This is the December news and product review from Cyberday and also a summary of the last admin webinar of 2024. Our next admin webinar, where we will go live, will take place in early 2025. You can register for the webinar on our webinars page closer to the date.
Framework recap 2025
NIS2:
The NIS2 Directive will be applicable from October 2024, and country-specific laws are being finalised at a good pace. The main differences between countries are in the designation of sectors and the emphasis on security measures. In many countries the national law has been implemented.
In spring 2024, we published the e-book NIS2 ready with ISO 27001's best practices, where we show how the requirements of the internationally recognised standard go hand in hand with the directive, facilitating compliance. National legislation in many countries also refers to ISO 27001 to ensure adequate implementation.
We are publishing the NIS2 national laws on Cyberday at the moment!
DORA:
The Digital Operational Resilience Act (DORA) applies to financial operators and ICT service providers operating in the EU. It sets uniform requirements for information networks and systems that support financial business processes. We have already written about DORA in more detail on our blog.
Several Regulatory Technical Standards (RTS) updates to DORA will be published during 2024 to help financial institutions adopt the principles of DORA and ensure compliance. Therefore, to operate in accordance with DORA, it is also necessary to comply with the RTS specifications.
The specifications address issues such as risk management, incident classification, supply chain security management, penetration testing, incident reporting, and more detailed implementation of information security for outsourcing. In the digital security model, DORA has already received an update on the classification of incidents, and we will introduce the RTS refinements during 2025.
The supervision of DORA will start from 17 January 2025.
CRA:
The CRA (Cyber Resilience Act) is an EU regulation that ensures the security of all digital products and services. It has a broad scope, covering software and hardware with digital elements (e.g. consumer electronics, IoT devices, operating systems). The CRA ensures that products with digital elements are designed, developed and maintained with security in mind throughout their lifecycle.
The CRA entered into force in December 2024 and its main requirements will apply from December 2027. The CRA is expected to be published in the Digital Security Model during Q1 2025.
EU AI Act:
The EU AI Act entered into force in August 2024, and its enforcement will be phased in during 2025. The AI Act applies to developers and users of AI systems. Although the scope of the AI Act is narrower, it is good for organisations to know where they stand.
The main purpose of the AI Act is to:
- Prohibit unsafe uses of AI (e.g., social scoring and real-time biometric surveillance)
- Categorize all other AI use based on risk
- Provide security requirements for data use, security and communication based on category
EU AI legislation is expected to serve as a global benchmark for AI regulation, balancing technological advances with social and ethical considerations.
The EU AI Act is currently in the research state and is expected to move into development in Q1 2025.
News roundup 12/2024
We must adjust expectations for the CISO role
Organisational Chief Information Security Officers (CISOs) often carry a huge responsibility in their work. CISOs are strategic players and risk managers. However, the CISO's role is not only to ensure that data is protected, but also to maintain the trust of the organisation. It is critical to consider the fear that many CISOs experience: will I lose my job if there is a data breach in the organisation?
Portnox conducted a survey of 200 professionals in CISO roles, particularly in large organisations. The figures speak for themselves in terms of job challenges and fears, with 99% of respondents concerned about job survival after a data breach, including 77% who are very concerned.
What can be done to improve the situation? Organisations should understand the current state of information security, and devote resources to building and nurturing a proactive information security environment and shared responsibility.
Information security is a team effort - let's make it one.
Cyber-unsafe employees are a problem - still
Now let's see what CyberArk's survey of staff security practices reveals. The survey of 14,000 employees across a range of sectors shows that security practices have not improved much. Key figures from the survey include:
- 80% of respondents access work applications from personal devices
- 40% download customer data to local devices
- 49% reuse the same passwords
- 65% bypass security policies for ease of use
- 36% use the same credentials on personal apps as on work apps
The survey results highlight the need for security awareness and training for staff. How does your organisation maintain staff security skills?
