Cyber security is a human issue before it is a technological one. This is why all companies — whatever their size — must work on raising their employees' awareness of these issues. Today, companies are targeted because hackers ultimately want access to their customers and suppliers. Cyber security is therefore no longer a niche activity and, above all, is no longer something that can be ignored or put aside.
I – Companies Facing Cyber Security Threats
Today's hackers have changed since the early days of the Internet. Cyber attacks have become sneakier, and hackers no longer try to take on company security systems head on. Instead, one option open to them is social hacking.
Social hacking is a technique that targets a company's employees (by email, for example) in order to penetrate the business network. This is why a quarter of recorded attacks target employees.
Another frequently used technique is the rebound attack. It makes it possible to reach companies holding sensitive information, such as those in the medical or defense fields. Hackers go through one of the company's suppliers or customers and attack by rebound, taking advantage of the trusted links maintained between these companies.
Another important point: hackers don't just steal data. For example, the vast majority of international trade is done by boat. Hackers can hijack entire ships. And they already have! How? After cutting off communications to the vessel, they directed it to a safe place, and the cargo was not seen again until the ransom was paid. This type of cyber attack could cost the target business hundreds of millions of dollars!
Agricultural equipment (tractors, harvesters, riding mowers, etc.), which is now connected to the internet, is another target of choice. It becomes possible to divert such machines from their initial trajectory. Hijacked, coordinated, and controlled, this equipment becomes a potentially dangerous weapon.
In the same vein, by simply buying a virus from the darknet for a few hundred dollars, a single individual can block a factory, a road, or even an entire city.
How Companies Are Adapting
Depending on the type of business attacked and the type of information stolen, the solution is not the same across the board. Some industries are forced to give in to blackmail by cyber criminals, while others categorically refuse.
Take, for example, the Rouen hospital. In November 2019, the Rouen University Hospital was the target of a cyber attack. The extreme sensitivity of the stolen information and the lack of backup forced the entity to pay to recover the data. The aim here was to save lives in intensive care, to plan the right operations at the right time for the right patient, to communicate the right health data to the doctors who will prescribe treatment, among others. Quickly retrieving patient data was therefore essential.
In contrast, we can look at the seaside resort of La Croix-Valmer. The municipality’s computer servers were attacked at the end of July 2018. The files were encrypted and the hackers demanded a ransom. According to the municipality, no amount of money has been paid.
Indeed, despite the immobilization of its services for a week, the municipality managed to keep the personal data of its inhabitants safe from the attack. This time, the hackers gained nothing.
3 Ways to Limit the Risk of Cyber Attacks
1. Develop adequate technical means
The first key step in securing a network is to acquire a firewall that allows the network to be partitioned. A typical business generally has several segments: the document network, the accounting network, etc.
This compartmentalization makes it possible to cope with an attack by preventing it from spreading beyond the segment through which the hackers entered. The IT systems manager then adds anti-virus, anti-spam, and other services and solutions to optimize network protection.
2. Never ignore awareness
When securing your network, it is also essential to educate your users about cyber security through events, conferences, webinars, etc. An informed user, aware for example that in 40% of attacks the virus takes possession of the entire network in less than 30 seconds, will think of disconnecting their computer quickly if they find that it is under attack.
3. Achieve the security targets required to obtain certifications
Some industries need to prove their level of cybersecurity. This can be established by pursuing certifications. The term “security target” also designates the minimum security required by the industry to achieve a certain protection result. By reaching these security targets, the business can host sensitive data.
II – A Macro Context that Evolves According to Cyber Risks
The cost of computer hardware and software has increased in recent years, as have the salaries of IT professionals. For VSEs and SMEs, IT risk is now well understood and integrated. They are aware of the issues that arise from it and seek to protect themselves. On the other hand, many still believe that they are not a “real” target. The “Why me?” mentality continues.
The Economy of Cyber Security
These companies know, however, that they must invest in security, but this necessity is costly and restrictive! For example, more and more companies are banning the use of USB keys on their IT equipment, which is shaking up employee habits.
Fortunately, insurance is starting to cover cyber security risks for businesses. The first offers appeared a few months ago. This investment is therefore becoming more and more attractive for companies, especially in the current context, where cyber risk is very high and will continue to increase exponentially until it becomes the biggest risk companies face.
What about legislation in the world of cyber security?
Recently, legislators have understood that there is value in data. The most precious asset of organizations is data. The CNIL is the first entity to set up initiatives to secure data and responds in particular to the emergence of GAFAMs which have become too powerful to continue to evolve without a defined framework.
When Facebook announced the launch of its virtual currency, 700 million people expressed interest. Facebook is therefore potentially the largest bank in the world, even before it exists.
This boom in the data and IT security market worried states and legislators who did not seem to fully realize what this boom meant for society. We are therefore starting to see actions implemented in France and Germany to protect data.
However, certifications are extremely expensive. Only the big players can afford them. Moreover, even if an entity can invest in its IT estate and its security, this is not necessarily the case for its business partners. The latter therefore become a gateway, via the rebound technique, to the more sensitive data of large companies.
Risks to be Identified Upstream
Identifying risks upstream is one of the major challenges of Cyber security for business. It is essential to know (and understand) what we are trying to fight. As such, we can distinguish three main families of threats: cyber attacks, the risks inherent in Cloud services, and human negligence.
Cyber attacks result from a desire to harm, for greed, or to put an organization in difficulty (for a competitive purpose, to extract information from it, etc.). Among the most common attacks are:
- Attacks via computer virus, which aim to access a faulty or poorly protected IS in order to destroy all or part of the business's data or to extract sensitive information (manufacturing secrets, property rights, etc.). Other types of attacks can target the business's website, for example by flooding it with useless traffic to cause a crash.
- Phishing uses an email or a fake website to induce a user error and collect confidential data, or to make a machine vulnerable to the injection of malicious software (malware).
- Ransomware infects workstations by locking the screen and/or encrypting important data to which the user no longer has access. To work normally or recover confidential information, the user is then pressured to pay a ransom.
- The so-called “president” attack, a method of extortion by which a malicious third party impersonates a member of management, generally to extract money or information.
- Social engineering techniques are psychological manipulations aimed at extracting information from a user fraudulently, to gain access to an information system.
Protecting yourself against these attacks means erecting barriers, and therefore adopting a real cyber security approach in business.
The risks linked to cloud services and human negligence are interdependent. Storing data online does not generate any real risk until the tools are misused (or incorrectly configured in the first place), or when users are negligent concerning basic safety instructions.
Using cloud applications that have not been approved, SaaS / IaaS / PaaS configuration errors, accidental sharing of sensitive data, etc. — these risks increase as cloud tools take up more space in the organization.
Moreover, the main threat to organizations is internal: 80% of companies face the risk of compromised user accounts. The practice of using personal applications for professional purposes (with all the associated risks) is called "Shadow IT", or "shadow computing".
The danger is not negligible: 86% of cloud applications used within organizations have not been authorized by the ISD (information systems department), according to a CipherCloud study.
The problem does not lie in cloud storage, which offers more advantages than disadvantages in terms of security. Instead, the problem lies in the lack of awareness among employees. Cyber security in business is more a human issue than a technological one.
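The scale of unauthorized cloud use described above can be measured from a company's own web-proxy logs. The following is an added example, not code from the article: it parses constructed proxy log lines, matches the hosts against a hypothetical catalogue of known cloud services and a hypothetical IT-approved list, and reports which unapproved applications are in use, by whom, and what share of the cloud apps in use were never approved.

```python
# Added example, not from the article: flag "Shadow IT" from web-proxy logs by
# comparing the cloud services in use against the IT department's approved list.
from collections import defaultdict
from urllib.parse import urlsplit
# Hypothetical catalogue of known cloud-service hosts and their application names.
CLOUD_CATALOGUE = {
    "docs.approved-suite.example": "ApprovedSuite Docs",
    "share.personal-drive.example": "PersonalDrive",
    "chat.freechat.example": "FreeChat",
}
# Hypothetical list of hosts the IT department has approved.
APPROVED_HOSTS = {"docs.approved-suite.example"}
# Constructed proxy log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-03-01T09:01:12Z alice GET https://docs.approved-suite.example/open?id=1 200
2024-03-01T09:02:40Z bob POST https://share.personal-drive.example/upload 200
2024-03-01T09:03:05Z alice POST https://share.personal-drive.example/upload 200
2024-03-01T09:04:51Z carol GET https://chat.freechat.example/room/7 200
2024-03-01T09:05:13Z bob GET https://www.example-news.example/article 200
garbage line that must be skipped, not crash the report
"""

def parse_proxy_line(line):
    """Return (user, host) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    host = urlsplit(parts[3]).hostname
    return (parts[1], host) if host else None

def shadow_it_report(log_text, approved=APPROVED_HOSTS, catalogue=CLOUD_CATALOGUE):
    """Return ({unapproved app: sorted users}, share of apps in use that are unapproved).
    Hosts outside the catalogue (news sites, etc.) are not cloud apps and are ignored."""
    users_by_app = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed and parsed[1] in catalogue:
            users_by_app[catalogue[parsed[1]]].add(parsed[0])
    approved_apps = {catalogue[h] for h in approved if h in catalogue}
    shadow = {app: sorted(users) for app, users in users_by_app.items()
              if app not in approved_apps}
    share = len(shadow) / len(users_by_app) if users_by_app else 0.0
    return shadow, share

if __name__ == "__main__":
    shadow, share = shadow_it_report(SAMPLE_PROXY_LOG)
    for app, users in shadow.items():
        print(f"unapproved: {app} used by {', '.join(users)}")
    print(f"{share:.0%} of cloud apps in use were never approved by IT")
```

The same report run against real logs gives a per-user list to feed the awareness sessions the article recommends, rather than a bare percentage.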
Best Practices to Strengthen Cyber Security in Companies
Because of the growing challenges of cyber security in companies, what are the best practices to strengthen digital safeguards?
- Adopt the right tools. There are tools to be implemented upstream to prevent risks, detect threats, analyze them, and to correct/reinforce any technical flaws.
- Update existing software. Business tools must be updated regularly to take the most recent threats into account. This is true of antivirus software and of the other programs employees use regularly.
- Identify the sensitive data to protect. Not all information is created equal; some is more valuable than the rest. It is necessary to identify the data that is at risk and to focus the effort on its protection – especially within the framework of the GDPR, which ensures the proper use and security of user data.
- Back up the data and store it in a safe place. This helps prevent essential business data from being altered, degraded, or deleted, with major consequences for the business. Restoring the data and/or the system from a backup helps limit the negative effects of a cyber attack.
- Strengthen access rights. With SaaS solutions and cloud storage, a simple password is no longer enough. Access must be protected by strong authentication mechanisms.
- Create a business continuity plan. This is an essential precaution to preserve the activity of a business and allow it to get back on track as quickly as possible following an attack.
- Educate employees about cyber security in the workplace. This is the key point: according to a study published by the University of Alabama in Birmingham in 2015, 75% of organizations see employee neglect as the main threat to sensitive data.
Employee Awareness is the Keystone of Cyber Security
Let us emphasize the last best practice on our list. The number one issue of cyber security in companies is that of user awareness and training.
Employees are often not very involved and tend to neglect the recommendations made to them. In 2017, the Deloitte firm was the victim of a hack that lasted several months: the hackers accessed the IS via a poorly protected administrator account (secured only by a simple password).
The issue stemmed from an employee who made his life easier by opting for a simple authentication mechanism that wasn’t very secure.
The human dimension is therefore essential. Behind their computer, smartphone, or tablet screen, employees are on the front line when faced with “cyber” risks.
It is this privileged position that also makes them the weak link in the chain of cyber security in companies, as evidenced by the “success” achieved by malware, ransomware, and other social engineering techniques that play on the credulity of people to reach their goal.
There is therefore a whole body of educational work to be carried out upstream: promote individual and collective good practices through face-to-face training and e-learning sessions, at a pace suited to your team, and test people regularly with sample attacks.
There are many ways to teach employees the basics of cyber security in the enterprise, and the role that each of them can play beyond the tools.