The increasing digitization of the economy, through the development of IoT and the use of digital tools, has drastically increased the risk of cyber attacks for companies. With 8,800 companies helped to digitize their activities by the Government’s recovery plan, and the massive growth of teleworking caused by the health crisis, the attack surface that companies expose to cyber risks is broader than ever.
In September, the International Cybersecurity Forum (FIC) was held in Lille. The theme of the 2021 edition was: “For cooperative and collaborative cybersecurity”. Cooperative because it relies on digital players voluntarily implementing good practices and education, but also collaborative because it requires the participation of all professional players, and of citizens in their personal uses.
It is therefore legitimate to ask: what role can companies play in the development of this so-called collaborative cybersecurity approach?
DSSIs, proactive players but no longer the sole guarantors
Organizations tend to rely almost exclusively on their Information Systems Security Directors (DSSIs) for cybersecurity. This risky reasoning overlooks the question of the resources granted to them.
With the development of teleworking and the mixed use of professional and personal devices, computers for example, the role of DSSIs exploded in 2020. It is estimated that 90% of companies in France faced at least one malicious act during that year. This was the case for Umanis (an ESN), which suffered a ransomware attack between 13 and 14 November 2020 that allowed cybercriminals to steal certain data and demand a ransom of 1,450,000 euros.
As this situation is set to continue, DSSIs are more than ever at the heart of protecting companies’ IT systems. To reduce the risks, it is imperative to raise the awareness of all stakeholders. The development of training “Cyber Campuses”, such as that of EuraTechnologies in Lille, demonstrates the need to integrate and train all of the company’s employees, whatever their function. We are thus moving from centralized cybersecurity to a decentralized approach oriented towards the whole company and no longer resting solely on the DSSI.
Cybersecurity: a priority for COMEXs and boards of directors
Faced with a general lack of knowledge of cybersecurity needs within boards of directors, it is more necessary than ever to educate them about the cyber attack risks that could impact the company’s activity.
DSSIs must be able to present regular reporting, quarterly or half-yearly, on direct or indirect threats to the company. How should it be constructed? It includes essential elements such as the company’s potential weaknesses, whether internal (employee behavior, site architecture and tools) or external (payment providers, internet providers).
The next step is to convince the board of directors to set up an internal audit committee responsible for calling on a third party whose mission is to define the strategic areas for improving the cybersecurity policy.
Once the audit has been carried out, the DSSIs can then use it as a basis to formulate recommendations. This educational work also makes it possible to request the human and financial resources necessary for the company’s cybersecurity policy from the Executive Committee and the Board of Directors.
Everyone’s business and shared responsibility
What categories of actors are targeted during cyber attacks? While all the players in a company can be targeted or used as a vector, hackers primarily target general management and finance departments. These actors, often relatively poorly informed about the risks of cyber attacks, represent a boon for hackers.
The participation of all of the company’s stakeholders involves, in particular, awareness-raising campaigns. So-called “fake phishing” campaigns make it possible to test employees’ reflexes in terms of cybersecurity: vigilance in handling emails, not using public Wi-Fi without a VPN, etc.
These reflexes rest on relatively simple elements that make it possible to identify phishing attempts: the urgency of the email, the presence of syntax or spelling errors, dubious-looking logos or visuals, the presence of a URL unrelated to the sender, or a questionable translation.
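The checklist above can also be applied mechanically to a message, for example to triage reports from an awareness campaign. The following is an added example, not code from the original article or from SQLI: it parses one raw email and flags two of the listed indicators (urgency wording and a link whose domain is unrelated to the sender), plus a Reply-To/From domain mismatch added here as a related check. The urgency term list, the sample message and the crude domain reduction are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Urgency wording is one of the indicators in the checklist; this term list is an assumption.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended")

def registrable_domain(host):
    """Reduce 'mail.example.com' to 'example.com' (no public-suffix list; an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def header_domain(msg, header):
    """Registrable domain of the address in a header such as From or Reply-To ('' if absent)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get(header, ""))
    return registrable_domain(match.group(1)) if match else ""

def link_domains(text):
    """Registrable domains of every http(s) URL found in the body text."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return {registrable_domain(urlparse(u).hostname or "") for u in urls}

def phishing_signals(raw_message):
    """Return which indicators fire for one raw RFC 5322 message, plus a simple count."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = "" if msg.is_multipart() else msg.get_content()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    sender = header_domain(msg, "From")
    reply_to = header_domain(msg, "Reply-To")
    foreign_links = {d for d in link_domains(body) if d and d != sender}
    signals = {
        "urgency": any(term in text for term in URGENCY_TERMS),
        "link_domain_mismatch": bool(foreign_links),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
    }
    signals["score"] = sum(signals.values())
    return signals

# Constructed sample message imitating a finance-targeted lure (not a real email).
SAMPLE_EMAIL = """\
From: "Finance Department" <finance@example-corp.com>
Reply-To: payments@mail-example-corp.net
To: cfo@example-corp.com
Subject: URGENT: pending transfer must be validated within 24 hours
Content-Type: text/plain; charset="utf-8"

Please validate the transfer immediately at
http://example-corp-secure.net/login before your access is suspended.
"""

if __name__ == "__main__":
    print(phishing_signals(SAMPLE_EMAIL))
```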
Companies have every interest in setting up risk awareness campaigns, combining training during integration and test operations. The DSSI and its teams can then assess the degree of maturity of employees regarding these issues and decide to strengthen certain areas according to needs and the evolution of threats.
These threats are illustrated in particular by the greater vulnerability of companies resulting from the growth of uses linked to the IoT. This is particularly the case with distributed denial of service (DDoS) attacks, which aim to prevent services from functioning properly by saturating them. Attacks exploiting the flaws of connected objects found their illustration in 2016 with the Mirai botnet, used in particular to attack the French web host OVH, and resulting in the paralysis of many services and sites such as Twitter, Netflix and PayPal.
While cybersecurity rests on the work of experts and requires resources to facilitate its implementation, such a strategy can only succeed through the involvement of all employees in their use of digital tools, and through collaborative work at the highest level.
By Majid At the, DSSI, SQLI