Uploaded by brian-honan
A presentation I gave at the Information Security Ireland event where I highlighted upcoming EU legislation that will impact how organisations should think about cyber security and opportunities for security companies to take advantage of
European Cyber and Data Security: What is coming and how we can be prepared for it
Who Am I?
CEO of BH Consulting – Independent Information Security Firm
Founder & Head of IRISSCERT – Ireland’s first Computer Emergency Response Team
Special Advisor on Internet Security to Europol's European Cybercrime Centre (EC3)
Adjunct Lecturer at University College Dublin
Expert Advisor to European Network & Information Security Agency (ENISA)
Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times
“considers cybercrime to be an ever-increasing threat to the EU in the form of large-scale data breaches, online fraud and child sexual exploitation, while profit-driven cybercrime is becoming an enabler for other types of criminal activity…”
Europol Serious & Organised Threat Assessment 2013
“Total Global Impact of CyberCrime US$ 3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined.”
Europol Serious & Organised Threat Assessment 2013
“cybercrime as one of nine EU priorities in the fight against serious and organised crime between 2014 and 2017”
The Justice and Home Affairs Council of 6-7 June 2013
Policy on Critical Information Infrastructure Protection (CIIP) – 2009
Focusing on the protection of Europe from cyber disruptions by enhancing security and resilience.
Based on five pillars:
Preparedness and prevention
Detection and response
Mitigation and recovery
International cooperation
Criteria for European Critical Infrastructures in the field of ICT
DIRECTIVE 2011/92/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 2011
on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA
(to be transposed into national law in the Member States by 18 December 2013)
DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 August 2013
on attacks against information systems and replacing Council Framework Decision 2005/222/JHA
(to be transposed into national law in the Member States by 4 September 2015)
This Directive
Sets out minimum rules defining criminal offences and the sanctions for them
Improves operational cooperation between Member States’ national law enforcement services
Improves operational cooperation between Member States and relevant EU agencies (Eurojust, Europol, ENISA)
Member States must maintain a 24/7 operational point of contact and, within eight hours of receiving an urgent request related to a cyber-attack, indicate at least whether and how the request will be answered
EU agencies will conduct threat assessments and strategic analyses of cybercrime
All such activities must also comply with existing EU legislation on privacy, electronic communications and data protection
The main offences defined in the Directive are:
Illegal access to information systems
Illegal interference with systems or data
Illegal interception of data transmissions
The Directive also provides for stricter criminal sanctions where attacks are carried out using botnets
EU Cyber Security Strategy - 2013
Key Priorities For the Strategy
Freedom and openness
The EU's laws, norms and core values apply as much in cyberspace as in the physical world
Developing cyber security capacity building
Fostering international cooperation in cyberspace
The Cyber Security Directive (formally the Network & Information Security Directive) (the Directive)
Bring all member states to a minimum security standard
Promote cooperation and ensure preparedness and transparency in important sectors
Introduce mandatory breach notification for certain organisations
All member states to develop a national network and information security strategy
Appointment of a single point of contact among national competent authorities (NCAs)
Changes to Data Protection Directive
With a view to being ratified in 2015
Fines of up to €100 million or 5% of global turnover for data breaches
Mandatory breach notification “without undue delay”
Right to be forgotten
Companies with more than 250 employees will need to have a Data Protection Officer
Privacy by default baked into all business processes & services
Trend Micro's UK Study re Data Protection Directive
50% of UK IT decision makers were unaware of the impending legislation
25% adamant that compliance is not achievable
Objectives (of ENISA, as set out in its founding Regulation)
To enhance the capability of the Commission, other EU bodies and the Member States to prevent, address and respond to NIS problems
To provide assistance and deliver advice to the Commission and the Member States on issues related to NIS falling within its competencies as set out in this Regulation
To develop a high level of expertise and use this expertise to stimulate broad cooperation between actors from the public and private sectors
To assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of NIS
Areas of Research
Computer Emergency Response Teams
Resilience of Networks and Services and Critical Information Infrastructure Protection
Identity, Privacy and Trust
Risk Management
National Cyber Security Strategies
Countries aligned for the deployment of the European Cyber Security Month
List of available courses and certification programmes