Cybersecurity is important. International cybersecurity standards have long been applied worldwide, with certificates confirming the level of security of organizations that meet their requirements. This practice not only assures users that the services and software products they choose are secure, but also encourages other companies to develop their security systems to remain competitive.
In Ukraine, such standards are not yet mandatory, except for a few very specific ones, or for companies that want to export and do so successfully. Thus, this topic is mostly relevant for organizations in highly regulated sectors that are subject to requirements due to the nature of their activities.
Another reason for the “unpopularity” of international cybersecurity standards among small and medium-sized businesses in Ukraine is that they are incredibly complex. Not every cybersecurity specialist has sufficient competencies to deal with them, let alone small companies, where this task is taken on by someone remotely familiar with cybersecurity or even a CEO. And there are a lot of such cases in Ukraine.
To solve these problems, the DigVel team decided to create a Ukrainian Cyber Resilience Standard, developed exclusively for Ukrainians, taking into account the needs of Ukraine.
The DigVel Cyber Resilience Standard is a set of guidelines for businesses that is based on international practices. Its main focus is on ensuring the continuity of organizations’ operations and rapid recovery after incidents. The Standard is designed for simple, gradual implementation and is adapted to real threats and opportunities of specific companies.
International cybersecurity standards are documents with a set of requirements for the security of information systems and data. They are needed to help organizations protect corporate information and comply with legal regulations.
Having a certificate of compliance with a cybersecurity standard not only allows you to operate without violating the law in countries where a particular standard is in force but also attracts more customers. After all, software or service security is very attractive nowadays, isn’t it?
Some standards are so important that you’ve probably heard of them. For example, the Payment Card Industry Data Security Standard (PCI DSS), which sets criteria for processing payment cards and ensuring the security of their holders’ data. These requirements are mandatory for all organizations dealing with payment processing in all countries of the world.
Another well-known standard in Ukraine is the General Data Protection Regulation (GDPR) of the European Union, which regulates the protection of personal data within the territory of the member states. It is mandatory for companies that deal with the personal data of EU citizens and residents, regardless of the location of these companies. This means that the GDPR is also mandatory for Ukrainian companies that interact in any way with the personal data of individuals residing in the EU.
The EU and a number of other countries, such as the UK, Australia, and the US, also have the ISO/IEC 27001 standard, which requires organizations to establish, implement, maintain, and continuously improve information security management systems.
And there are also ISO/IEC 15408, ETSI EN 303 645, EU CRA, DORA, NIST CSF, NIS2…
The existence of an already large number of standards that seem to regulate virtually the same thing raises a reasonable question:
Among the cybersecurity standards, some are international and some are national security standards of individual countries, which may differ greatly from international standards and from each other, given the current local rules and regulations. Such regulations include standards from the National Institute of Standards and Technology (NIST), which cover a wide range of activities in the United States and are mandatory for many federal agencies that work with government data, or the separate security standards of Australia and Canada, which differ from the general regulations of the United Kingdom.
The problems, challenges, and complications in all countries are the same, but the context is different, and it is this context that dictates the need for separate standards.
The Ukrainian context is characterized by a shortage of personnel and the high cost of cybersecurity specialists for small and medium-sized businesses and government agencies. It also includes corruption, a high level of inertia and distrust among the population, and a low level of communication. Taking these realities into account, the DigVel Cyber Resilience Standard was created as an adapted solution that combines the best practices of cyber defense and takes into account the limitations of the Ukrainian context.
DigVel’s goal is to make the world, and especially the local Ukrainian one, safer and to maximize cybersecurity awareness among businesses and the public. Accordingly, the main requirement for the Standard while working on it was its transparency and comprehensibility for people outside the cybersecurity world. Naturally, to the extent possible.
It is worth noting that the DigVel Cyber Resilience Standard is by no means equivalent to ISO 27001, GDPR, or NIST CSF—it is not even a national standard in Ukraine. It should be considered a kind of launching pad, a training course before obtaining certification according to international standards.
As you progress through the levels of requirements of the DigVel Standard, you will gain a better understanding of your organization’s cybersecurity system, identify the most serious risks that threaten its operations, and the critical resources that need to be protected first. You will set up basic protection for your company, as well as gain experience and skills that will make it easier to navigate the jungle of international standards in the future.
As mentioned above, the DigVel Cyber Resilience Standard is still being written, but you can start using it to analyze your organization today.
The DigVel Standard is divided into four stages—the levels of cyber resilience that your company will achieve:
The first stage, dedicated to identifying the existing risks and threats to the company’s operations, is already fully completed. The requirements for this level are summarized in a convenient table, and the process of fulfilling them is described in detail. If necessary, you can contact DigVel specialists, who are always ready to help and have experience working with various organizations.
By achieving the first level of cyber resilience according to the DigVel Standard, you will already reduce the likelihood of human-related cyber incidents—one of the focuses of this stage is to raise awareness of cybersecurity among the company’s management and employees—and form the basis for further implementation of protective measures.
By reaching the last, fourth level, you will have your own risk management process and a high level of protection of all business processes from cyber threats. At this point, you will be ready to achieve compliance with global cybersecurity standards if you need to.
Achievement of each level of the DigVel Cyber Resilience Standard will be confirmed by accredited independent auditors. If you successfully fulfill the requirements, you will receive a certificate.
The DigVel team lives and works in Ukraine and wants to continue living and working here. But, as the CEO of DigVel, who has been in the Armed Forces since February 2022, said, the current attitude to cybersecurity in the country will kill us. That is why it is worth doing something about it now, because in today’s environment a high level of cyber defense is really a matter of survival.
The situation is improving. And DigVel is joining this movement.
Business cyber resilience not only helps companies survive in times of war but also makes them more competitive and successful. Nowadays, when users are becoming increasingly conscious of cyber hygiene, any oversight, such as the absence of the letter S in your website’s protocol name, can discourage potential customers. Not to mention the attackers who are constantly looking for loopholes in their victims’ security systems (and a victim can be anyone, some more than once) and who are able to paralyze a company’s work or even destroy it altogether.
The public version of the Standard is available here.
To learn more about DigVel, visit the company’s official website, as well as its Facebook and LinkedIn pages.