities. It builds capacity to respond to large cross-border cybersecurity incidents or crises. It has developed cybersecurity certification schemes since 2015. ENISA acts as a key centre of expertise for member states, EU institutions and private organisations on network and information security. Its guidance, CERT co-ordination, standards, certification schemes, publications, website and social media output are highly influential.
US-CERT analyses and reduces cyber threats and vulnerabilities, disseminates cyber threat warnings and coordinates incident response activities. It uses advanced network and digital media analysis to identify malicious activity targeting networks in the United States and abroad. US-CERT is part of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Its work includes threat analysis and information sharing, digital analytics, operations, communications and international work. Its publications, advisories, alerts, analysis, advice, website and social media output are respected. Its unique selling point is that it analyses and disseminates information about the most persistent international cybersecurity threats.
Created in 2002, the FBI’s Cyber Division leads the US national effort to investigate and prosecute internet crimes, cyber-based terrorism, espionage, computer intrusions and major cyber fraud. It proactively informs the public about current trends in cybercrime. Its three key priorities are computer intrusion, identity theft and cyber fraud. It works with other agencies and takes part in cross-border initiatives.
Other Influential Data Security Organisations include:
The FinTech sector was valued at €140 billion globally in 2018 and is estimated to more than double in size to €431 billion by 2022. In the EU, FinTech investments increased by nearly 300% in 2018 from the previous year, to €37 billion. The FinTech sector’s aims of transforming financial services delivery and offering innovative data-rich services make it highly attractive for venture capital. As the sector expands, the risks of hacking, cybercrime, cybersecurity incidents and personal data breaches increase. FinTech faces unique cybersecurity challenges, but with the application of standards, tools and strategies the sector can remain proactive and cyber resilient.
FinTech’s Unique Cybersecurity Landscape
The FinTech sector is a series of related financial technologies. The sector is, by nature, innovative and data-driven, with ever-expanding boundaries. The ecosystem includes large traditional banks, financial services providers, challenger banks and a wide range of start-ups. Key FinTech services include payments, alternative finance, smartphone-based mobile retail banking, currency exchange services, investing services and cryptocurrencies. The edges of FinTech stretch into ‘InsurTech’ and the more multifaceted ‘RegTech’ sector. FinTech’s growth, innovative use of data and user focus make it a unique target for cybercrime and cybersecurity threats.
FinTech actively uses new technologies, data analytics, Big Data, artificial intelligence, robotic process automation (RPA), blockchain, and biometrics. The sector is an evolving mix of diverse data points and a large footprint of endpoints and devices. The sector is home to various data sets, including financial transactions, payment card, credit report, geolocation, and special categories of personal and other sensitive data. As a result, it is an increasing target for cybercriminals, cybersecurity incidents, and personal data breaches. Distributed denial-of-service attacks are increasingly common. Ransomware, malware and phishing attacks are also growing.
A Mix of Rules and Regulations
In the EU, FinTech as a combined sector is not highly regulated. However, depending on the type of FinTech organisation, the types of technologies deployed, or the types of data used, various laws and rules impose data security norms. Traditional banks, challenger banks and smartphone-based financial services providers face the most demanding cybersecurity rules. The EU’s Payment Services Directive (EU 2015/2366) (‘PSD2’) led the way for open banking by allowing banks to make their customers’ personal or business current-account information accessible to external third-party providers. PSD2 supercharged the growth of EU FinTech. FinTechs are also governed by a mixture of EU banking authorities, EU financial services laws, central banks and national financial services regulators. Organisations that are part of critical national infrastructure fall within the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) (‘the NIS Directive’). Their supply chains, which can include FinTechs, are indirectly regulated by these cybersecurity standards. FinTechs that use direct marketing tools, cookies and similar technologies must comply with the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (‘the ePrivacy Directive’) and the related national laws in each EU country.
The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) provides overarching rules to encourage cybersecurity and data protection compliance. The GDPR’s rules on transparency, accountability, security of data processing, personal data breach notifications to regulators and individuals, Privacy by Design, Privacy by Default, Data Protection Impact Assessments (‘DPIAs’), and the appointment of data protection officers, offer FinTechs a baseline for compliance, which they must build on to reflect their specific context and risk-profile.
EU public policy has acknowledged the need to make cybersecurity the number one priority in FinTech planning. The European Commission adopted the EU FinTech Action Plan (‘the Action Plan’) in 2018 with the clear aim of placing cybersecurity and integrity at the heart of FinTech growth and development. The Action Plan encourages a security by design approach. The European Banking Authority also published a FinTech Roadmap to set out its priorities for 2018/2019. The European Union Agency for Cybersecurity (‘ENISA’) is, at the time of publication, working on an EU certification framework for ICT security products and services, increasing access to threat intelligence and information sharing, encouraging penetration and resilience testing, and increasing cybersecurity training and awareness. In 2019, the European Supervisory Authorities published advice to the European Commission on the strengthening of EU cyber and IT security regulation in the financial sector. A key recommendation was to develop an EU oversight framework for third-party providers active in financial services, especially cloud service providers. Another recommendation was to develop an EU-wide framework for testing the cyber resilience of important financial institutions. Globally, at an intergovernmental level, the G7, the G20, the Organisation for Economic Co-operation and Development, the International Monetary Fund and the World Bank are also working on FinTech cybersecurity and information security for financial services.
FinTech Cybersecurity and Cyber Resilience Standards and Tools
Security by design (and security engineering) should underpin FinTech infrastructure, services, software, and applications, so that security is built-in by default, allowing a secure environment at the core and the endpoints.
