Impact of war in Ukraine to Cybersecurity in the Baltic Region
2022 - 04 - 13
Since Russian invasion of Ukraine, the Baltic countries continue to face high risk of cyber-attacks and new types of malicious cyber activities. Baltic authorities have reported that state institutions, media, as well as financial sector continue to experience a number of Distributed denial of service (DDoS) attacks. However, alarming rate of new type of hoax messages show how cybercriminals use the war for trying to collect people’s personal data, spread malware as well as to conduct financial fraud by pretending to be charities. Therefore, current situation underlines a high necessity for all companies and institutions to continue to strengthen their cybersecurity measures and implement best practices of cyber hygiene.
Cybersecurity should be a priority for every company and institution. Cyberattacks may not only have financial and commercial impact, but also poses high risk to personal safety and health. Therefore, we provide the best practices how to maintain cybersecurity and data protection standards up to date and how to prevent data breaches.
Implementation of Cybersecurity Policies
Each company and institution shall have cybersecurity documentation that outlines cyber security best practices, policies, response plan to incidents and risk mitigation strategies. The NIS Directive (EU 2016/1148) provides that certain service providers (operators of essential services and digital service providers) are required to implement technical security measures based on their risk. However, not only the essential service providers should evaluate their cybersecurity risk, but every company should do that.
Cyber Hygiene Best practices
In order to mitigate cybersecurity risks, we recommend to establish cyber hygiene in your organisation:
1) Data backup routine and storing data copies separately from the system. Create a data backup routine that suits your organization and ensure that data copies are up to date and usable. Store them separately from the system, including both in the cloud and in a storage device. A common approach for keeping data safe is the 3-2-1 backup rule: keep at least three (3) copies of your data, and store two (2) backup copies on different storage media, with one (1) of them located offsite. Do data backup regularly. Regularly test the backups to ensure they are usable.
2) Regular system and software update from trusted sources. Computers and equipment that have not been fixed for security bugs are most vulnerable for malware. Therefore, it is especially important to regularly update your system, software (including antivirus software) and devices. Download applications and mobile applications only from known and trusted sources.
3) Increased security for remote work and access to computer systems. Review access to your computer systems and use a virtual private network (VPN). Systems and devices should be properly prepared and configured to ensure a secure and correct connection for remote access to the organisation’s systems. It is advisable to establish clear remote work guidelines for your employees who should practice appropriate care and safety of devices outside of the work area.
4) Open e-mail messages and attachments from known senders and pay attention to the sender’s address. Be cautious and always check that received e-mail is from trusted source before opening the attachment or any hyperlink. Infected e-mails are the most common way how malware spreads and it is common to create infected e-mails that at first hand looks from a known person or organization. Check sender’s name and address, as well as the style of the message.
5) Delete cookies and reset passwords regularly. Cookies stored on users’ devices can help to trace a specific person and get information on his/her passwords. In addition, it can facilitate illegal access to logged-in accounts.
7) Increase employee’s awareness and ability to recognize cyber risks. Where employees are not aware about security practices, there is higher risk that in a case of an incident, an organization can face inability to deal with the incident in a timely manner. Moreover, the incident itself can be cause by employees who do not have a necessary level of security skills.
8) Develop risk mitigation plans in case of cyber incidents. When an incident occurs, each minute is important. The easiest way to save time and reduce risks is to act in accordance with a pre-defined plan. It is also recommended to ensure simulation of incident-like situations for the relevant employees.
Data Protection Basics
Most of the cybersecurity attacks impact personal data. Many of the GDPR requirements are more legal and organizational than technical. However, general compliance would contribute to the strength of the cybersecurity system of the implementing organizations. How?
1) Data minimisation and storage limitation
Data minimisation and data storage limitation will help to get rid of unnecessary data. Thus, an organization will not need to spend its resources to protecting what can be deleted. In addition, knowing all of the data kept by an organization and controlling it will help to protect all of the relevant information. Thus, an organization will be sure that there is no unknown personal data that can be an easy prey to malicious actors.
A mandatory and useful tool to control the amount a personal data and its retention term are personal data processing records. The form and maintenance type depend on each specific organization and what it does with personal data.
2) Data processing agreements
Although drafting and concluding data processing agreements seem more like a legal task, such contract can have a decisive impact on security of personal data.
A vital part of any data agreement between a controller and a processor is personal data security. The same is relevant for agreements covering international data transfers (such as standard contractual clauses). The GDPR requires such provisions in order to ensure that personal data enjoys an appropriate level of data protection throughout all of the personal data processing chain. Thus, if you entrust personal data to your service provider (especially, if it is located outside of the EU), it is vital to check the security terms in your agreement.
3) Security of Personal Data
Ensuring security of personal data as well as of any other information starts with assessing relevant risks. If such assessment has not been performed yet, it is the right moment to do it. As the results of the assessment serve as a reliable basis for introducing appropriate controls. Having discovered cybersecurity risks, an organization can choose one of the following options: i) to avoid the risks (i.e. the actions that cause the risk) or ii) to reduce them (through using technical, organizational or legal controls), or iii) to transfer them (by buying cyberrisks insurance), or iv) to accept them (i.e. by taking the risks on).
Then, when the risk treatment option is chosen, it is time to adopt security controls, if relevant. There is no specific list of security solutions in the GDPR. Thus, in this case, the organization can rely on its experience, local or international guidelines, standards (such as ISO or SOC) or other authoritative sources of information. Some of the countries introduce mandatory controls for specific types of organizations (such as for critical infrastructure, financial sector, e-commerce, search engines, data centres, public and local authorities, electronic communication services providers and many others). Such requirements are becoming more similar in the EU due to the NIS Directive and future NIS2 Directive as well as PSD2, eIDAS Regulation, European Electronic Communications Code, proposed DORA Regulation and other related acts.
Where to follow recent cybersecurity practices
For Latvia: Latvian CERT.LV
For Estonia: Estonian CERT.EE
For Lithuania: National Cyber Security Centre and LITNET CERT