2021: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Shaping Belgium's digital future

An interview with our Prime Minister about Belgium’s cyber security strategy

2021 has been a year with a further acceleration of our digital transformation. At the same time cyber threats have been on the rise with increasingly extensive and serious attacks. In order to better arm our country against cyber crime the federal government adopted a cyber security strategy 2.0 in May to make Belgium one of the least vulnerable countries in Europe in terms of cyber security by 2025.

Alexander De Croo

Prime Minister of Belgium

“We are reaching more and more Belgians”

"Cyber threats were clearly increasing in 2021, but Belgium can be proud of its efforts to deal with this relatively new form of crime," describes Miguel De Bruycker, Managing Director of the Centre for Cyber Security Belgium (CCB). "Great strides have been made in both vision and strategy."

Miguel De Bruycker

Managing Director of the Centre for Cyber Security Belgium and Vice-President of the Cyber Security Coalition

It’s a fact: several international studies show that Belgium is one of the best-performing countries in Europe for cyber security. For example, our country came in third in the recent National Cyber Security Index (NCSI). In terms of incident numbers, as well, we are certainly no worse off than our neighbouring countries. In other words, the prevailing perception that Belgium lags behind in digitalisation and cyber security expertise does not align with the reality.

Successful efforts

"Importantly, we clearly see that the initiatives set up around cyber security are having a noticeable effect," explains De Bruycker. "In the spring of 2021, for example, we had an above-average number of vulnerable Exchange servers. Our comprehensible communication ensured that this number dropped sharply in only a few weeks. We now have a well below-average number of such vulnerable Exchange servers."

This result shows the CCB’s improvements in reaching the Belgian population. Miguel De Bruycker comments: "We get about 12,000 messages a day, which proves that there is confidence in our operation. Our channel Safeonweb is becoming more and more of a brand. In addition, from the start we have focused on raising awareness amongst the population, while neighbouring countries were focusing on the institutions. In the context of accelerated digitalisation resulting from the COVID-19 pandemic, this focus on the citizen has proven to be the right choice."

A new Belgian cyber security strategy

The most important initiative that the CCB co-launched in 2021 was the renewed Belgian cyber security strategy, which aims to make Belgium one of the least vulnerable countries in Europe. "That is a very clear mission, and immediately differentiates from previous plans. Major steps have been taken in terms of vision and strategy," explains De Bruycker.

"Our goal is to better arm companies and users, and thus lower vulnerability. For this purpose, we will soon launch a portal for companies, as well as a new contact centre for all users. For the rest, the focus is mainly on knowledge exchange."

In order to achieve these goals, additional police and judicial capacity to deal with cyber criminals must be put in place. In other words, the government still has work to do. Miguel De Bruycker concludes, "The Internet is not a public space, so the government has to find its role there. Given the limited resources in particular, this requires both governance and leadership. Sometimes it is unclear who is driving the car. But steps are being taken, and thanks to the cyber security strategy, we at least have a clear direction."

Knowledge sharing

"Many are sitting on a cyber security time bomb - without realising it"

Assessing business risks to ensure the organisation’s continuity is one of a manager’s core responsibilities. When it comes to cyber security, however, there is often a large gap in understanding what these risks entail. "Too many people think that a one-off investment is sufficient," explains Georges Ataya, Vice-President of the Cyber Security Coalition and Academic Director for the Executive Programmes in IT Management and Information Security Management courses at Solvay Brussels School of Economics & Management.

Georges Ataya

Solvay Brussels School of Economics & Management

Every manager and executive in a company strives to create added value. In daily practice, this implies continuously evaluating business risks to avoid unexpected situations. While this basic management principle seems obvious, too often it appears not to be the case for cyber security.

Research has shown that managers frequently have little or no knowledge of cyber security, and therefore cannot make a thorough assessment of the risks. "Executives underestimate the complexity of that responsibility," says Georges Ataya.

A continuous process of improving

This lack of knowledge starts with a clear fallacy concerning security. "Companies often think that a one-off investment is sufficient to guarantee cyber security. That is obviously not the case. There is no such thing as a one-size-fits-all solution. Because threats are constantly changing, cyber security must be understood as a continuous process of monitoring and improving," states Ataya.

Ideally, a company has a safety committee made up of several specialised technical profiles and board members. "With such a set-up, committee members can clearly inform each other and build mutual trust. In reality, however, many companies don't even have a safety officer. And if they do, he or she is mostly dependent on the IT department for the necessary expertise."

In terms of reporting, as well, the approach is often off the mark. "Security reports mainly emphasise what is going well, whereas the focus should be on what is going wrong," explains Ataya. "This is crucial, because an understanding of the specific vulnerabilities within a company is just as essential as knowledge about a threat."

