What should you do to secure your business? First and foremost, it is important to understand that cybersecurity operates on all levels. “A global policy must be rolled out, led by top management”, explains Nicolas Arpagian, VP Strategy & Public Affairs at Orange Cyberdefense. “This leadership will make it possible to establish security as a value-added component for their digital transformation”.
This starts far upstream, with an audit of network infrastructures: businesses must understand their global network architecture and the interconnections between their own system and the systems used by their partner firms in order to position “shields” in the right places. Alongside this, a policy needs to be put in place for managing digital identities: who has access to what? This will make it possible to ensure the right level of access to information and minimize the possibilities for data exfiltration. A security audit based on penetration tests (pentests) will confirm the system's strength and identify the areas to be reinforced.
With a global view of their infrastructures, businesses will be in a better position to choose technical solutions that ensure a higher level of security:
- cloud solutions and hosters combining quick data access with effective protection;
- data encryption (with encoding techniques for example);
- advanced authentication systems;
- intrusion detection and surveillance programmes to identify abnormal practices;
- classification of information based on its confidentiality, international security standards, etc.;
- data backup systems;
- intelligence and monitoring tools to detect malicious discussions concerning the business.
All businesses can also take other actions on a day-to-day basis:
- restricting social media on professional workstations,
- scanning USB keys for malware before use,
- blocking transfers from professional mailboxes to personal mailboxes or to sites that could potentially carry malware…
However, the key point shared by all businesses concerns employee awareness and training. The IS department operating on its own is not enough: an IT “health and safety” culture needs to be promoted.
E-reputation: another threat
Cyberattacks have a double impact on businesses: they disrupt the way their activities operate, and they undermine the confidence of customers and stakeholders in the company, which can then affect its financial valuation. Data theft can have a major effect on commercial reputations: how can I trust my bank if it allows my personal data to be leaked? But in some cases trolls can also collectively attack a business on social media to criticize it. A “digitally-safe” business must therefore carefully monitor “chatter” on the web, protect itself using an online intelligence and monitoring system, and adopt appropriate responses to any bad buzz.
Building employee awareness
With the rapid development of BYOD [Bring Your Own Device] and new practices for employees (working on the move, mixed professional and personal uses), their company's security is becoming everyone's business. It is crucial for businesses to ensure that all their employees understand the level of risk involved and the wide range of potential attacks. Through their various devices, each user represents a “point of entry” into the company's system. USB keys, personal downloads on workstations, simultaneous opening of a social network and the intranet… each individual represents a source of potential vulnerabilities!
Today, there are various solutions available to inform the members of organizations about cybersecurity issues:
- security best practice guides and handbooks covering the use of technologies by employees in connection with their work,
- security awareness programmes,
- e-learning programmes enabling employees to work at their own pace to build up essential knowledge,
- serious games with a fun approach to learn or check security reflexes.
Employee awareness is the key point in any cybersecurity policy. The human link underpins everything, looking beyond the various protection tools. As the technical aspect of IT security issues may sometimes be off-putting, it is essential that the business' Security Department has knowledge of the activities and processes deployed on the ground in order to understand the issues faced and put in place arrangements to raise awareness that will be meaningful for employees.
Building circles of trust
Cybersecurity in businesses goes hand-in-hand with exchanges of information and cooperation with all the stakeholders concerned:
- the authorities, through organizations like the central office for action to combat crime connected with information and communication technology (OCLCTIC) in France;
- the French national information systems security agency (ANSSI), which carries out general checks on IT systems and networks covering various public and private organizations;
- incident response centers (Computer Emergency Response Team, CERT);
- security research labs in other businesses from the same sector.
The company can also surround itself with trusted suppliers, whose security choices offer guarantees. It can demand accredited services from its suppliers (e.g. a certified datacenter). Security labels, such as those awarded by the ANSSI in France, offer assurances for partners with reliable networks and represent an added attraction for customers. For some customers, labels or accreditations are an essential condition for buying services. This approach is expected to become increasingly widespread: with the European data protection regulation, which will come into force in May 2018 in the European Union, companies are becoming responsible for their subcontractors' IT security.
Lastly, establishing a circle of trust means choosing an operator with a global view of IT security. Orange Cyberdefense advocates a heuristic and realistic approach to cybersecurity, with a formalization of the security policy upstream, followed by the deployment of adapted tools in line with the operations involved, and various intelligence and monitoring arrangements to be effective over time. The aim is to ensure that protection is aligned with the business' characteristics and its priorities in terms of the data to be protected, minimizing the level of constraints (password changes, encryption, etc.). While it is impossible to guarantee zero attacks, as there are too many vulnerability points, Orange makes a commitment alongside businesses in the event of serious issues to limit the impact of any attacks and losses. In the event of a crisis, businesses are supported by dedicated teams.
Cybersecurity, an issue that is still underestimated
Cybersecurity issues are still not seen as a priority for businesses. The sense of security among employees is misleading: only 36% of them think that their company has already been subject to a cyberattack, whereas the real figure is 66% of businesses. At senior management levels, although 83% of executives are aware that an IT flaw can threaten their company's balance, cybersecurity is ranked as only the fifth most important strategic priority.
What factors lie behind this paradox? Costs and complex implementation are the main obstacles holding back the deployment of a global cybersecurity policy, followed by the difficulties involved with distributing best practices internally. However, this needs to be looked at urgently: 46% of employees are still not aware of how they should behave faced with cyberattacks.