Arendt & Medernach
  April 7, 2021 - Luxembourg

Cyber Protection: Beyond the Obligation of Means

In a recent article published in écho, WSG Member Astrid Wagner, Partner, IP Communication & Technology at Arendt & Medernach, provides insight on the growing risk of damage to information systems in cyber attacks and what cyber protection measures should be taken.

Any company is now connected to the Internet, forced to digitize part or all of its internal processes and its interactions with its customers, investors or suppliers, and must allow its employees, as far as possible, to telework. The result is that the risk of damage to information systems in the context of a cyber attack is only growing.

PROTECT EVERYTHING?

Any company must analyze what types of data it processes and categorize them according to their degree of importance or sensitivity. Then it can deploy the necessary means to protect them as well as possible and to mitigate the associated risks.

Some data deserve increased protection, either because they represent a very important value, or because they fall under an obligation of secrecy or protection.

This is particularly the case for data that are confidential by virtue of the law (medical secrecy, the professional secrecy of the banker, the lawyer, the auditor, etc.) or by virtue of a contractual commitment, for data necessary for the operation of the company, for data that are sensitive because of their impact on the image or reputation of the company, and for data representing a competitive advantage such as customer data, know-how or trade secrets. This is also the case for personal data.

Any type of business must equip itself with the necessary means to ensure the confidentiality, integrity and availability of this data at all times.

AWARENESS

The first step in a process of minimizing risks is awareness of their existence. Awareness should be raised first of all at the level of the management body and the C-level, for the simple reason that they are both ultimately responsible for the risks incurred by the company and the decision-makers in the allocation of budgets.

Budget constraints, a lack of skills and the fragmentation and lack of integration of security solutions are generally identified as major obstacles in securing information. Organizations often struggle to balance their security with their operational and business priorities.

By creating the position of Chief Information Security Officer (CISO), a company has the opportunity to enhance information security. Relying on the ISO/IEC 27000 family of standards can also help ensure the security of sensitive information.

BEYOND PROCEDURES

Internal procedures, including control of access and its limitation to the strict minimum required, must be established and applied. It is not enough to establish them once; they must be applied, tested and updated regularly.

The main cause of data breaches remains human error, as the CNPD points out in its latest activity report, published in 2020. The human factor should therefore be monitored more closely, through systematic and regular awareness-raising and training of staff. This allows a business to convert a threat into a strength.

We can only advise any business to take out cyber insurance. Beyond covering a risk, this type of insurance has other beneficial effects.

Thus, even before signing an insurance contract, the company will have to carry out an analysis of the security maturity of its information systems and an analysis of the related risk. The insurer will do the same. This critical exercise already enables the company to identify what can be implemented to reduce its risks and strengthen its security.

Cyber insurance will also allow the insured to benefit from a panel of specialists in communication, IT and legal matters and from their immediate assistance in the event of a cyber incident.

A MATTER OF PREPARATION

Businesses must be aware that a large-scale cyber attack puts them in an acute crisis and that it is crucial to be able to act without delay to limit the damage.

No company is immune to such a mishap, but upstream preparation and the constitution of a multidisciplinary team made up of specialists in IT, communication and legal matters, who can come together as soon as such an incident occurs, can allow a less chaotic course of action in the immediate aftermath.

Components that may initially appear less important can be prepared in advance: analysis of the notifications or information to be given to the authorities or to the persons concerned, management of communication with customers, actions to be taken against the perpetrator, etc.

ONE MORE OPPORTUNITY?

The cybersecurity measures to be put in place, however, should not only be seen as a burden. On the contrary, they can be an opportunity for the company to stand out positively from its competitors and strengthen the confidence of its customers. Good preparation will help maintain this confidence and minimize operational, financial and reputational damage.


Article originally published in écho, 7.04.21