A crucial part of corporate governance

In other words, while the pursuit of security should be closely linked with the company’s strategy and embedded in its structure, today it is mostly limited to the operational level. As a result, many companies are clearly at risk while they are going through a digital transformation. "They are sitting on a ticking time bomb without realising it," warns Georges Ataya.

Thus, it is crucial to increase awareness about cyber risks amongst managers and executives. "Today, a mature company should be putting in place a clear governance around cyber security, and seeing it as a critical part of wider corporate governance."

To achieve this, however, a great number of people need to improve their competencies in the short term. Now, interested professionals can turn to Skillsbeam. "This brand-new digital tool enables people to weigh up their own competences against the required expertise for cyber security positions. In this way, we hope to give an extra push to all those who are considering a career switch," concludes Georges Ataya. 

Security architecture: achieving competitive advantages through knowledge sharing

As the interest in cyber security is growing at a feverish pace, the role of security architects is becoming increasingly important. Many organisations have implemented an enterprise security architecture as a vital part of their cyber defence. "We see that more and more companies are finally realising that security improves their business."

Benoît Moreau

Enterprise Architect, IT Risk & Security at ING Belgium

Security systems can no longer be based on identical products that are to be implemented in different contexts. They should be architectural structures by design, and thus specifically developed to suit the needs of a company or organisation. ‘If you think about the development of an application, security by design is about ensuring that security is taken into account at all stages’, explains Benoît Moreau, Enterprise Architect IT Risk & Security at ING Belgium.

‘Designing security systems is also about guaranteeing that you can explain how the security works. So-called security by obscurity, meaning that something is secured because no one actually understands its functioning, is something we absolutely aim to avoid.’

Paradigm shift

The goals of security architecture are often grouped into three categories known as the CIA triad: Confidentiality, Integrity and Availability. ‘We aim to turn security architecture into a competitive advantage’, explains Moreau. This understanding has clearly given rise to a paradigm shift in recent years. ‘We see that more and more companies are finally getting rid of the idea that security is blocking their business. They see their security architecture as a means to create new business.’

In other words, this paradigm shift fundamentally changed how security architecture is being appraised. ‘I often make the comparison with the brakes of a car. These were not only created to slow down your vehicle but were primarily invented to allow the driver to go faster than before. So, translated into a business context, developing better brakes is a security investment that leads to better business results.’

Discussions are improving

In this vision, the Enterprise Security Architecture can be tailored to the specific structure of an entire company. However, this does not necessarily mean that security architects have to start from scratch when developing new security systems. Benoît Moreau: ‘We don’t have to reinvent the wheel every time. On top of the common standards we use, we can learn from big tech companies and reuse their innovations in our own specific contexts. This improves the overall security levels.’

Sharing experiences and expertise among cyber professionals is part of their culture. ‘For example, it is common practice for security algorithms to be made public’, says Moreau. ‘We share the modus operandi between different players in the same sector. This definitely is a big advantage in heavily regulated sectors, where regulators expect a formal demonstration of the security. It also helps to reduce the cost of security.’

Despite this unequivocal importance and the increasing level of awareness, the job of the enterprise security architect is often misunderstood and confused with other security-related jobs. ‘This is why the Enterprise Security Architecture Focus Group of the Cyber Security Coalition is currently working on a position paper that will explain the role and the benefits for the company’, concludes Benoît Moreau.

Every cyber attack bolsters the line of defence

For the general public, 2021 seemed to be a year of large-scale cyber attacks, with the press regularly reporting major incidents in Belgium and abroad. We interviewed Dirk Haex of Belnet and Kurt Gielen of ZOL Hospital, which were both victims of cyber criminals. The two organisations found it a simultaneously stressful yet instructive experience.  

Dirk Haex

Co-General Director of Belnet

One of the most discussed cyber incidents in Belgium this past year was the DDoS attack on Belnet, the IT partner of Belgian colleges, universities, research centres, hospitals, and government institutions. On May 4th, attackers flooded the Belnet network with an immense volume of traffic, saturating it. The consequences of this attack were significant for almost all Belnet customers and end users.

Thanks to its clearly defined crisis management plan, Belnet successfully stabilised the situation within a few hours. Then, the organisation turned its full attention to the so-called ‘post-mortem analysis’. “During this inquiry, we assessed all of our actions very critically, and asked our customers where things could be improved”, says Dirk Haex, Co-General Director of Belnet.

