The European Commission, together with other EU institutions, has kicked off a campaign to introduce October as the ‘European Cybersecurity Month’, aimed at raising cyber-awareness across the bloc amid increasing concern around online safety.
This edition of the European Cybersecurity Month (CSM), the eleventh so far, seeks to highlight concerns around social engineering, a tactic used by hackers to get sensitive information and data from individuals and companies.
According to the EU cybersecurity agency ENISA’s 2023 Threat Landscape report, the top three cyber threats facing the EU are social engineering, ransomware and malware, with over half of attacked firms having paid ransom demands.
“Cybersecurity is an extremely important subject, and we have seen over the past few years that cybersecurity has become a subject addressed more and more seriously by regulators throughout the world,” explained Dita Charanzová, Vice-President of the European Parliament, during the campaign kick-off event series, which will run until Thursday (28 September).
“Cybersecurity attacks against EU institutions, EU governments, and public institutions pose a real threat to democracy,” Charanzová added, stating that EU law enforcement agency Europol has identified a notable rise in ransomware attacks against public institutions and large companies.
Cyber-October for SMEs
To mark the month, ENISA and the Commission in partnership with EU countries aim to create a platform to trigger more action on cybersecurity.
There are three aspects of a cyber threat to consider: its type, level of exposure and conversion rate into actual cyber incidents, Grzegorz Minczakiewicz, the Commission’s director in charge of IT security, explained.
The aim is to draw “the lessons on what are the main factors of those attacks,” Minczakiewicz added.
“Social engineering is a big issue for companies, with over 80% of data breaches due to human error,” Iva Tasheva, part of ENISA Ad-Hoc working group on Enterprise security, told Euractiv. The Ad-Hoc group details many of the cybersecurity awareness-raising activities which focus on small and medium-sized enterprises (SMEs).
Phishing, smishing, and vishing are examples of social engineering techniques that are extremely cheap for a cyber intruder. While ‘phishing’ is executed mainly by email, ‘smishing’ and ‘vishing’ are cyber-attacks carried out by SMS and phone calls.
These techniques open the door to a wide range of attacks, with potentially devastating consequences for businesses and individuals, explained Tasheva.
For SMEs to maintain a high level of cybersecurity is a “massive undertaking”, pointed out Juhan Lepassaar, ENISA’s Executive Director.
According to the Commission’s Eurobarometer, almost one-third of SMEs are very concerned about the risk of hacking online bank accounts. Further, 31% worry about impersonation attacks such as phishing and 29% are concerned about viruses and spyware or malware.
“Start with your own risk assessment. Your approach to supply chain management should be risk-based and proportionate,” Lepassaar advised SMEs.
Cyber-month vs. Cyber-weeks
While ENISA’s Tasheva described the event as “an occasion to gather forces and gain traction around the pain points for cybersecurity”, some questioned the effectiveness of the campaign.
“Although this initiative is of course welcome, I do not think it is sufficient to achieve long-term effects,” Valentin Weber, Research Fellow at DGAP’s Centre for Geopolitics, Geo-economics and Technology, told Euractiv.
“A one-month initiative will not be able to replace the fundamental discussion of this topic in society at large,” he added.
According to Weber, it would be much more effective to hold events throughout the year that regularly remind people of cybersecurity hazards, as he is convinced that the most effective awareness campaigns are those that regularly warn people about threats.
These could be called ‘cybersecurity weeks’ and each event could have a different focus, he suggested.
“Nevertheless, the European Commission can be credited with stepping up to address the issue,” Weber acknowledged.
Patrick Wheeler, director of the workforce development program CyberWayFinder, told Euractiv that he also supports sustained efforts to improve cybersecurity.
“We must follow such events with a deep look at the damages being done to the fabrics of our social society; whether a ‘death of a thousand cuts’ by individual fraudsters, toxic online behaviours driven by platform algorithm attention optimisation or a direct attack on the core of our European democracies, these all must be addressed,” Wheeler said.
“By highlighting these topics during the month, we put in place important groundwork that shows the benefits the EU institutions, among others, are attempting to bring in protecting us all,” Wheeler concluded.
[Edited by Nathalie Weatherald]