Photo of the AFNOR Group premises, copyright AFNOR

Published on 02 May 2022

What do you do in the event of a cyberattack? AFNOR shares its experience

The standardization non-profit AFNOR suffered a cyberattack in 2021. Its information systems were down for several days, and it felt the operational repercussions for almost three months. Olivier Peyrat, Director General of the AFNOR Group, and Frédéric Leconte, Director of IT Services at the AFNOR Group, share the lessons learned from this experience.

 

 

Operating since 1926, the French Association for Standardization (AFNOR) designs and deploys solutions based on voluntary standards with an exclusively French, European, or even global dimension. The Group serves the general interest in its standardization activities and provides services in such competitive sectors as training, professional and technical information and intelligence, assessment, and certification. It is part of a connected ecosystem of more than 69,000 customers around the world, a central position that makes it a prime target for cybercriminals.

 

Photo of Olivier Peyrat

Olivier Peyrat,
Chief Executive Officer
AFNOR Group

 

Photo of Frédéric Leconte

Frédéric Leconte,
Chief Information Officer
AFNOR Group

 

 

Can you tell us about the cyberattack?

 

It began on Thursday 18 February 2021, in the early morning. We noticed that some of our files had been encrypted and our servers were becoming inaccessible. Three days earlier, a phishing email had been sent from an attack server. Traditionally, hackers stay in the shadows for a long time to gather as many vulnerabilities as possible in their target, but here, the modus operandi of this group was radically different. Once inside our system, they acted very quickly.

Frédéric Leconte
Director General at the AFNOR Group

 

 

How did you react when you detected the intrusion?

Frédéric Leconte: Once our information system was shut down, we also wanted to understand very quickly what had happened. A cybersecurity service provider helped us trace the source of the attack and its implications. In three days, we were able to reconstruct with certainty the entire chain of contamination.

Olivier Peyrat: We alerted the entire IT team immediately. Then we made the decision to shut down our information systems and ask our employees to cease using their digital tools. It was not an easy decision to make, but we had to do it to protect our employees, customers, and partners.

 

How did you communicate when your information systems were down?

F.L.: Communication was indeed a key issue at that time, whether within AFNOR or vis-à-vis our suppliers and customers. To share information internally, we used a mass texting system and activated an emergency website that we had previously deployed. Externally, we installed an emergency email service accessible via webmail. All incoming phone calls were redirected to a service provider.

O.P.: In February 2021, we were still in the midst of the pandemic, with many employees working from home. It was therefore essential to keep in touch and support our 1,200 employees so they could continue to work, despite being disconnected by the cyberattack.

 

How did you organize your teams to overcome the crisis?

F.L.: From there, we started cleaning up our information systems and rebuilding our entire infrastructure brick by brick. Priorities were decided every day at Executive level. After eight days, our site was operational again, but it took a further three months to deploy our complete information system.

O.P.: We set up several crisis cells, including one dedicated to the IT Department to focus on the technical response, and others by business line to respond to our customers or partners. We also set up a crisis cell at the decision-making level in connection with the Executive Committee.

 

Following this attack, what have you put in place to strengthen cybersecurity?

F.L.: After the attack, we upgraded our tools and rebuilt our system infrastructure differently. The goal is that any backdoors (malicious computer programs) left behind by hackers cannot be reactivated.
 

O.P.: We have been proactive within the AFNOR Group, for example by strengthening all our passwords and getting statistics on how we’re improving our overall protection. By involving each employee, we want to prevent any weak links from emerging. Today, everyone knows that they are potentially both a vector and a sentinel in the event of a cyberattack.

 

What advice would you give organizations to prepare for this type of attack?

F.L.: Even when you are prepared, this type of event is harder to manage than you think. But don’t let the magnitude of the task lead to paralysis. Every action counts. Completing each stage of preparation makes you more resilient and able to restart more quickly if the unthinkable happens.


O.P.: It is vital for managers to be regularly informed and trained. We’re now working upstream with cyber experts (internal or external) to better measure the real gravity of the situation and the possible scenarios. This enables us to regularly measure our level of dependence on information systems and our ability to operate in degraded mode if necessary. Second tip: you must communicate regularly with your employees, your customers, your ecosystem – and honestly – as it’s necessary to explain what is happening at each stage of the crisis. We tried to communicate quickly with the right tone and transparency via social networks.

 

To this end, how do cybersecurity standards aid organizations?

F.L.: These tools make information systems more robust. In this area, the ISO 27001 voluntary standard is a way to ensure that all processes are in place to manage risks and prepare action plans during attacks. At European level, the Cybersecurity Act of 2019 should also be transcribed into standards soon.

O.P.: To help companies organize themselves better, we are preparing an AFNOR Spec dedicated to cybersecurity. Orange Cyberdefense experts are contributing to this document, and it will identify the best practices used by victims of cyberattacks, to ensure business continuity. The aim of these tools is to share expertise and know-how to help improve collective resilience to cyberattacks.