IT recap: NIS 2 update

Newsletter
Mélanie Lebrun
30/4/2024

Hello 🌷,

Welcome back to the April edition of the IT Recap.

This is a very legal edition, so I've added a few light touches to make it easy to digest!

📅 On the program today:

  • The NIS 2 directive
  • France Travail, not a good job
  • The future of Tiktok
  • SREN, the law that goes [too] far
  • The jumble column
  • Cyber attacks of the month
  • News from Youzer

👉 Go!!


🏙️ The NIS 2 Directive

NIS 2: that European directive due out in 6 months 😨

Don't panic, I've done some investigative work to get a better grasp of it.

1. The date of transposition of the European directive into French law (October 17) is not the compliance date for companies.

→ It's the date when we'll know every line of the law: the big ones (which we already know quite a bit about) and the little ones that are still under discussion.

2. Yes, there will be sanctions, and that's what's got everyone panicking, but, as Morten Løkkegaard, Member of the European Parliament, says: "If we don't have fines, sanctions, people won't comply, that's the reality of things."

3. The rules are stricter and the framework more clearly delimited than for NIS 1.

4. More companies are affected, going from 15,000 regulated operators to 100,000 entities. We're talking about essential and important entities.

5. In the event of a cyber incident, there are 3 main steps to follow in reporting:

  • notify the incident
  • 72 hours later, update with more information
  • 1 month after 72 hours, produce a detailed report.

If necessary, produce interim reports.

👉🏼 From my point of view, the big changes that could really matter:
▪️ Management will be involved in NIS 2: they will have to be trained in cyber issues, and they will be liable in the event of non-compliance.

If IT departments often feel alone and unheard in their need to secure systems, this could be a real game changer.

▪️ Penalties will become more expensive than paying ransoms (a calculation that is currently being made...). Companies will therefore have more to gain from cleaning up their IS and adopting rules of good conduct than from playing the cyber-lottery of hacking.

Want to dig deeper into the subject? I've written a super loooong article 😁

Update on the NIS2 directive


🫣 France Travail, it's not a good job!

France Travail was the victim of a large-scale cyber-attack involving the theft of data on people registered over the last 20 years, i.e. around 43 million accounts (so this year, I was lucky enough to receive an e-mail from my mutual insurance company telling me that my data had been hacked, and another from France Travail: yippee!).

The CGT unions have published a letter revealing some rather borderline information...

During a risk analysis carried out for the integration of Cap Emploi in 2022, serious vulnerabilities were detected: "an attacker usurps the identity of a Cap Emploi agent and accesses Pôle emploi IS data via the virtual machine". The report recommended "reinforcing authentication to the virtual machine with a second authentication factor (2FA) in accordance with ANSSI requirements", which was never implemented.

Following the attack, MFA was set up within 1 to 2 weeks.

The report also revealed serious flaws in the principle of least privilege, which had not been applied. Cap Emploi employees all (?) had unrestricted access! The same problem was found with service providers working for the IT Department, who were granted the same rights as in-house staff.

The CGT also highlights unlimited access to the IS for external employees.

Source: X

Cyber attack on France Travail


🤳🏼 Tiktok continued

Last time, I explained that there was a war going on between the USA and China over Tiktok.

The USA's surface argument: China (enemy country) is collecting the data of millions of Americans, and we, the MPs, must defend them!

The USA's real argument: no way! There's a phenomenal amount of data that could be collected, and we're missing out on it!

What's more, under the FISA law, the FBI can access any data without having to warn anyone.

So the U.S. asks ByteDance to sell Tiktok to an entrepreneur from a U.S.-allied country. 😈 Well, who but an American entrepreneur can afford Tiktok? A committee close to Donald Trump has already expressed interest.

BUT for all that, Congress still had to vote on the request.

This has now been achieved with the utmost cunning. On April 20, a major aid plan was voted through, including measures for Ukraine, Israel and Taiwan. What else was included? The obligation to sell Tiktok!

How's Tiktok doing in Europe?

Well, the application has made a name for itself with Tiktok Lite, which rewards users according to the actions they perform each day.

Users earn virtual coins which are then exchanged for small gifts, the very principle of gamification and therefore of addiction (in addition to spending hours behind the screens).

Tiktok has suspended its rewards system following a complaint from the EU.

"We're really looking at a mix between the worst that can exist in premium games and the worst that can exist in terms of social platforms that capture the attention of young people. It's the worst of the worst," concludes ADN journalist David-Julien Rahmil.

Source: Challenge

The Digital Century

The U.S. government wants Tiktok


👀 SREN: the law that goes [too] far

SREN, do you know what we're talking about? Not the Snow Queen's reindeer ❄️ but the bill to secure and regulate the digital world.

The text is ambitious, but a little extreme...

It aims to regulate, among other things:
👉🏼 Hateful or insulting comments online
👉🏼 Age control for adult content

The problem is, while the objective is noble, the means of achieving it are highly complex.

If we control the age of users, it means we know their identity and track their activity.

