Cybersecurity: Technology does not answer everything!
While the threat of cyberattacks continues to grow, many companies are poorly protected. It is time for them to genuinely anticipate this threat and to build a structured cybersecurity policy on solid foundations, with governance that is adapted to and effective against this type of risk. An op-ed by Benjamin Cauwel, Security Senior Manager at Accenture.
Not a week goes by without a new cyberattack making the news. Last July, a supermarket chain was forced to close almost all of its 800 stores after its cash registers were paralyzed. Some time earlier, the shutdown of an American pipeline pushed an airline to modify some of its flight plans and caused fuel prices to rise in the United States.
Since the NotPetya virus, which in June 2017 cost the affected companies more than a billion euros, the list of direct or indirect victims of ransomware continues to grow at a spectacular rate, even though many companies prefer to keep quiet about their setbacks. In France, according to the National Agency for Information Systems Security (ANSSI), the number of companies affected was four times higher in 2020 than in 2019.
Any company is a target
Whatever its sector of activity, its size or its geographic location, the question for a company is no longer whether it will be hit by a cyberattack, but when. According to the World Economic Forum's "Global Risks Report 2021" [1], cybercrime ranks among the most likely risks, alongside those associated with global warming. Beyond the financial losses caused by disorganization or interruption of activity, the consequences can be dramatic.
No sector of activity is safe from these ransom-demanding attacks. While classic espionage, aimed at stealing industrial data and secrets, mainly affects strategic or technological activities, ransomware attacks cast a far wider net. Neither the construction SME nor the school is spared. After falling victim to a cyberattack, a Lyon-based high-end lingerie company was forced to enter receivership to ensure its survival.
This picture should be enough to make companies take up the subject of cybersecurity in earnest, especially since there is no reason to expect the situation to improve in the medium term. Cybercrime today takes many forms, giving the threat a diffuse and protean character.
Just as disturbing is the democratization of cybercriminal technology: ransomware-as-a-service (RaaS) platforms, which let anyone buy a ready-made ransomware kit, already exist on the internet.
Trompe-l'oeil resilience
However, many leaders have not yet taken the measure of the risk, and many companies wrongly consider themselves protected. Their resilience is a trompe-l'oeil. Their cybersecurity policy often comes down to piling on costly and sophisticated protective layers without ensuring the solidity of the foundations, like a pastry chef hiding a dry cake under layers of icing. In addition, despite the alerts, budgets intended to strengthen cybersecurity are often limited or even refused. Indeed, it is not uncommon for the security manager and the executive committee to assess cyber risk very differently within a company, and the same divergence exists between companies.
Those that have already been hacked have set up processes for detecting breaches, responding to them and keeping the business running, without questioning the financial resources needed. They know that if their IT system stops working, their activity is paralyzed and losses can reach several tens of millions of euros per day for the largest groups. The others generally believe either that they are not concerned or that they are ready to face an intrusion.
In addition, when a large company is attacked, the main difficulty in the response is regularly a matter of governance: who makes the decisions? The holding company or the subsidiary? Who is responsible? The CEO, the Director of Information Systems (DSI), the Technical Director (CTO), the security manager (RSSI)? How to handle time differences, different cultural approaches, and disparate legal and regulatory frameworks? Yet anticipating or warding off a cyberattack is a race against the clock. Every hour lost to power struggles or other unforeseen events can increase the impact of the attack and the financial losses.
Faced with the growth of cyberattacks, it is essential to return to basics to prevent the company from collapsing like a house of cards at the first attack: the information system will remain the cornerstone of every company's security posture for the next ten years.
To prepare as well as possible, companies must put in place a structured approach that includes an external audit of the information system (technical and functional), the definition of a master plan (based on a ranking of threats according to a cost/benefit criterion), the immediate introduction of a genuine business continuity plan (PCA), the definition of governance and of the chain of command in the event of an attack, the establishment of a security operations center (cyber SOC), or even the creation of a Computer Emergency Response Team (CERT or CSIRT). Without these elements and this anticipation, the company's resilience will remain nothing more than a wish.