Ransom gang claims attack on NHS Alder Hey Children's Hospital
Ransomware cybercrime gangs have recently plagued the UK healthcare industry. The UK's NHS (National Health Service) has been much in the news, as many of its systems have been the target of multiple attacks, reportedly by several different criminal gangs. Among the latest targets is the well-known Alder Hey Children's Hospital in Liverpool. The attack on the children's hospital has been claimed by the same ransom group that has been behind many attacks on NHS hospitals in the past.
At many sites, the attack has affected the availability of systems, resulting in cancelled appointments and staff having to resort to pen and paper. Despite the data breach, Alder Hey's services are unaffected and there is no disruption to scheduled appointments or procedures. However, sensitive data was stolen in the data breach. In the case of Alder Hey, the leaked data includes patient and donor information, reports, and documents. The hospital confirmed that it is investigating the data breach and is working with the National Crime Agency (NCA) and other partners to assess the impact and secure its systems.
Romania Cancels Presidential Election Results After Alleged Russian Meddling on TikTok
In December, Romania, the sixth largest country in Europe, decided to annul the results of the first round of the presidential election. The annulment came after campaigns promoting the right-wing candidate Georgescu started to circulate on TikTok, with Russia suspected of being involved. The investigation found, for example, large undeclared donations and 25 000 social media accounts activated in a short period of time to support Georgescu's election campaign, coordinated through a separate contact channel. It is not yet clear whether Georgescu himself played a role in the campaign.
The annulment statements highlighted how the election result did not match the polls, with a relatively little-known far-right candidate coming out on top. Candidates who did well in the election are naturally unhappy with the decision, with some commenting that the annulment was anti-democratic. The second round of presidential elections was due to take place in December 2024, but the Romanian government has decided to postpone the presidential elections to a later date, presumably spring 2025.
The case highlights in particular the growing challenges faced by democracies due to external interference through digital platforms, and underlines the urgent need to strengthen social media controls and modernise political regulations to protect the integrity of elections.
Most important themes in Cyberday development
Vendor security assessments
The feature allows you to first classify your partners into different categories and identify which ones need a security assessment. You can then send assessments based on the selected requirements framework. Learn more about the feature in our Academy.
We've also released the first improvements to security assessments, including review of assessment responses, request resubmission, and the ability to delete redundant assessments.
Task descriptions distributed from the "corporate main account"
With the help of our team, the account can be linked to a group-level feature that allows different organisations within a large group to use separate Cyberday accounts. However, at the corporate level, there may sometimes be a need for additional requirements for certain tasks and sometimes a need to provide a corporate implementation for some tasks.
One of the accounts can be defined as a "main corporate account", where the main users can decide to distribute the desired task descriptions to the sub-accounts. The sub-accounts receive the distributed descriptions immediately, but otherwise they have to manage their own task version in the normal way, including writing their own "account-specific specifications" in the process description.
Improvements to the "Your accounts" page
This feature is especially created for consultants servicing multiple accounts or large corporations with several companies/accounts under their control and with the same key people. The Your Accounts page now displays more relevant information. If you have access to multiple Cyberday accounts, you can access them via the "Change Account" button in the left menu.
Upcoming developments
Use of public API: We aim to publish better descriptions of the public APIs available on Cyberday soon. These will allow organisations to build their own integrations between other services and Cyberday.
Cyberday Trust center reporting portal: You can easily create a credible-looking web page for security reporting. You can select the reports you want to share (e.g. organisational security policy, compliance reports or sub-area specific security policies) and other "control information" is also brought to the page. The reports and the whole portal can be either freely accessible or behind a lightweight authentication.
Clearer improvement recommendations from Cyberday: We are currently testing a new view of the desktop that will give, in prioritised order, up to the next 10 recommended improvements to either the compliance value or its evidence. These will always help the user to understand what should be done next.
In addition, we are currently exploring AI-assisted security survey response generation using content from your management system. 🔍
Recently published and upcoming frameworks
New frameworks: TISAX; NIS2 national legislation: Kyberturvallisuuslaki (Finland), Cyberfundamentals (Belgium), NSM ICT Security Principles (Norway)
Upcoming frameworks: DORA RTS, CIS18, CRA, NIS2 national laws
Check the available and upcoming frameworks in the Cyberday app or on the Frameworks website.