Europe vs. hackers: Will law and order work?
Monday, March 29, 2021
It appears that EU officials are fed up with the constant data leaks and the hacking of large companies, and someone has finally realised that simple calls to keep data secure do not work. Neither do fines: large companies and banks simply build them into their business plans or insure against them. Create security requirements and monitor how well they are being met? That would be dictatorship! So one (democratic) way out remains, and that is "to shoot":
National regulatory authorities in EU Member States may be authorised to force financial institutions to terminate the services of their existing technology suppliers if they cannot solve their cybersecurity issues.
It is reported that the law's provisions have not yet been agreed upon; the text is still being worked on. Moreover, it is quite possible that there will not be a single law for the whole European Union, and that each member state will be able to decide for itself what measures to apply to companies.
What could this mean?
The report we have just quoted lists the problems a company faces if it decides to replace its software: the time and money involved, the risk of complications during the transition period, and unfamiliarity with the new product's features. There are many such problems, but the real question lies elsewhere.
What does "cannot solve their cybersecurity issues" actually mean? And who is it that cannot solve them? Are suppliers unable to fix their own problems (vulnerabilities in their products, for example)? Or is it that suppliers fail to ensure that a client's wishes are complied with?
For example, an anti-virus on its own will never satisfy a requirement that there be no incidents in which attackers encrypt data. Weak passwords that, once cracked, let a criminal into the system; the use of legitimate encryption tools (archiving programs, for example); users themselves disabling their anti-virus protection: none of these can be prevented by the anti-virus alone. Yet the customer expects 100% of incidents to be detected.
Is there a solution? Yes, there is: certification against defined requirements, with a clear statement of what a given product can and cannot do. Suppliers avoid this procedure because there is always a user who will declare that they have no problems, in the hope that incidents simply will not occur.
And what if suppliers themselves have to meet security requirements? Certification would be needed here as well, covering not only the quality of the solutions but also compliance with quality-assurance requirements during their development and the use of secure development practices.
Although the final form of this law (assuming it ever appears) is unknown, it is likely that it will be applied in practice in even more varied ways from country to country. It will be interesting to see in a few years whether these efforts produce noticeable improvements in the fight against financial crime.
One can assume that new suppliers will now face tougher checks.
Forward-looking companies that have (or hope to find) customers in the European financial industry will try to gain a lead over the rest.
The Anti-virus Times recommends
Note: this is exactly what regulators in our country have recently started requiring.
How will this end? We'll see.