
Mihai Lupascu
This statement was made by Mihai Lupascu, director of the National Agency for Cyber Security, at a forum on these issues in Chisinau. He also noted that information leakage is often the fault of consumers themselves, who provide their data out of ignorance or inattention. Financial education is therefore also an important component.
In order to reduce cyber risks, companies are recommended to purchase and install special software for scanning corporate networks and applications, as well as for ensuring anti-virus security.
Mihai Lupascu told Logos Press that Moldova has a law on cyber security, harmonized with the EU directives in this field. Several by-laws have been drafted under it. Moldova has therefore made good progress in terms of legislation, and the question now is how the norms are applied.
At the moment, there are consultations at enterprises from different sectors and ministries on the European directive NIS2. According to this document, organizations exposed to the risk of cyber attacks must “implement comprehensive measures to manage these risks, including threat identification, vulnerability assessment and incident response plans”. The directive requires businesses to conduct regular penetration testing and security audits.
“The good news is that in many countries this process has been slower than ours,” says Mihai Lupascu. “Moldova has more opportunities for rapid development, we are a small country. Now we are identifying risks in the provision of services in the banking and financial sectors, in medicine, communication and communications, as well as in energy, transportation, postal and courier services, etc.,” he says. “These are large and medium-sized companies (more than 50 employees). We determine the degree of the greatest risk among suppliers and make a list of them. There are about 100 of them in Moldova.”
In medicine, the protection of patient data and confidentiality is important. In the financial sector, the requirements are stricter. The National Bank has long monitored their activities in this context on a constant basis. Recently, the regulator published a regulation on minimum requirements for information security, which implies the identification of high-risk servers through annual testing and auditing. This requires purchasing software that scans the entire network and applications, as well as meeting the requirement for anti-virus security.
These requirements are imposed on all operators in the financial market. Previously they applied only to banks, but the regulations have been adjusted so that they now cover all operators active in this market. This includes microfinance and insurance companies and electronic payment systems.
Banks are ahead in these matters because they have been using risk identification methods for a long time. They also benefit from cooperation with international payment systems – Visa, Mastercard and others. This obliges them to comply with cybersecurity requirements. Therefore, they are better protected.
Today, not all companies are open to ensuring an adequate level of cyber defense. This requires investment. As a security expert in the banking industry notes, not all structures today have a specialist directly involved in this area of activity. Companies do not conduct audits, and they remember cyber defense only in a crisis situation. Yet, as the interlocutor notes, the market offers a variety of software, including free software.
“Security is a continuous process of improvement,” says Alexey Shulenkov, consultant at DAAC Digital. “Our company provides services, and in this sense it is covered by the regulatory framework developed by the agency. Security issues will always be on the agenda. But companies are continuously attacked with the risk of data loss or business interruption. So it’s not about wasting money, but about reducing risks to the business, including from loss of funds.”