Many countries do not perceive the creation of national cybersecurity strategies as a requirement.
As one of the graphs of the Global Cybersecurity Index of 2020 shows, the least attentive regions are Africa, the Americas, and Asia. The absence of an NCS can depend on many things, such as an already excellent overall system or, conversely, poor access to and use of computer systems. Europe is doing quite well and has good resilience and security infrastructure.
Knowing Cybersecurity is the first step
Cybersecurity is the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and to protect systems, networks, and technologies against unauthorized use. Cybersecurity is also referred to by the acronym CIA, which represents three pillars. Microsoft explains them as follows: C represents confidentiality, linked to the protection of your data; I, the integrity of information; A, secure access to systems.
So many standards, but which one to apply?
The various agencies created for systems security, such as NIST in the United States or ENISA in Europe, agree that the procedures to be applied are many, but that they are essential whatever the sector of application. Before adopting security standards, you need to analyze your systems to understand their strengths and capabilities.
Stefano Mele, Partner at Gianni & Origoni, Head of the Cybersecurity Law Department and co-Head of the Data Protection Department, explains how the ESG world connects to cybersecurity. He explains how companies should perform a cybersecurity assessment to identify the various assets that can be affected by cyber-attacks, such as hardware systems, laptops, customer data, intellectual property, etc. Once a company recognizes its risks and weaknesses, it is easy to see where the system must be improved; it is also easier to track a risk to its source and strengthen that part of the system.
The main actions a company must take
- Continuously monitor and review the risk environment, and make any changes in context needed to control part or all of the risk management process. Conduct a cybersecurity assessment and create a cybersecurity strategy and policy.
- Define the role of personnel within the company and cascade responsibilities for risk management. Each level of the company must be involved, to a greater or lesser degree, in the management and control procedures. The more specialized groups, such as the IT team, will also be responsible for resolving errors or limiting them by implementing measures or recommending specific standards based on the company's needs. Everyone must know the possible risks, the applicable standards, and the metrics used to assess an incident; everyone must report incidents to those in charge, make an effort to correct them, or escalate them to those who need to fix them.
- Create a disaster recovery plan, developed as part of a broader business continuity plan. It includes the cybersecurity and IT teams and assigns a team to manage an incident; it is invoked only when the incident has a significant impact on the organization. The business continuity plan, in turn, describes how the organization will operate in an emergency and how efforts are coordinated across the organization.
- Implement a remote access policy. Especially in the last year, due to Covid-19, organizations have had to implement remote access policies. Control user access, and when an employee no longer works for the organization, remove their access to data.
- Define the standard to be applied to control and defend internal systems and to control access to the network. Implement or adapt measures and new monitoring techniques, and review the approach regularly so it can be changed when needed.
- If we want to protect cybersecurity within our ESG traceability model, we can preserve the data system. This concerns the technical measures that should be put in place to manage data and to collect and process commercial information, including data mapping, technical mechanisms that keep user data accurate, and the disclosure of personal data only under user control.