Top sectors affected by cyber threats
Cybersecurity threats in the European Union affect sectors vital to society. According to the latest report of the European Union Agency for Cybersecurity (ENISA), the most affected sectors include:
- public administration and governments
- digital service providers
- general public
- healthcare
When it comes to information security, including the security of personal data, which is the subject of the GDPR, there is a set of technical and organisational measures designed to substantially improve an organisation's cyber security posture, increase its resilience to attacks and thus reduce the risk of security breaches.
The ENISA and CERT-EU recommendations form part of the advice that we, the GDPR Complete team, give in the GDPR consulting services we offer. We always advise operators to pay close attention to policies and procedures covering:
- network access and infrastructure
- hardware and software inventory
- email usage
- staff training
If we look at the ENISA and CERT-EU recommendations in detail, we see that the 13 minimum recommendations touch on exactly the same issues mentioned above.
Given the ever-increasing threat level, ENISA (the EU Agency for Cybersecurity) and CERT-EU (the Computer Emergency Response Team for the EU institutions, bodies and agencies) strongly encourage public institutions and private sector organisations in the EU to apply, as a minimum, the cyber security best practices listed below.
Cyber security best practices
Note that organisations should prioritise their actions according to their specific business needs. The following practices may supplement, but do not replace, guidance issued by your national or governmental cyber security authority. The order in which they are presented does not reflect their importance: all of them matter.
1. Multi-factor authentication (MFA)
Make sure remotely accessible services require multi-factor authentication (MFA).
These include VPN services, externally facing portals (extranets) and email access (e.g. Outlook Web Access or Exchange Online).
Multi-factor authentication (of which two-factor authentication, 2FA, is the most common form) is a method of electronic authentication in which a user of a computer or mobile device is granted access to a website or application only after successfully presenting two or more independent proofs (factors): knowledge (something only the user knows, such as a PIN or password), possession (something only the user has, such as a hardware token, an authenticator app, or a phone that receives a one-time code by SMS) and inherence (something the user is, such as a fingerprint, facial recognition or other biometrics). Not all second factors are equal: codes sent by SMS can be intercepted or redirected through SIM swapping, so app-based one-time codes or, better still, phishing-resistant hardware keys (FIDO2) should be preferred where the service supports them. MFA protects the user's account, and the personal or financial data behind it, from an attacker who has obtained the password alone.
2. Make sure users do not reuse passwords
Encourage users to enable multi-factor authentication (MFA) wherever an application supports it (on social networks, for example).
Attackers often compromise organisations through credential stuffing attacks. These attacks use account names and passwords obtained from previous data breaches, most likely at other organisations.
Credentials leaked from an unrelated service make these attacks possible because users tend to reuse the same username and password across services.
Users are therefore encouraged never to reuse a password. In addition, users are advised to use trusted leak checkers to see whether their personal email addresses appear in any known data breaches, and to immediately change any compromised password on every website or application where it was used.
The easiest way to check whether a particular email address or password has been compromised is to use https://haveibeenpwned.com/. Its Pwned Passwords service can be queried without revealing the password: the client sends only the first five characters of the password's SHA-1 hash and matches the remainder locally.
Some statistics on passwords in 2021:
- 90% of internet users are worried that their passwords will be broken.
- 53% of people rely on their memory to manage passwords.
- 51% of people use the same passwords for both work and personal accounts.
- 57% of people who have already been scammed in phishing attacks have not yet changed their passwords.
- The password “123456” is still used by 23 million account holders.
- 33% of account compromise victims have stopped doing business with the companies and websites that leaked their credentials.
- An analysis of over 15 billion passwords shows that the average password is eight characters or less.
- “Eva” and “Alex” are the most common names in the passwords.
- Abu Dhabi is the most commonly used city name in the world.
- Food and drink appear in only 1.9% of user-generated passwords.
Learn more about GDPR compliance for passwords.
3. Make sure all software is up to date
Updates that address known vulnerabilities should be prioritised. Vulnerability management processes should be organised so that high-severity and critical patches are deployed as quickly as possible.
Ensure that all actions related to patching endpoints and servers have been completed (e.g. rebooting the system).
Don’t forget to encourage your users to do the same for their personal systems/equipment at home as regularly as possible (e.g. computers, smartphones, tablets, connected devices such as TVs, video game consoles, home routers, etc.).
Besides security, the most important benefits of running up-to-date software are a better product, fewer defects (bugs) and improved performance.
One reason to upgrade to the latest version or a new edition is simply that you, as a user, get a better program. Software companies constantly improve their products by adding features and improving functionality and user experience. The barrier is that you get used to the way a particular version works, and it can be hard to move on from something familiar; the different versions of Microsoft Office are a popular example.
It is virtually impossible to release a fully functional product in time for launch, so most software is released and then patched later.
The good news is that developers are always working to fix flaws. To eliminate problems and have a system that works as well as possible, always update to and use the latest version of an application (where this causes no incompatibility).
Old software can consume more computing power than necessary. Software that no longer performs as it used to is a signal that you should upgrade to the latest version, which will be optimised for your current operating system and should work much better. Software that runs in the cloud uses few of your local resources and may therefore run faster still.
And last but not least, to improve security.
The most important reason to update is the elimination of security issues. Attackers find vulnerabilities in programs, often caused by bugs, and exploit them to damage your systems and steal personal data. Outdated software becomes a gateway into your network. Vendors patch these weaknesses once they become known, but the fix only protects you if you install it.
4. Strictly control third-party access to internal networks and systems
This will improve your ability to prevent and detect potential attacks if a third party is compromised and used as a beachhead to break into your network.
Third-party users include contractors, suppliers, resellers and technology partners who need access to internal resources hosting sensitive data, personal data or intellectual property. These resources can be located anywhere: in your own data centre or in public cloud services such as AWS, Azure or GCP. To add further complexity, third-party users may be located around the world, in multiple time zones, and use a variety of unmanaged devices.
Some estimates put the share of security breaches linked to third parties at around 60%, and this share can be expected to grow as more companies adopt digital platforms and operating models that require data sharing with partners and service providers.
Learn more about managing GDPR security breaches in our dedicated article Managing GDPR security breaches.
Access control, that is, precise control over when and how a person can exercise access rights, applies to both internal and external users. It is particularly important for third parties, as they pose the greatest risk: grant them only the rights they need, for only as long as they need them, through individual rather than shared accounts protected by MFA, and log and review what they access.
Access control is an additional layer of security that protects the assets an organisation classifies as high risk, and it is quite possible that a third party needs regular access to exactly those assets.
Find out what rights data subjects have, in addition to the right of access, under the General Data Protection Regulation.