
Cybersecurity: understanding the cyberscore

Published on March 14, 2023

Like the Nutri-score for food products, the cyberscore is a rating that assesses the level of cybersecurity of websites. From October 2023, it will be compulsory for high-audience websites, platforms and social networks to display a cyberscore. The aim is to inform Internet users about the security of the sites they visit. Here's how it works.

Phishing attempts and data theft

The Covid years saw an increase in attacks on personal data on the Internet. The figures speak for themselves: 30% of cyber attacks led to the theft of personal, strategic or technical data, according to the 2022 corporate cybersecurity barometer of the Club des Experts de la Sécurité de l'Information et du Numérique (CESIN).

In 2021, a hacker published the data of 700 million LinkedIn users. In 2022, another hacker put 476 million telephone numbers and WhatsApp profiles up for sale on the dark web, including 20 million French numbers...

To combat these modern scourges, the government is deploying a "digital shield", a series of measures designed to protect Internet users. The first of these is the cyberscore.

Cyberscore, a legal obligation

Created by the law of 3 March 2022, the cyberscore is meant to let Internet users see, at a glance and without being specialists, the level of security and personal-data protection offered by the site they are visiting. The sites concerned will also have to indicate where the data they collect is stored. In this way, the cyberscore complements the obligations of the GDPR.

Inspired by the Nutri-score familiar from food packaging, the cyberscore is expressed as a coloured visual and a grade, ranging from A (very good) for a well-secured site to E (bad) for a site that leaks like a sieve. The colour codes are the same as for the Nutri-score, from green to red. Websites will have to display their cyberscore clearly and visibly.

The rating will be determined on the basis of a security audit. It will only be valid for 18 months; after that, it will have to be renewed on the basis of a new audit.

Which sites are affected?

In practical terms, the obligation to display this new logo will not apply to all websites. It will only apply to the biggest players, sites receiving at least 5 million unique visitors per month.

This will affect search engines, major platforms (Google, Live.com, Netflix, etc.), social networks (YouTube, Facebook, Instagram, LinkedIn, etc.), major e-commerce sites (Amazon, Fnac, Darty, leboncoin, Vinted, etc.), videoconferencing tools (Zoom, Skype, etc.) and the main online media.

This means that SMEs and micro-businesses will be spared, at least initially. There is nothing to suggest that this scheme will not one day be extended to smaller players.

In any event, the law stipulates that a decree will draw up a list of the platforms, social networks and e-commerce sites concerned.

What are the penalties for breaching this obligation?

Websites and online platforms that fail to comply with this new obligation to display information could face a hefty fine. The French Directorate-General for Competition, Consumer Affairs and Fraud Control (DGCCRF) may impose a fine of up to 375,000 euros on companies that fail to display their cyberscore on their site.

How will the cyberscore be assessed?

This score will be determined by a security audit that the sites concerned will have to commission from service providers certified by the Agence nationale de la sécurité des systèmes d'information (ANSSI), covering the security of the data they host.

A ministerial order has yet to specify the procedures for assessing the security of websites affected by the cyberscore. We already know the criteria used by ANSSI and CNIL to assess a site's security.

It starts with the quality of the infrastructure, both hardware and software. Using a firewall and vulnerability-detection tools is the cornerstone. Encrypting data in transit with TLS (HTTPS) is just as essential. There is also protection against XSS (Cross-Site Scripting) attacks, in which an attacker injects content into a web page in order to steal user data (contact details, passwords, session data, etc.). Another good practice, among others, is not to store sensitive information in cookies or in data kept locally on the Internet user's device.
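To make these criteria concrete, here is an added example (not code from the article or from ANSSI) that audits a captured HTTP response for the practices just listed: TLS in transit, an anti-XSS policy, and cookie handling. The response headers are constructed, and the A-to-E mapping at the end is an illustrative assumption, not the official assessment scale.

```python
"""Added example: audit a captured HTTP response against the article's criteria.
Headers are constructed; the grade mapping is illustrative, not the official scale."""

# Cookie names that suggest sensitive data is being stored client-side (assumed list).
SENSITIVE_NAME_HINTS = ("password", "passwd", "secret", "card", "iban")

def parse_set_cookie(raw):
    """Split 'name=value; Secure; HttpOnly; Path=/' into name, value, lower-case attribute names."""
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name.strip(), value.strip(), attrs

def audit_response(scheme, headers, set_cookies):
    """Return a list of findings; header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme.lower() != "https":
        findings.append("served over plain HTTP: data in transit is not encrypted")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security: browsers may still connect over HTTP")
    if "content-security-policy" not in h:
        findings.append("no Content-Security-Policy: injected scripts run unrestricted (XSS)")
    for raw in set_cookies:
        name, _value, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it can be sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: page scripts (and XSS) can read it")
        if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
            findings.append(f"cookie {name!r} appears to store sensitive data on the device")
    return findings

def illustrative_grade(findings):
    """Assumed A-E mapping for illustration only: one letter per finding, capped at E."""
    return "ABCDE"[min(len(findings), 4)]

# Constructed sample responses, not captured from any real site.
WEAK = dict(scheme="http", headers={"Content-Type": "text/html"},
            set_cookies=["session=abc123; Path=/", "password=hunter2"])
HARDENED = dict(scheme="https",
                headers={"Content-Type": "text/html",
                         "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                         "Content-Security-Policy": "default-src 'self'"},
                set_cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit_response(**resp)
        print(label, illustrative_grade(found), *found, sep="\n  ")
```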

In the final analysis, the effectiveness of such a government measure is questionable. The cyberscore is primarily aimed at the general public and their legitimate need for information. It calls on those responsible for site security to follow good practice, and also on Data Protection Officers (DPOs) to comply scrupulously with the requirements of the RGPD.

While we wait for the cyberscore to be implemented, ORSYS offers a wide range of cybersecurity training courses. In particular, you will find user awareness training. Security managers and DPOs can choose from a whole range of advanced training courses and certifications to enhance their knowledge and skills.

Our expert

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]
