
EDITOR'S CHOICE

INS AND OUTS OF CYBER RESILIENCE

The European Union is planning to enhance its cyber resilience with a new EU-wide certification framework. In our pre-Brexit state, what are the 'ins' and 'outs' of this?

It's reassuring to see that the European Union is to enhance its cyber resilience by setting up an EU-wide certification framework for information and communication technology (ICT) products, services and processes. Industry could use the new mechanism to certify products such as connected cars and smart medical devices. The Council of the EU has agreed its general approach on the proposal, known as the Cybersecurity Act. The proposal will also upgrade the current European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity.

Now cynics might say it has nothing to do with us, we're leaving the EU anyway, but nothing is that simple, as the seemingly endless and painful negotiations over the UK's withdrawal testify. Ensuring the UK benefits from the best possible protections around cyber will not end on the day we leave (assuming that still happens!). It seems unlikely that the UK would want to walk away from anything that helps to keep its businesses and citizens safe.

In the meantime, what is the framework really all about? The draft regulation creates a mechanism for setting up European cybersecurity certification schemes for specific ICT processes, products and services. Certificates issued under the schemes will be valid in all EU countries, making it easier for users to gain confidence in the security of these technologies, and for companies to carry out their business across borders. Certification will be voluntary, unless otherwise specified in EU law or member states' law. Features covered would include, for instance, resilience to accidental or malicious data loss or alteration.

There will be three different assurance levels: basic, substantial or high. For the basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves, rather than going through a third-party conformity assessment body.

Ed Williams, director EMEA, SpiderLabs at Trustwave, is one who welcomes any initiative to increase the security and assurance of ICT products. "Given the current climate, this legislation is welcome," he says. "Without question, this is a difficult task. ICT products can be difficult and complex, and ensuring that security is baked in could, initially, be difficult, but is clearly the correct thing to do: secure by design is a must in 2018 and moving forward. I have some reservations around the certification framework; depending on the type of product, certification may be voluntary or mandatory. Personally, I would like to see mandatory security for 'all' products."

On the subject of the three different assurance levels, where basic "provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service," he would prefer all ICT products to have high levels of assurance. "I don't think that's too much to ask for?"

It will be interesting, he adds, to see how consumers take to this. "My hope is that the certification framework is agile, simple and clear, and that having high assurance doesn't come with additional costs (whatever they may be). In 2018, we shouldn't be paying more for secure products; we should be expecting all products to be secure. I, for one, hope that this certification framework is successful in raising what is currently a low bar. Good luck!"

Yes, one suspects that good luck and much more is going to be needed along the way.

06 computing security July/August 2018 @CSMagAndAwards

EDITOR'S CHOICE

BACKUP CONFIDENCE ON THE UP AND UP

In all of the doom and gloom that often dominates the news around security, it is to be welcomed when there are stats surfacing to buck that trend.

New research from business continuity and disaster recovery firm Databarracks has revealed that organisational confidence in IT backup capabilities has risen dramatically over the past decade. In fact, more than 50% of organisations feel 'very confident' in the state of their backup solutions, up from 33% in 2008. It's the kind of positive we need more of, as a counterbalance to the all too many breaches that make the headlines.

First released 10 years ago, the Data Health Check surveys over 400 IT decision-makers on a range of topics relating to IT practices within their business. Notable highlights from this year's survey include:

- Confidence in backup solutions has risen significantly since 2008: an 18 percentage point increase means 51% of participants are now very confident in their backup capabilities.
- This increased confidence is against a backdrop of growing data volumes, with 29% of organisations (up from 12% in 2008) handling over 100TB of data.
- In 2008, 47% of organisations had not encrypted their backup data; this fell to 33% in 2018.
- The average frequency of restores has stayed fairly consistent over the years, and restore testing has become more common: the proportion of organisations 'not testing' restores dropped from 20% in 2008 to 15% in 2018.

Commenting on these highly pertinent findings, Peter Groucutt, managing director of Databarracks, had this to say: "Considering macro trends in IT over the past 10 years - the explosion of data, ever increasing cyber threats, the emergence of cloud and with it the shift to greater mobile and remote working - it's easy to see where strains are being placed on an organisation's backup capabilities and why confidence might be shaken.

"Our findings show this is not the case, which is encouraging to see. More and more firms have a business continuity and disaster recovery plan in place and, importantly, plans are being reviewed and regularly tested, which will breed confidence."

Groucutt also highlights other areas for organisations to address: "Despite more businesses encrypting backup data, a third of organisations not doing this is too high. Whether you're backing up data to physical media like tape or disk, or whether you're transferring data offsite, over the internet, the possibilities for it being intercepted are very real, with serious ramifications for those at fault.

"Considering it from the perspective of GDPR, while not mandating the use of encryption in the regulation itself, it does require an organisation to demonstrate its approach to compliance. If an organisation chooses not to encrypt, then a business would need to demonstrate what alternative methods it uses to safeguard data or face severe penalties."

And he concludes: "We hope the next 12 months sees confidence continue to rise in backup solutions. More regular testing of restores, as well as greater numbers of businesses adopting encryption into their backup strategies, will certainly improve this."