CyberFundamentals, a tool to reduce the cyber protection gap
The Centre for Cybersecurity Belgium (CCB), the Belgian competent authority for cybersecurity, provides a tool to raise the level of cybersecurity protection of companies of any size, active in any sector. Government, companies and the insurance sector can use this tool to agree on the measures needed to protect the public and private sectors. The CCB calls for collaboration with the insurance sector to maintain the framework, so that companies can reduce their basic cyber risks and the remaining risks become more insurable.
The digitisation of our living environment, both private and professional, is increasing day by day. It goes without saying that criminals see this as an opportunity to shift their activities to this domain as well. On top of this, the current geopolitical situation is leading to more incidents in the cyber domain. The number of cyber incidents is constantly increasing, and attacks are becoming more and more complex. Step by step, this complexity creates a cyber imbalance: a growing gap between the number of organisations that are cyber resilient and those that struggle to become so. This concern continues to grow and is a major source of the cyber protection gap. Any solution that brings all organisations to an acceptable level of resilience must be suitable for both large and small organisations, must be affordable and risk-oriented, and is preferably built on collaboration between the public and private sectors. After all, in this scenario there is only one common adversary…the cybercriminal.
Meanwhile, several initiatives have emerged to provide that solution: frameworks such as the NIST CSF and the CIS Controls, among others, and standards such as the ISO 27000 and IEC 62443 series. To channel this multitude of initiatives into a single, proportionate approach, the CyberFundamentals Framework was developed and validated against the attack vectors of real cyberattacks in Belgium.
By implementing the framework, an organisation can mitigate a quantified portion of its risk and demonstrate this to clients, regulators and investors, but also to insurance companies. Today much of this work is repeated by each stakeholder separately, so that entities keep filling in questionnaires and undergoing external audits. If only they could spend the majority of that time on actual cybersecurity improvements…
CyberFundamentals, or CyFun®, draws on the years of experience of its architects in private and public environments, with a focus on a pragmatic definition of cyber measures whose implementation can be checked against a maturity ladder: a systematic solution that is feasible for both larger and smaller organisations. Its compactness is particularly striking: the "Basic" assurance level contains only 34 measures, which scale up to 117 unique measures at the "Important" level and 140 unique measures at the "Essential" level.

CyFun® is not just based on frameworks such as the NIST CSF and the CIS Controls and standards such as the ISO 27000 and IEC 62443 series; it has a unique approach. The framework is fuelled by the cyber incidents that took place in Belgium over the past years, data to which the Centre for Cybersecurity Belgium (CCB), the owner of the framework, has continuous access. Those incidents are reflected in the set of measures as "key measures", and partly because of that approach CyberFundamentals could be validated as particularly valuable for the Belgian cyber landscape. In that validation, 82% of the real-world incidents would have been blocked if the 34 measures of the CyFun® "Basic" assurance level had been implemented at full maturity. The figure rises to 94% for the "Important" assurance level and to 100% for the "Essential" assurance level. Note that these percentages describe the incidents in the CCB's dataset and assume fully mature implementation, which is exactly what the maturity ladder is meant to verify. The CCB will continue to track the relationship between real-world cyber incidents and the CyberFundamentals Framework, to ensure that the framework continues to reflect reality and therefore remains proportionate to the cyber risks organisations face.
A key component of the CyberFundamentals Framework is its reliability and credibility. A self-declaration using the CyFun® self-assessment tool carries little weight unless it is reviewed by an independent external party. A CyberFundamentals Conformity Assessment Scheme was therefore designed and has since been validated by the Belgian National Accreditation Body, BELAC. Under this scheme, an external Conformity Assessment Body, accredited by BELAC and authorised by the CCB, attests to the correctness of the self-declaration made with the CyFun® self-assessment tool. Accreditation is the key to making that attestation acceptable everywhere, which is crucial for the Belgian economy. Beyond that, it provides a reliable picture of an organisation's cyber resilience risk level, a useful instrument for the insurance sector when assessing the risks of providing cyber insurance.
Meanwhile, legislators have also recognised the CyberFundamentals Framework as a means of demonstrating a presumption of conformity with cybersecurity legislation, such as NIS2.
The CyberFundamentals Framework, a Belgian initiative, is increasingly seen by organisations as a balanced and affordable way to increase their cyber resilience in proportion to the cyber risks they face. This is not going unnoticed in other European countries either.
The Centre for Cybersecurity Belgium (CCB) is convinced that the CyberFundamentals Framework is an important building block in making Belgium one of the least vulnerable countries in Europe. In this process, collaboration with the private sector, such as the insurance sector, is essential to reduce the cybersecurity protection gap.