• Thierry Spanjaard

Cybersecurity in focus

The cybersecurity industry is evolving: after years of actions often taken under pressure, governments, supranational bodies (such as the EU) and private players are entering a structuring phase.


The EU cybersecurity certification framework for ICT products has officially been announced as a policy supported by the EU Commission. The objective of the framework is to provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. The schemes build upon the already defined basic, substantial and high levels of assurance in order to inform customers of the security of each product. Products, services and processes are to be assessed according to their intended use, in terms of the probability and impact of an incident.

The EU cybersecurity certification framework will deliver certificates that will be recognized in all EU Member States. The implementation of this certification framework will be in the hands of the Stakeholder Cybersecurity Certification Group. This group includes up to 50 members from various organizations, including academic institutions, consumer associations, conformity assessment bodies, standards development groups, companies, trade associations and other membership organizations. Among the members, one may name BusinessEurope, Deutsche Telekom, the European Banking Federation, the European Telecommunications Standards Institute (ETSI), Eurosmart, GSMA, Infineon, the International Organization for Standardization (ISO), the International Telecommunication Union (ITU), OVH, Robert Bosch and Thales, among many others.

On the other side of the Atlantic Ocean, the PCI Security Standards Council (PCI SSC) has launched actions with the National Cybersecurity Alliance and issued a joint bulletin on the increasing threat of ransomware attacks. According to PCI SSC, ransomware attacks are estimated to have cost the world US$ 20 billion (EUR 18 billion) in 2021 and to have hit 37% of all businesses and organizations. PCI SSC focuses on ransomware attacks related to payment security, as payment card data is often a preferred target of a cyber-attack. The bulletin insists on preventing ransomware through employee training and system testing. It also focuses on slowing down cybercriminals by maintaining a secure network and applying patches. The final aspect is to detect and respond, through monitoring and maintaining backups of one's systems.


On a local level, the French Agence nationale de la sécurité des systèmes d'information (ANSSI - French National Agency for the Security of Information Systems) states as its mission statement "to foster a coordinated, ambitious, pro-active response to cybersecurity issues in France, to drive raising-awareness actions, as well as to spread French vision and expertise, and European values, abroad."

Besides specifications, the ANSSI regularly publishes documents with an educational purpose. One of the latest is a "cyberattack survival guide," which aims at giving corporations, especially SMEs, the means to respond to cyberattacks. Of course, the #1 recommendation is to anticipate and prevent potential cyberattacks. The ANSSI defines poor cyberhygiene as the use of weak passwords, unprotected Wi-Fi networks, lack of a VPN or failure to update firewalls regularly. During an attack, the ANSSI recommends isolating compromised systems rather than shutting down one's whole network, and trying to identify backdoors that could be used by attackers to regain access to the systems. More broadly, the ANSSI recommends that all enterprises, big and small, forge partnerships with reliable cybersecurity suppliers, and especially that they reinforce endpoint security, update old and obsolete devices, and establish end-to-end security.


The ANSSI also published an update to its "SecNumCloud" reference framework, which aims at setting up security qualifications for cloud suppliers. The recently published release 3.2 introduces protection criteria against extra-European legal systems, an answer to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). The latter has been heavily criticized by several civil rights groups, including the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), Amnesty International and Human Rights Watch (HRW), as it makes it mandatory for US-based companies to provide the stored data of a customer or subscriber held on any server they own and operate when requested by warrant.


Cybersecurity requirements fit our industry exactly. The core expertise of the secure transactions industry revolves around numerous experts able to provide extended cybersecurity measures, products and services to all types of corporations.

Photo credits: Photos by Thomas Bjornstad, by Sigmund, by Bermix Studio, and by FLY:D, all on Unsplash.
