Q&A Guide: Promoting Cybersecurity for SMEs in Europe
Co-funded by the European Union. Global Digital Foundation.

TABLE OF CONTENTS
Chapter 1: Why SMEs matter
Chapter 2: What can be done
Chapter 3: Support at a European level
Chapter 4: Useful cybersecurity information and resources for SMEs

CHAPTER 1: WHY SMEs MATTER

WHY ARE SMEs SO IMPORTANT FOR EUROPE?
SMEs contribute to the EU economy through the creation of high-quality jobs. The promotion and protection of SMEs in Europe are key political priorities for EU policymakers.

WHY SHOULD SMEs HAVE ROBUST LEVELS OF CYBERSECURITY?
The recent Covid-19 pandemic confinement restrictions accelerated the need for SMEs to digitalise their operations and offerings further. The digitalisation of a large share of European SMEs happened very quickly, and this growth in digitalisation was unfortunately accompanied by an increase in cybersecurity attacks. According to the World Economic Forum (WEF), phishing attacks increased by 667% during the initial months of Covid-19 in 2020. Many of these SMEs were unprepared for cyber attacks, with many employees unaware of how to mitigate cyber risk.
It is not correct to assume that cyber attacks target large companies only. There is clear evidence that the SME sector is being systematically targeted by cyber criminals too. In an ENISA survey in 2021, 57% of SMEs said they believed their company would go out of business as a result of a cyber attack. A successful attack clearly has very negative consequences for the SME concerned. In a broader sense, it also undermines business confidence and disrupts the process of digital transformation across Europe. Cyber attacks against SMEs can have a disruptive effect on the EU economy.

Key figures:
- 25 million: there are 25 million SMEs in Europe.
- 100 million: SMEs employ 100 million people in Europe.
- 99%: SMEs represent more than 99% of all firms in Europe.
- +50%: SMEs contribute over half of the EU GDP.
SMEs underpin the building of a more innovative society and are drivers of digital transformation and economic growth.

The cybersecurity of SMEs is critical in securing the supply chain in Europe. Supply chain cybersecurity can be defined as the resilience of each company, product and service involved in delivering a final product or solution to the end user. The number of supply chain attacks is increasing exponentially. The ENISA Threat Landscape Report 2022 found that supply chain attacks accounted for 17% of all cyber attacks in 2022, compared to only 1% in 2021. Many attacks in which the networks or the information of customers are compromised trace back to a security breach at a supplier.

Higher levels of cybersecurity for SMEs will further protect EU cyber resilience. SMEs serve critical sectors of the European economy by contributing services and products to IT providers and utility operators. As a way to penetrate otherwise secure critical infrastructure networks, attackers do target SME suppliers to gain access to key networks and data. The cybersecurity of SMEs is therefore an essential component in preserving the security of the people of Europe. If SMEs use technology that is not secured, this clearly generates vulnerabilities and poses higher risks for users.

CHAPTER 2: WHAT CAN BE DONE

WHAT ARE THE KEY CHALLENGES FOR SMEs IN THE PROMOTION OF HIGHER CYBERSECURITY STANDARDS AND CYBER SKILLS?
A key concern for SMEs is the continuation or expansion of business opportunities, and doing so in a safe and secure manner. To achieve this objective, SMEs need to take account of the evolving cyber threat landscape. Key challenges related to the cybersecurity of SMEs include the following:

A human element
According to Verizon's 2022 Data Breach Investigations Report, 82% of data breaches involve a human element. This is linked to the lack of cybersecurity awareness of some employees and users. It is challenging to address the underlying problem, which is human behaviour and habits. Securing sensitive data and protecting it from theft should be an essential element of employee cyber skills training.

Investment
93% of SMEs are micro enterprises with fewer than 10 employees and no dedicated IT or security personnel. Like fire or house insurance, cybersecurity investment is critically important in protecting the products and services of SMEs. It can take time and specialist expertise to assess the cyber risk and to identify the critical processes and assets that need to be protected. We have to stop situations where companies realise the need for cybersecurity only after a significant incident, when it is evidently too late.

Lack of skills and competence
SMEs face difficulty in accessing trained security professionals for tailored advice on integrating cybersecurity into their operations. According to the ISC2 Cybersecurity Workforce Study 2021, Europe was lacking over 200,000 cybersecurity specialists. This all leads to an increased responsibility for SME managers and employees to keep up to date with an ever-changing cybersecurity landscape. The Fortinet Cybersecurity Skills Gap Report 2022 revealed that 80% of organisations had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and/or a lack of cybersecurity awareness in the workplace. The European Cybersecurity Skills Framework was published by ENISA in April 2022. This framework identifies the critical cybersecurity skill set required for the workplace. It also gives HR personnel the tools to understand exactly what is needed when recruiting cybersecurity staff.

WHAT PRACTICAL MEASURES NEED TO BE TAKEN TO HELP IMPROVE CYBERSECURITY FOR SMEs IN EUROPE?
There are four key measures that should be considered in building a security strategy that can minimise the risk of operational interruptions, data compromise and data loss:
- Identifying critical enterprise processes and resources, security threats, vulnerabilities and risks.
- Implementing security measures, such as strong access control, awareness and training, vulnerability and patch management, and data backup and recovery processes.
- Using up-to-date anti-malware, security incident detection and staff/user reporting procedures.
- Maintaining incident and disaster recovery plans and putting in place the appropriate communication structures to engage with stakeholders.

WHAT SHOULD SMEs DO TO REDUCE THE MOST
COMMON TYPES OF CYBER THREATS?
The most common types of attacks on SMEs include malware, phishing, web-based attacks, ransomware and distributed denial of service (DDoS).

Strict access control: secure password management
Over 60% of all cybersecurity breaches involve user credentials. Poor and weak password practices pose a real risk to cybersecurity.
- Use a strong, unique password of at least 12 characters containing letters, numbers and symbols.
- It is strongly recommended to use a password manager to generate, manage and store passwords in encrypted form.
- Apply/activate multi-factor authentication (MFA) for the applications and systems that SMEs use or make available. MFA acts as a further layer of security protection for SMEs.

Managing vulnerabilities
- It is incumbent on SMEs to ensure that vulnerabilities in their products are identified and mitigated.
- Vulnerability patches and mitigating measures for the products/services that they use (as flagged by suppliers or national authorities) should be applied in a timely manner.
- Antivirus installation and maintenance is an essential step in protecting the operating systems and applications of SMEs from other threats.

Secure data backup
- Back up the data essential for business activities in at least two locations outside the corporate network.
- Use full disk encryption to ensure that, if a hard disk is lost or stolen, the data remains safe. The encryption keys must themselves be securely protected: a key stored on or next to the encrypted disk gives no protection.

Firewall installation and maintenance
- Install a firewall to improve security by isolating a trusted network from an untrusted network.
- Patch and harden the firewall.
- Use a whitelisting approach (default deny) to allow only the specific traffic required by the services the business uses.
- Update the firewall software regularly and, wherever possible, automate the process.

Wireless/Wi-Fi Protected Access (WPA)
- Use WPA3 wherever possible, with a strong, unique Wi-Fi passphrase of at least 20 letters, numbers and special characters.
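The firewall guidance above (default deny, allow only what the business's services need, keep the rules specific and auditable), shown as a concrete ruleset. This is an added example and not the guide's own material: an nftables configuration for a small SME server that is assumed to expose only HTTPS to the Internet and SSH to an administrator network. The ports are assumptions, and 203.0.113.0/24 is a documentation address range standing in for that administrator network.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the guide: default-deny (allow-list) host firewall
# for a small SME server. Assumptions: the server exposes only HTTPS to the
# Internet and SSH to an administrator network; 203.0.113.0/24 is a
# documentation address range standing in for that network.
flush ruleset

table inet filter {
    chain input {
        # "policy drop" is the default-deny (whitelisting) approach the guide
        # recommends: anything not matched by an explicit accept rule below is
        # dropped. The inverse, "policy accept" with a handful of drop rules,
        # lets through every service nobody thought to list.
        type filter hook input priority 0; policy drop;

        iif "lo" accept                             # local processes
        ct state established,related accept         # replies to our own traffic
        ct state invalid drop

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Only the traffic the business actually needs
        tcp dport 443 accept                        # public web service
        ip saddr 203.0.113.0/24 tcp dport 22 ct state new limit rate 10/minute accept   # admin SSH

        # Log (rate-limited) what falls through to the drop policy, so audits
        # and change reviews have evidence of what is being blocked.
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # this host is not a router
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file without applying it with `nft -c -f firewall.nft`, load it with `nft -f firewall.nft`, and make it persistent through the distribution's nftables service. For the audit the guide asks for (flagging unauthorised configuration changes), store the output of `nft list ruleset` as a baseline under version control and compare the live ruleset against it on a schedule; any difference is an unreviewed change and should be raised with whoever owns the firewall.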
Virtual Private Network (VPN) for access from outside the corporate network
- A strong VPN can provide secure remote access to a network and its applications.

Maintain an incident and disaster recovery plan
- Define and maintain an incident and disaster recovery plan to respond to security breaches, so that the SME is able to regain control over its business operations and data.

WHY IS IT SO IMPORTANT THAT MANAGERS IN SMEs CLEARLY COMMUNICATE WORK RESPONSIBILITIES CONNECTED TO CYBERSECURITY ISSUES?
Managers in SMEs need to communicate very clearly to their staff and explain concisely what is expected of them to mitigate cyber attacks in the workplace. Proper cybersecurity training should be given in password management, data backup and how to respond to a cyber attack. Training can emphasise that 82% of data breaches involve a human element. It is advised that a plan is developed for how to communicate with stakeholders in the case of a cybersecurity incident.

HOW CAN FIREWALLS IMPROVE SECURITY FOR SMEs?
A firewall improves security by isolating internal systems, applications and data from an untrustworthy network such as the Internet. The rules defining network access should be specific, and company security guidelines for them can be defined. Regular audits of firewalls should be carried out: for example, any unauthorised firewall configuration change should be flagged.

WHAT CAN SMEs DO TO STOP MALWARE BEING INSERTED INTO THEIR SYSTEMS?
The main purposes of malicious code are the following:
1. Encryption, modification or theft of information, e.g. to demand a ransom or resell the data.
2. Monitoring data flows, e.g. for corporate gain.
3. Taking control of a device, e.g. to cause an incident.

Key measures for SMEs to protect themselves against malware:
- Install and maintain specialised anti-malware software. Such software can be installed on mobile devices, operating systems and in networks. The software scans incoming data for malware and blocks or quarantines suspicious or proven malicious code before use. There are many different anti-malware products for sale in the marketplace.
- Users/employees should remain alert and refrain from clicking on suspicious links in emails or opening suspicious attachments.
- Data needs to be backed up.

HOW CAN SMEs RECOGNISE PHISHING ATTACKS?
Phishing attacks are a type of social engineering attack, i.e. targeted at people rather than at system vulnerabilities. Phishing is, in essence, analogous to traditional types of fraud. By default, phishing is not a complex technical attack. It just requires a plausible pretext, such as a fraud scenario, to make the user click on a malicious link, open a malicious file or URL, or type in or give away confidential information. Recognising common types of fraud scenarios can prevent SMEs from falling victim to many phishing attacks. Understanding the different types of phishing attacks will help managers and employees in SMEs to develop an instinct to check email and other messages carefully before they click on links or attachments contained within them.

Questions that people working in SMEs should ask so as to stop a phishing attack:
- Is the message solicited or expected? If not, all the questions below should be answered to identify a phishing attempt.
- Is the sender legitimate, i.e. using the correct corporate email, profile or phone number? If not, this could be a phishing attempt.
- Is there a sense of urgency in the message, a scary consequence or a great reward? If yes, this could be a phishing attempt.
- Is the request claiming to come from a bank, postal service, tax administration or law enforcement agency? If yes, this could be a phishing attempt and may be part of a widespread phishing campaign. These types of organisations typically use secure communication channels (e.g. their own apps). If in doubt, go directly to the sender's app or web page and log in to check whether any messages appear.
- Does the message look odd, with typos, or is it very generic? If so, this could be a phishing attempt.
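The checklist above, turned into a small triage script. This is an added example and not part of the original guide: it applies each of the questions (is the sender who they claim to be, is there urgency or a reward, does the message claim to come from a bank or authority, is it generic, and where do its links point) to raw e-mail using only the Python standard library. The company domain example-sme.eu, the keyword lists, the scoring threshold and both sample messages are constructed for illustration.

```python
"""Phishing triage: the guide's checklist questions applied to raw e-mail.

Added example, not part of the original guide. The company domain, keyword
lists, scoring threshold and both sample messages are constructed.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example-sme.eu"  # assumed: the SME's own mail domain

# Organisations the guide names as typically impersonated
AUTHORITY_RE = re.compile(r"\b(bank|postal|parcel|tax|revenue|police|customs|law enforcement)\b")
# "A sense of urgency, a scary consequence or a great reward"
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "final notice", "prize", "you have won")
# "Very generic" messages
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "valued client")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg: Message) -> str:
    """First text/plain part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw: str) -> dict:
    """Answer the checklist for one message; score = number of 'yes' answers."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = _plain_text(msg).lower()
    blob = f"{msg.get('Subject', '')}\n{text}".lower()
    link_hosts = URL_HOST_RE.findall(blob)

    # "Is the sender legitimate?": an address shown in the display name that
    # differs from the real sender, or a Reply-To that quietly redirects
    # answers elsewhere, are the classic tricks.
    display_domains = {_domain(a) for a in EMAIL_RE.findall(display)}
    sender_mismatch = bool(display_domains - {from_domain}) or bool(
        reply_domain and reply_domain != from_domain)

    findings = {
        "sender_mismatch": sender_mismatch,
        "urgency_or_reward": any(k in blob for k in URGENCY),
        # claims to be a bank/tax office/police but does not come from our own domain
        "claims_to_be_authority": bool(AUTHORITY_RE.search(blob)) and from_domain != COMPANY_DOMAIN,
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
        # links pointing somewhere other than the sender's own domain
        "link_domain_mismatch": any(not h.endswith(from_domain) for h in link_hosts) if from_domain else bool(link_hosts),
    }
    score = sum(findings.values())
    findings["score"] = score
    findings["verdict"] = "likely phishing" if score >= 2 else "no obvious phishing signs"
    return findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "security@eurobank.example" <alerts@eurobank-secure-login.top>
Reply-To: verify@eurobank-secure-login.top
To: accounts@example-sme.eu
Subject: URGENT: your business account will be suspended within 24 hours
Content-Type: text/plain; charset=utf-8

Dear customer,

Our bank detected unusual activity. Verify immediately at
https://eurobank-secure-login.top/verify or your account will be suspended.
"""

LEGITIMATE_SAMPLE = """\
From: Maria Rossi <maria.rossi@example-sme.eu>
To: tom@example-sme.eu
Subject: Q3 invoice batch
Content-Type: text/plain; charset=utf-8

Hi Tom,

The Q3 invoices are in the shared folder: https://files.example-sme.eu/q3
Maria
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, triage(sample))
```

The keyword lists are deliberately short; a real deployment would keep them in a configuration file and tune the threshold against the SME's own mail. The point of the script is the shape of the checks, not the word lists: the sender test compares what the display name and Reply-To claim with the address actually used, and the link test compares where the links go with who is writing.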
WHAT CAN SMEs DO IN THE CASE OF A PHISHING ATTACK?
Phishing attacks are a reality for SMEs. They should consider the following responses:
- Never click on a link in the case of a suspected phishing attack.
- Flag the message as phishing to the IT department, to the platform used, or to the impersonated organisation.
- Delete the message.
- In the case of a phishing attack, inform the security/IT team and change passwords and PINs for all important accounts (email, bank, authentication services, operating systems and cloud services).
- If the phishing attack is successful, systems and data may be compromised and become inaccessible. In that case, the SME may receive a ransomware message. There are useful resources containing advice on how to deal with a ransomware incident, such as the Europol No More Ransom site, and the SME should work with its local CSIRT (Computer Security Incident Response Team).

WHAT CAN SMEs DO TO AVOID A WEB-BASED ATTACK?
A web-based attack exploits security weaknesses in Internet infrastructure in order to carry out a cyber attack against, for example, a company website, an e-commerce site, a blog or a search engine. Examples of web-based attacks include the installation of malicious code to extract sensitive information such as a customer database or payment details, modification of the data on the website, deletion of data, and sabotaging access to the website. For protection against web-based attacks, SMEs should consider the following:
- Keeping operating systems up to date, so that the latest available security updates are installed in a timely manner.
- Enabling security options, such as strong authentication for administrative access, encryption and backup.
- Controlling and monitoring websites to detect and prevent vulnerabilities and the delivery of malicious code.

CHAPTER 3: SUPPORT AT A EUROPEAN LEVEL

WHAT IS THE EU POLICY TOWARDS SUPPORTING SMEs FROM A CYBERSECURITY VIEWPOINT?
The EU approaches the improvement of cybersecurity for SMEs in two ways: investment and regulation.

Cybersecurity Act (2019)
One policy instrument that promotes and supports the cybersecurity of SMEs in the EU is the Cybersecurity Act 2019. It lays the groundwork for the enhanced development of EU-wide cybersecurity certification schemes. Such certification schemes can benefit SMEs looking for cybersecurity assurance from their suppliers, as well as act as an instrument to promote, and give a competitive advantage to, SMEs that invest in cybersecurity. There are three major EU cybersecurity certification schemes in the making, focused on cloud services (EUCS), 5G, and Common Criteria (EUCC) for trusted ICT products in the EU. Cloud and 5G are the infrastructural building blocks that will enable both a stronger digitalisation of SMEs and the development of new services. The Common Criteria scheme certifies the ICT security attributes of products, and this may in turn be used by SMEs as part of their product and service offerings.

NIS2 / Cyber Resilience Act (CRA)
The new NIS2 Directive (proposed in 2020 and adopted in 2022) introduces a series of measures that require operators of certain important services within the EU to implement security measures and to carry out an assessment of the cybersecurity risk of their suppliers. In exceptional cases this may include some SMEs from the EU member states. In September 2022, the European Commission published the Cyber Resilience Act (CRA) proposal, which is focused on improving the cybersecurity of products with digital elements (and so applies to manufacturers of digital products). According to this CRA proposal, such products must comply with strict cybersecurity, incident and vulnerability management, risk analysis and notification requirements before being placed on the EU market. The governance and legislative approach of the CRA is based on the New Legislative Framework (NLF) process that is currently in place to certify the safety of products for the EU market.

Horizon Europe / Digital Europe
On the investment side, the EU has allocated 10 billion for cybersecurity collaborative actions under the Horizon Europe research, innovation and science programme 2021-2027. Funds are also available from the Digital Europe programme for SMEs to promote higher levels of cybersecurity in Europe. These initiatives afford SMEs more opportunities to expand their footprint in Europe by developing new, innovative cybersecurity-related products and services.

InvestEU / EU Recovery and Resilience Facility
Cybersecurity is also a part of InvestEU, a financial instrument that will support stronger cybersecurity value chains in Europe. Under the EU Recovery and Resilience Facility, many EU countries are adopting plans that contain a number of additional investments in cybersecurity.

European Year of Skills 2023
A number of new cybersecurity-related initiatives in the area of cyber skills will be developed by the European Commission and by EU member states in the context of the roll-out of activities under the European Year of Skills 2023.

HOW CAN EIT DIGITAL FURTHER SUPPORT SMEs IN DELIVERING HIGHER LEVELS OF CYBERSECURITY?
EIT Digital embodies the future of innovation by mobilising a pan-European, multi-stakeholder open-innovation ecosystem of top European corporations, SMEs, start-ups, universities and research institutes. Students, researchers, engineers, business developers and investors can address the technology, talent, skills, business and capital needs of digital entrepreneurship. EIT Digital builds the next generation of digital ventures, digital products and services. This breeds digital entrepreneurial talent, helping businesses and entrepreneurs to be at the frontier of digital innovation by providing them with technology, talent and growth support. EIT Digital answers specific innovation needs by, for example, finding the right partners to bring technology to the market, supporting the scale-up of digital technology ventures, attracting talent and developing digital knowledge and skills.

As the largest digital innovation ecosystem in Europe, EIT Digital is contributing to higher standards of SME cybersecurity in several ways. This is in order to increase the number of European cybersecurity products and services, which currently make up around 16% of the global cybersecurity market. EIT Digital runs a variety of initiatives to support both start-up companies and the scaling up of SME enterprises:
- Through its Accelerator, EIT Digital identifies and supports the scaling of new European cybersecurity start-ups. This further contributes to the diversity and availability of SME cybersecurity solutions.
- The EIT Digital DeepHack programme brings together digital innovators and entrepreneurs to solve critical business challenges, including within the cybersecurity field.
- The EIT Digital Innovation Factory initiative brings European partners together to create the next generation of digital ventures, products and services.
- The EIT Digital Venture Programme provides financial support and training to European entrepreneurs to get new deep-tech ventures started.
- The skills gap is being closed through the work of the EIT Digital Master's Cybersecurity Programme. This initiative is already taking place in a number of countries in Europe, including the Netherlands, Italy, France, Hungary, Romania and Finland. The courses address skills shortages in cloud computing security, application security, cyber risk management, security analysis, cryptography, network infrastructure security, systems validation and secure data management.

HOW CAN THE EUROPEAN CYBERSECURITY COMPETENCE CENTRE AND NETWORK DELIVER HIGHER STANDARDS OF CYBERSECURITY FOR SMEs?
One of the roles of the European Cybersecurity Competence Centre (ECCC) is to support and coordinate a number of research and innovation projects related to cybersecurity issues within Europe. This is one example of a coordinated effort across the EU to help ensure that SMEs can translate cybersecurity research activities into innovative products and solutions for the marketplace. The annual cybersecurity work priorities of the ECCC can give further strong support to SMEs to take part in both the Horizon Europe and Digital Europe initiatives. The ECCC closely engages with the Network of National Coordination Centres (NCCs) across the 27 member states of the EU. This collaboration can expand upon SME cybersecurity support programmes in individual EU member states and uniformly across the EU, and support capacity building across the 27 EU member states to promote higher standards of cybersecurity and an increased uptake of cybersecurity certification.

CHAPTER 4: USEFUL CYBERSECURITY INFORMATION AND RESOURCES FOR SMEs

ENISA (European Union Agency for Cybersecurity)
- Cybersecurity for SMEs (2021). https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes
- SME Cloud Security Tool (2021). https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security/security-for-smes/sme-guide-tool
- European Cybersecurity Month. https://cybersecuritymonth.eu/
- Be aware, be prepared: Cybersecurity Tips for SMEs. https://
- Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity (2021). https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity/at_download/fullReport
- European Cybersecurity Skills Framework 2022. https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework

Europol
- In the case of a ransomware attack, SMEs can find support for reaction plans and decryption keys as advised by Europol. https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides

ETSI
- Cybersecurity for SMEs. Part 1: Cybersecurity Standardisation Essentials. https://www.etsi.org/deliver/etsi_tr/103700_103799/10378701/01.01.01_60/tr_10378701v010101p.pdf

OECD
- Digital Security in SMEs 2021. https://www.oecd-ilibrary.org/sites/cb2796c7-en/index.html?itemId=/content/component/cb2796c7-en#chapter-d1e7025

World Economic Forum
- What SMEs need to do for a cybersecurity future (2021). https://www.weforum.org/agenda/2021/06/cybersecurity-for-smes-europe/

CyberWatching.eu
- SME Guides. https://cyberwatching.eu/smes-guides

CSIRTs (Computer Security Incident Response Teams) in the EU27
- https://csirtsnetwork.eu/

Copyright 2023 Huawei Technologies Co., Ltd. All rights reserved.
The information in this document may contain predictive statements, including, without limitation, statements regarding future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.