Our Blog

Learn more about ACTAGIS and related news

09 Sep, 08:00-09:00: "Trust" and "security": not add-ons


Why «trust» and «security» should never be Add-ons

Article published in the “Protection” supplement of the “Tribune de Genève” and “24 Heures” on 9 September 2020.

ISACA, the International Information Systems Governance Association, supports companies in the fight against cyber-attacks. INTERVIEW SMA

The internet is a crucial tool for most companies. Unfortunately, it does not only offer possibilities but also opens up potential vulnerabilities. Small and mid-sized enterprises (SMEs) in particular are often victims of cyber-attacks. The international IT governance association ISACA helps companies fight this trend. We spoke to Jeff Primus, security expert and ISACA board member for Romandie, to learn how this works.

Jeff Primus, nowadays the importance of cyber-security is undisputed – also because a rising number of organizations find themselves being targeted by hackers. But what exactly does «cyber-security» imply for SMEs?

Firstly, we must look at the context in which companies currently find themselves: Boosted by accelerated global exchanges, cyber-threats are spreading rapidly, with large-scale worldwide effects also grandly impacting Switzerland as a key platform of information exchanges. In such a context, Swiss SMEs should be prepared to cope with the major disruptions to the information systems caused by cyber-attacks. Failure to activate prepared solutions for such scenarios, which can harm the delivery of the products and services, can have major consequences for the enterprises’ survival. Therefore, the discipline of «Cyber-Security-Governance» is gaining more and more traction.

What does Cyber-Security-Governance entail?

It focuses on setting objectives, measures, roles and responsibilities to help protect organizations’ information systems, enabling them to bring more value while reducing the risks. For example, in the context of the current coronavirus pandemic, remote working («home office») has become the most widely implemented action to enable business continuity. In consequence, enterprises are opening more doors and vulnerabilities to enable the information flow between the corporate datacenter and remote workers. This can, however, be potentially detrimental as enterprises are mainly focused on their survival and consider security «a low-priority topic». This facilitates the exponential increase of the frequency of cyber-attacks exploiting various vulnerabilities. These attacks, coupled with the capacity limits of national, regional and worldwide infrastructures, are seriously shaking the fundamentals of security & privacy in terms of information confidentiality, integrity, business continuity and data protection. Cyber-Security-Governance provides companies with a toolset to address all these topics.

So, Cyber-Security-Governance is becoming one of the main building blocks for ensuring Business Continuity. How does the topic of data privacy come into play?

According to the official 2019 statistics published by the Swiss government, 99% of economic power is based on SMEs, making the vast majority of businesses highly vulnerable to cyberattacks. With the pandemic context, more than ever, the convergence of Information Security, Privacy and Business Continuity is becoming a MUST to implement, in order to reduce financial, operational, legal and reputational impacts of cyber-threats. One key to a successful realization of converged governance is to apply well-established frameworks and certifications such as COBIT, CRISC, ISO 27001, GDPR, and many more. The issue: Implementing these sometimes quite «huge» frameworks can be work- and cost-intensive. Big companies have the power to do so, but most smaller ones do not.

The solution?

It lies in a «Light implementation approach». Simply put: By breaking huge frameworks into smaller, more easily implementable parts, SMEs can choose the most appropriate subset of measures which fit their needs. Ideally, enterprises would embrace the concept of «Security and Privacy by Design». This means that these two essential factors are considered at the very start of application infrastructure development and acquisition. One of the main errors of many organizations lies in the fact that they do put in place information solutions, BUT usually forget to incorporate the privacy and security aspects from the beginning. They are then added later, almost as an afterthought or Add-on. But security and privacy should be a part of the very DNA of applications.

The COVID app of the government has re-ignited the debate on whether or not users should share their data with organizations. How can the trust of users be won?

Unfortunately, due to events such as the Swisscom data theft of 2018, people are reluctant to trust organizations as far as the protection of their personal data is concerned, which explains why organizations need to enhance «Trust by design». How can they do that? By implementing «Security and Privacy by Design», as mentioned. By promoting these key messages, applications such as the COVID APP will be adopted at higher rates. This kind of implementation can be practised via ISACA’s new course: «Certified Data Privacy Solutions Engineer».

Let us speak of ISACA – how does it work and how do its services help companies?

