Europol's 2015 Internet Organised Crime Threat Assessment (IOCTA) found that cyber crime “is becoming more aggressive and confrontational” and the “number and frequency of [publicly] disclosed data breaches is dramatically increasing”.
Rather than “devising novel attack methods, most cyber-attacks rely on existing, tried and tested exploits, malware code and methodologies such as social engineering, which are re-used and recycled to create new threats.”
“The lack of digital hygiene and security awareness,” it explained, brings “opportunities and gain to the criminal masses.”
As cyber crime demonstrably increases in scale and severity, all European organisations need to recognise that security software alone is not enough to protect them from cyber crime: cyber security technologies are only effective when appropriate processes are in place, and processes are only effective when people are adequately trained to adhere to them.
An effective cyber security posture relies on policies, risk management, tools, training, best practice and technologies to protect the confidentiality, integrity and availability (CIA) of corporate information assets.
Cyber security in Europe
The European Commission’s key cyber security objectives are:
- Increasing cyber security capabilities and cooperation
- Making the EU a strong player in cyber security
- Mainstreaming cyber security in EU policies
The Cyber Security Strategy of the European Union and the European Agenda on Security provide the overall strategic framework for EU cyber security initiatives.
Directive on security of network and information systems
Proposed in February 2013 and enacted in 2016, Directive (EU) 2016/1146 – the NIS Directive – is the main instrument that supports Europe’s cyber security objectives. It aims to achieve a high common level of network and information systems security across the European Union by:
- Improving national cyber security capabilities
- Increasing cooperation between EU member states
- Requiring “operators of essential services and digital service providers” to take appropriate security measures and notify the relevant national authorities of serious incidents
General Data Protection Regulation
The GDPR also has cyber security implications for organisations that process personally identifiable information (PII).
Among other obligations, data processors must notify data controllers of personal data breaches “without undue delay” and data controllers, in turn, must notify the relevant supervisory authority within 72 hours. Processors and controllers will both be liable for damage caused by processing that does not comply with the Regulation.
All organisations that process EU residents’ PII must comply with the Regulation by 25 May 2018 or face penalties of up to €20 million or 4% of annual global turnover, whichever is greater.
Notable data breaches in the EU
German aerospace parts manufacturer FACC’s financial accounting department was targeted by cyber fraud that caused the loss of €50 million.
Poland’s national airline, LOT, suffered an “IT attack” that caused several flights to be grounded. The attack targeted the ground computer systems at Warsaw’s Okecie Airport, forcing ten flights to be cancelled and a further 12 to be delayed.
Parts of the Bundestag’s systems – including the drives of the parliamentary committee investigating allegations of BND (Germany’s foreign intelligence agency) surveillance on behalf of the NSA (the US’s National Security Agency) – were temporarily shut down following a cyber attack.
French television network TV5Monde – which broadcasts to more than 200 countries – suffered an “unprecedented” cyber attack, taking 11 channels off air. Attackers claiming affiliation with Islamic State also hacked into the TV station’s website and Facebook page.
19,000 French websites
Around 19,000 French websites were attacked by “more or less structured” groups, according to France’s cyber defence chief, Adm. Arnaud Coustilliere. Denial-of-service attacks hit a wide range of websites, from military regiments to pizza shops.
German government websites
CyberBerkut, a group of pro-Russian hackers, claimed that it brought down the websites of Germany’s parliament and chancellor Angela Merkel.
German iron plant
Cyber criminals gained access to an iron plant and caused “massive damage to the whole system” when a furnace was unable to shut down properly.
European Central Bank (ECB)
20,000 email addresses, plus phone numbers and postal addresses, were stolen when the ECB’s website was hacked.
ENISA and EC3
EU member states and European institutions are protected by the European Union Agency for Network and Information Security (ENISA). ENISA’s role is to enhance cyber security and to respond to cyber security challenges across the European Union. The agency seeks to develop awareness of information security for the benefit of EU citizens, consumers, businesses and public sector organisations.
Part of Europol – the EU’s law enforcement agency – the European Cybercrime Centre (EC3) was established in 2013 to “strengthen the law enforcement response to cybercrime in the European Union (EU) and to help protect European citizens, businesses and governments.” It focuses on three areas:
- Cyber crimes committed by organised groups, particularly those generating large criminal profits such as online fraud
- Cyber crimes that cause serious harm to the victim, such as online child sexual exploitation
- Cyber crimes (including cyber attacks) affecting critical infrastructure and information systems in the European Union
ISO 27001 and cyber security best practice
ISO 27001, the international cyber security standard, sets out the requirements for a risk-based ISMS (information security management system) that encompasses people, processes and technology. It forms the backbone of every intelligent cyber security risk management strategy.
Implementing ISO 27001 provides companies with assurance and also helps to develop and enhance information security best practice. Benefits of ISO 27001 certification include:
- Winning and retaining business opportunities
- Protecting and enhancing your reputation
- Building trust (internally and externally)
- Demonstrating compliance
- Satisfying audit requirements
- Improving efficiency
- Identifying vulnerabilities
Sensible organisations recognise that it’s impossible to defend against all potential attacks. Effective cyber resilience combines cyber security and business continuity to set out coordinated, integrated plans for rebuffing, responding to and recovering from a wide range of possible attacks and disruptive events.
Cyber resilience is a key principle underpinning ISO 27001, and the wider issue of ICT’s role in business continuity is covered by ISO 27031.
IT Governance specialises in helping organisations with cyber security, cyber governance and cyber compliance.