
Cybersecurity: understanding the cyberscore

Published on March 14, 2023

Like the Nutri-score for food products, the cyberscore is a rating that evaluates the level of cybersecurity of websites. From October 2023, displaying it will become mandatory for sites, platforms and social networks with a large audience. The objective: to inform Internet users about the security of the sites they visit. Here is what you need to know.

Phishing attempts and theft of personal data have multiplied on the Internet during the Covid years. The figures speak for themselves: 30% of cyberattacks led to the theft of personal, strategic or technical data, according to the 2022 barometer on business cybersecurity from the Club of Information and Digital Security Experts (CESIN).

In 2021, a hacker published the data of 700 million LinkedIn users. In 2022, another hacker put 476 million phone numbers and WhatsApp profiles up for sale on the dark web, including 20 million French numbers…

To fight against these modern scourges, the government is deploying a “digital shield”, a series of measures aimed at protecting Internet users. The first of these is the cyberscore.

Cyberscore, a legal obligation

Created by the law of March 3, 2022, the cyberscore is meant to let Internet users see, at a glance and without being specialists, the level of security and personal-data protection offered by the site they are visiting. The sites concerned will also have to indicate where the data they collect is stored. In this way, the cyberscore complements the obligations arising from the GDPR.

Inspired by the Nutri-score we know from food, the cyberscore takes the form of a colorful visual and a grade, ranging from A (very good) for a well-secured site to E (bad) for a site that leaks like a sieve. It reuses the Nutri-score color codes, from green to red. Sites must display their cyberscore clearly and visibly.

The rating will be determined on the basis of a security audit and will only be valid for 18 months. After this period, it must be renewed using the results of a new audit.

Which sites are affected?

In practice, the obligation to display this new logo will not apply to all websites. It will only concern the biggest players: sites receiving at least 5 million unique visitors per month.

This will therefore affect search engines, major platforms (Google, Live.com, Netflix, etc.), social networks (YouTube, Facebook, Instagram, LinkedIn, etc.), major e-commerce sites (Amazon, Fnac, Darty, leboncoin, Vinted, etc.), video-conferencing services (Zoom, Skype, etc.) as well as the main online media.

SMEs and micro-enterprises are therefore spared, at least initially: nothing indicates that this system will not one day be extended to smaller players.

In any case, the law provides that a decree will list the platforms, social networks and e-commerce sites concerned.

What will be the sanctions for breaching this obligation?

Sites and online platforms that do not comply with this new display obligation risk a fairly hefty fine. The General Directorate for Competition, Consumer Affairs and Fraud Control (DGCCRF) may impose a fine of up to 375,000 euros against companies that do not display their cyberscore rating on their site.

How will the cyberscore be evaluated?

This score will be determined by a security audit that the sites concerned must have carried out by service providers certified by the National Information Systems Security Agency (ANSSI), covering the security of the data they host.

A ministerial decree must still specify the methods for evaluating the security of websites affected by the cyberscore. We already know the criteria used by ANSSI and the CNIL to evaluate the security of a site.

It starts with the quality of the infrastructure, both hardware and software. The use of a firewall and of vulnerability detection tools forms the basis. Encrypting data in transit with TLS (HTTPS) is equally essential. Next comes protection against XSS (Cross-Site Scripting) attacks, in which an attacker injects content, typically script, into a web page in order to recover user data (contact details, passwords, session data, etc.). Another good practice, among others, is not to store sensitive information in cookies or in data kept locally on the Internet user's device (local storage).

Ultimately, one may question the effectiveness of such a government measure. The cyberscore is primarily aimed at the general public and its legitimate need for information. It calls on site security managers to follow good practices, and on data protection officers (DPOs) to scrupulously respect the requirements of the GDPR.

While waiting for the cyberscore to come into force, ORSYS offers numerous cybersecurity training courses, including user awareness training. Security managers and DPOs can choose from a whole range of advanced training courses and certifications to deepen their knowledge and enhance their skills.

Our expert

ORSYS Editorial Board

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]
