Top sectors affected by cyber threats

Cybersecurity threats in the European Union affect sectors vital to society. According to the latest report of the European Agency for cyber security (ENISA), the top five most affected sectors are:

  1. public administration and governments
  2. digital service providers
  3. general public
  4. medical field
  5. financial/banking.

When it comes to information security, including the security of personal data, which is the subject of GDPR, there is a set of technical and organisational measures designed to substantially improve an organisation's cyber security posture, to increase resilience to attacks and thus reduce the risk of security breaches.


The ENISA and CERT-EU recommendations are part of the recommendations that we, the GDPR Complete team, make in the GDPR consulting services we offer. We always advise operators to pay close attention to policies and procedures:

  • network access and infrastructure
  • hardware and software inventory
  • backup
  • verbal
  • email usage
  • staff training

If we are to detail the ENISA and CERT-EU recommendations, we see that the 13 minimum recommendations touch on exactly the same issues mentioned above.

Based on the ever-increasing threat level, ENISA (the EU Agency for cyber security) and CERT-EU (Computer Emergency Response Team) strongly encourage both public institutions and public and private sector organisations in the EU to apply, as a minimum, the best practices of cyber security listed below.

Cyber security best practices

Note that organisations should prioritise their actions according to their specific business needs. The following best practices may supplement, but do not replace, guidance issued by you or by your national or governmental authority on cybersecurity. The order in which they are presented does not necessarily represent their importance, as they are all of great importance.

1. Multi-factor authentication (MFA)

Make sure remotely accessible services require multi-factor authentication (MFA).

These include VPN services, externally facing portals (extranets) and email access (e.g. OWA or Exchange Online).

Multi-factor authentication (MFA, which includes two-factor authentication or 2FA) is a method of electronic authentication in which a user of a computer (or mobile device) is granted access to a website or application only after successfully presenting two or more authentication proofs (or factors): knowledge (something that only the customer knows, such as a PIN or a password), possession (something that only the customer owns, for example possession of a device evidenced by a password sent by SMS) and inherence (something the customer is, such as a fingerprint, facial recognition or other biometrics). MFA protects the user from an unknown person trying to access their data, such as personal identification details or financial assets.

2. Make sure users do not reuse passwords

Encourage users to use multi-factor authentication (MFA) whenever it is supported by an app (on social networks, for example).

Hackers often compromise organizations by performing credential stuffing attacks. These attacks use accounts and passwords obtained from previous breaches of possibly personal data (most likely of other operators).

These attacks are possible because users tend to reuse the same username/password: credentials leaked from one service are tried against another, unrelated service.
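From the defender's side, credential stuffing shows up as one source trying many different accounts with a low success rate. The following detection sketch is an added example, not part of the original article; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The line format "<ISO time> <source IP> <user> <OK|FAIL>"
# is an assumption; the IP addresses come from the documentation ranges.
SAMPLE_LOG = """\
2022-03-01T09:00:01 203.0.113.7 alice FAIL
2022-03-01T09:00:03 203.0.113.7 bob FAIL
2022-03-01T09:00:05 203.0.113.7 carol FAIL
2022-03-01T09:00:07 203.0.113.7 dan OK
2022-03-01T09:00:09 203.0.113.7 erin FAIL
2022-03-01T09:00:11 203.0.113.7 frank FAIL
2022-03-01T09:02:00 198.51.100.20 bob FAIL
2022-03-01T09:02:20 198.51.100.20 bob FAIL
2022-03-01T09:02:45 198.51.100.20 bob OK
2022-03-01T09:05:00 192.0.2.44 admin FAIL
2022-03-01T09:05:02 192.0.2.44 admin FAIL
2022-03-01T09:05:04 192.0.2.44 admin FAIL
2022-03-01T09:05:06 192.0.2.44 admin FAIL
2022-03-01T09:05:08 192.0.2.44 admin FAIL
2022-03-01T09:05:10 192.0.2.44 admin FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts with few successes."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _, _) in enumerate(events):
            # Slide the window start forward so it never spans more than `window`.
            while ts - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            ok_ratio = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and ok_ratio <= max_success_ratio:
                peak = max(peak, len(users))
        if peak:
            # Accounts that logged in from a flagged source need a password reset.
            hit = sorted({u for _, u, ok in events if ok})
            alerts[ip] = {"distinct_users": peak, "successful_logins": hit}
    return alerts


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

The user who mistypes a password twice and the source hammering a single account are both left unflagged: the second is a brute-force pattern and needs its own rule.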

Users are therefore encouraged never to reuse a password. In addition, users are advised to use trusted leak checkers to see if their personal email addresses are present in any known data breaches and to immediately change any compromised email addresses or compromised passwords on relevant websites and/or applications.

The easiest way to check if a particular email address or password has been compromised is to use https://haveibeenpwned.com/.
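A password can be checked against the Have I Been Pwned corpus without ever sending it: the Pwned Passwords range API takes only the first five characters of the SHA-1 hash and the match is done locally. The sketch below is an added example, not part of the original article; `constructed_fetch` and its counts are made up so the code runs offline.

```python
import hashlib
import urllib.request

# Endpoint of the Pwned Passwords range API (part of Have I Been Pwned).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines; malformed rows and zero-count padding are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How often the password appears in known breaches (0 = not found).

    Only the 5-character hash prefix is handed to fetch_range; the password
    and the rest of its hash never leave this process.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Live lookup. Add-Padding asks the API to pad responses to hide their size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_fetch(prefix):
    """Offline stand-in for the API. The response and its counts are constructed."""
    known_prefix, known_suffix = sha1_split("123456")
    lines = ["0" * 35 + ":3", "F" * 35 + ":0"]  # decoy row and padding row
    if prefix == known_prefix:
        lines.insert(1, known_suffix + ":42")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("123456", "a long unique passphrase 7431"):
        print(candidate, breach_count(candidate, constructed_fetch))
```

Pass `fetch_range_online` instead of `constructed_fetch` to query the real service.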

Some statistics on passwords in 2021:

  • 90% of internet users are worried that their passwords will be broken.
  • 53% of people rely on their memory to manage passwords.
  • 51% of people use the same passwords for both work and personal accounts.
  • 57% of people who have already been scammed in phishing attacks have not yet changed their passwords.
  • The password “123456” is still used by 23 million account holders.
  • 33% of account compromise victims have stopped doing business with the companies and websites that leaked their credentials.
  • An analysis of over 15 billion passwords shows that the average password is eight characters or less.
  • “Eva” and “Alex” are the most common names in the passwords.
  • Abu Dhabi is the most commonly used city name in the word.
  • Food and drink appear in only 1.9% of user-generated passwords.

Learn more about GDPR compliance for passwords.

3. Make sure all software is up to date

Updates that address known vulnerabilities should be prioritised. Reorganising vulnerability management processes is also necessary and recommended, so that high-severity and critical patches are deployed as quickly as possible.

Ensure that all actions related to patching endpoints and servers have been completed (e.g. rebooting the system).

Don’t forget to encourage your users to do the same for their personal systems/equipment at home as regularly as possible (e.g. computers, smartphones, tablets, connected devices such as TVs, video game consoles, home routers, etc.).

If we look at the most important aspects of using updated software, besides security, they are: better software, software with fewer defects (bugs) and improved performance.

  • Better software.

One of the reasons for upgrading to the latest version or a new edition is simply that you, as a user, benefit from a better program. Software companies are constantly improving their products by adding new features, improving user experience and functionality. Of course, the barrier to this is that you can get used to the way a particular version of a program works. It can be hard to move on from something you’re used to. A popular example is the different versions of Microsoft Office.

  • Fewer defects (bugs)

It is virtually impossible to release a 100% fully functional product in time for launch, so most of the time software will be released and then patched later.

The good news is that developers are always looking to improve and fix the flaws. To eliminate problems and to have a system that works as well as possible, it is important to always update and use the latest version of an application (where there are no incompatibility conflicts).

  • Improving performance

Old software can often consume more computing power than necessary. Software that simply doesn’t work like it used to is a signal that you need to upgrade to the latest version. It will be optimised for your current operating system and should work much better. If it’s in the cloud, much of the software won’t use your internal resources and will therefore run even faster.

  • And last but not least, TO IMPROVE SECURITY

The most important reason for updating is the elimination of security issues. Hackers can find vulnerabilities in certain programs, sometimes caused by bugs, and exploit them to damage your computer system and steal personal data. Older versions of software can become gateways for hackers to access your network. Software vendors are quick to realize these vulnerabilities and will patch weak or exposed areas if you let them.

4. Strictly control third-party access to internal networks and systems.

This will improve your ability to prevent and detect potential attacks if a third party is compromised and used as a beachhead to break into your network.

Third party users can be: contractors, suppliers, resellers and technology partners who need access to internal resources hosting sensitive data, personal data or intellectual property. These internal resources can be located anywhere: in your data centre or from public cloud services such as AWS, Azure or GCP. To add further complexity, third party users can be located around the world, in multiple time zones, with a variety of unmanaged devices.

Estimates indicate that about 60% of cases of security breaches are linked to third parties and we can expect this percentage to grow as more companies adopt digital platforms and new operating models that require data sharing with partners and service providers.

Learn more about managing GDPR security breaches in our dedicated article Managing GDPR security breaches.

Access control, or precision and control over when and how a person can exercise access rights, can apply to both internal and external users. It is particularly important to apply types of third-party access control as they pose the greatest risk.

Access control is an additional layer of security that helps protect those assets that qualify as “high risk” in an organization and it is very possible that a third party may need to regularly access these high risk assets.

Find out what rights data subjects have, in addition to the right of access, under the General Data Protection Regulation.

5. Pay special attention to cloud environments

Before moving your critical data to the cloud, use the strong security controls available on cloud platforms and separate the management of cloud systems from the management of on-premises systems. This is necessary to ensure that threat actors cannot jump from one environment to another due to security discrepancies.

In this regard it is recommended to:

  • Understand the shared responsibility model
  • Ask your cloud provider detailed security questions. Some examples:
    • Where are the provider’s servers located geographically?
    • What is the vendor’s protocol for security incidents?
    • What is the supplier’s disaster recovery plan?
    • What measures has the provider taken to protect the various access components?
    • What level of technical assistance is the supplier willing to provide?
    • What are the results of the supplier’s latest penetration tests?
    • Does the provider encrypt data in transit and at rest?
    • What roles or people within the provider have access to data stored in the cloud?
    • What authentication methods does the provider support?
  • Implement an identity and access management solution
  • Train your staff
  • Establish and enforce cloud security policies
  • Secure your end points
  • Encrypt data in transit and at rest
  • Use intrusion detection and prevention technology
  • Enable security logs

6. Review your data backup strategy and use the so-called 3-2-1 rule approach

For organisations, the rule is to keep three complete copies of their data, with two stored locally, but on different types of media, and at least one copy stored off-site. Your organisation’s backup strategy should be fully aligned with your business needs by setting explicit recovery times and recovery points.

  • Ensure that access to backups is controlled, limited and recorded.
  • Confirm that restoration procedures are well documented and regularly tested.
  • Given the proliferation of ransomware attacks, it is strongly recommended to increase the frequency of backups for critical data. The latest storage technologies facilitate quick backups of almost any data set in minutes.
  • Users should be instructed to save data only to your permitted storage devices or, if applicable, to your company’s cloud storage devices and not to their own workstations.
  • In addition, you should make sure that the backup software itself is up to date. We have detailed above why software updates are needed.

Backup best practices include:

  • Back up regularly: it is recommended to back up data “as frequently as necessary to ensure that if data is lost, it is not unacceptable to the business”.
  • Select the right data to back up: Some of the most common backup files include financial and customer databases, operating systems, registry files and machine images.
  • Automate backups: Manual backups are prone to user error, while automated backups ensure you have the latest versions stored safely.
  • Test your backups: Backups fail and data gets corrupted, making data verification and restore testing essential.
  • Incorporate other tactics: A 3-2-1 backup strategy is just one part of a backup and recovery plan. You might also consider: data encryption and scanning backups for malware.
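The 3-2-1 rule, the recovery point and the restore-testing advice above can be checked mechanically against a backup inventory. This checker is an added example, not part of the original article; the `BackupCopy` fields, the finding codes and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class BackupCopy:
    name: str
    media: str                          # e.g. "disk", "tape", "object-storage"
    offsite: bool
    completed: datetime                 # when the last complete copy finished
    restore_tested: Optional[datetime]  # last successful restore test, if any


def check_321(copies: List[BackupCopy], now: datetime, rpo: timedelta,
              max_test_age: timedelta) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the inventory passes."""
    findings = []
    local = [c for c in copies if not c.offsite]
    if len(copies) < 3:
        findings.append(("COPIES", f"{len(copies)} complete copies, need 3"))
    if len(local) < 2:
        findings.append(("LOCAL", f"{len(local)} local copies, need 2"))
    elif len({c.media for c in local}) < 2:
        findings.append(("MEDIA", f"all local copies are on '{local[0].media}'"))
    if not any(c.offsite for c in copies):
        findings.append(("OFFSITE", "no copy is stored off-site"))
    for c in copies:
        # A copy older than the recovery point cannot meet it after a restore.
        if now - c.completed > rpo:
            findings.append(("RPO", f"{c.name} is older than the recovery point"))
        if c.restore_tested is None:
            findings.append(("RESTORE_TEST", f"{c.name} has never been restore-tested"))
        elif now - c.restore_tested > max_test_age:
            findings.append(("RESTORE_TEST", f"{c.name} restore test is out of date"))
    return findings


def sample_inventory(now: datetime) -> List[BackupCopy]:
    """Constructed inventory: names, media and dates are made up."""
    return [
        BackupCopy("nas-01", "disk", False,
                   now - timedelta(hours=6), now - timedelta(days=20)),
        BackupCopy("usb-rotation", "disk", False,
                   now - timedelta(hours=30), None),
        BackupCopy("cloud-bucket", "object-storage", True,
                   now - timedelta(hours=8), now - timedelta(days=200)),
    ]


if __name__ == "__main__":
    now = datetime(2022, 3, 1, 12, 0)
    for code, detail in check_321(sample_inventory(now), now,
                                  rpo=timedelta(hours=24),
                                  max_test_age=timedelta(days=90)):
        print(code, detail)
```

The sample inventory has three copies and one off-site, yet still fails: both local copies sit on the same media type, one copy is stale, and two have no recent restore test.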

7. Change all default credentials

We are referring here to usernames and passwords. Disable protocols that do not support multiple authentication factors or use weak authentication (e.g. clear text passwords or outdated and vulnerable authentication passwords or encryption protocols).

The handiest example is the production use of the PPTP VPN protocol.

The biggest danger is from Internet-connected devices such as cameras.

Default user IDs and passwords are a serious security issue because they:

  • are found in many commercially used operating systems and databases
  • may have high-level system or database administrator (DBA) privileges
  • are often left unsecured by being kept at their default values
  • mask audit actions, making it difficult to monitor them
  • have passwords that are widely known to many “users”
  • can be easily identified when they are hardcoded
  • can be easily exploited, even by a beginner.

The biggest risk with default passwords is that the information can be easily discovered by almost anyone. This information is available in suppliers’ publications, books, on the internet. This, along with ease of use, is what makes it a serious security issue.

8. Use appropriate segmentation and network restrictions to limit access

Best practices for network segmentation

  • Know who is connecting to your network (and what data they need to do their job). You can’t segment properly if you don’t know exactly who has access to the network or what they need access to in order to do their jobs. Before starting any segmentation project, know what data needs to be accessed and by whom, so that you don’t have to re-architect the segmentation process later.
  • Don’t under- and over-segment. Segmentation projects can be complicated. A good successful segmentation plan has several necessary and separate subsections. Too much can be too complicated. Too few can threaten the security of your system. This is why it is important to know who needs what data. If you don’t have a good idea about your users and what they need, you might end up segmenting too much or too little. This is a common problem and means you may eventually have to step in and change the whole network.
  • Isolate third-party access points. Some of the most publicized breaches in recent history have happened because a hacker used a third party to access a company’s data. More alarmingly, when a third party is involved in a breach, it takes longer to find the breach. For those third parties that need data to provide services, segment by creating isolated access points. This way they have access to what they need and not something else.
  • Make legitimate access to data easier than illegitimate access. When segmenting your network, consider your network architecture. You may be creating a path that requires a third party to pass through multiple firewalls to access the data they are looking for. But what would a hacker do to get to the same data? If there are only two firewalls between a hacker and the data you need to protect, but three or four between your vendors and the same data, it’s time to reorganize your architecture so that illegitimate access is the most difficult path.
  • Audit your network regularly. Regular network audits are essential to protect yourself and ensure that no attacker can sneak from one sub-segment to another. If you don’t regularly monitor your network, you run the risk of missing gaps in your architecture that could be exploited by an attacker. Audits are also important for another reason: when new people or resources have been added to the network, or if your business needs have changed, your old segmentation plan may no longer work effectively. By regularly monitoring your users, needs and network, you can update your architecture so that it continues to work for you and not against you.

9. Conduct regular training

To ensure that IT and system administrators have a solid understanding of your organisation’s security policy and associated procedures. Below are 7 reasons to take such courses:

9.1 To prevent infringements and attacks

Starting with the most obvious, security awareness training helps to prevent security breaches. The exact number of security breaches that security training prevents is difficult to quantify. This might be a step too far for most organisations. But that doesn’t mean we can’t demonstrate the return on investment in security awareness software. It is possible to compare the number of incidents before and after awareness raising activities. The resulting measurements can be used to obtain an indication of ROI.

Security breaches can cost millions of lei, while cyber security training and awareness is relatively cheap.

9.2 To build a culture of security

A culture of security has long been seen as invaluable for information security managers (CISOs). Equally, such a culture of cyber security is seen as difficult to achieve. Creating a security culture means building security values into the fabric of your business. Training that covers situational awareness (why someone might be at risk) plus benefits for work and home life is a good way to get people on board.

9.3 To make defence tactics more robust

Firewalls must be on. Safety warnings must be acknowledged. Software needs to be updated. Few companies or institutions today would dream of operating without technological defences. However, without security awareness training, technological defences cannot reach their potential. Today’s attackers rarely bother trying to attack businesses through technological means alone. Today’s attackers routinely target individuals because they are seen as an easy way into protected networks.

9.4 To give your customers confidence

Consumers are increasingly aware of cyber threats. As customers, they want to feel safe. A business taking steps to improve cyber security will be better able to generate consumer confidence. And a reliable business is one to which customers remain loyal.

This is not an assumption. A recent survey by Arcserve shows that 70% of consumers believe that businesses are not doing enough to ensure cyber security. Nearly 2 in 3 consumers would probably avoid doing business with a company that has suffered a cyber attack in the past year. Clearly, customers are paying attention to security credentials. When you introduce security awareness training, customers hold you more accountable. This can only be a good thing.

9.5 For compliance

To be clear, compliance is not in itself a reason to introduce security awareness training. Those who introduce training just to comply with regulations risk doing the bare minimum. However, more and more regulators are requiring certain industries to implement security awareness training.

“Companies of all sizes need to develop a ‘culture of safety’, from the board of directors down to every employee. […] Cyber security is a shared responsibility, and we are taking a cooperative approach to addressing this threat, working with government, other regulators, nationally and internationally on this important issue.”

CybSafe partner, the Financial Conduct Authority (FCA), on cyber resilience.

Compliance can be a happy by-product of security awareness training. Those who introduce it become safer and, in many industries, meet regulatory requirements.

9.6 To be socially responsible as a business

As WannaCry and NotPetya demonstrated in 2017, cyberattacks can spread with rapid speed. The more networks that are infected, the more other networks become at risk. And the weakness of one network increases the overall threat to others.

The absence of security awareness training in one organisation makes other organisations vulnerable. It’s like leaving the door to your house unlocked, with the keys to the next door inside. Security awareness training is not only beneficial for you. It’s for the benefit of your customers, your suppliers and everyone who is connected to your network.

9.7 To improve employee well-being

It is well documented that happy people are productive people. So it’s worth remembering that safety awareness training doesn’t just keep people safe at work. It also keeps them safe in their personal lives.

For the most part, this special benefit remains unseen. If safety awareness training does what it’s supposed to do, it’s not just a benefit to the employer. It is also a benefit for employees.

10. Create a resilient email security environment by enabling anti-spam filtering

Adding a secure email gateway system configured to automatically follow field-tested policies and playbooks designed to prevent malicious emails from reaching inboxes.

Read more about email usage and GDPR compliance.

11. Organise regular cyber awareness events

In order to educate your users about phishing and the most common phishing techniques (e.g. identifying spoofed/suspicious messages) as well as what the effects of phishing attacks can be.

12. Protect your web assets against denial-of-service attacks.

Using a CDN (Content Delivery Network) will help in thwarting this type of attack because web resources are available in multiple data centers. Alternatively, use a web hosting service provider with denial-of-service protection.

13. Block or limit (direct) internet access for servers or other devices that are rarely rebooted.

Usually these devices can be used by hackers as an entry point into your network.

Conclusions:

You shouldn’t overlook security protocols when working with personal data and sensitive information, especially when others depend on the smooth running of your business or enterprise.

Both ENISA and CERT-EU and we, the GDPR Complete team, remain confident that by applying this set of recommendations in a consistent and systematic manner, EU organisations will be able to substantially improve their cybersecurity and increase their overall resilience to attacks.

Through the GDPR compliance services we offer, both GDPR consulting and Outsourced DPO, we attach great importance to all these cybersecurity policies and procedures to ensure the security of personal data. If you need support in this area, contact us with confidence at contact@gdprcomplet.ro and you will benefit from our validated expertise in national and international projects.

P.S. At the core, we are an IT company ;-)

[Infographic] Cyber security best practices.