Blog

The impact of cyber crime on Belgian Businesses

In 2017, the Belgian Cost of Cybercrime project (KUL) published the results of an enlightening study aiming to measure the impact of cybercrime, and more broadly cyber attacks, on Belgian Businesses.

We can highlight two results from this paper. First, most businesses have been hit by one form or another of cyberattack, some even more than once a year. So the likelihood of being hit is quite high.

Second, the average cost per incident is relatively low, most of them below 500€, although in some cases it was above 10.000€. It surely depends on the kind of business you are and on the size of your company, meaning an SME shouldn’t have to spend a fortune on protection measures.

You can find the report here: https://bcc-project.be/surveys/wp4-2-the-impact-of-cybercrime-on-belgian.pdf

If you receive spam by SMS (or via email) in Belgium, you can report it online to the authorities!

A while ago I posted an article stating that there was no way to report SMS spam online in Belgium. Guess what, I was wrong!

First, I was wondering if it was really illegal to send unsolicited commercial messages by SMS in Belgium. I found this really nice flyer from the Federal Public Service Economy (http://economie.fgov.be/fr/binaries/spamming_brochure_fr_tcm326-31741.pdf) explaining that the general definition of spam also applies to SMS or chat systems.

In the flyer, there was a link to a page for reporting this kind of behaviour to the authorities. The document being a bit old (2005), the link was outdated, but our friend Google found me the new one: https://pointdecontact.belgique.be/meldpunt/en/welcome

On this official website, you can report SMS spam (or other similar illegal activities) using the “New complaint” button and the “SPAM from unidentified party” type of report.

I’m not sure it will be very effective at stopping the spam SMS quickly (most smartphones allow you to block senders for a while), but it will be a start. And if more and more people start to report such behaviour, it will likely have an impact.

Note that you can also report spam or harassment coming from outside the country.

The scope is quite clear from the first page:

“Are you the victim of misleading practices, fraud or swindle? Or have your rights as a consumer or enterprise not been respected?
Then choose the scenario that matches your problem and follow the various steps to report your problem to the competent services.
You will always receive a reply in which we will try to provide an answer to your questions.
The competent services will analyse your report and may carry out an investigation. They do not take any action in your individual dispute, nor do they provide any information concerning the investigation. For your individual problem, we exclusively refer to the reply that will be sent to you”

Now you know what to do.

Risk management as a decision tool: a synthetic diagram

Whatever reference you might use (ISO 27001, the NIST Cybersecurity Framework, the Australian ISMF, the German IT-Grundschutz, …), every information security framework has risk management at its core.

Some people think of risk management as a painful and lengthy process used to justify security expenses or to achieve compliance with a standard. It can be just that.

But, first of all, it is a decision tool. A risk assessment is the tool senior managers use to decide whether or not they should invest (additional) money in (more) security controls, and in which ones. For this reason, the identified risks must be credible and realistic, and their likelihood (or frequency) and impact as accurate as possible. A bad assessment will likely lead to an unwanted level of residual risk.

Taking the time to explain each risk scenario clearly and concretely is an important task, as senior managers often lack the technical knowledge to understand the full extent of the risks to their business. And this is normal: it is the risk manager’s or security officer’s job to translate these risks for the board.

I have been working for some time on a model of the information security governance processes in order to show the need to integrate all the available data. There are already a few models available, but I am trying to create one that clearly shows the need to include information from many sources in order to have a sound and efficient security management process. Here is a first draft of the integration of the risk management process into the software/system/solution development lifecycle.

Global security management process-V0.3

Any feedback will be welcome. Information security governance is a complex process, any suggestion to improve it will be taken into account and shared with the community.