The ISACA association is a network for people who are interested in and wish to develop themselves in domains such as IT governance, auditing, Cybersecurity and Risk Management. The association has been active in Switzerland for 30 years. On the one hand, ISACA promotes the exchange of knowledge; on the other hand, it also offers further training and certification. The latter, in particular, is a valuable tool for employees who wish to enhance their technical and organizational expertise.

How does your own company, ACTAGIS, help clients to put the principles of ISACA into action?

ACTAGIS, as the official and exclusive partner of the ISACA Swiss Chapter in the French part of Switzerland, proposes learning and preparation classes for all ISACA certifications (also worldwide for in-house training). Active on the market for more than 25 years in the IT Governance, Cybersecurity, Risk Management & Business Continuity domains, ACTAGIS consultants and trainers offer strong added-value services (organizational and technical) to enterprises and organizations. The objective is to help them create more value for less risk and to increase their performance while reducing expenditures for their strategic projects. We also propose training courses with certifications in order to ensure the transmission of knowledge and expertise that increase the competitiveness of our customers. By doing this, we aim to be a trusted, discreet, reliable and rapidly available partner.

For further information, visit www.isaca.com and www.actagis.com

About Jeff Primus

Founder & CEO | Senior Consultant

Official and Accredited ISACA, BCI, PECB, CGEIT, CRISC, CISA, CISSP, SABSA-SCF, MBCI, ISO 27001 LA+LI, 22301 LA+LI, 27005 RM, 20000 LI, 9001 LI+LA, COBIT 5, CDPSE and Certified Data Protection Officer – GDPR.

He has over 25 years of experience within information systems governance, security and business continuity and leads teams of consultants while actively participating in business-critical missions.

Jeff, as an expert on the subject, actively implements ISO 27001, GDPR and ISO 22301 compliant Security, Privacy & Business Continuity Management Systems for the public sector, multinational companies and SMEs in Switzerland, Europe and the Middle East. As a lead lecturer, he teaches Security, Governance and Business Continuity topics at the University of Paris-Sorbonne, the University of Geneva and HES-SO-Valais. Additionally, he has written many articles on security and information systems and has been featured on radio and television shows.

Jeff is a board member of ISACA-Switzerland and Chapter Lead ISACA Suisse-Romande. He also took active part in the ISO SC27 Workgroup, which co-defines the new releases of the ISO 27001 standard.

Download the PDF (French)

Time: Wednesday, 08:00 - 09:00

27 Mar, all day: Coronavirus: Business Continuity & remote working requires Cybersecurity



In the context of the coronavirus pandemic, remote working has become the most widely implemented action to enable business continuity in our increasingly service-oriented world. In consequence, enterprises are opening more doors, tunnels and vulnerabilities to enable the information flow between the corporate datacenter and remote workers.

During this difficult period, where enterprises are mainly focused on their survival and where security is considered a low-priority topic, the frequency of cyber-attacks exploiting various vulnerabilities is increasing at an exponential rate. These attacks, coupled with the capacity limits of national, regional and worldwide technical infrastructures, are seriously shaking the fundamentals of security in terms of information confidentiality, integrity and business continuity.

More than ever, the convergence of Business Continuity and Information Security is becoming a must to implement, in order to reduce the financial, operational, legal and reputational impacts of cyber-threats.

ACTAGIS was interviewed on this subject by RTS on March 27, 2020.


Willing to share its expertise, ACTAGIS proposes some key security recommendations for remote working that will help you to strengthen the continuity of your activities.

1. Set up a crisis management organization (a manager and if possible, a team) that can identify, prioritize and coordinate the necessary actions for the business continuity including the remote working plan.

2. Identify and focus on the most critical key processes of your enterprise and allocate to them the needed resources (human, material and financial).

3. Develop and implement the “Information Technology Disaster Recovery Plan”.

4. Establish security policies & guidelines to facilitate the usage of technological solutions.

5. Empower your remote workers with on-line awareness & training sessions on security & remote working best practices, in order to mitigate the cyber-risks related to videoconferencing-bombing, corona-phishing, shared Wi-Fi…

6. Facilitate the activation of high-performance network connections for the enterprise premises and remote workers.

7. Provision sufficient capacity and implement adequate security for your IT infrastructure (software & hardware) so that it can scale and support a large number of simultaneous encrypted connections & accesses.

8. Provide secured corporate laptops (encrypted, hardened, using two-factor authentication…) to enable a professional working environment.

9. Promote remote screen sharing and low-definition video streaming, enabling your staff to focus on the essential information without saturating network capacity.


