By Stéphane Etienne for LG and EBRC
Simply protecting data is no longer enough. It is necessary to become cyber-resilient in order to survive in a virtual world increasingly prey to ever more virulent cyber-attacks. How can this be done? What behaviours and solutions should be adopted? Yves Reding and Philippe Dann, respectively CEO and Head of Risk & Business Advisory at EBRC, provide us with some answers.
Why do you believe it is urgent to enter the age of Cyber-Resilience?
YR: We have entered a pivotal period between two industrial revolutions: the third, which occurred at the end of the previous century, essentially based on communication technologies and the exploitation of data as a new raw material, and the fourth, which will probably occur at the end of this century and crystallise the convergence of all the new upcoming technologies. We will gradually move from a physical to a virtual world. However, in that nascent cyberspace, most individuals, organisations and States will not have an immune system enabling them to anticipate, counter and cope with cyber-attacks by recovering the lost data.
Are such cyber-attacks as widespread as you claim? Do they have the potential to become dangerous to the point of being deadly, physically speaking?
YR: 2017 and 2018 were marked by major Cyber-Security failures, and 2019 will be worse. The European Union, in particular, fears massive cyber-attacks during the elections scheduled for the end of May. And that is just the beginning! In the future, when everything has become digital, such cyber-attacks will have much more serious consequences. Imagine an airplane suffering a cyber-attack or a technical bug against which the pilot is unable to act.
What can be done to avoid the worst-case scenario?
YR: We need a paradigm shift, a more holistic approach that does not rely on protection-oriented Cyber-Security, which has clearly shown its limitations. Given the increasing number of threats, it is necessary to consider that the risk has become certain. It is necessary to invest more in the continuous prevention and detection of potential threats, and to be ready to cope with and manage the crisis in order to better react and bounce back. This is why we place great emphasis on the concept of Cyber-Resilience, which aims at building up a high-performance immune system for companies, and why we offer our customers a fully integrated, end-to-end approach.
How does this approach translate into your consulting and support activities for companies?
PhD: We help our customers to meet best practices, including the ISO 27001 and ISO 22301 standards, and even to obtain their certification. Those two standards are the essential pillars of Cyber-Resilience. ISO 27001 defines the requirements for the establishment, implementation and continuous improvement of an Information Security Management System (ISMS), namely a systemic approach through which an organisation ensures the security of its sensitive data (governance, persons, processes, IT systems). ISO 22301 is the international standard for business continuity management designed to protect the business from potential interruptions occurring as a result of accidents, human errors or organisational and technical disruptions, and obviously from malicious acts such as cyber-attacks. In 2018, we provided support to over 80 customers in Luxembourg, Belgium and France.
What fundamentally sets the support we provide to clients apart from the support provided by competitors is that our support is absolutely not theoretical; it is pragmatic and based on customer feedback. Anything that we recommend to our customers has already been applied within our company. EBRC has been ISO 27001 and ISO 22301 certified for many years and we implement all the good practices taught to our customers internally on a day-to-day basis.
YR: It is a virtuous circle of sorts. All the solutions and methods that we internally develop are then applied to our customers and the specific solutions that we offer to our various clients are then internally applied within our company. This sharing of know-how and resources, which is made possible thanks to our holistic offering, makes us unique on the market.
You have also set up a trusted digital ecosystem. Can you tell us more about it?
PhD: In addition to the skills of our specialised teams, we have integrated an ecosystem of partners in order to add more innovation and efficiency to our consulting offer. Our partners are specialised in cyber-risk management and the protection of personal data, access security and tracing, risks associated with identity and access rights, and crisis communications automation.
YR: This desire to create a trusted digital environment across several countries is not solely limited to partnerships. We want to become a European centre of excellence in the protection and management of sensitive information. Through its recent directives, and in particular the NIS directive (Network and Information System Security), the European Union aims to become a cyber-resilient continent and we wish to contribute in our own way, not simply by advising our customers, but also by maintaining permanent contact with other critical institutions and operators, in particular in Luxembourg, working in the field of Cyber-Security and Cyber-Resilience.
PhD: We have set up a close collaboration with the Cyber-Security Competence Center (C3). After conducting crisis management exercises internally, we invite our customers to take the next step and participate in the C3’s simulation and training platform called Room 42 – Do(n’t) Panic. In an isolated room, our customers are subjected to cyber-attacks in real time and must find solutions to eliminate or contain them within a given amount of time.