Learn and improve

This assessment also served as the foundation for the improvement programme that Belnet subsequently designed. Haex explains, “The programme contains three sections: a technological component that focuses on stronger embedding in the digital landscape, a component that focuses on communication via various platforms, and a process component that revolves around faster detection and response to incidents."

Ziekenhuis Oost-Limburg (ZOL) was also hit by a cyber attack in 2021. "Through a theft at one of our suppliers, an attacker managed to get hold of the credentials of a number of our users", explains Kurt Gielen, IT manager at ZOL. "We were able to block the incident very quickly, but one of our privileged accounts was compromised for several minutes."

Just as for Belnet, this incident turned out to be a very instructive event for ZOL. Gielen says, "Based on the incident evaluation, we implemented many improvements in our defence system. For example, we are focussing much more on auditing; every action on our server is now recorded."

A long-term, positive impact

Looking back, Belnet emphasises that the attack demonstrated the strength of the existing crisis management plan. "We had already invested a lot in crisis management in the past, which proved to be crucial", stresses Dirk Haex.

"Without our existing crisis communication plan, we certainly would not have been able to react as we did," adds communication officer Davina Luyten. "That is the message we want to pass on to other organisations: draw up plans in advance, before you run into a crisis. Exploit all the expertise available for this in a digital ecosystem. Together, we are much stronger. By telling our story, we hope that the DDoS attack on Belnet will have a long-term, positive impact."

For ZOL too, the cyber attack was an eye-opener. "It has shown that cyber security in a hospital is no longer only a matter of IT; it impacts the entire organisation. That's why it's crucial for the healthcare sector to put much more effort into knowledge sharing and building overarching expertise. We cannot possibly master the cyber threats on our own," concludes Kurt Gielen.  

Ransomware: some facts and figures

Ransomware is a type of malware that blocks access to the target’s personal data or threatens to publish it unless a ransom is paid. Victims may face business downtime if access to critical data is blocked, or the risk of a data leak. Ransomware is considered to be the number 1 threat to business disruption, and that menace has clearly increased during the Covid-19 pandemic.  

Research has shown that one in three organisations pays the ransom to get their data back. Unfortunately, paying the ransom never results in the recovery of all data. On average, only 65% can be recuperated.

The average ransom payment in Q3 of 2021 was 134,000 US dollars. A higher proportion of payments came from mid-market sized victims. Ransomware actors are clearly shifting from ‘Big Game Hunting’ to ‘Mid-Game Hunting’, so SMEs should remain vigilant. They risk not only direct damage to themselves, but also indirect damage to their customers, whose networks may be infected in turn.

Moreover, a survey by Sophos in 30 countries revealed that the total remediation cost after an incident varies widely; the highest costs are seen in Austria, followed by Belgium in the number 2 spot. This reflects the considerable manual effort required to remediate an attack; the total cost can be up to 10 times the ransom payment itself.

A holistic cyber security approach is needed

Cyber criminals are continuously improving their tools and techniques, to be more effective and breach more victims. Finding and exploiting security weak spots is their core business. Fox-IT observed threats that specifically targeted the Benelux. Over the past months, organisations throughout the region have been hit by a spate of extremely rapid data breach extortion attacks. The attackers typically steal significant amounts of sensitive data within 30 minutes.

Increasingly, attackers are exploiting vulnerabilities, including those in commonly used protocols (e.g., remote access protocols such as RDP). Clearly, applying anti-phishing security measures is not enough: a holistic cyber security approach is absolutely required.

“Former experiences can be a huge asset in creating awareness”

Raising awareness of cyber security and its societal importance is probably the biggest priority, yet also the biggest challenge, for organisations and companies right now. This challenge is not purely technical, but primarily cultural. Thus, not only IT profiles have to play a role in this process. This applies a fortiori to women, who are still underrepresented in the sector.

Sophie Kemenes

Security Education and Awareness Coordinator at Norsk Hydro

Johanna Kinnari

Information Security Manager at OP Financial Group

Creating awareness is inextricably linked to making cyber threats tangible and personal. “Most people still don’t realise it’s their business as well”, explains Johanna Kinnari, the Finnish Information Security Manager at OP Financial Group. “If you cannot relate to the danger yourself, it will always remain too abstract”, adds Hungarian Sophie Kemenes, Security Education and Awareness Coordinator at Norsk Hydro.

Unexpected career changes 

The personal stories of these two female security awareness professionals reflect how the concept of cyber security can be shifted from something far-fetched to a defining part of life. Before she landed as an information security content specialist for Norsk Hydro, Sophie Kemenes first started her career as a freelance content creator and marketeer in the advertising sector. “Norsk Hydro was looking for someone with writing and sales skills. So, even though I didn’t know a thing about cyber security, I was hired.” 

