The information security obligations imposed by the Decree-Law are not being complied with, and organizations are already being warned but may soon also be fined. The warning was given today by Vice Admiral Gameiro Marques, General Director of the National Cybersecurity Center (CNCS) and the National Security Office (GNS), in a Building the Future session dedicated to cybersecurity.
It concerns the application of Decree-Law 65/2021, which lays down the obligations of organizations providing critical services, one of the fundamental bases of legislation in this area.
“Until August 22, we had a pedagogical attitude. It didn’t go very well,” explained Gameiro Marques, adding that when they consulted the knowledge base, they found that most organizations had not met the requirements. The Secretary of State for Digitization and Administrative Modernization, Mário Campolargo, had already admitted that the figures were not positive.
“Portuguese is not going there with pedagogy, so we changed our position. We’ve notified about 400 entities, now we’re tracking the minimums that should have been met and were not met, and we’re going to start issuing fines,” he detailed. “It will have to be like this, I’m sorry but the reality of our society is like this,” he argues, recalling that they are not doing this for the benefit of the CNCS but to oblige the companies that provide essential and critical services to the country to comply with what is stated in the decree-law transposing the NIS directive.
“The law was transposed in 2018 and last year we gave 74 training courses across the country with 1680 people who obtained the certificate, to teach them which safety requirements they must meet. When we see these results, it is frustrating,” Gameiro Marques admitted.
NIS 2 transposition plan handed over to the government today
As for the NIS 2 directive, which entered into force on January 16, Gameiro Marques says the transposition plan will be presented today to the Secretary of State for Digitization and Administrative Modernization. The general director of the CNCS admits that this transposition is more complicated, because it is a law and the legislative process goes through the Assembly of the Republic, but he recalls that “we have a year to go down this road”.
The aim is to have an impact study of the implementation of NIS 2 this year, in October, with more entities now listed with enhanced cybersecurity commitments.
Compliance with cybersecurity obligations was one of the themes of the debate “The economics of cybercrime: threats and opportunities”, which also featured Carlos Cabreiro. The director of the computer and technological crime unit of the Judicial Police (PJ) recalled that cybersecurity incidents and crimes involving computer means have grown exponentially in the past two years, which is reflected in cybercrime.
“These crimes [cybercrime and crimes committed using computer means] already represent 52 to 55% of all crime,” details Carlos Cabreiro. The figure includes pure and hard computer crimes such as ransomware, burglaries and other crimes using computer means, and he admits that at this point it is difficult to conceive of a crime where evidence collection mechanisms involving IT resources do not need to be used.
Regarding what makes someone a hacker, the inspector says that it is not very well defined, because there are “ethical hackers” who, by not committing crimes, can be a valuable tool for tracking cybersecurity in organizations.
“The Portuguese are no better or worse than the others. We already had good examples of people who worked together and had this cybersecurity perspective, and of course there are others who turned to crime and ended up being punished,” explains Carlos Cabreiro.
The PJ inspector also recalls that cybercrime is increasingly transnational. “The networks are cross-border, it’s a blurry border and it’s hard to pinpoint, because when they commit crimes together, they don’t look at nationality,” he explains.
For the inspector, one of the biggest concerns with companies is the so-called dark figures: much of the crime goes unreported. “What kept us busy this year [2022] is that the main motive for attacks on large companies was not economic reasons, but the destruction of data”, he says, adding that this is a concern that will remain because it is not known whether the stolen information will subsequently be used for other purposes.
During the morning sessions, Nuno Nunes, CSO of B2B at Altice Portugal, had addressed the question of how companies should prepare and shared figures on the impact of cybercrime. According to the shared data, the impact on organizations will be $6 trillion by 2022, a sixfold increase from 2020 values, and the outlook indicates it should reach 10.5 trillion by 2025.
“We have to think about how we are going to transform our way of working, how we are going to reduce it,” warns Nuno Nunes, recalling that “the risk will not go away”.
The manager recalls that 70% of the targets have been chosen, and that 80% of crimes are committed by organized crime entities, so companies should pay attention to all indicators, including information circulating on the Dark Net with possible access details to their systems.
Looking at the security of organizations and not just technology, acculturating hacking with predictive models, integration with databases and networks with a NOC, and a holistic view of the network are part of the technology positioning that Altice Empresas has implemented and made available to the market and which, according to Nuno Nunes, is the vision that enables organizations to prepare for possible attacks and mitigate these risks.