With our societies becoming ever more digital, all companies, regardless of their size or business sector, are exposed to a growing number of cyber threats. The move towards hybrid working patterns, not just as an immediate response to the pandemic but as part of a permanent shift driven by a new kind of social aspiration, is increasing the risks. Although these risks are to a certain extent being managed by large organizations despite their larger attack exposure, interconnected supply chains, subcontractors and outsourcing between service providers make the case for collective coordination when strengthening cybersecurity levels, encompassing even small enterprises.
Tribune
by Patrick Guyonneau,
Orange Group Security Director
The strong threat to all companies is forcing us to think collectively about protection
Today’s companies must protect themselves from a growing list of worrying cyber threats – more or less sophisticated – from ransomware to malware, DDoS attacks, phishing, wipers, data leaks and extortion.
While some of these threats may seem technical or even abstract, their consequences are nevertheless very concrete, leading, for example, to the shutdown of a factory production line, the compromise of sensitive information or even fraudulent financial transactions, not to mention the potentially deadly disruption to hospitals.
All of these cyber incidents cause increasingly significant financial losses. On average in 2020, companies in France suffered operating losses, remediation costs, compensation and even damage to reputation exceeding $4.01 million per crisis!
In addition to the increasing types of attacks, companies are now more exposed to threats through accelerating cloud use, teleworking practices, and dependence on sub-contractors’ sometimes insecure IT systems.
More than ever, cybersecurity has become essential to protect companies that are increasingly exposed and that create value both through the goods and services they produce and through the data they generate and enhance.
In this minefield of risks and digital interdependence, cybersecurity now calls for a collective approach. As with a roped group of climbers in the mountains where anyone who falls into a crevasse can drag everyone down with them, each player in the value chain must cooperate, even to help others manage the crisis. Cybersecurity is above all a collective sport.
This need for better protection has not escaped the notice of business leaders. According to a recent PwC study published in January 2022, cyber risk is ranked as the number one threat identified by business leaders worldwide, ahead of health, climate change, and macroeconomic volatility. Terrorism has been relegated while geopolitical conflict has increased.
A collective approach also includes individual effort
Protecting against cyber threats has become a competitive differentiator, with ever-increasing demands from insurance companies, shareholders, and even financial rating agencies. By way of illustration, cyber risk is now a systematic part of the criteria for evaluating companies within acquisition due diligence.
If these regulatory or financial requirements weigh heavily on vital or essential service companies, the growing need for protection now encompasses SMEs and VSEs, players historically less concerned with cyber but who, conversely, find it harder to recover from a cyberattack. According to a UN study published in 2020, 60% of SMEs file for bankruptcy within six months of a cyberattack.
A few simple actions such as raising awareness and ongoing employee training in digital best practice are usually the first defense against attacks.
It helps develop a new spirit of defense! If all companies large or small were more vigilant, the entire business world would be more secure and collectively limit lateral attacks via the weakest links, at a much lower cost.
In France, due to lower awareness, public authorities also play a key coordinating role to encourage private and public players to better protect themselves by issuing recommendations and supporting the most essential companies in responding to security incidents and implementing a cyber recovery plan. Such a cooperative ecosystem is needed to permanently overcome such cyber threats. But it is time to overcome the fear of sanctions or the role of the fire-fighting state so that each economic sector can organize and ensure its own protection.
Know your critical assets and services well
Sound cyber risk protection for businesses cannot exist without first applying the ancient Socratic principle “gnothi seauton”: know thyself!
Now that the principle of airtight security between a company’s internal and external assets has become obsolete with the Cloud and the SaaS (Software as a Service) model, it is more essential than ever to prioritize protection efforts so as to invest in the right place. It starts with mapping the assets to be protected to identify the most sensitive data for the company’s survival, establishing a list of essential services for customers, and identifying interconnections with third-party IS (financial, logistics, suppliers, customers, etc.). Where the company lies in its ecosystem’s value chain, and who its competitors are, are in this sense major decision-making criteria for defining the right level of protection. A company has to crunch a lot of data to guide its cyber defenses.
It is obvious that a German Mittelstand competitor won’t see the same aggressive behavior as a company in the Far East. Also, if a company’s growth is strongly linked to technological innovation or strategic contracts with its government, the risks of sophisticated, discreet attacks of state origin (APT: advanced persistent threat) are greater than the risk of opportunistic, overt attacks by cybercriminals.
Cross-analyzing the risk assessment and the services and data that need to be secured will define the levels of protection to be applied, encompassing the location, encryption, and redundancy of data, as well as identity management, privileged access, system supervision and software version update management to correct vulnerabilities. Incidentally, not all of these protection tasks are necessarily the responsibility of security entities, but they do require close coordination to be effective and allow rapid reaction in the event of an attack.
A better coordinated and open ecosystem
While it is unfortunately impossible to ward off all threats, bringing detection and response capabilities closer to the threat – whether technically with increasingly sophisticated and automated Endpoint Detection and Response (EDR) type solutions using AI, or with effective human coordination – will slow opportunistic attacks and limit their consequences. Crisis management, and even more so damage limitation against cryptolocker viruses, is a race against time. When it comes to coordinating human actors, efficiency often requires training and regular crisis simulation. But it is not enough to focus solely on your business; you must be open to the outside to anticipate and see the threat coming. That’s why supplier security management is crucial. It can be passive, for example by applying contractual requirements to ensure business partners have mature systems and/or are rated by external institutions.
It can be active, supervising the IT links that connect the value chain’s IS. It can take more sectoral or united forms, sharing cyber intelligence or co-managing crises and remediation within a business sector. In this sense, principal contractors have a role to play, as a prescriber but also as a driving force in securing business verticals. Protecting companies against cyber risks therefore requires an awareness of the threat, knowledge of the strengths and weaknesses of the organization to be protected and a good level of preparation. While cybersecurity spending ROI is often not immediately visible, it is worth bearing in mind that the cost of insecurity can be prohibitive. As the Chinese strategist Sun Tzu already wrote in The Art of War in the 5th century BCE: “He who excels at resolving difficulties does so before they arise. He who excels in conquering his enemies triumphs before threats materialize.”