A Multi-Sector Approach to a Shared Security Challenge

Author: Michael Renotte
18/01/2018
Cybersecurity

Over 400 cybersecurity specialists gathered at the Information Security Days Luxembourg on April 12, 2016. Participants had the opportunity to attend a roundtable organized by Proximus NXT titled “A Multi-Sector Approach to a Shared Security Challenge.”

Cédric Mauny, Department Manager Security Audits and Governance Services at Proximus NXT, invited a panel of information security professionals from various industries to share their insights.

The discussions focused on threats affecting all socio-economic actors, strategies to address them, and the conditions necessary to exchange information, defense models, and best practices securely and effectively.

We met four of the speakers, each bringing the specificities of their sector while sharing the conviction that joint efforts are essential against a common threat.


Ferrero: “Security Knows No Borders”

With over 34,000 employees, 21 factories, and 10 major international brands, Ferrero ranked third in the global confectionery industry in 2015. “At Ferrero, we sell chocolate worldwide,” says Daniel Mathieu, Head of IT at Ferrero International and Luxembourg CIO of the Year 2015. “The flip side is that Ferrero’s brand visibility exposes it to attacks from all over the globe. Spam, suspicious, and fraudulent emails, as well as phishing attempts, account for nearly 95% of the emails we receive—creating risks of false positives and data loss when important messages are quarantined by anti-spam software.”

Ferrero’s Luxembourg entity is at the heart of a centralization process initiated in 2010. “Over the past three years, we have built an international team in Luxembourg composed of people from 12 different countries, supporting over 70 national organizations,” explains Mathieu. “It is therefore crucial for us to have a strong security system. We have partnered with major cybersecurity players to stay optimally informed about risks and threats. We have also built a network within our supplier ecosystem and among consumers.”

“We pay particular attention to the security of critical data,” he adds. “We use internally developed databases and software components employing encryption techniques, accessible only through carefully controlled networks to maintain data flow control, integrity, and security. Access to innovation and R&D data—like recipes—is limited to a few privileged users with strong authentication.”

Expanding the Circle of Exchange

“For us, security knows no borders: a problem appearing in Brazil can affect Luxembourg tomorrow. That’s why we also need to share knowledge and practices with our local partners,” says Mathieu.

He notes that information security communication in Luxembourg is largely focused on the financial sector. “It would be desirable to extend this circle to other sectors. At Ferrero, we have several peer groups where we share cybersecurity best practices.”

Two types of interlocutors are key, according to him: “On one hand, we share information with trusted peers, and on the other, we ensure clear communication to business units and users whenever an incident occurs, explaining the nature of the attack and our response.”


E-Health: A Rapidly Evolving Environment

Didier Barzin has been Chief Information Security Officer (CISO) of the National eHealth Agency since 2013. The Agency promotes better use of information in the health and medico-social sector to support coordinated patient care. “As the operator of a platform for sharing and exchanging information,” he explains, “the Agency has made data confidentiality and availability its cybersecurity priorities.”

To reduce data integrity risks, hospitals, institutions, and healthcare professionals in Luxembourg are connected via Healthnet, “a private network securing exchanges,” he adds. Furthermore, the Agency has created a dedicated CERT (Computer Emergency Response Team) to handle sector-specific vulnerabilities, particularly new risks linked to connected medical devices.

“The eHealth Agency is also part of a European program for exchanging medical information for EU patients hospitalized in Luxembourg,” says Barzin, referring to the epSOS project (Smart Open Services for European Patients), which already facilitates information exchange between Luxembourg and Portugal. Transfers are routed through a national hub to mitigate risks and prevent misuse.

The Value of Health Information

Barzin believes the main risk is platform unavailability due to an attack, potentially compromising patient care. But what value do health data have for cybercriminals? In the U.S., the OCR (Office for Civil Rights) has tracked breaches affecting over 500 people since 2009. The 2015 Wall of Shame report identified 268 breaches impacting more than 113 million medical records.

“While media often highlight health data value on the Dark Web, I am skeptical. However, there is a financial incentive for hackers to steal medical data—they could exploit it to sell bogus remedies to vulnerable patients,” he notes. “The real value of health data is economic: improved patient care through information sharing reduces costs for healthcare funds.”

Providing Stakeholder Assurance

Until recently, Luxembourgish healthcare professionals used IT systems handling sensitive data without assurances on data security. “Last May,” says Barzin, “the eHealth Agency achieved ISO 27001 certification for its information security management system.” This certification confirms both the Agency’s cybersecurity maturity and the professionalism of the team managing the process.


Pictet & Cie (Europe): Balancing Transparency and Reputation

Jean-Yves Mathieu has 25 years of experience in information security. Active in Luxembourg since 1990, he has worked at EY, CTG, and Fideuram Bank. He co-founded the Luxembourg College of Information Security Professionals (CPSI) and the Luxembourg Association for Data Protection (APDL) and is a member of ISACA Belgium. After eight years as CISO at J. Safra Sarasin, he joined Pictet & Cie (Europe) in August 2015 as Head of Information Security Risk Management.

“The Best Antivirus Is the Human Being”

“At our bank, every newcomer, whether intern, executive, or external consultant, must attend an information security awareness session,” says Mathieu. Tailored by role, it covers financial impacts, reputational risk, phishing, password hygiene, client identification, fraud detection, and privacy best practices. “The more employees feel involved in daily practices, the more effective the awareness training,” he adds.

Reputation Risk and Regulatory Framework

Although sharing information is beneficial, Mathieu emphasizes caution. Sensitive information—such as vulnerabilities or blocked attacks—must be shared via secure channels or selective networking (e.g., CPSI or CIRCL). GDPR will soon require strict personal data protection, with heavy penalties for non-compliance.

He stresses the need for a reliable communication channel so that a company’s identity is not disclosed, protecting its reputation. In Luxembourg, organizations like CASES and CIRCL can provide such services.


Luxmetering: Direct Economic Impact

Luxmetering G.I.E. manages Luxembourg’s national smart electricity and gas metering system. Paul Hoffmann has been its Director since 2013. “The most critical factor for us is the impact an attack could have on our services,” he says. For instance, injection of malicious firmware into meters could disrupt the electricity supply to hundreds of thousands of homes, businesses, and administrations for months. Because smart metering is critical infrastructure, such a disruption would have a direct economic impact.

Security-Centric IT Systems

“Our IT systems are designed around security requirements,” says Hoffmann. “Our security policy includes ongoing internal audits and regular supplier audits. We work closely with GOVCERT, CIRCL, and even ethical hackers to stay ahead.”

Rapid Information Collection and Sharing

Hoffmann stresses the need for rapid cybersecurity information to respond quickly. “We audit our infrastructure daily, not just a few times a year, to minimize threats. We also share information internationally and inform the public about incidents. The IoT, smart metering, and smart grid sectors are new, so cross-border information sharing is essential.”

Leveraging Luxembourg’s Small Size

Hoffmann believes the human factor is critical. “Every company should have a Security Starting Kit to raise employee awareness of the risks of a single mouse click.”

“The threat is common across sectors. We must work together, share knowledge and practices, and exchange information effectively through platforms, discussion forums, and events. Luxembourg’s small size allows communication in a trusted environment—the proximity among security professionals is an asset,” concludes Hoffmann.
