The rapid development of technology, its direct impact on the operation of businesses and easier-than-ever access to large amounts of information over the internet have made it necessary to establish rules and practices that enhance the resilience of businesses to cyber risks, preserve the confidentiality, integrity and availability of data, and protect privacy and personal data.
According to NIST (the National Institute of Standards and Technology), the resilience of information systems is defined as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources".
Consequently, the resilience of information systems is directly linked to a company's ability to address operational and information risks successfully, and so to pursue sustainable digital modernisation.
Confidentiality, integrity and availability
Confidentiality, integrity and availability refer to a structured set of rules that form the fundamental principles of information security. They are intended to provide assurance that information and data are accurate, available, and accessible only to persons who hold the appropriate access rights. More specifically, the three principles are explained as follows:
Confidentiality: Confidentiality is one of the key concepts of cybersecurity, which ensures that information is protected from unauthorised disclosure. The protection of confidentiality is an obligation of all members of a business.
Integrity: Integrity is the ability to ensure the accuracy and reliability of data. Integrity refers to all assets of a business.
Availability: The principle of availability includes ensuring that systems, applications and data are available to authorized users when the need arises.
Protection of privacy and personal data
The first major effort to protect personal data was made by Directive 95/46/EC (transposed in Greece as Law 2472/1997), which, among other things, aimed to achieve an equivalent level of protection between member states and to remove obstacles to the free movement of data, while also addressing the risks arising from the processing of personal data.
This Directive was subsequently replaced by Regulation 2016/679, popularly known as the GDPR (General Data Protection Regulation). Regulation 2016/679 was passed on 27 April 2016 and became mandatory from 25 May 2018. Later, on 29 August 2019, the Greek Parliament voted Law 4624/2019, which set out measures for the implementation of Regulation 2016/679 and its incorporation into national legislation.
The transition from the first Directive was mainly aimed at the processing of personal data within the European Union by individuals, businesses or organisations. It designated the key parties to the processing, namely the controller and the data subjects, and in addition set out safeguards such as informing natural persons, appointing data protection officers and implementing appropriate organisational and technical measures.
The General Data Protection Regulation, as in force, concerns almost all businesses, whether they are private or public, as they handle personal data concerning employees, partners, customers or other natural persons. Therefore, all companies/organisations should, in order to meet the requirements of the Regulation, implement specific security measures, such as regular network and infrastructure security audits, implementation of security policies and procedures, training of users on the proper use of information assets and development of risk identification procedures.
Risks can come in many forms, including software attacks, identity theft, sabotage and information blackmail. Since 2019 and the "advent" of the COVID pandemic, there has been a large increase in the risks posed by cyber criminals, with social engineering being the most widespread attack technique. The most common types of attack observed during the pandemic that pose a significant risk to personal or non-personal data are the following:
- Malware: Malware can be designed to create permanent access to a network, spy on a user to obtain their credentials, or steal valuable data.
- Phishing: A phishing attack is the attempt of a malicious user to deceive an unsuspecting victim in order to deliver valuable information, such as passwords, credit card details, etc. Phishing attacks often take the form of an email that pretends to be from a legitimate organization or other trusted entity.
- Leakage of information / Data breach: Leakage of information refers to the disclosure of information to unauthorized users; it is usually the result of interception attacks. A data breach is an incident in which information is stolen or taken from a system without the knowledge or approval of the system owner.
- Identity theft: Identity theft means using an individual's personal identity information, such as a name, credit card number, or other personal information, without the individual's permission, to exploit it in fraudulent activities.
- Ransomware: Ransomware is malware designed to restrict users' access to their files, or to threaten to leak personal data without the consent of the individuals or organizations concerned.
- Cyber espionage: Cyber espionage is a form of cyberattack that targets the theft of classified or sensitive data to gain an illegal advantage over a competing organization.
The Importance of Cybersecurity and Cyber Resilience
Cybersecurity and cyber resilience are inextricably linked. Cybersecurity is about implementing technologies, processes and controls aimed at protecting information systems, networks and data from malicious attacks to ensure the integrity, confidentiality and availability of information. At the same time, cyber resilience allows businesses to ensure their operation, reduce their exposure time to potential threats, reduce the risk and impact of potential threats, and achieve a continuation of their activity.
In order to identify, assess and address the risks arising from its operation, a business must fully understand the source of the threats, assess the reasonable likelihood of those threats occurring, and create reaction scenarios. It must also check for potential vulnerabilities, assess their relevance and criticality, and establish the procedures necessary to address them.
How can businesses achieve the desired cyber resilience?
The desired resilience to cyber risks can be achieved by adopting a cybersecurity framework that protects the functioning of businesses. In particular, companies should integrate into their operation a set of controls and procedures based on risk management.
The core of this framework consists of a set of cybersecurity activities, focusing on identification, protection, detection, response and recovery. The following is a brief description of the key elements of the cybersecurity framework:
Identification: The identification function helps develop an organizational understanding of cybersecurity risk management across systems, individuals, assets, data and capabilities. Examples of the identification function are the identification of physical and software assets to create an asset management program, the identification of cybersecurity policies to define a governance plan, and the determination of the organization's risk management strategy.
Protection: The protection function helps limit the impact of potential cybersecurity incidents. Examples of the protection function are the protection of the confidentiality, integrity and availability of data, the management of technology to ensure the security of systems, and awareness raising and training of staff within the organisation.
Detection: The detection function helps develop and implement appropriate activities to detect cybersecurity incidents, so that early detection leads to a fast reaction. Examples of detection are the detection of anomalies and events and continuous security monitoring.
Response: The response function develops and implements appropriate activities so that the right actions are taken in response to a detected cybersecurity incident.
Recovery: The recovery function develops and implements appropriate activities to maintain resilience plans and to restore any service affected by a cybersecurity incident.
Advantages of cyber resilience
Cyberspace is a rapidly changing environment resulting from the interaction of many factors, including people, software and online services. As a result, security needs are constantly changing and the need for a flexible and adaptable approach to operational risks can bring great benefits to businesses, which could be summarized as follows:
Improving the "security posture": Improving the "security posture" helps businesses focus on the threats that matter and drastically reduces the number of security incidents in information systems. Preventing or drastically reducing risks and avoiding potential violations play an important role in the overall operation of a business and are not just a matter of the technology it leverages.
Regulatory Compliance: The adoption of a cybersecurity framework and the improvement of the resilience of businesses to cyber threats will help businesses achieve a "mature" information environment that complies with the legal provisions relating to the protection of the data they manage. This results in avoiding damages that may result from fines or lawsuits.
Trust and Reputation: The direct impact of technology and the increasing dependence of business operations on cyberspace make potential customers wary of entrusting their data to businesses. A breach could reduce customer confidence and significantly damage a business's reputation. Businesses that create a safe operating environment can develop important relationships of trust with their customers.