“Then, during my third week at the company, a ransomware attack hit Norsk Hydro. Suddenly, I found myself in the middle of an IT hub during an intense battle on all fronts, with an enemy we had yet to identify. With a communication profile, I felt like a war reporter at the battlefield. I was the one telling everyone what was happening”, Kemenes continues. “At this point, I realised what expertise I was missing. So, later on, I explored the field more deeply and got the necessary certificates and knowledge.”  

Johanna Kinnari also initially envisioned a very different career path: “My original education was in barbering and hairdressing. However, I quickly felt this was too basic for me and decided to change to IT. As I knew that I didn’t want to spend my career in coding, focussing on information security and corporate security management was a logical step.”  

Soft skills and subtlety

These stories show that awareness creation is never solely a matter of education and imposing rules. It should rather be considered a step towards cultural change. Therefore, the Awareness Focus Group organised a third edition of the Certified Cyber Security Awareness & Culture Manager course, a peer-to-peer training. A new ‘Culture’ module was recently added to the programme. To support the Women4Cyber foundation, it was invited to designate two participants. Sophie and Johanna were thus able to take part in this course.

“Awareness is about getting people to change their behaviour. Thus, soft skills and subtlety are crucial”, clarifies Kinnari. “Explaining vulnerabilities can only be successful if it’s focused on a practical level. Therefore, former experiences of any kind can be a huge asset”, adds Kemenes.

By sharing this insight, both hope to make cyber security more attractive to women. This also explains their membership of Women4Cyber, a European non-profit organization with the objective to promote, encourage, and support female participation in the field of cyber security. Johanna Kinnari: “As a top-down approach will never be sufficient, women in this sector should take up their role as ambassadors.”

In addition, the current pandemic clearly offers opportunities for speeding up this process. "On the one hand, people are more exposed to cyber risks because we are all working remotely most of the time. On the other hand, a lot of people have started questioning their jobs, making this a good time to shift careers. We now have to make sure that they know about the exciting opportunities in cyber security”, concludes Sophie Kemenes.  

“We need more awareness and more cyber professionals”

In 2021, cyber security continues to gain ground. One of the main reasons is that since the Covid-19 pandemic criminals have had a bigger playing field. More awareness and security measures are needed to protect citizens and businesses from being hacked. The European Union is taking the lead in this matter. Ann Mennens, Cyber Aware Programme Manager of the European Commission, outlines some key European initiatives.

Ann Mennens

Cyber Aware Programme Manager of the European Commission

In October, European Cyber Security Month, the European Union traditionally emphasises the importance of cyber security to all citizens. Promoting cyber security awareness is crucial. "We really need to create more awareness. During the past year, the number of phishing cases has been heavily increasing. We see a rising trend in cyber incidents, a logical consequence of the fact that remote working is the new normal. We do not always secure our home environment sufficiently. You may have the best firewall installed, hackers can always find a backdoor to penetrate", says Ann Mennens. 

Preventive action is the message because the impact of a cyber attack can be enormous. "By demonstrating the danger in advance, we can increase vigilance. Within the European Commission, for example, we do this by sending fake phishing emails. These tests show that we still fall into the trap too easily. But, on the other hand, we have noticed that people are taking action and are reporting suspicious mails more quickly than before. Which of course is a good evolution." 

Need for more women in the sector 

In order to detect suspicious cases faster, the IT and cyber teams of the European institutions are regularly tested and trained. "These exercises are essential to keep them alert, because criminals are becoming increasingly cunning, and European institutions are an interesting target for them. We really need to keep everyone on their toes at all times. But at the same time, we need extra professionals, with the right skills, who can identify the risks and mitigate them." 

Unfortunately, finding that cyber security talent is becoming increasingly difficult. "Moreover, the IT world is dominated by men. We noticed that adding women experts to our cyber security teams creates added value. Therefore, we launched our in-house Cyber Security Training Programme. The programme attracts colleagues from a variety of backgrounds who are interested in upskilling in cyber security, and many women follow the training. With the Women4Cyber initiative and registry we also created a platform to promote and connect female professionals working in cyber security. And it is catching on: more and more women are showing interest and joining."

An inspiring network of professionals 

The European Union is also a source of inspiration for the Belgian Cyber Security Coalition. Ann Mennens has been closely involved since its inception and is one of the initiators and trainers of the ‘Cyber Security Awareness and Culture Manager’ training programme. "Awareness for cyber security is not high on the agenda of many companies. We have therefore launched a unique four-month training programme for Coalition members, to help them build the capacity in-house for organizing and running effective and efficient cyber security awareness raising activities. 27 participants, from various sectors, completed the course this autumn and obtained their certificate."

