
Hello 🌷,
I'm back with the April edition of Récap'IT.
This edition is heavy on legal topics, so I've added touches of lightness to make it digestible!
📅 Today's agenda:

👉 Go !!

NIS 2: this European directive is due to be transposed into national law in 6 months 😨
Don't panic, I've done some investigating to get a better understanding of it.
1. The date for transposing the European directive into French law (October 17) is not the date by which companies must comply.
→ It is the date on which we will know all the provisions of the law, the major ones (which we already know quite a bit about) and the minor ones that are still under discussion.
2. Yes, there will be sanctions, and that's what's panicking everyone, but as Morten Løkkegaard, a member of the European Parliament, says: "If we don't have fines, sanctions, people won't comply, that's the reality of things."
3. The rules are stricter and the framework more clearly defined than for NIS 1.
4. More companies are affected: from 15,000 regulated operators to 100,000 entities. We are talking about essential and important entities.
5. In the event of a cyber incident, there are 3 main steps to follow in the declaration:
If necessary, produce interim reports.
👉🏼 From my point of view, the major changes that could be really interesting:
▪️ Management will be involved in NIS 2: managers will have to be trained on cyber issues and will be liable in the event of non-compliance with the law.
If IT departments often feel alone and unheard when they ask for what they need to secure systems, this could be a real game changer.
▪️ Penalties will become more expensive than paying ransoms (a calculation that is currently being made...). Companies will therefore have more interest in cleaning up their IS and adopting rules of good conduct than in playing the hacking lottery.
Want to delve deeper into the subject? I wrote a super loooong article 😁


France Travail (French public service for employment) was the victim of a large-scale cyberattack involving the theft of data of individuals registered over the past 20 years, totaling approximately 43 million accounts (this year, I had the pleasure of receiving an email from the health insurance company informing me that my data had been hacked, and from France Travail, hooray!).
The CGT unions have published a letter revealing somewhat sensitive information...
During a risk analysis carried out for the integration of Cap emploi in 2022, serious flaws were detected: "an attacker impersonates a Cap Emploi agent and accesses Pôle emploi's IS data via the virtual machine". The report then recommended "strengthening authentication to the virtual machine with a second authentication factor (2FA) in accordance with ANSSI requirements", but this was never implemented.
Following the attack, MFA was implemented in 1 to 2 weeks.
The report also revealed serious flaws in the principle of least privilege, which had not been applied. Cap Emploi employees all (?) had unrestricted access! This problem is also found with service providers who work for the IT department with identical rights to internal staff.
The CGT (General Confederation of Labour) also highlights unlimited access to the IS (Information System) for external employees.
Source: X


Last time, I explained to you that there was a war between the United States and China over TikTok.
The superficial arguments on the part of the USA are: China (an enemy country) collects the data of millions of Americans and we, the lawmakers, must defend them!
The real arguments from the USA: no way! There is a phenomenal amount of data that we could collect and that escapes us!
In addition, let's remember that the FISA law gives the FBI the possibility to consult any data without having to notify anyone.
The USA is therefore asking ByteDance to sell TikTok to an entrepreneur from a US-allied country. 😈 Fine, but who apart from an American entrepreneur can afford TikTok? A committee close to Donald Trump has already expressed interest.
BUT for all this, it was necessary to have this request voted on by Congress.
This was done with the utmost deceit. On April 20, a major aid package containing components for Ukraine, Israel, and Taiwan was approved. What else was included? The mandatory sale of TikTok!
And how is TikTok doing in Europe?
Well, the application distinguished itself with TikTok Lite, which rewards users based on actions they must perform each day.
Users earn virtual coins that are then exchanged for small gifts: the very principle of gamification, and therefore addiction (in addition to spending hours behind screens).
TikTok has suspended its rewards system following an EU complaint.
« Here, we are truly dealing with a blend of the worst aspects of premium games and the worst aspects of social platforms that capture the attention of young people. It's the worst of the worst », concludes David-Julien Rahmil, a journalist for ADN.
Source: Challenge