Contact ACTAGIS for further recommendations, training and consulting services.

Take care of yourself and your family,
Jeff Primus


Author: Jeff Primus: Founder, CEO & Senior Consultant, has over 25 years of experience within information systems governance, cyber security and business continuity. Jeff, as an expert on the subject, actively implements ISO 22301 and ISO 27001 compliant Business Continuity & Security Management Systems for the public sector, SMEs and multinational companies in Switzerland, Europe and the Middle East. As a lead lecturer he teaches Security, Governance and Business Continuity topics at the University of Paris-Sorbonne, the University of Geneva and HES-SO-Valais.

© 2020 Jeff Primus, ACTAGIS

Time: All Day (Friday)

29 Feb, all day: Coronavirus is Seriously Impacting Businesses



Boosted by accelerated global exchanges, the Coronavirus is spreading very rapidly, with large-scale effects also in Europe and Switzerland. Thanks to the widely developed healthcare systems in these zones, we can expect the propagation of the virus to be decelerated. But, in the meantime, businesses have already begun to suffer from the pandemic situation. Macroeconomic experts predict that the gross domestic product (GDP) of the European zone will fall due to the direct and indirect impacts caused by the Coronavirus.


Business Continuity & the Coronavirus

Even if the Business Continuity Plan (BCP) should naturally be embedded in a normal business practice, most of the time only large enterprises have implemented it at a companywide level, leaving the small and medium-size enterprises (SMEs) unprepared for such pandemic situations. According to the official 2019 statistics published by the Swiss government, 99% of economic power is based on SMEs, making the vast majority of businesses highly vulnerable to the Coronavirus.

In the context of such a pandemic crisis, SMEs should be prepared to cope with the major disruptions related to the availability of human resources, supply chains, market demands for products and services, business travel, treasury and cash-flow. Failure to activate prepared solutions for such scenarios can have major consequences for the enterprises’ survival.

ACTAGIS provides below a helpful guide for a pandemic plan that SMEs can apply in order to get ready, by implementing adequate measures enabling their continuity in the case of a pandemic situation.


Jeff Primus, CEO of ACTAGIS, was interviewed on this subject by CNN-Money on February 26, 2020.

Pandemic Plan (BCP) for Enterprises

Plan

  • Define and assign responsibilities.
  • Establish communication channels with the authorities and your key suppliers.
  • Identify the key business processes that enable your key products and services.
  • Set criteria and thresholds for the activation of the BCP.

Analyze

  • Identify the risks, associated vulnerabilities and impacts applying to your company.
  • Prioritize your key processes on which the enterprise will focus its continuity efforts.

Implement, Train & Test

  • Develop step-by-step plans with detailed activities and their stakeholders, considering the impacts generated by employees’ absences, information systems and cybersecurity requirements, teleworking conditions, supply chain disruptions, variation in market demands, traveling issues, financial constraints, chains of dependencies.
  • Enhance the plans by considering alternate solutions and insurance coverage.
  • Develop and implement the “Information Technology Disaster Recovery Plan” (IT-DRP).
  • Establish processes for employee welfare and repatriation from overseas.
  • Deliver awareness and Training Sessions.
  • Construct internal and external communication plans including also the emergency situations.
  • Develop policies to be applied companywide.
  • Test your plans.

Respond if your Enterprise is hit by Coronavirus

  • Apply the hygiene advice recommended by the healthcare authorities and experts and provide the adequate facilities and material.
  • Reduce travels and face-to-face contacts with various stakeholders (suppliers, customers) located in specific geographical regions.
  • Activate the Information Technology Disaster Recovery Plan.
  • Monitor the virus symptoms and activate the home-working / teleworking plan in order to contain the pandemic propagation.


Author: Jeff Primus: Founder, CEO & Senior Consultant, has over 25 years of experience in information systems governance, cyber security and business continuity. Jeff, as an expert on the subject, actively implements ISO 22301 and ISO 27001 compliant Business Continuity & Security Management Systems for the public sector, SMEs and multinational companies in Switzerland, Europe and the Middle East. As a lead lecturer, he teaches Security, Governance and Business Continuity topics at the University of Paris-Sorbonne, the University of Geneva and HES-SO-Valais.


© 2020 Jeff Primus, ACTAGIS

Time: All Day (Saturday)

01-30 Sep, all day: ACTAGIS is PECB Europe Partner of the Month – September 2018

Time: September 1 (Saturday) - 30 (Sunday)

12 Feb, all day: Data theft of 800’000 Swisscom customers


What are the risks that they do not disclose?