Despite all her experience and expertise, Ann still learns from the Coalition. "For every member, the Coalition offers added value. The success depends on its members. Each meeting we exchange experiences and at times challenge each other, and this offers new insights every time. All is based on mutual respect and trust. After all, everyone realises that we must cooperate now if we want to be prepared to face the challenges of tomorrow", concludes Ann Mennens. 

Mobilize talent for cyber security

Education has a key role in changing the perception of cyber security

As cyber security remains a huge challenge for our economy and society, the demand for cyber professionals is on the rise. Yet, there is a clear labour shortage in this domain. With the launch of a brand-new master’s programme, KU Leuven hopes to be part of the solution.

Bart Preneel

Professor of information security and industrial cryptography at KU Leuven

High-performance security is becoming increasingly important in the digital world. "We see that cyber attacks are getting bigger every year, and smarter too. A fairly recent trend, for example, are the attacks on supply chains, which can hit the operations of several companies at once", says Bart Preneel, Professor of information security and industrial cryptography at KU Leuven.

Shortage of people and resources

To cope with the expanding threat, the focus on cyber security needs to be further increased. "Today, an average of 7.7 percent of the IT budget within a company or organisation is spent on cyber security. This should actually be at least double", Preneel continues. In addition to the budget, awareness must also improve. "Too many companies and organisations live with the conviction that it won't happen to them. That has to change. Luckily, things are certainly moving in the right direction."

This attitude illustrates how the cyber security challenge is underestimated. "It has the image of being important only for nerds. While in reality it is something very practical and socially relevant. One of the consequences is there are far too few people active in this segment of the labour market today. Look at the government: they are doing an excellent job, but they have very limited resources. Compared to Germany, we have 10 times fewer people in this area", says Preneel.

A new master's programme as of 2022

Education has a key role in influencing and changing this perception. "In fact, we should strive for every IT education to have a cyber security component", says Preneel. In Flanders, the expertise is concentrated first and foremost at KU Leuven. Moreover, there is a Bachelor's Programme for Cyber Security Professionals at Howest. "That is a conscious choice. Unlike in Wallonia and Brussels, where the knowledge is more spread out over different institutions", explains Preneel. "Through our existing elective courses, KU Leuven students can acquire extensive knowledge and later take this with them as they enter the labour market."

And in light of the growing challenges, the University of Leuven is taking an important step as of next academic year. Students with a relevant prior education will be able to apply for the new advanced master in cyber security. To follow this one-year programme, you will need to have obtained a master's degree or have sufficient experience in the industry.

“This advanced master focuses on academic skills, but at the same time we have tried to also pay attention to practical aspects. The industry will be involved wherever possible", states Preneel. This connection with industry is anything but new for KU Leuven. "Many professors in this academic field have earned their stripes in the industry in the past. This very close relationship is also deliberately maintained with all start-ups working around cyber security that emerged from the university."

Through this brand-new course, KU Leuven hopes to offer a solution to the acute shortage of professionals within the field of cyber security. "Today, we deliver about 30 cyber security profiles a year to the labour market. We hope to be able to add 50 more over a fairly short period of time. We are convinced this will make a significant difference", concludes an ambitious Preneel.   

Rosanna Kurrer: Cyber Security Personality of the Year

In 2021 the Cyber Security Coalition launched the competition “Cyber Security Personality of the Year” to honour the prominent achievements of cyber security experts. A jury selected Rosanna Kurrer from 10 finalists who are role models and have shown extraordinary efforts to serve their organization, the community of cyber security professionals and Belgian society. Rosanna is Co-founder and Managing Director of CyberWayFinder. In this video she explains the vision and growth of her organisation.

For more info: https://award.cybersecuritycoalition.be/

Rosanna Kurrer

Co-founder and Managing Director

Bart Steukers (Agoria): “Creating awareness will save jobs”

Amongst Belgium’s estimated 5,000 industrial manufacturing companies, some 60% are working on their digital or Industry 4.0 transformation. But this also brings risks, including making the sector more vulnerable to cyber attacks. Bart Steukers, CEO of Agoria, comments, "More than half of the large industrial companies dealt with an OT system security breach in 2021. We urgently need people with the right skills to better protect our production environments."

Bart Steukers

CEO Agoria

Disruptive technologies have put organisations and their systems under pressure in recent years. Machines processing enormous amounts of data are all too often poorly or insufficiently secured. "The security of OT systems is an underestimated problem. The software on which they run is commonly outdated, and rarely updated. Hence, if a company becomes the victim of a cyber attack, the impact is immediate and often incalculable," says Bart Steukers.

