In the European month of cyber security, the European Network and Information Security Agency (ENISA) released its first annual report, containing data on reported cyber security incidents within the European Union (EU) in accordance with article 13a of the EU’s telecom reform directive (Directive 2009/140/EC).
The 2011 report was based on information received from 29 countries (all EU countries, and some of the EFTA and EU candidate countries) and found that eleven countries reported a total of 51 significant cyber incidents, while 9 countries reported no incidents. The total number of users in these 20 countries was 166 million.
In addition, the number of countries that had not implemented article 13a, which requires EU member states to submit summary reports on major outages once a year to ENISA and the European Commission, was also 9 out of the total of 29.
Most of the 51 severe cyber security incidents reported to ENISA by the eleven countries (around 60%) affected mobile telephony or mobile internet.
In addition, the incidents which affected the most users (around 300 000) were related to mobile telephony or mobile internet.
On the other hand, the most common root causes were found to be hardware/software failures and third-party failures.
Other curious data from the report included the duration of incidents whose root cause was a natural phenomenon (storms or floods, for example), which was 45 hours on average, and the finding that hardware/software failures were the most frequent cause of mobile communication outages, at a percentage notably higher than for fixed telephony or fixed internet.
Last but not least, ENISA estimated that the number of incidents reported for 2012 would most probably increase tenfold, because most countries already have a mature implementation of the incident reporting process.
At the end of August, the EU’s ‘cyber security’ agency, as they call it, released a report concluding that there were implementation gaps within the existing cyber security legislation, relating to the fact that many incidents remained undetected or unreported.
The findings of the study showed that many cyber security breaches remained undetected. If detected, however, they were not reported to authorities and not known to the public. This lack of transparency, concluded ENISA, complicated the industry's efforts to understand and address cyber security incidents, and left customers in the dark about the frequency and impact of cyber incidents.
According to ENISA, the main issue behind the lack of detection and reporting of incidents was that ‘there is no overall view across the digital society of the incidents, the root causes or the impact for users’.