Switzerland is not spared, and this type of theft does not only happen to others. It is important to remember that the number of data-theft cases continues to increase and that the Swisscom case represents only a modest event compared to the billions of personal records compromised via Yahoo, MySpace, eBay, LinkedIn and Dropbox accounts.

As a customer or user, should we worry, since the data stolen from Swisscom is not considered sensitive? The answer is unfortunately yes, since the stolen phone numbers and names are now most likely accessible on the darknet. They attract the greed of a multitude of malicious actors who are willing to exploit them for illicit purposes.


Jeff Primus, CEO of ACTAGIS, was interviewed on this subject for the “19h30” of the RTS on February 7, 2018.

The risks associated with this type of data theft are far from negligible and are not limited to receiving unwanted advertising calls. In reality, several scenarios of attacks remain entirely possible. For example, using “social engineering” methods, it is very easy for a malicious entity to use the stolen data to subtly obtain other more sensitive information. In other cases, the attacker will be able to exploit the stolen data by using a messaging or IP telephony application, in order to discover the vulnerabilities of the users.

By unveiling, in early February 2018, that it had been the victim of a theft of its customers’ information at the end of 2017, Swisscom is probably at the top of the list for this type of incident in Switzerland. So why did Swisscom wait 4 months before announcing these facts to the general public? So far, we do not have a satisfactory explanation from Swisscom, but we think they should have warned the victims of this hacking without such a lengthy delay.

With the new European GDPR (General Data Protection Regulation) and the Swiss Data Protection Act, the situation for Swiss companies could quickly change. For example, the GDPR will require Swiss companies processing European citizens’ data to apply preventive, detective and corrective security measures and to rapidly announce this type of incident to stakeholders.

In the event of a breach of the regulations, the company in question could pay a fine of up to 4% of international revenue. That should get companies thinking, if they haven’t yet found the motivation to devote a reasonable security budget to the products and services they offer their customers.

© 2018 Jeff Primus, ACTAGIS

Time: All Day (Monday)

18 Oct, all day: ACTAGIS is now a PECB SILVER PARTNER


PECB & ACTAGIS are pleased to announce the accomplishment of a new partnership level. This step is the result of a strong commitment by both companies to share their expertise and offerings with the market in order to bring best-of-breed ISO 27001 / ISO 27005 / ISO 9001 / ISO 22301 / ISO 31000 / ISO 20000 / GDPR courses.

Time: All Day (Wednesday)

17 May, all day: Wannacry ransomware attack


Wannacry ransomware attack

The Wannacry ransomware attack showed us again how the human factor, coupled with the vulnerabilities inherent in information systems, can cause tremendous damage to the worldwide digital economy.

The scheme used is not revolutionary and is based on a combination of known techniques:

  1. Exploiting a vulnerability that has been discovered but not patched by the software or hardware vendor
  2. Using the human factor weakness to activate the malware on the operating system
  3. Having access to the low-level system instructions that enable the total encryption of the data stored on the system.
  4. Using worms to facilitate the light-speed propagation of the attack on the networks of the victims
  5. Using the darknet mechanisms in order to receive the ransom via bitcoin

With the scenario described above, the victims are, in the vast majority of cases, disarmed, especially if they were not prepared via security awareness campaigns and if the CIO and CSO did not implement adequate preventive, detective and corrective controls.


Jeff Primus, CEO of ACTAGIS, was interviewed on this subject for the show “Toutes Taxes Comprises”, aired on the RTS on 15 May 2017 (in French).

Since the beginning of the attack, more than 150 countries have been hit by Wannacry, and the damage to the worldwide economy can easily be estimated at billions of dollars if we consider the business interruptions caused to thousands of companies worldwide.

In order to reduce the probability and the impact of such events, companies should reinforce the awareness level of their users and patch their systems in a frequent and systematic way. Last but not least, a well-designed and implemented business continuity architecture would permit enterprises and users to recover their information systems and data to a coherent state, as they were just before the attack.

Wannacry screen seen by the victims of the cyber-attack.

We should all be reminded that we are in a field where never-ending battles will probably continue, forcing us to be better and better prepared for the future evolutions of more and more sophisticated threats.

The human factor will always be the biggest vulnerability that attackers exploit, and the major area where security can be improved.

© 2017 Jeff Primus, ACTAGIS

Time: All Day (Wednesday)