Moreover, only one in four manufacturing companies is said to have a proper contingency plan covering both IT and OT systems. "This is why we need to create more awareness about cyber security, because every link in a production environment is vulnerable. One solution is training staff intensively to recognise threats. If everyone realises what can happen, then the biggest risk - the human factor - can be largely eliminated."

More than 3,700 vacancies for IT professionals

In too many smaller organisations, there is insufficient awareness of cyber risks. Yet they are at least as vulnerable to criminals as the larger corporations. "The existing NIS Directive is not applicable to many companies. Moreover, the regulation is quite technical and open to interpretation. Tailor-made cyber insurance for SMEs, with a number of clear conditions, could be a good alternative and a driver for change."

At the same time, Agoria’s CEO argues that every company should sharpen its employees' digital competences. "Today, every job involves a digital component, so training courses should pay more attention to those competences. On top of that, we need more IT and cyber professionals. The new courses that several colleges and universities have set up are promising. Thanks to cooperation with our sector, they are also very practice-oriented. We hope this will lead to a situation where talent multiplies."

We need to catch up in cyber security, yet currently there are 3,700 vacant positions. "Even then, we are only talking about the professionals," notes Bart. "We really need to make an effort to teach all employees the right skills. If that does not happen, no fewer than 47,000 jobs could be at risk. If we create enough awareness and provide companies with the right tools, I am convinced that we can save those jobs."

The added value of the Cyber Security Coalition

Building the right skills is what the future will be about. And the Cyber Security Coalition can play a role in that. "The Coalition is the largest network of security experts in Belgium. We bring together academics and professionals to learn from each other, and become even better at cyber security. If we can increase our collective knowledge, develop the right tools in cooperation with businesses, and inspire talent, then I am hopeful for the future," concludes Bart Steukers.

Prepare for future challenges

"We need a fundamental debate on privacy"

In the past year, the handling of the corona pandemic raised many questions about Belgium's privacy policy and governance around big data. Although these questions voice legitimate concerns, little attention was paid to them in Flanders. Privacy expert Paul De Hert: “A lot of institutions are doing courageous work but this hardly reaches the general public and they often lack the necessary support. We need a fundamental debate on privacy.”

Paul De Hert

Professor at Vrije Universiteit Brussel (VUB)

Cyber security law is slowly becoming more mature. For instance, the legal structures that enable the enforcement of privacy rules are being developed. "We have reached the point where we will finally be able to evaluate if the structures that have been created are effective", opens Paul De Hert, Professor of criminal law and privacy expert at the VUB University. "Think of the Bruvax scandal in Brussels, where data on vaccination could easily be retrieved. It remains to be seen whether a court will effectively punish this privacy leak."

These evolutions in data protection and cyber security law are the result of the implementation of GDPR and the so-called NIS Directive in the past years. "Before those regulations were put in place, cyber security was a matter of cashflows, not legal structures. Since 2018 this has changed and security has also become legally enforceable."

Who should take decisions on data?

An indirect consequence is that privacy has become a topic in the public debate. The best-known example is the case of top civil servant Frank Robben, who created large data systems on health, on behalf of the government. These are inherently very privacy-sensitive issues. But at the same time Mr Robben also takes part in the Knowledge Centre of the Data Protection Authority. He has become a symbol of the so-called ‘pragmatic’ approach to privacy protection, which critics say is potentially very dangerous.

"This case illustrates that we need a much more fundamental debate about what kind of big data and AI governance our society wants", De Hert explains. "Frank Robben represents an expert model, which assembles a lot of data, that in a next step is accessible for a limited club of experts to use. For opponents, including myself, this is the wrong approach. Decisions about these data should only be taken by parliament or by a structure that guarantees a democratic debate and participation."

"Debating both models is essential for our democracy. In the Netherlands, the existence of an expert model, which tends to be much more closed, even led to the so-called ‘benefits scandal’ that brought down the government. But I notice that this discussion is not an issue for Flemish media. Unlike in Wallonia and Brussels, the privacy discussion is caricatured in Flanders", says De Hert. "The Flemish press is apparently not interested in privacy. 2021 was the year in which the privacy discussion was conducted asymmetrically."

The need for better cooperation

Partly because of limited media reporting, a number of praiseworthy initiatives to increase the protection of privacy did not get enough attention. De Hert: "During the discussion about the difficult choice between privacy and healthcare, for example, the Data Protection Authority took a very courageous stance. But it did not receive the support that I expected from the government. This illustrates that the Belgian privacy policy and the structures to support it need to be strengthened. The Data Protection Authority should be consulted more and play a bigger role."