This goes completely against the RGPD.

Another sticking point is that pornographic content, which is particularly targeted by this law, is not confined to certain sites but is present on the majority of social networks.

Today the situation is complicated for the bill because:
🔹 there is no concrete solution to be RGPD compliant,
🔹 if we scrutinize users' browsing, we can know their sexual, political, trade union or religious orientations, which are extremely sensitive data,
🔹 this law goes against European DSA laws and the e-commerce directive for platforms.

When a member state wants to change the rules governing digital access, it must notify the European Commission of the draft text. The Commission has issued a detailed opinion, which means that France must go back to the drawing board, as the text breaches European law.

Today, the Internet is not a lawless zone, and offensive, racist or discriminatory comments are punishable by law.

Marc Rees, a journalist with the media outlet l'informé, says: "Before looking to the future, let's respect the present."

The National Assembly has voted in favor of the bill, but the European Commission is promising heavy sanctions if the text is adopted as it stands.

👉🏼 In short, the SREN law is unlikely to succeed under current conditions.

Source: Le Siècle Digital

SREN digital security law


Pell-mell

  • Microsoft is multiplying its flaws and breaches, and despite the mounting rumblings, the company faces no consequences for its somewhat dubious security management. The US government continues to buy and use its services and tools.
    "The U.S. government's dependence on Microsoft poses a serious threat to U.S. national security," says U.S. Senator Ron Wyden. "The government is effectively stuck with the company's products, despite multiple serious breaches of U.S. government systems by foreign hackers due to the company's negligence."
    The government's dependence on Microsoft removes the leverage it needs to push back against the company's practices.
  • Google's 'incognito' or 'private' mode, not so incognito after all... Google continued to track a great deal of user data using cookies and applications, and transmitted the data to Alphabet. A lawsuit is underway, and Google has agreed to destroy billions of records. "The result is that Google will collect less data from users' private browsing sessions, and Google will make less money from this data," say the lawyers. As you can see, there's nothing private about private mode.
  • Teleperformance, a leading French customer relationship management company, has just taken a big tumble on the stock market following an announcement from Klarna, which is launching an AI assistant for customer service. It has already handled 2.3 million conversations, equivalent to the work of 700 full-time employees. The assistant is available 24/7 and speaks 35 languages. So you'll soon be talking to a robot even when you ask to speak to an advisor!
An AI picks up the phone


☠️ Cyberattacks of the month

This month's column will be exclusively French, as there has been so much to cover. Of course, the rest of the world has not been spared.

Intersport: 52.2 GB of data extracted after a cyber attack.

PSG: victim of a data breach on its online ticketing service.

Saint-Nazaire and Saint-Nazaire agglomération: a major cyber-attack has brought all IT services to their knees, seriously disrupting the operation of the city and agglomération. Specialists explain that it takes two hours to understand what's going on, two weeks to analyze how it happened and where the hackers got into the system and, finally, two years to get back to a level of IT service equivalent to what was destroyed.

Albi town hall: town services inaccessible for several days, ANSSI called in as backup.

Gravelines town hall: a cyber attack causes all servers to be disconnected and internet access restricted for municipal services.

Académie lyonnaise: student, parent and teacher data for sale. Data on 40,000 users is said to have been collected.

Sunlux Group: 160GB of data exfiltrated. The French group is part of a batch of 4 victims of the 'Apos' hacker group, along with one Indian and two Brazilian companies.

Le Slip Français: victim of a cyberattack resulting in the theft of certain personal data, without passwords or bank details being compromised.

Cannes hospital: the target of a cyberattack at the end of the month. Guess who's making a comeback? Lockbit... Yes, it wasn't dead.


What's new at Youzer?

Focus on packages and mapping tables.

🔸 Packages are an essential part of Youzer, as they transform a user's administrative information into technical information.

The aim of packages is to create different accounts with the right information. To do this, you set up a package that you apply to a user group.

🔸 Correspondence tables help refine and adapt packages.

They are a repository used to retrieve information from a database.

From a repository, you can perform dynamic calculations on packages, select from a drop-down list, etc.

👉🏼 Package mapping tables:

This makes it possible to transform values taken from the HRIS: the correspondence table is used to retrieve the matching information and send it on, for example, to create an AD account.

➡️ A package = a group of parameterized applications

➡️ A mapping table = specifics that apply to a package based on criteria for each user.

Want to see how you can automate the creation and suspension of your user accounts using packages and mapping tables?

See you here!

Thanks for reading this far!

Would you like to discuss a project?

That's what I'm here for 👋.

Do you like the newsletter? Sign up here 👇

I subscribe to the IT Recap


Every month, I send you my discoveries and analyses of IT news.
I do a lot of monitoring, and I share all of it!

I'm Mélanie and I'm Youzer's marketing manager.

About me? I have an unquenchable thirst for learning! I'd rather read a book 100 times than see a movie. I'm a fan of HP 🧙🏼.
I run and rollerblade as a team sport (don't look it up, it's dangerous).