Beltug

Cyber security: Meeting responsibility towards society through a 360 approach. Takeaways from the X-change of 25 April


Date: 25/04/2019


Fighting off cyber attacks and hacking threats seems to have become an ongoing battle. You obviously need to secure your infrastructure, network and devices; the challenge is how.

In this session, we looked at a few of these aspects, including the issues surrounding mobile devices and how the government can support us in our defence. We also heard from KBC about bringing staff (often your most vulnerable link) on board in the battle. Presentations are available to Beltug members (after log-in).

The mobile security spectrum

Björn Kemps, Director Operations at mobco, first took the floor with a talk about security in the world of mobile devices. In 2018, 25% of the malware discovered was mobile malware, he stated. Yet only 10% of companies have a Mobile Threat Defence solution in place.

He described some different types of mobile malware:

  • Bad networks
  • Bad apps
  • Bad devices
  • Bad messages

When looking at Android and iOS: 3 to 5% of apps on Android can be considered malware, compared to only 0.1% on iOS.

The mobile security spectrum also has different levels, from DIY (do it yourself), UEM (Unified Endpoint Management) and MTD (Mobile Threat Defence), up to MAP (Mobile Active Protection) (slides 11 to 23). This last level, MAP (active protection), aims to actively prevent the user from, for example, hitting a URL.

UEM ensures proper configuration and dictates security settings to protect the device and the corporate infrastructure. MTD validates app behaviour, and MAP monitors network connections, protecting both personal and corporate information. Combining all the levels guarantees an appropriate level of security on mobile devices.

Even so, Björn warned, there might still be leaks or vulnerabilities on the other side, on the O365 tenant for instance. Then your data can be leaked as well, and your mobile device can be compromised.

Ready for conflict – the new EU cyber defence strategy

"I'm from the government and I'm here to help." What a scary phrase, smiled Hans Graux, ICT lawyer at time.lex, as he opened his talk. Yet, he explained, there are valuable attempts by the government and the EU to help companies and citizens. These include the recent European Cybersecurity Act and the new cyber defence strategy, which aims to get the EU more involved operationally and to help more effectively.

Hans started by sharing the reasons we need a better plan (slide 3). Previously, we already had the NIS directive (recently transposed into Belgian law). This directive actually pushes member states and companies to invest more in security. It was a big step in the world of security, and the first EU directive that directly targeted private companies as well.

The new Cybersecurity Package (developed in September 2017) (slide 5) takes all this a step further, aiming to build resilience, deterrence and defence. The Cybersecurity Act is a means to achieve this.

The final text reached consensus in March 2019. Before publication, it must be translated into all EU languages, which will take a few months. The biggest innovations include:

  • the launch of an EU cybersecurity agency
  • an EU certification framework
  • coordinated response

Zooming in on the certification framework, the goal is to enhance security and support the digital single market (slide 7). The certification schemes should define rules, technical requirements, standards and procedures.

For the certification of cloud computing security, the EU is already testing the waters (slide 11 has the timeline).

The CSP certification:

  • doesn’t push private schemes out of the market – so it won’t push ISO away
  • can replace national schemes
  • won’t be mandatory (in principle)
  • but will likely have a strong impact in practice.

Cyber security - a top priority at KBC group

Hilde Van Gils, Information Risk Officer at the KBC Group, took the podium and shared that the financial sector is one of the industries most targeted by hackers. Reason enough for KBC's executive committee to make cybersecurity a top priority.

The CERT group aims to share best practices, awareness and insights with the different entities within the KBC group.

Hilde zoomed in on the joint approach of cybersecurity awareness within the KBC Group:

  • Execution of phishing simulation tests
  • Preparation and creation of Awareness Campaigns
  • Creation of Awareness Products for group-wide use
  • Participation in the ‘Cybersecurity Month’

She gave an overview of the different awareness campaigns and drills that regularly run at KBC Group - video campaigns, gamification, simulations, etc. Taking it even further, the results of, for example, a phishing campaign are part of the score that determines staff bonuses.

Hilde wrapped up with 3 key suggestions:

  • Increase employee awareness through information, tips & tricks, viral infection, etc.
    • Key principles: repetition, mandatory, hands-on, direct impact, verification, segmentation
  • Create funny and attractive awareness products
    • Key principles: gamification, segmentation
  • Secure your responsibility towards society concerning cyber risk awareness. 
    • Share your knowledge and experience with other companies and people where appropriate.