The need for an organisational reform was included in the evaluation report led by the Secretary of State for Data Protection Mathieu Michel on the occasion of the GDPR's three-year anniversary. "Today our country has five different authorities for personal data. They need to cooperate better", says Paul De Hert. "Moreover, there is a tendency for the establishment of regional authorities with the same competency. But those in favour of such regionalisation should ask themselves if a regional authority will be able to operate independently."

New Focus Group bridges the gap between IT and OT

How can we better protect our critical infrastructure against cyber attacks? Over the past year, this topic was discussed extensively in the Cyber Security Coalition's new OT/ICS Focus Group, which gathers IT and OT professionals from both public and private sectors. Driving forces Wim Van Langenhove and Dirk Daems shed light on the challenges that critical infrastructures are facing, and how the Focus Group can contribute to better protection.  

Wim Van Langenhove

Head Of Cybersecurity Advisory Services at Orange Cyberdefense Belgium

In 2019, the NIS legislation came into force in Belgium, prompting many companies to increase their cyber security efforts. "There have been clear steps in the right direction. Where the focus used to be mainly on the IT environment, we now also see attention on the security of industrial equipment and critical infrastructure. This is necessary, as many companies have made the switch to Industry 4.0, making them easier prey for hackers,” states Wim Van Langenhove, Head of Cybersecurity Advisory Services at Orange Cyberdefense Belgium.

More and more systems and processes are interconnected; as a consequence, more people have access to sensitive company information. "Once a hacker gets hold of that data, he can manipulate equipment, and cause a lot of damage to a company. Look at what happened at Picanol, for example. Fortunately, we can learn from such attacks. The importance of creating extra barriers and segmenting company networks becomes clear," adds Dirk Daems, Senior ICS Security Consultant at Toreon.

Raising awareness

Nevertheless, the human factor remains decisive. 80% of successful cyber attacks can be attributed to human error. "That is why we need to create more awareness, especially among people on the shop floor. Every company should have a structured, overarching approach that maps out all cyber risks and involves multiple actors, including suppliers", Wim continues.

However, getting everyone on board is not so easy. The OT/ICS Focus Group acts as a lever to put cyber security on the agenda. "During our sessions, we try to reconcile IT and OT professionals. The group is very diverse, which creates a nice dynamic. Our members can implement the ideas from the sessions within their own organisations."

Taking a leading role

The Focus Group has already addressed five themes: Anticipate, Identify, Detect, Respond and Recover. Wim Van Langenhove explains, "We have based our approach on the NIST Cyber Security Framework. Each pillar is treated separately, and we dive deep with keynotes. For example, how to set up a cyber security structure within an organisation. We also strive to inspire each other with practical examples. We keep the sessions as interactive as possible, so that everyone can learn from them.”

"At the same time, we also try to respond to current events, and pay particular attention to new technologies,” adds Dirk Daems. "After all, the cyber world evolves continuously. Thanks to the Coalition, we are in the front row. By uniting forces, we progressively gain insights that help to reconcile the IT and OT professionals and set the tone for a strong cyber security approach in Belgium."

EU Cybersecurity Act: the time to prepare is now!

In order to increase trust and security in connected devices and digital services, the European Union has adopted the Cybersecurity Act, which will gradually introduce a certification framework for products, services and processes. For companies this should lead to one certification process, recognised across the EU. “It certainly is an important initiative but implementation will be complex as every member state works to translate the certification schemes into national regulation”, states Bill Chard, Products Director at Eurofins Digital Testing. 

Bill Chard

Products Director at Eurofins Digital Testing

Eurofins Digital Testing is a global group headquartered in Belgium specialised in product testing and laboratory services. It provides a broad range of digital testing tools and services and also helps companies in dealing with cyber security threats. Bill Chard: “We cover infrastructure, cloud systems and devices and offer pen-testing, consultancy and training on cyber. My main area of focus is connected devices and for that domain the EU Cybersecurity Act could have a big impact.”

The Act was voted in 2019. This certification framework will provide rules, standards and procedures to evaluate the security properties of a specific product or service. But the process of implementation takes time. “The first scheme that is being developed is EUCC for ICT systems, soon to be followed by a scheme for cloud systems. Both are due to come into effect in 2022, and then manufacturers and developers of affected systems will have to become compliant by mid-2024. Other schemes for IOT or industrial automation & control are probably still a couple of years away.”

A good reason to join the Coalition

Legislation is already in progress in EU states including the Netherlands, and in the UK (not directly linked with the CSA as the UK is no longer a European member state). Belgium is at an earlier stage in this process. “For us this was a good reason to join the Cyber Security Coalition. It is an important stakeholder in how these schemes will be implemented and we hope to have a voice in this. And in the Focus Groups we can exchange with other companies and institutions on the evolutions and the impact of the Cybersecurity Act”, explains Bill.  