SREN, does that ring a bell? Not the reindeer from Frozen ❄️, but the bill to secure and regulate digital technology.
The text is ambitious but a bit extreme...
It aims to regulate, among other things:
👉🏼 Hateful or insulting comments online
👉🏼 Age verification for adult content
The problem is, while the objective is noble, the means to achieve it are very complex.
If we control the age of users, it means that we know their identity and track their activity.
This goes completely against the GDPR.
Another point of friction is that pornographic content, which is particularly targeted in this law, is not limited to certain sites but is present on most social networks.
Today, the situation is complicated for the bill because:
🔹 there is no concrete solution to comply with the GDPR,
🔹 if we scrutinize users' browsing, we can know their sexual, political, trade union or religious orientations, which are extremely sensitive data,
🔹 this law goes against European law: the DSA and the e-commerce directive for platforms.
When a member state wants to modify its rules on access to digital technology, it must notify its draft text to the European Commission. However, the Commission issued a reasoned opinion, which means that France must revise its draft because it violates European laws.
Today, the internet is not a lawless zone; abusive, racist, or discriminatory remarks are punishable by law.
Marc Rees, a journalist at the media outlet L'Informé, says: "Before looking to the future, let's respect the present."
The National Assembly voted in favor of the bill, but the European Commission promises heavy sanctions if the text is adopted as is.
👉🏼 In summary, the SREN law is not ready to succeed under the current conditions.
Source: Le Siècle Digital

Would you like to receive our white paper on identity and access management?



This month, this section will be exclusively French because we have had so much to deal with. Of course, the rest of the world is not spared.
Intersport: suffered a cyberattack resulting in the extraction of 52.2 GB of data.
PSG: was the victim of a data breach on its online ticketing system.
Saint-Nazaire and Saint-Nazaire agglomeration: a large-scale cyberattack has brought all IT services to a standstill, greatly disrupting the operation of the city and the conurbation. Specialists explain that it takes two hours to understand what is happening, two weeks to analyze how it happened and where the hackers entered the system and, finally, two years to get back to a level of IT service equivalent to the one that was destroyed.
Albi Town Hall: the city's services have been inaccessible for several days, and the ANSSI has been called in as reinforcement.
Gravelines Town Hall: a cyberattack led to the disconnection of all servers and a restriction of internet access for municipal services.
Académie lyonnaise: data from students, parents, and teachers is for sale. Data on 40,000 users is reported to have been collected.
Sunlux Group: 160 GB of data exfiltrated. The French group is one of a batch of 4 victims of the 'Apos' hacker group, along with an Indian company and two Brazilian companies.
Le Slip Français: was the victim of a cyberattack resulting in the theft of some personal data, without compromising passwords or bank details.
Cannes Hospital: was the target of a cyberattack at the end of the month. Guess who's making a big comeback? Lockbit... Yes, it wasn't dead.

Zoom in on packages and mapping tables.
🔸 Packages are an essential element of Youzer because they make it possible to transform a user's administrative information into technical information.
The purpose of packages is to create the different accounts with the correct information; to do this, you configure a package and apply it to a group of users.
🔸 Mapping tables help to refine packages and create variants of them.
They are a reference point for retrieving information from a database.
Using a reference table, you can drive dynamic calculations in packages, a selection in a drop-down list, etc.
👉🏼 Mapping tables with packages:
This allows you to transform values that come from the HRIS: a mapping table is used to look up the matching information, which is then sent on, for example, to create an AD account.
➡️ A package = a group of parameterized applications
➡️ A mapping table = specifics that apply to a package based on criteria for each user.


Thank you for reading this far!
Any feedback? Want to discuss a project?
I'm here for that 👋.

Every month I send you my discoveries and my analysis of IT news.
I do a lot of monitoring and I share it all!
I'm Mélanie and I'm Youzer's marketing manager.
About me? I have an unquenchable thirst for learning! I'd rather read a book 100 times than watch a movie. I'm a fan of HP 🧙🏼.
I run and play a team sport on roller skates (don't look it up, it's dangerous).