Awareness of Cyber risks

The first things you have to ask yourself is do I am aware of the security risks; I have to face in the near future?

Well let me try to explain what is actually all involved of being aware of the current threats, the risks and responsibilities of a vulnerability and security breach…

Speaking about awareness check out in real time the current threats all over the world.

See below an overview of different network maps:

·     Global Network

·     BOTNET

·     Digital Attack Map, Top daily DDoS attacks worldwide

·     Kaspersky CYBER THREAT REAL-TIME MAP

·     FireEye

·     CSO Online Daily Dashboard

·     Norse Attack Map

The Importance of the Human Element

While confidentiality, integrity and availability represent what aspects of information and information assets are being protected; people, process and technology describe how this protection occurs. All three factors of people, process and technology play an equally important role in information security. However, technical controls, such as firewalls, often receive all of the attention and people and process are overlooked. While firewalls and other security controls provide a very necessary baseline of protection, they can be rendered useless if a user either deliberately or unintentionally misuses their access or fails to protect resources within their control. Consider the scenario that a user is tricked into giving out their ID and password to an unauthorized person over the phone. It does not sound like a huge security breach. It is just one tiny mistake, right? Unfortunately, that is not the case. This mistake creates vulnerability in the security architecture that could result in a substantial loss if exploited. It only takes one open door to create an opportunity for an attacker. Although a shared password was the only violation used in this example, it is important to understand that there are many ways that users can become a security weakness. In addition, when the number of authorized users is considered, then the overall potential exposure is, astounding. This is why people are a major factor in the success or failure of an information security program.

Security Awareness Goals and Objectives

The primary objective of a security awareness program is to educate users on their responsibility to help protect the confidentiality, availability and integrity of their organization’s information and information assets. Information security is everyone’s responsibility, not just the IT security department. It is critical that users understand not only on how to protect the organization’s information, but why it is important to protect that information. “People are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about. Employees must understand how their actions can greatly impact the overall security position of an organization”. An awareness program should reinforce security policy and other information security practices that are supported by the organization. Security awareness “helps minimize the cost of security incidents, helps accelerate the development of new application systems, and helps assure the consistent implementation of controls across an organization’s information systems”.

The goal of awareness is to raise the collective awareness of the importance of security and security controls. Awareness messages should be simple, clear and presented in a format that is easily understood by the audience. The goal of training is to facilitate a more in depth level of user understanding. Some tactics include, but are not limited to formal classroom training, one-on-one training and educational packets.

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.

This is the first in a series of articles addressing the top 10 operational impacts of the GDPR.

First of al we start with awareness, and ask yourself the following things:

1.  What are the current Security data processing standards (1) within my company?
2.  Personal data breach notification standards
3.  Are all the threats secured?
4.  How much time do you spend daily to resolve / fix threats
5.  What is the total budget you spend yearly? You want to reduce these costs ASAP?

Recourses

1)    It is precisely the manufacturing capacity, or access of SMEs to appropriate infrastructures such as pilot lines, and the development of such infrastructures, that this combined funding can support. For innovative SMEs in particular, it is important to ensure a full involvement in industrial value chains, and access to pilot lines and RTOs, or technology infrastructures offering services to SMEs, allowing them to design, prototype, test and ultimately produce their innovations.

2)    The exploitation strategy should be realistic and identify obstacles, requirements and necessary actions involved in reaching higher TRLs, such as

a.     Improved material/product robustness and reliability;

b.     Addressing European value chains;

c.     Securing an industrial integrator to adapt the new technologies to industrial scale;

d.     Availability of large-scale testing, pilot and manufacturing facilities;

e.     Standardization;

f.      Product approval by regulatory and/or relevant international bodies;

g.     Sustainability of financing (after the EU funding).

Strategic orientation on innovative technologies closer to the market

A great number of activities aim to develop innovative technologies bringing them closer to the markets, including a progress towards higher Technology Readiness Levels (TRLs).5 This will help the manufacturing sectors to adapt to global competitive pressure by improving their technological base. As proposed in the European KET Strategy, the KET parts of this work Programme use TRLs where relevant. This Work Programme addresses TRLs from 3-4 up to 7, with an overall centre of gravity in the range from 5-6, with the highest level reserved for cases where there is strong industrial commitment.

To optimize impact, the following aspects should be considered by proposals wherever appropriate:

a) Well-targeted value chains enable to capture value to Europe – this aspect should be reflected in the quality of the consortium and the work plan to ensure optimal structure to maximize impact.

b) Adequate balance of industrial and research partners for the delivery of the expected outcome beyond the end of the project.

c) In order to facilitate up-scaling, aspects such as demonstration, transfer and piloting should be included as a part of the R&D&I actions. Where standardization needs are identified, they should be followed up.

d) The integration of business development, time to market, and market understanding, together with the understanding and exploitation of customized and personalized products and services in the business-to-business context is necessary to meet innovation needs in the range TRL 5-7.

e) Proof-of-concept prototypes, demonstration, assessments, platform-building activities, and pilots help to overcome the acceptance barrier, increase trust and convince potential users, express additional value benefits for diversified communities, provide seeds for new projects of the proposers also in other parts of Horizon 2020, and develop mechanisms for facilitating value creation in the real economy.

f) Non-technical and regulatory issues regarding health, safety and the environment should accompany the development of industrial applications, especially in fields such as nanotechnologies, where potential risks and public concerns have been identified.

(1) Enhancing your environment with the GDPR Enhances Data Security and Breach Notification Standards

Data security plays a prominent role in the new General Data Protection Regulation (GDPR) reflecting its symbiotic relationship with modern comprehensive privacy regimes.

Compared to Directive 95/46/EC, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards. The GDPR also adopts for the first time specific breach notification guidelines.

Security of data processing standards

The GDRP separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards.

Under Article 32, similarly to the Directive’s Article 17, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” Unlike the Directive, however, the GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

a)    The Pseudonymization and encryption of personal data.

b)    The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

c)    The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

d)    A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism — as described in Article 40 and Article 42 — may use these tools to demonstrate compliance with the GDPR’s security standards.

For additional guidance on security standards, controllers and processors may consider the Recitals, in particular Recitals 49 and 71, which allow for processing of personal data in ways that may otherwise be improper when necessary to ensure network security and reliability.

“Personal data breach” notification standards

Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

“Personal data” is defined in both the Directive and the GDPR as “any information relating to an identified or identifiable natural person (“data subject”).” Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information.

In the event of a personal data breach, data controllers must notify the supervisory authority “competent under Article 55” which is most likely (looking to Article 56(1)) the supervisory authority of the member state where the controller has its main establishment or only establishment, although this is not entirely clear. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Article 33(1) contains a key exception to the supervisory authority notification requirement: Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.

A notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.

If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done “without undue delay.”

The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”; (2) the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or (3) when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.

Assuming the controller has notified the appropriate supervisory authority of a personal data breach, its discretion to notify data subjects is limited by the DPA’s ability, under Article 34(4), to require notification or conversely to determine it is unnecessary under the circumstances.

Harmonization

Data breach notification is possibly most firmly established globally in the U.S. There, “reasonable” security standards are still being defined and nearly every U.S. state has a different breach notification law, which has led to some consternation among privacy professionals. The GDPR’s uniform application across EU member states should at least provide predictability and thus efficiencies to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 member states. Nonetheless, the GDPR’s reference to a “competent supervisory authority” suggests notification may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as “undue delay,” likelihood of risk to rights and freedoms,” and “disproportionate effort” all remain to be further clarified and defined in practice.