Eurofins Digital Testing has a large capability in testing and assessment. “Our group already acts as certification body for many standards in different industries. We will be aiming to offer services and certification for the EU Cybersecurity Act too. We are preparing for it and recommend our customers to do so voluntarily. Taking into account that the certification schemes will be gradually rolled out over the next two to three years, companies will need another couple of years to comply with these rules and standards.” 

Bill Chard is convinced that certification under the EU cyber security schemes will be recognized in other parts of the world. “Certification of cyber security properties will become mandatory. As Europe is a frontrunner, this can offer competitive advantages. Having a label or certification will reassure end users. So manufacturers that succeed in being the first to have it, even in an environment where it is not yet mandatory, will get the most benefit from it.”

Our Board

From top left to bottom right: Bart Preneel, Bart Steukers, Georges Ataya, Fabrice Clément, Nathalie Ragheno, Jan De Blauwe, Séverine Waterbley and Miguel De Bruycker

Operations Office

Operations Manager

Cathy Suykens

Business Development Manager

Christian Mathijs

Operations Assistant

Hilde Lion

Our members

PRIVATE

Accenture • AG Insurance • Allen & Overy (Belgium) LLP • Allianz Benelux • Approach Belgium • Argenta • ATOS • AXA Belgium • AZ Rivierenland • Bekaert • Belfius • BNP Paribas Fortis • Byblos Bank Europe • Cegeka • CHU-UVC Brugmann/ HUDERF • Colruyt Group • Cranium • DigiTribe • Dilaco • DKV Belgium • DNS Belgium • EASI • Ethias • EURid • Euroclear • Eurofins Digital Testing Belgium • Excellium Services Belgium • Expertware • EY • Grand Hôpital de Charleroi • Huawei Technologies Belgium • ING Belgium • Innocom • Intigriti • Iris Ziekenhuizen Zuid • Isabel Group • Isaca Belgium • Jan Yperman Ziekenhuis • Juniper • KBC Group • KPMG Advisory • Lineas • Microsoft • National Bank of Belgium • nextAuth • NVISO • Onze-Lieve-Vrouw Ziekenhuis Aalst-Asse-Ninove • Orange Belgium • Orange Cyberdefense Belgium • Proximus • PwC Belgium • Rhea Group • SAI • Secutec • SecWise • Senior Living Group • Siemens Digital Industries • Sirris • Socialware • SopraSteria Benelux • SWIFT • Telenet Group • Thales Group Belgium • Toreon • Unisys Belgium • Vanbreda Risk & Benefits • Wortell • Zetes Belgium • Ziekenhuis Oost-Limburg (ZOL)

FEDERATIONS

Agoria • Assuralia • Beltug • Comeos • Confederatie Bouw • Febelfin • Fevia • HRZKMO • LSEC • Synergrid • UWE • VBO 

PUBLIC

 Agence du Numérique • A.S.T.R.I.D • Belnet • BelV • BIPT-IBPT • C.R.E.G. • Centre for Cyber Security Belgium • CERT.be • CERT.eu • CIRB-CIBG • Defensie • European Commission • FOD Justitie • FOD BOSA • FOD Buitenlandse Zaken • FOD Economie • FOD Financiën • FOD Volksgezondheid, Veiligheid van de Voedselketen en Leefmilieu • Gegevensbeschermingsautoriteit • IBZ • MIVB-STIB • NMBS-SNCB • SCK-CEN • VDAB • Vlaamse Overheid - Vlaio • Waals Parlement

About the Coalition

The Cyber Security Coalition is a non-profit association (ASBL/VZW) that provides a neutral, non-commercial forum where cyber security professionals can freely exchange in confidence. The Coalition is a member-funded initiative. The membership fees cover the operating costs and deliverables, such as awareness campaigns, information kits or the publication of guidelines. All members are represented in the General Assembly.

COLOPHON

The Cyber Security Gazette is a creation of Comm2B, the content company, commissioned by the Cyber Security Coalition.
Editors: Björn Crul, Roeland Van Den Driessche and Bavo Boutsen | Editor-in-Chief: Cathy Suykens | Photography: iStock, archives | Design: Anaïs Hoornaert and Webdoos | All rights reserved | © 2021 Cyber Security Coalition

Cyber Security Coalition
Stuiversstraat 8, 1000 Brussels | info@cybersecuritycoalition.be | www.cybersecuritycoalition.be
Release Date: January 2022
