Cyber Security Awareness Month: “Cyber Security by Default”

Cyber Security Awareness Month: "Cyber Security by Default" October 2021 is the European cyber security month! It is an annual campaign dedicated to promoting cybersecurity among EU citizens and organisations. One of the topics this year is "Cyber Security by Default". 

A few years ago, the European General Data Protection Regulation (GDPR) introduced terms such as "Data Protection by Design" and "Data Protection by Default". So, why not also use the concept of "Cyber Security by Default". The concept is introduced to incorporate cybersecurity into every aspect of an organisation.

We, at RealCGR, also believe that cybersecurity should be a priority and not an afterthought. Every month shall be like a "cyber security month" and cybersecurity shall be a year-round effort.
The COVID19-pandemic has imposed another risk. It excelled the trend towards the use of the cyberspace to conduct business. More than ever, employees are working from home: processing personal data, participating in online meetings, processing sensitive information, etc. And often, the employees connect to networks over which the organisation has no control, or use private printers,…

But also, consumers are significantly more present online. During the pandemic, ecommerce has seen a significant boost, not only clothes and holiday gifts, but also groceries and B2B. Consequently, consumers trust their personal data, including like for instance credit card information, to various web shops with little information on how these web shops protect their data.
We believe that cyber security should be embedded at the core of an organisation. Cybersecurity should not be considered a burden or obstacle, but as an opportunity or unique selling point to gain the trust of customers.

Below we have provided some guidance for organisations to enhance their cyber security practices. (https://cyberguide.ccb.belgium.be/en)

1. Plan for cyber security
First, one must understand organisational and its cyber security needs. Are there any laws or regulations such as the GDPR or EU NIS that are applicable to your organisation? What are external and internal factors that can influence normal operations? What measures can be taken to avoid or minimize the impact on operations?

When one has identified these needs, one can define and implement policies and procedures, such as a security policy, mobile device policy, teleworking policy, and other codes of conduct. But policies alone cannot protect! Training and awareness regarding cyber risks remains crucial.
And still, even the most prepared organisation can become the victim of a cybersecurity incident. By creating a business continuity plan, prepares an organisation for many adverse situations (where policies and controls are not sufficient.)

2. Manage risks
The first thing an organisation should do when it comes to managing risks, is the selection of a risk management methodology. This methodology can be very simple or very detailed depending on the size and complexity of an organisation. If sensitive personal data is being processed, risk will be more severe. Therefor a risk assessment should be performed for key resources such as people, premises, ICT components or partners and suppliers.

3. Take security measures
Based on the risks that surfaced in risk assessments, organisations should take appropriate measures to mitigate those risks. These measures can be technical or organisational. Great examples of technical measures are backup and restore procedures, access control and management for employees and, the security of endpoints such as laptops, data carriers or mobile devices that are taken home for teleworking purposes.

4. Evaluate actions
Set out Key Performance Indicators (KPI's) for your cyber security program. These KPI's are not static and should be measured and reviewed regularly. But KPI's are not the only thing that should be reviewed and adapted. As your organisation grows, its key resources are also constantly changing which could open the opportunity for new risks to arise. Therefor the register resources and risks should be reviewed regularly. To assess whether your organisation is prepared, various business continuity exercises can be performed. Based on these exercises one can document all lessons learned and change its plans accordingly.