European Union Agency for Network and Information Security

Ninth ENISA-EC3 Workshop on CSIRTs-LE Cooperation: standing shoulder-to-shoulder to counter cybercrime

Tue, 09/22/2020 - 09:30

The CSIRTs and LE communities from the EU and EFTA countries, together with representatives from the EU Institutions and Bodies and the Council of Europe, met to discuss ways to effectively cooperate for the purpose of countering cybercrime. The favourable conditions for cybercrime caused by the COVID-19 pandemic have only rendered this meeting even more important. Keeping all stakeholders involved, as stressed by ENISA, has been overwhelmingly accepted in this year’s event, organised by invitation only. As a result of the COVID-19 situation, the CSIRT and LE communities had to coordinate their reactions and respond to the attacks targeting, for instance, the health sector already facing a critical situation because of the pandemic.

During the workshop, the participants also had the opportunity to share success stories and bring forward national examples of cooperation and crisis management, as well as initiatives from EU Institutions and bodies. Experts discussed relevant EU policy developments, cooperation frameworks and response mechanisms against cyber threats.

Key Takeaways

Key takeaways of the workshop were that trust is the cornerstone of the CSIRTs and LE cooperation and that the judiciary needs to be involved at an early stage of a response to an attack. The event also highlighted that it is essential to have the legal and policy framework and the necessary tools and procedures in place. Finally, crises offer a unique opportunity to test CSIRTs and LE cooperation and identify gaps.

The 2020 ENISA report on CSIRTs and LE cooperation, expected to be finalised by end of 2020, will be published in the publication section of the ENISA website.

Further Information

For questions related to CSIRTs and LE cooperation, please contact: CSIRT-LE-cooperation@enisa.europa.eu

 

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS

Leadership from ENISA and FORTH further talks on Cybersecurity Collaboration

Thu, 09/10/2020 - 08:00

On 2 September 2020, an executive delegation from the European Union Agency for Cybersecurity (ENISA) toured the premises of the Foundation for Research and Technology – Hellas (FORTH) in Heraklion, Crete to advance research collaboration in cybersecurity.

EU Agency for Cybersecurity Executive Director Juhan Lepassaar met with FORTH President Prof. Nektarios Tavernarakis and FORTH’s directors to further discuss cooperation and other actions such as the co-organisation of workshops and the annual NIS Summer School.

Mr. Lepassaar toured the foundation’s facilities and was briefed on the activities of the Institute of Computer Science, in particular on the Institute’s work on System and Network Security, and Internet Security. He also visited the Precision Medicine & Genomics Unit, the Ancient DNA infrastructures, the Attosecond Laboratory and the Ambient Intelligence Infrastructures. FORTH’s directors and researchers also shared updates on their work in the field of coastal and marine research, as well as the study and treatment of phenomena and problems due to climate change.

EU Agency for Cybersecurity Executive Director, Mr. Juhan Lepassaar said: “At the Agency, we are committed to advancing high-quality cybersecurity knowledge and competencies to meet today’s ever-growing demand. The state-of-the-art facilities of FORTH, and their innovative R&D, have made them a key strategic partner. Through events, such as the NIS Summer School, and collaboration on research projects, we will be able to boost awareness and education on cybersecurity more effectively. It is a pleasure to be here today to meet with FORTH leadership and strengthen our cooperation.”

FORTH President Prof. Nektarios Tavernarakis stated: "The multi-annual and highly fruitful cooperation between FORTH and ENISA, contributes significantly to the strengthening of cybersecurity, at national and European level. FORTH supports and encourages close cooperation between ENISA and the Foundation's Research Groups, as the interdisciplinary nature of the Network and Information Security sector relates to the priorities of many FORTH Institutes. The significant expertise of the two organisations in technologies that fuel the 4th industrial revolution, such as those of Ambient Intelligence, Big Data Management and Analysis, Internet Security, Privacy, Blockchain and the Internet of Things, will continue to lead to the development of research and educational actions, with the goal of benefiting society."

Background

In order to enhance the cooperation between ENISA and FORTH, a Memorandum of Understanding (MoU) was signed by both parties on 24 September 2018. The Agency and FORTH jointly organise the annual ENISA-FORTH Network and Information Security (NIS) Summer School. The 7th annual event is scheduled for 24-28 May 2020 in Heraklion, Crete.

These actions strengthen the excellent cooperation between the two organisations, which started with the establishment of ENISA in Heraklion in 2004.

Further Information

FORTH

NIS Summer School

For questions related to the press and interviews, please contact press (at) enisa.europa.eu

 

 


European Cybersecurity Month: How to Get Involved

Tue, 09/01/2020 - 11:00

The highly anticipated European Cybersecurity Month (ECSM), the EU’s annual campaign in October promoting cybersecurity among citizens and organisations, has opened its doors for people to get involved. The majority of this year’s activities – from conferences and trainings to presentations and knowledge games – have moved online due to the COVID-19 pandemic. Each year, hundreds of activities take place across Europe for the entire month of October to advance online security.

Get Involved

ECSM is an open platform allowing people to join the programme as local event producers. All interested parties can submit their event proposals by visiting the ECSM website (click ‘become an organiser’). Accepted proposals will be listed as ECSM activities on the website’s interactive map of Europe for public access and registration.

The website acts as a ‘hub’ of cybersecurity information. Each participating EU Member State has a dedicated webpage with updated information in the local language. Users can find tips and advice in 23 languages, awareness raising materials, online quizzes, links to events and more. People can also share their ideas and opinions by joining the cybersecurity awareness campaign on Twitter @CyberSecMonth with #CyberSecMonth and #ThinkB4UClick.

Cybersecurity Is A Shared Responsibility

Each year, ECSM organisers bring together people from across Europe to join forces under the slogan ‘Cybersecurity is a Shared Responsibility’ to unite against cyber threats. The ECSM campaign is coordinated by the European Union Agency for Cybersecurity (ENISA) and the European Commission, and supported by the EU Member States and more than 300 partners (governments, universities, think tanks, NGOs, professional associations, private sector businesses) from Europe, and beyond.

EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “European Cybersecurity Month is one of the EU’s most important campaigns that engages people across our region, and beyond, to better understand cybersecurity and adopt good cyber practices. Boosting knowledge about cybersecurity is not only key to building trust among EU citizens, but it is our shared responsibility.”

ECSM 2020

The outbreak of COVID-19 has brought an immediate change in the way people conduct their daily lives. People have become more reliant on the Internet for communication, education, purchases, business and more. This digitalisation of everyday life brings with it a rise in cyber crime. In this increasingly connected world, there is a need for people to be aware of security risks and have the up-to-date tools to mitigate them. This year’s ECSM campaign has been designed to address these issues.  

Under the motto, ‘Think Before You Click’, ECSM 2020’s programme includes two themes to help people identify and be prepared for cyber threats. The first theme, ‘Digital Skills’, will provide participants with information on e-privacy matters such as personal data protection, cyber bullying and cyber stalking. The second theme, ‘Cyber Scams’, will provide participants with insights into current and potential cyber threats such as phishing, business email compromise and online shopping fraud.

Background

The European Cybersecurity Month first launched in 2012. The campaign is now part of the actions designed to implement the provisions of the EU Cybersecurity Act on awareness raising and education. The Act mandates the EU Agency for Cybersecurity to organise regular outreach campaigns in cooperation with Member States, and EU Institutions, bodies, offices and other agencies. The ECSM is one of the areas in which the Agency assists Member States in their efforts to raise cybersecurity awareness and promote cybersecurity education across the Union.

Further Information:

ECSM website

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

OTT Security & Resilience: ENISA Launches a New Survey

Wed, 07/29/2020 - 10:00

This month, the European Union Agency for Cybersecurity, ENISA, has launched a new survey about the security and resilience of Over-The-Top (OTT) communications and collaboration services. The study aims to identify the current risks, mitigation measures and COVID-19 factors affecting OTT services across the European Union. The survey is addressed to industry experts and will remain open until the 14th of August 2020 at 12:00 CET.

The survey is part of a larger ENISA project examining the importance of OTT services under normal and extraordinary circumstances. The feedback from this survey will help the Agency determine key measures and good practices for the provision of secure and resilient OTT services.

To participate in the Public Consultation, please visit: the OTT Security & Resilience Survey.

About OTT Services

As the COVID-19 pandemic has put a strain on the resilience and continuity of public electronic networks and services, OTT communications services and online collaboration tools have become even more critical for businesses to stay up and running.

The survey only deals with OTT communications services and collaboration services. OTT electronic communications services facilitate real-time interpersonal communication between two or more people via voice, video or messaging – including the sharing of media such as photos or videos. Collaboration services facilitate interpersonal and interactive communication in business/organisational settings with functionalities such as video conferencing, direct file sharing and group collaboration tools.

Further Information

The OTT Security & Resilience Survey

More information on the ENISA work on OTT is available on:

the ENISA’s Article 13a Expert Group portal,

under the ,

and on the ENISA Report on the Security Supervision Under the EECC.

For questions related to the press and interviews, please contact press (at) enisa.europa.eu

 


Report on the EU 5G Toolbox Implementation by Member States Published

Fri, 07/24/2020 - 14:00

Today, EU Member States, with the support of the European Commission and the European Union Agency for Cybersecurity, ENISA, published a report on the progress made in implementing the joint EU toolbox of mitigating measures for identified 5G risks, which was agreed by the Member States and endorsed by a Commission Communication in January 2020. The toolbox sets out a joint approach based on an objective assessment of identified risks and proportionate mitigating measures to address security risks related to the rollout of 5G, the fifth-generation of mobile networks.

The Agency has actively supported the Commission and the Member States in preparation of this implementation report and is working on various supporting actions defined in the toolbox that will enable and assist implementation of relevant strategic and technical measures.

Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity, said: "The toolbox sets the foundation for a coordinated EU approach towards 5G security based on a risk management approach. All Member States have made progress in implementing the necessary measures. Also, it is acknowledged by all that the job is not finished and we are reinforcing the measures as we go along. The EU Agency for Cybersecurity is committed to assist in this. We also update the 5G threat landscape and stand ready to develop an EU 5G cybersecurity certification scheme should it be requested."

While work is still ongoing in many Member States, the report notes that all Member States have launched a process to review and strengthen security measures applicable to 5G networks, demonstrating their commitment to the coordinated approach defined at the EU level. For each of the toolbox measures, the report reviews progress made since the toolbox adoption, showing what has already been done and identifying areas where measures have not been implemented so far.

Ensuring resilience of 5G networks is essential to our society, since this technology is expected not only to have an impact on digital communications, but also on critical sectors such as energy, transport, banking and health, as well as on industrial control systems. 5G networks will be carrying sensitive information and will be supporting safety systems that will come to rely on them. Market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security – yet, collective work and coordinated implementation of appropriate measures is fundamental to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

The toolbox implementation is the result of collective work and of the strong determination by all Member States, together with the Commission and the EU Agency for Cybersecurity, to cooperate and respond to the security challenges of 5G networks and to assure the continued openness of the digital single market. In the toolbox, Member States agreed to strengthen security requirements through a possible set of recommended measures, in particular to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk (including necessary exclusions for key assets considered as critical and sensitive, such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

Main insights of the report on the EU 5G toolbox

Today’s report analyses the progress made in implementing the toolbox measures at the national level, coming to a set of conclusions.

  • Good progress has already been made for some of the toolbox measures, namely in the following areas:
    • The powers of national regulatory authorities to regulate 5G security have been or are in the process of being reinforced in a large majority of Member States, including powers to regulate the procurement of network equipment and services by operators.
    • Measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few Member States and at an advanced stage of preparation in many others. The report calls on other Member States to further advance and complete this process in the coming months. With regards to the precise scope of these restrictions, the report highlights the importance to look at the network as a whole and address core network elements as well as other critical and highly sensitive elements, including management functions and the radio access network, and of imposing restrictions also on other key assets, such as defined geographical areas, government or other critical entities. For those operators having already contracted with high risk vendors, transition periods should be put in place. 
    • Network security and resilience requirements for mobile operators are being reviewed in a majority of Member States. This report underlines the importance to ensure that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.
  • Furthermore, some measures are at a less advanced stage of implementation. In particular, the report calls for:
    • Progress is urgently needed to mitigate the risk of dependency on high-risk suppliers, also with a view to reducing dependencies at the Union level. This should be based on a thorough inventory of the networks’ supply chains and implies monitoring the evolution of the situation.
    • Challenges have been identified in designing and imposing appropriate multi-vendor strategies for individual mobile network operators (MNOs) or at the national level due to technical or operational difficulties (e.g. lack of interoperability, size of the country).
    • Steps to be taken in the context of screening of Foreign Direct Investments (FDI), to introduce national FDI screening mechanism without delay in 13 Member States where it is not yet in place, including in view of the approaching application of the EU investment screening framework as of October 2020. These screening mechanisms should be applied to investment developments potentially affecting the 5G value chain, taking into account the objectives of the toolbox.

Going forward the report also recommends that Member State authorities:

  • Exchange more information about the challenges, best practices and solutions for implementing the toolbox measures;
  • continue monitoring and evaluating the implementation of the toolbox;
  • and, continue working with the Commission to implement EU-level actions listed in the toolbox, including in the area of standardisation and certification, trade defence instruments and competition rules to avoid distortions in the 5G supply market. Also, investing in EU capacities in 5G and post-5G technologies, and ensuring 5G projects supported with public funding take into account cybersecurity risks.

Next Steps

The Commission will continue to work with Member States and the EU Agency for Cybersecurity within the framework of the NIS Cooperation Group, to monitor the implementation of the toolbox and to ensure its effective and consistent application. The Group will also promote the alignment of national approaches through further exchanges of experiences and by working with the Body of European Regulators for Electronic Communications (BEREC). As part of the implementation of the Commission Recommendation adopted last year, by 1 October 2020, Member States, in cooperation with the Commission, should assess the effects of the Recommendation and determine whether there is a need for further action. This assessment should take into account the outcome of the EU coordinated risk assessment that was published in October 2019, as well as of the effectiveness of the toolbox measures.

Background

In March 2019, following a call by the European Council for a concerted approach to the security of 5G, the Commission adopted a Recommendation on Cybersecurity of 5G networks. It called on Member States to complete national risk assessments, to review national measures and to work together at the EU level on a coordinated risk assessment and a common toolbox of mitigating measures.

Based on the Member States’ national risk assessment, the Report on the EU coordinated risk assessment of the cybersecurity of 5G networks, presented in October 2019, identified the main threats and threat actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks.

To complement this report and as a further input for the toolbox, the European Union Agency for Cybersecurity carried out a dedicated threat landscape mapping, consisting of a detailed analysis of certain technical aspects, in particular the identification of network assets and of threats affecting these.

In January 2020, the Member States, acting through the NIS Cooperation Group, adopted the EU Toolbox of risk mitigating measures. The Commission adopted a Communication, on that same day, in which it endorsed the toolbox underlining the importance of its effective and quick implementation, and called on Member States to prepare a report on its implementation by 30 June 2020, which was therefore published today.  

Further Information

Progress report on the implementation of the joint EU toolbox

Commission Communication on Secure 5G Deployment in the EU

EU Toolbox on 5G Cybersecurity

Questions and Answers on the EU toolbox

NIS Cooperation Group website

Press Contact

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


Survey to Explore the Preparedness of EU SMEs for Cybersecurity Challenges

Wed, 07/22/2020 - 08:00

Today, the European Union Agency for Cybersecurity, ENISA, is launching a two-month-long public survey for EU small and medium-sized enterprises (SMEs) to share their feedback on their state of digital security and preparedness for crises such as COVID-19. The survey asks respondents to identify their main cybersecurity challenges and their level of preparedness to cope with the most common threats. The survey is addressed to individual owners and employees of EU SMEs, as well as to SME associations at both the Member State and EU levels. The survey is open until the 15th of September at 12:00 CET.

Findings will be published later this year in the form of a good practice guide. This will provide advice that will focus on how businesses can successfully overcome digital challenges in a crisis such as the COVID-19 pandemic and how they can better prepare themselves for similar crises in the future.

To participate in the Public Consultation, please visit: Survey on cybersecurity challenges for SMEs.

According to the European Commission, SMEs, defined as having less than 250 employees and up to EUR 50 million in turnover, make up 99% of all businesses in the EU (see the official SME definition). Clearly, an important driver for innovation and growth across the Union, SMEs are a priority focus for the economic policies of EU governments.

This year, the European Union Agency for Cybersecurity is working to increase the resilience of EU SMEs in the face of crises such as COVID-19.

Within this scope, the Agency plans to analyse the ability of EU SMEs to cope with cybersecurity issues in different crises and to provide recommendations on good practices. Cybersecurity topics such as how to handle phishing campaigns or how to mitigate ransomware attacks will be included in the recommendations in this forthcoming work.

Further Information

ENISA’s work related to national cybersecurity strategies (NCSSs) is available on our dedicated topic - National Cybersecurity Strategies

For any general related questions, please contact .

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


Annual Report on Trust Services Security Incidents in 2019

Fri, 07/10/2020 - 08:00

For the year 2019, 27 EU countries and 2 EFTA countries reported 32 security incidents that had a significant impact on trust services in the EU. The 2019 Annual Report published today gives an aggregated overview of these security breaches showing root causes, statistics and trends. This report marks the fourth round of security incident reporting for the EU’s trust services sector.

According to the EU regulation on Electronic Identification and Trust Services (eIDAS), trust service providers must notify security breaches to their national supervisory body. The national supervisory bodies send annual summary reports about these breaches to ENISA and to the European Commission. ENISA aggregates this information in its Annual Reports.

Key takeaways from the 2019 incident report:

  • A significant increase in notified incidents: with an increase of nearly 80% in terms of reported incidents compared to the previous year.
  • System failures as the dominant root cause: they account for more than 60% of the incidents and remain the dominant root cause over the past four years of incident reporting.
  • Most reported incidents concerned qualified trust services: more than three quarters of total incidents (78 %) had an impact on qualified trust services.
  • Most of the incidents were minor: most incidents were minor, but a third of the incidents (31%) were rated as having a large impact. Unlike the previous two years, in 2019 there were no reports about incidents with impact rated as disastrous.

[Figure: Root cause categories. Trust services incidents in the EU]

General observations:

  • Supervision of, and incident reporting by, non-qualified services: statistics of the reported incidents suggest there is under-reporting of security breaches with non-qualified trust services.
  • Reporting about vulnerabilities and attacks-in-the-wild: there is a clear need to exchange information not only about actual incidents with impact at a TSP’s trust service, but also about attacks and vulnerabilities.

To access the report, please visit: Trust Services Security Incidents 2019 Annual Analysis Report

ENISA and the eIDAS regulation

The Agency will continue to support the national supervisory bodies to implement the breach reporting under the Article 19 of the eIDAS regulation, and will work towards making this process efficient, effective and yielding statistics. Such data are useful for the supervising bodies, for the authorities of other sectors, as well as for the trust service providers and the organisations relying on these trust services. 

In this direction, ENISA has recently released a new Visual Tool - CIRAS designed to increase transparency about cybersecurity incidents. The online visual tool, accessible to the public, gives now access to 4 years of trust services incident reports and to 8 years of telecom security incidents, aggregating as many as 1100 cybersecurity incidents. The new visual tool also allows for analysis of multiannual trends. 

Background information

Electronic trust services include a range of electronic services around digital signatures, digital certificates, electronic seals, timestamps, etc. used to secure electronic, online, transactions.

The eIDAS regulation is the EU-wide legal framework meant to ensure the interoperability and security of the electronic trust services across the EU. One of the goals of the eIDAS is to ensure electronic transactions can have the same legal validity as traditional paper-based transactions, to create a framework in which a digital signature has the same value as a hand-written signature.

This regulation is important for the European digital market because it allows businesses and citizens to work and use digital services across the EU. Adopted in July 2014, the eIDAS regulation came into force in 2016.

Security is an important pillar of the overall framework. Article 19 of the eIDAS regulation requires trust service providers in the EU to assess risks, take appropriate security measures, and mitigate security breaches. They notify breaches to the national supervisory bodies who, in turn, send annual summary reports about the notified breaches to ENISA and the Commission. ENISA publishes aggregated data on a yearly basis.

Security and trust are crucial factors in making eIDAS a success. ENISA supports the European Commission and the EU Member States with implementing the security requirements of the eIDAS regulation and supports collaboration and exchange of information between national supervisory bodies in Europe about the security of trust services.

Further information

ENISA website - Incident Reporting Topic

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


European Cybersecurity Skills Framework: call for participation in the new Ad Hoc Working Group

Wed, 07/08/2020 - 11:00

The cybersecurity workforce shortage and skills gap is a major concern for both economic development and security, especially in the rapid digitisation of the global economy.

The European Cybersecurity Skills Framework project aims to:

  • promote harmonization in the ecosystem of cybersecurity education, training, and workforce development;
  • help in the development of a common European language in the cybersecurity skills context, to reduce the skills shortage;
  • support the digital transformation, by defining the skills needed to fulfil cybersecurity related positions;
  • support the design of cybersecurity related training programmes for skills and career development in order to address the cybersecurity skills shortage.

In response to the European Skills Agenda, ENISA will create an Ad Hoc Working Group on the European Cybersecurity Skills Framework to support the development of a Cybersecurity Education and Skills Framework. The ad hoc working group will follow the Pact for Skills engagement and governance model in order to have input from a number of relevant stakeholders and assess the challenges in the development of the European Cybersecurity Skills Framework from different perspectives (e.g. academic and industrial perspective). Thus, this call for collective action is also a collaboration opportunity for individuals to help advance the EU skills ecosystem.

The ad-hoc working group is expected to:

  • advise ENISA on defining the criteria for a European Cybersecurity Skills Framework;
  • support the analysis of other existing initiative cybersecurity related frameworks with respect to the defined criteria;
  • assist in identifying gaps in already developed European Cybersecurity Skills Framework;
  • assist in conducting a SWOT analysis for a European Cybersecurity Skills Framework;
  • review of related ENISA deliverables;
  • assist in the preparation of the European Skills Framework.

When assessing the applications, ENISA will take into account the following criteria:

  • relevant competence (e.g. technical, legal, organisational or a combination thereof) and experience in the area of cybersecurity skills;
  • ability to deliver technical advice, including that of scientific or technical nature, on issues relevant to cybersecurity skills categorization, including in the above-mentioned areas of relevance for this purpose;
  • good knowledge of English allowing active participation in the discussions.

How to apply:

  • information about the ENISA Ad Hoc Working Group on the European Cybersecurity Skills Framework, terms of reference, privacy statement and application form is available on the dedicated page: Ad Hoc Working Group on Cybersecurity Skills Framework;
  • applicants will be assessed according to criteria included in the call; members shall be appointed by the Executive Director of ENISA;
  • duly completed applications must be submitted by 18h00 EEST (Athens time) on 10th of August 2020.

Further Information

ENISA website page - Ad Hoc Working Group on the European Cybersecurity Skills Framework

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


25th Meeting of the Cybersecurity Working Group of the European Banking Federation

Fri, 07/03/2020 - 11:00

The meeting has been an opportunity for professionals from banking institutions to share good practices and lessons learned about cybersecurity challenges, threats, and incidents faced over the past year. The group also discussed new and emerging policy developments in the sector as well as current and future technological challenges.

The European Union Agency for Law Enforcement Cooperation (EUROPOL) provided insights on threat intelligence in the financial sector.

The American Bankers Association (ABA) gave a presentation to reflect on the importance of the Sheltered Harbor initiative.

Besides, the European Banking Federation supports ENISA by playing an active role as member of the European Stakeholders Cybersecurity Certification Group.

This year ENISA has been supporting the financial community with the mapping of stakeholders and EU initiatives in relation to cybersecurity. Previous initiatives of ENISA in the industry include the Payment Service Directive 2 (PSD 2) implementation interactive map, Blockchain cybersecurity as well as support in the information sharing community through the European Information Sharing and Analysis Centre FI-ISAC.

Further Information

If you would like to contribute to the stakeholder mapping go to the Finance Stakeholders 2020 - Survey.

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


ENISA Launches Public Consultation for First Candidate Cybersecurity Certification Scheme

Thu, 07/02/2020 - 10:30

Today, the European Union Agency for Cybersecurity, ENISA, is launching a month-long public consultation for the first candidate cybersecurity certification scheme, the Common Criteria based European cybersecurity certification scheme (EUCC). The scheme aims to replace the existing schemes operating under the SOG-IS MRA for ICT products, to add new elements and to extend the scope to cover all EU Member States.

The public consultation allows interested parties to provide feedback on the draft of the EUCC candidate scheme and the outcome will be processed and shared. The consultation will remain open for contributions until July 31st, 12:00 CET.

To participate in the Public Consultation, please go to: EUCC Consultation Survey

Over the past two decades, the Common Criteria have proven efficient for the certification of chips and smartcards across Europe, and have enhanced the level of security of electronic signature devices, for means of identification such as passports, banking cards and tachographs for lorries. More recently, the criteria have been used intensively to certify the cybersecurity of ICT software products.

This new candidate scheme aims to further improve the Union’s internal market conditions for ICT products, and positively affects the ICT services and ICT processes relying on such products.

About the EUCC candidate scheme:

  • Built on the current SOG-IS MRA and Common Criteria with rules included for transition;
  • Applicable to ICT products;
  • Covers assurance levels ‘Substantial’ and ‘High’;
  • Certificate validity for five years, can be renewed;
  • Allows for composite certification;
  • Recognition in all EU Member States;
  • Voluntary scheme;
  • Harmonised conditions for vulnerability handling and disclosure;
  • Clearly defined rules on monitoring and handling non-compliance and non-conformity;
  • Introduces a new patch management mechanism to support vulnerability handling;
  • Use of a framework-based label and a QR code to ensure easy access to accurate certification information.

The EU Cybersecurity Act of 2019 (CSA) lays down an EU cybersecurity certification framework for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as of avoiding fragmentation of the internal market. ENISA’s task under the CSA is to prepare and develop candidate cybersecurity certification schemes with the involvement and support of stakeholders and a working group.

The first ad hoc working group for this scheme, the EUCC AHWG, was set up late last year by ENISA, and is chaired by the Agency. The group is composed of 20 appointed members representing industry (developers, evaluators), and 12 participants from Member States and accreditation bodies. The EUCC AHWG has been working in close collaboration with the Commission and with the European Cybersecurity Certification Group (ECCG).

The EUCC is the first candidate scheme in the framework. A second candidate scheme is currently in preparation and relates to the certification of cloud services.

Further Information:

More information on the Public Consultation is available on the dedicated page: Public Consultations on Cybersecurity Candidate Schemes.

Before answering please consult the Draft of the EUCC Candidate Scheme.

For more information about the EU cybersecurity certification framework and about ENISA’s role under the EU Cybersecurity Act, please visit ENISA Topic on Certification.

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


ENISA Leads Cybersecurity Seminar for the Hellenic Ministry of Digital Governance

Wed, 07/01/2020 - 13:30

The European Union Agency for Cybersecurity, ENISA, led an Infodays seminar on June 24, 25, 30 and July 1 for the National Cybersecurity Authority (NCA) of the Hellenic Ministry of Digital Governance to support the ministry in developing its own train-the-trainer programme. The event was held virtually.

Over the span of two weeks, ENISA experts spotlighted the key developments in the EU cybersecurity ecosystem, including emerging technologies such as Artificial Intelligence and 5G, for new employees of the ministry. The team also trained NCA personnel on various cybersecurity topics, with a special focus on EU cybersecurity policy. Most importantly, ENISA identified and shared with attendees the main tools and materials needed to establish a basic cybersecurity train-the-trainer programme for Greece’s public administration sector.

ENISA Executive Director Juhan Lepassaar opened the seminar on day one, which focused on operational crisis management and the role of Computer Security Incident Response Teams (CSIRTs) across Europe. Day two focused on the EU cybersecurity certification framework, and cyber-threat intelligence and risk management. On day three, experts took a look at the NIS Directive, the first piece of EU-wide cybersecurity legislation, and discussed security supervision under the European Electronic Communications Code (EECC). The final day, today, concluded with a deep dive into emerging technologies, such as AI, 5G, IoT and cloud computing.

ENISA has played a significant role in supporting the Hellenic Ministry of Digital Governance since opening its doors in Athens in 2004. The Agency and ministry are currently working together to expand this collaboration to National Cyber Security Strategies and trainings for incident handling and response.

Further Information

For information on ENISA’s work regarding National Cyber Security Strategies, please visit: ENISA Topic - National Cyber Security Strategies.

For information on ENISA’s work regarding trainings for incident handling and response, please visit: ENISA Topic - Trainings for Cybersecurity Specialists.

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 


3rd General Assembly of the ER-ISAC Meeting

Fri, 06/26/2020 - 13:00

The European Union Agency for Cybersecurity, ENISA, co-hosted the 3rd General Assembly of the European Rail ISAC (ER-ISAC) on the 26th of June 2020. The event was virtual.

The ISAC (Information Sharing and Analysis Centre) meeting allowed IT professionals from 40 organisations in the rail sector to discuss cybersecurity issues, including challenges and incidents faced over the past year. Experts built on their shared experiences and lessons learned in regard to prominent cybersecurity threats in the rail sector.

The closed-door meeting also included a series of presentations from partners on projects that enhance the sector’s cybersecurity procedures across Europe. Best practices were shared by railway operators, as well as current and future technological and policy developments in the sector. The International Union of Railways (UIC) also gave a welcome speech and reflected on the importance of cybersecurity in the sector. Finally, as an invited guest, EUROCONTROL provided insights on threat intelligence in the aviation sector.

ENISA has played a significant role in supporting the ER-ISAC from the start, and is currently drafting a study on cybersecurity in the rail sector.

Further Information:

For more information on ENISA’s work in the area of ISACs please visit: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing

 


Article 13a Expert Group convened by ENISA for its 31st meeting

Fri, 06/26/2020 - 13:00

The European Union Agency for Cybersecurity hosted the 31st meeting of the Article 13a Expert Group on the 24th and 25th of this week. The working group of European National Authorities supervises the security of electronic communications networks and services. The group is chaired by Warna Munzebrock, the representative of the Agentschap Telecom, the Dutch Radiocommunications Agency.

Normally the group meets physically, three times a year. This time, the group met online, using an electronic communications platform. 40 experts attended from national authorities supervising the telecom sector across Europe, from 24 countries. Warna Munzebrock, the Dutch Chair of the Article 13a group opened the meeting, together with Evangelos Ouzounis, Head of the ENISA unit for Secure Services and Infrastructures.

On the first day, the group received updates from:

  • Anders Lindell, from DG CONNECT, the Directorate‑General for Communications Networks, Content and Technology;
  • Machteld Vrieze, Chair of the Working Group of authorities for the digital services under the NIS Directive;
  • Marcin Domagala, co-Chair of the NIS Cooperation Group on Digital Infrastructure;
  • Vassiliki Gogou, co-Chair of BEREC’s Ad-hoc Working Group on 5G.

ENISA gave an update on both the Agency’s incident reporting platform - CIRAS and the pandemic toolkit project, whose aim is to provide an overview of good practices for telecom operators and authorities in dealing with pandemics.

An important part of the meeting was dedicated to an in-depth round table, where experts shared experiences and lessons learned during the first months of the COVID-19 pandemic. Overall, the countries reported that, despite some issues, the communication networks and services sustained the change in usage and traffic well, and that operators successfully implemented their business continuity plans.

The supervision changes needed for the transposition and implementation of the EECC, the European Electronic Communications Code, were addressed on the second day. The EECC will be in force from 2021. The group discussed a new model for the EU-wide reporting thresholds. ENISA also presented a first draft of the new security measures framework for the EECC. This framework takes into account the changes introduced by the EECC, but also the security requirements in the European Commission’s 5G toolbox.

The group will meet again in the third quarter of the year. Most of the work of the group this year will focus on updating the guidelines for security measures and incident reporting process in light of the EECC.

Background on Article 13a group

The ENISA Article 13a Expert Group was established in 2011 and consists of more than 50 experts from national telecom security authorities from all EU countries, the EFTA countries, and EU candidate countries. The group is a forum for exchanging information and good practices on telecom security. It produces policy guidelines for European authorities on the implementation of EU telecom security rules, and publishes an annual summary report about major telecom security incidents.

  • This work is done under ENISA's Annual work program output O.1.2.3 “Supporting incident reporting activities in the EU”.
  • The ENISA Article 13a Expert Group was set up in 2010. There have been 31 meetings so far.
  • The security guidelines of the Article 13a Expert Group can be found on the ENISA Article 13a expert group portal.

Further Information:

ENISA Incident Reporting webpage

ENISA Article 13a Expert Group portal

To know more about the Article 13a Expert Group's work, or to join the telecom security mailing lists, to be up to date about our telecom security work or to receive invitations for future telecom security meetings, please contact us via resilience (at) enisa.europa.eu

For press questions and interviews, please contact

 


The EU Cybersecurity Act’s first anniversary: one step closer to a cyber secure Europe

Fri, 06/26/2020 - 10:00

On 27 June 2020, the European Union Agency for Cybersecurity (ENISA) celebrates the first anniversary of the EU Cybersecurity Act (CSA) and its strengthened role towards securing Europe’s information society. The CSA gave the Agency a permanent mandate, a new list of tasks and increased resources, and also established the EU cybersecurity certification framework. 

The Agency now plays a key role in setting up the framework and builds on its past work towards achieving a high common level of cybersecurity across the European Union by actively supporting Member States, EU institutions, industry, academia and citizens. Regarding the framework, the Agency is close to completing the first cybersecurity certification scheme and is making rapid progress towards a second one, on cloud services.

The mandate has also expanded the Agency’s role in supporting capacity-building and preparedness capabilities, as well as operational cooperation - areas that continue to be put to the test during the COVID-19 pandemic. ENISA acted quickly at the onset of the pandemic by preparing awareness campaigns, sets of tools and publications offering in-depth guidance on cyber safety for organisations, businesses and citizens, all publicly available on the webpage COVID19.

Under its expanded role in policy development and implementation, ENISA has thrived, especially in the area of emerging technologies. For 5G security, ENISA has been involved in each phase and continues to support the European Commission and Member States as a common toolbox is being implemented. Last year, the Agency also supported the EU Member States with developing an EU-wide joint risk assessment regarding the 5G roll out, and delivered a 5G threat landscape report, which analyses threats at a more technical level. On Artificial Intelligence, the Agency has set up a 15-member ad-hoc working group on Cybersecurity for AI that will further advance European expertise on AI threats and solutions.

In addition, ENISA has welcomed the newly mandated tasks around research and innovation by creating the EU cybersecurity skills framework and fostering collaboration amongst the four cybersecurity pilot projects of the European Cybersecurity Competence Network.

 

Further Information:

EU Cybersecurity Act and ENISA

EU cybersecurity certification framework

ENISA’s dedicated page for COVID-19

ENISA’s work on 5G

ENISA’s work on AI

For press questions and interviews, please contact

 


2nd Inter-EU ISACs Meeting

Thu, 06/11/2020 - 08:00

The European Union Agency for Cybersecurity, ENISA, hosted the 2nd Inter-EU ISACs meeting on the 10th of June, 2020. The event was virtual.

The meeting allowed experts of the EU Information Sharing and Analysis Centres (ISACs) to build on trust, get to know new members coming from newly formed ISACs, review developments from last year’s in-person meeting and identify synergies to enhance collaboration between the centres. They also discussed their current challenges and possible solutions.

Participants included chairpersons of the EU ISACs, the European Commission, the FS-ISAC, GSMA, as well as experts with deep knowledge on the issue.

 

Further Information

For more information on ENISA’s work in the area of ISACs please visit our dedicated website's topic Information Sharing and Analysis Centers

For more information on this event, please contact: resilience (at) enisa.europa.eu

For press questions and interviews, please contact

 


ENISA working group on Artificial Intelligence cybersecurity kick-off

Wed, 06/10/2020 - 13:00

Artificial Intelligence (AI) is no longer in the realm of science fiction and futuristic scenarios. It is already changing everyday life, improving the provision of services by automating procedures and systems, and rapidly processing large amounts of data. AI has the potential to lead the digital transformation paradigm shift, and, in many ways, is already doing so.

The benefits of Artificial Intelligence may only be attained if AI itself can be trustworthy and cybersecure. We are already witnessing attacks by adversaries against AI systems that aim to negatively manipulate their behaviour and lead to unintended operations. The European Commission has highlighted the importance of AI in society and the economy; and, most recently, in its White Paper on Artificial Intelligence, the Commission has underlined the need for AI to be secure. This white paper is the frontrunner to forthcoming policy initiatives in the area that will shape the future of AI deployment and its wide adoption by the public.

Recognizing the significance of cybersecurity for Artificial Intelligence, ENISA has set up an Ad-Hoc Working Group in line with the European Commission’s directions and policies.

The main objectives of the group include:

  • Advise ENISA in matters related to AI cybersecurity.
  • Assist ENISA in the development of an AI Threat Landscape.
  • Support ENISA in providing risk-proportionate cybersecurity guidelines for AI.

The working group is composed of 15 members, representing stakeholders from small and large companies, the public sector, academia, associations, and more, as well as seven observers from European bodies, including the DG for Communications Networks, Content and Technology, the DG Joint Research Centre, Europol, the European Defence Agency (EDA) and the European Telecommunications Standards Institute (ETSI).

The list of members and observers is available on the webpage of the Ad-Hoc Working Group on Artificial Intelligence cybersecurity.

 

Further Information

For more information on ENISA’s work in AI Cybersecurity, please visit our dedicated website's topic Artificial Intelligence.

For press questions and interviews, please contact .

 


Spotlight on incident reporting of telecom security and trust services

Tue, 06/09/2020 - 12:00

Today ENISA, the EU Agency for Cybersecurity, releases a new version of CIRAS, a tool for statistical analysis of cybersecurity incidents. Two new sets of EU data on cybersecurity incidents were made available:

  • Telecom security incidents reported for the year 2019
  • Trust services security incidents for 2016-2019.

The online visual tool, accessible to the public, now gives access to 8 years of telecom security incidents, and 4 years of trust services incident reports: a total of 1100 cybersecurity incidents. The new visual tool allows for analysis of multiannual trends. 

Mandatory cybersecurity incident reporting is a cornerstone of cybersecurity legislation in the EU. Cybersecurity incident reporting gives the national authorities in Europe vital information about the root causes and overall impact of major incidents. Every year national authorities send summaries of these major cybersecurity incidents to ENISA for aggregation and analysis at EU level. ENISA publishes statistics in yearly reports and gives access to aggregated and anonymised data in the online visual tool, to increase transparency about cybersecurity incidents. This online visual tool allows for custom analysis of trends and patterns. For example, the user is able to select a specific time-period or specific root cause categories and get custom statistics about detailed causes and assets affected. ENISA also maintains a private repository for the national authorities.

You can access the tool via the following link:

Cybersecurity Incident Report and Analysis System

Background and legal base:

ENISA has been supporting the EU telecom security authorities with the implementation of EU wide telecom breach reporting, under Article 13a of the Framework directive since 2010.

Under this framework, ENISA develops procedures, templates, tooling and analysis and publishes an annual report with aggregated statistics about the telecom security incidents with significant impact since 2012.

ENISA has been supporting supervisory bodies in the EU with cybersecurity breach reporting for trust services under Article 19 of the eIDAS regulation since 2016. Besides, ENISA also started to support the NIS cooperation group with the cybersecurity incident reporting along the provisions of the NIS Directive.

ENISA will be publishing the detailed annual reports in the coming weeks. The following two trends are highlighted:

Root causes of telecom security incidents

Over the last 4 years, the most common root cause of telecom security incidents is system failures (412 out of 637 incidents). The second most common root cause is human errors with nearly a fifth of total incidents (19%, 119 incidents in total). Natural phenomena are the third root cause with 11% while only 4% of the incidents are categorized as malicious actions.

Root cause categories of trust services security incidents

Over the 4 years of trust services security incident reporting, the most common root cause is System failures (60%). Around a fifth of the reported incidents were due to human errors and a fifth of the incidents were flagged as malicious actions. Natural phenomena are not a common root cause in this sector. This sector operates differently than the telecom one. With large-scale aboveground infrastructure for the mobile networks, the telecom sector is more vulnerable to natural phenomena.

Further Information

For more information on ENISA’s work on incident reporting and security regulation (Article 13a and Article 19), please visit our dedicated website's topic Incident Reporting.

For press questions and interviews, please contact

 


Tips for secure user authentication

Thu, 06/04/2020 - 10:30

We are living in an era of large-scale data breaches. More and more high-profile companies are hacked; as a result, the personal data of millions of customers is leaked online.

Cybercriminals with different motivations and interests take advantage of this data in order to mount attacks against both individuals and other organizations. As passwords are still the main method to authenticate users to platforms and systems, this article aims to provide tailored recommendations for improved cyber hygiene.

Risks to passwords

Today, passwords can be stolen in multiple ways, including:

  1. Social Engineering attacks such as phishing credentials using fake pages, voice phishing (so-called Vishing), shoulder surfing (e.g. peeping behind a person who is typing their password on a laptop) and even retrieving handwritten passwords from post-it notes.
  2. Stealing using specialized software or physical keyloggers. Some of these attacks require a physical presence or proximity to a laptop or a device.
  3. By intercepting communications, using fake access points or by leveraging man-in-the-middle attacks (MiTM) at a network level, more prevalent in public WiFis found in hotels, cafés, airports, etc.
  4. Brute-force attacks on passwords by trying all the combinations, dictionary attacks or by simply guessing the password.
  5. Retrieving passwords directly from data breaches and leveraging them using password spraying techniques to other legitimate services.

Recommendations to improve password security

  1. Activate multifactor authentication functionality whenever possible for all of your accounts.
  2. Do not re-use your passwords. Cybercriminals work under the assumption that many users re-use passwords, hence their high success rates for compromising accounts.
  3. Use single sign-on functionality combined with multifactor authentication in order to reduce the risk of account compromise.
  4. Use a password manager.
  5. Generate strong and unique passwords or passphrases according to the latest guidelines available, for each individual website and service. This is where password managers come in handy.
  6. Check if any of your accounts appear in existing data breaches and act immediately by changing your passwords for the services identified.
  7. Many websites offer password reminder functionalities. Make sure you do not rely on easily retrievable personal information to reset your password, e.g. name of your pet, your date of birth, your high school, etc.
  8. Make use of VPNs or at least mobile access points when accessing e-Banking or other private services from public WiFi.
  9. Be aware of your surroundings in lounges, airports, trains and cafés, and make sure there is nobody behind you trying to snoop your password. This is where screen privacy filters come in handy.
  10. Do not leave your devices unattended/unlocked in public spaces such as hotels, public transport, lounges, etc.
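
Recommendations 2 and 5 above (no re-use, a unique strong passphrase per service) can be checked and applied mechanically. The following is an added example, not ENISA's code: it audits a password-store export for re-use and replaces each re-used entry with a random passphrase. The word list, the sample vault and the 64-bit default target are constructed assumptions, not figures from any guideline.

```python
import math
import secrets
from collections import defaultdict

# Constructed 16-word list, for illustration only. A real generator should use
# a large published word list so that each word contributes more entropy.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet",
         "harbor", "indigo", "juniper", "kelp", "lagoon", "maple", "nectar",
         "onyx", "pebble"]

# Constructed export of a password store: service name -> password.
SAMPLE_VAULT = {
    "webmail": "Summer2020!",
    "shop": "Summer2020!",
    "forum": "Summer2020!",
    "bank": "a-unique-constructed-passphrase-for-the-bank",
}


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a passphrase whose words are drawn uniformly and
    independently from a list of wordlist_size distinct words."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(target_bits=64, wordlist=WORDS, sep="-"):
    """Random passphrase built with the OS CSPRNG (secrets), never random."""
    if len(wordlist) < 2 or len(set(wordlist)) != len(wordlist):
        raise ValueError("word list must hold at least two distinct words")
    count = words_needed(target_bits, len(wordlist))
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def find_reused(vault):
    """Return groups of services that share one password, sorted for
    stable output. One leaked password exposes every service in a group."""
    by_password = defaultdict(list)
    for service, password in vault.items():
        by_password[password].append(service)
    return sorted(sorted(group) for group in by_password.values()
                  if len(group) > 1)


def rotate_reused(vault, target_bits=64):
    """Return a copy of the vault in which every service involved in re-use
    has a fresh passphrase that no other entry uses. Unaffected entries are
    left unchanged."""
    new_vault = dict(vault)
    in_use = set(vault.values())
    for group in find_reused(vault):
        for service in group:
            candidate = generate_passphrase(target_bits)
            while candidate in in_use:  # regenerate on the rare collision
                candidate = generate_passphrase(target_bits)
            in_use.add(candidate)
            new_vault[service] = candidate
    return new_vault


if __name__ == "__main__":
    for group in find_reused(SAMPLE_VAULT):
        print("shared password across:", ", ".join(group))
    rotated = rotate_reused(SAMPLE_VAULT)
    print("re-use after rotation:", find_reused(rotated))
    # Six words from a 7776-word list give about 77.5 bits.
    print(round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The new passphrases still have to be set on each service and stored in the password manager; the script only produces the values.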

Further Information:

For more security awareness related materials, please visit the website of the European Cyber Security Month (ECSM) awareness raising activity coordinated by ENISA.

Cyber Hygiene best practices can be found in the ENISA Report - Cyber Hygiene.

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19.

For press questions and interviews, please contact

European Cyber Security Challenge 2020 - Event Date Change

Wed, 06/03/2020 - 11:00

Due to the worldwide pandemic and the lack of visibility regarding its evolution, the ECSC Steering Committee together with the Austrian national planners and the support of the European Agency for Cybersecurity decided to change the dates of the European Cyber Security Challenge 2020 Finals, scheduled to take place in Vienna this November. 

The ECSC Steering Committee, considering that the organization of this European event brings together more than 350 young people coming from all over Europe, wants above all to safeguard the health of all participants. Furthermore, to give a fair chance to all teams and permit each country to continue with the selection process in serenity, it was decided to amend the age conditions for participation by adding a year in each category.

In light of the above, the 6th edition of the European Cyber Security Challenge (ECSC) will take place in Prague, Czech Republic in 2021. Austria will host the event in 2022.

The annual event brings together top cyber talent from across Europe to network and collaborate, meet with industry-leading organizations and compete against each other to win the ECSC prize. Contestants work on solving security-related challenges on topics including web and network security, mobile security, crypto puzzles, reverse engineering and digital forensics.

About the European Cyber Security Challenge

The growing need for IT security professionals is widely acknowledged worldwide. To help mitigate this shortage of skills, many countries launched national cybersecurity competitions targeted at students, university graduates or even non-ICT professionals with a clear aim to find new and young cyber talents and encourage young people to pursue a career in cybersecurity. The European Cyber Security Challenge (ECSC) leverages these competitions by adding a pan-European layer.

The European Cyber Security Challenge is an initiative by the European Union Agency for Cybersecurity (ENISA) and EU Member States and aims at enhancing cybersecurity talent across Europe and connecting high potentials with industry leading organizations.

Further Information:

Further information on how to participate in the upcoming National Challenges and the European Finals, as well as the contact details of the organisers, can be found on the ECSC website.

For general organisational and press questions, please contact press (at) enisa.europa.eu 

 


Top ten cyber hygiene tips for SMEs during covid-19 pandemic

Tue, 06/02/2020 - 15:00

Crises like the current COVID-19 pandemic have a serious impact on European as well as international society and economy. Small and medium-sized enterprises (SMEs) are often coping with difficult times. Unfortunately, cybercriminals often see such crises as opportunities. Phishing and ransomware attacks are on the rise.

SMEs are also faced with a new reality where employees are working more from home. This makes them even more dependent on Information Technology (IT) than before. It goes without saying that protecting these virtual assets is of utmost importance to almost every SME. According to ENISA, the top ten cyber hygiene topics that SMEs should address, possibly through outsourcing where needed, are presented below:

  1. Management buy-in. It is important that management sees the importance of cybersecurity for the organisation and that it is informed on a regular basis.
  2. Risk assessment. This answers the question: what do I have to protect and from what?  Identify and prioritise the main assets and threats your organisation is facing.
  3. Cybersecurity policy. Have the necessary policies in place to deal with cybersecurity and appoint someone, for example an Information Security Officer (ISO), who is responsible for overseeing the implementation of these policies.
  4. Awareness. Employees should understand the risks and should be informed about how to behave online.  People tend to forget such things rather rapidly, so repeating this every now and then can be valuable.
  5. Updates. Keeping everything (servers, workstations, smartphones, etc.) up to date is key to your cyber hygiene. Applying security updates is part of this process. Ideally, this whole process is automated to a certain level and the updates can be tested in a testing environment.
  6. Backups. Prior to doing these updates it is vital to have good backups in place. This will also protect the environment from attacks such as ransomware. Back up the most important data often and think about the cost of losing data during a certain timespan. Keep the backups offline, test the backups and try to keep duplicate copies of the backups.
  7. Access management. Have rules/policies in place for access management and enforce them. Make sure, for example, that default passwords are changed, that passwords are not shared, etc.
  8. Endpoint protection. Think about securing the endpoints, for example by installing antivirus software.
  9. Secure remote access. Limit remote access as much as possible and where absolutely needed, enable it but in a secure way.  Make sure that communication is encrypted properly.
  10. Incident management plan. There should be a plan on how to handle an incident when it occurs.  Different realistic scenarios could be part of this plan.  Get to know whom you could contact when things are problematic, for instance the national CSIRT.

 

Further Information

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19

For press questions and interviews, please contact

 