International information security standards, such as ISO 27001, allow FinTechs to create and manage high-quality information security management systems. However, newer standards, such as ISO 27032:2012 for improving the state of cybersecurity and ISO 27701:2019 for extending an information security management system to privacy information management, can be used to mature the level of compliance. FinTechs should also seek to apply the Payment Card Industry Data Security Standard (PCI DSS), if applicable, the National Institute of Standards and Technology (‘NIST’) Cybersecurity Framework, financial services IT standards and other sectoral norms in the countries in which the FinTech operates.
A zero-trust approach and continuous testing allow FinTechs to significantly fortify their networks, endpoints, and level of resilience. Zero-trust architecture and zero-trust networks are based on the principle that actors, systems, or services operating from within the security perimeter should not be automatically trusted, but must be verified to initiate access and continue access to IT services.
DPIAs allow FinTechs to better understand their personal data use and demonstrate GDPR compliance. DPIAs focus on high-risk data processing and enable risk identification, remediation, risk acceptance, risk reduction, and risk management. At the system design stage, DPIAs can help FinTechs to identify and adopt Privacy by Design.
Supply chain cybersecurity compliance, strength and resilience are vital for business continuity and disaster recovery. FinTechs should build in IT flexibility and backup options, especially for cloud services. Supply chain partners must be held to high standards of cybersecurity compliance. They should also display cybersecurity agility and responsiveness in reacting to threats, risks, near-misses and breaches.
Proactive Cyber Resilience
The language of cybersecurity can often appear binary and prosaic to developers, FinTech founders, senior leaders and boards. Cybersecurity is often presented as a problem to be fixed so that growth and profits can continue uninterrupted. In truth, cybersecurity is fluid; it is an enabler and an adept partner to FinTech’s most ingenious innovations. In today’s complex global supply chains, with their aggressive and evolving threat landscape, cybersecurity must be aligned with proactive cyber resilience.
NIST defines cyber resilience as ‘the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.’ Proactive cyber resilience is a more suitable and beneficial aim, allowing organisations to promote a broader application of cybersecurity to include disaster recovery, business continuity, intelligent cyber insurance, and supply chain strength and flexibility. FinTech’s dynamism, complexity, and expanding boundaries require security engineering and cybersecurity to be core competences within the sector’s ecosystem and where the watchword is always resilience.
Ireland is an important player in the global digital economy. According to the Commission for Communications Regulation (“ComReg”) and other estimates, 30% of the European Union’s data are hosted in Ireland. The Republic of Ireland ranks 7th out of 28 EU member states in the European Commission Digital Economy and Society Index (DESI) 2019. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in Ireland, where many of their data centres are located. At the end of 2019, the Irish government published its second National Cyber Security Strategy for 2019 – 2024, to increase its cybersecurity readiness and resilience. Security of Ireland’s network and information systems is important for economic growth, investment, trust, national security and innovation.
A Cybersecurity Journey
A key proposal is to develop Ireland’s National Cyber Security Centre (NCSC), increase incident monitoring, respond to incidents and threats and work with the Defence Forces and the Gardaí (Police) on critical national infrastructure issues. There is also a growing realisation that cybersecurity resilience, national security and critical national infrastructure should embrace new partnerships between the public sector and the private sector. ComReg recommends allowing intelligence on threats to national security to be shared between Irish state agencies and the private sector. Access by private companies to intelligence on national security risks is seen as the best way to guarantee and secure telecoms networks in Ireland.
Key elements of Ireland’s National Cyber Security Strategy 2019-2022
The strategy’s main objectives are to:
Continue to improve Ireland’s ability to respond to and manage cybersecurity incidents, including those involving national security
Identify and protect critical national infrastructure by increasing its resilience to cyber attacks and ensure that operators of essential services have appropriate incident response plans to reduce and manage disruptions to services
Improve the resilience and security of public sector IT systems to better protect data and the services that people rely on
Invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers
Increase business awareness of the need to secure their networks, devices and information and to drive research and development in cyber security in Ireland, including new technology investment
Continue to engage with international partners and international organisations to ensure that cyberspace remains open, secure, unitary, free and able to facilitate economic and social development
Increase the general level of skills and awareness among private individuals about basic cyber hygiene and support them with information and training.
The strategy’s other key deliverables include the appointment of Cyber Attachés to Ireland’s key foreign diplomatic missions, ratification of the Budapest Convention on Cybercrime, expanding the current Threat Sharing Group (TSG), refining existing arrangements with the UK on information sharing and incident response and providing support to Cyber Ireland to develop a Cyber Security Cluster of industry, academia and government.
Action Plan: Monitor Progress, Review Outputs and Evaluate Results
Companies, organisations, the public sector and investors must monitor the implementation of the strategy. The Irish government’s overall budget for this strategy has not been published. Priorities within the strategy for each major objective have not been fully outlined. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should be monitored, as this is underdeveloped in the strategy. The key question is whether Ireland’s NCSC will become a larger, more confident and technically well-resourced cybersecurity champion in the coming years.
Ireland’s data protection approach should also be monitored in conjunction with the National Cyber Security Strategy. Ireland’s Data Protection Commission (DPC Ireland), the data protection and General Data Protection Regulation (GDPR) regulator, received a total budget allocation of €16.9 million for 2020, which included a smaller budget increase than requested. The quadruple challenges of Brexit, the coronavirus (Covid-19) pandemic, the post-election uncertainty over forming a government and a cooling Irish economy in the second half of 2020 will directly affect the immediate implementation of the strategy.