.png){kind=logo}
.png){kind=logo}
.png?width=16&name=Group@3x%20(1).png){kind=small}
Sign in
The report from CESIN (Club des Experts de la Sécurité de l'Information et du Numérique), which has been publishing its annual barometer with OpinionWay since 2015, shows that while many positive developments regarding corporate IT security have been made, there are still steps to be taken.
According to a recent report by the French Senate: "one company out of two does not secure its workstations and one out of three does not even use antivirus software. Awareness is not yet translated into effective prevention, as the budget allocated to cybersecurity does not exceed €1,000 per year for six out of ten French companies.
In order to change this situation, let's review together the basic actions to protect yourself.
Your 4 essential steps:
1st step: act on the human "weak link"
"Nearly one incident out of two (...) is due to human factor" as testified by a business leader at the round table organized by the French Delegation to Businesses on March 25, 2021. The Senate report of February 2022 explains this in part by a lack of cyberculture, even among the younger generations: "82% of respondents do not know what a firewall is, 76% say they do not know what malware is, 73% do not understand the term VPN and 71% cannot define the term HTML. However, they do know what viruses (65%), cookies (65%) and bandwidth (49%) are.
To avoid this situation, your employees must be aware of and trained about the threats in order to have the appropriate reactions: adopt strong passwords, think about the origin of an attachment, check that the HTTPS protocol is notified in the address bar of the web browser. All these good reflexes can be learned and the company can/should contribute to it.
You can rely on some official websites, for example, the The National Cyber Security Centre created by the UK government , where you can find many updated advices, trainings or guides that can be easily consulted, such as the Cyber Aware page, full of tips and advice; or the Cybersecurity & Infrastrucutre Security Agency CISA, by the US government, where you can fin amongst their tips and bulletin, timely information about current security issues, vulnerabilities.
Do not hesitate to pass them on to your employees.
A mandatory awareness: NIS directive and GDPR
With the publication of these two European texts, the NIS Directive and the GDPR, all companies, including the smallest and most isolated from IT, now have an obligation to ensure IT security. They must "manage the risks that threaten the security of networks and systems" (Article 14 NIS Directive), "guarantee the rights and freedoms of the data subject" (Article 5 RGPD) or "guarantee a level of security appropriate to the risk (...) and ensure the security of processing" (Article 32 RGPD). Failure to comply with these obligations can be punished by fines or even imprisonment.
Reminder: you must educate all your staff about cybersecurity and have written records of it. You must have a "privacy by design" procedure. Any relationship with an employee or a client must include a signed contract with terms guaranteeing data security. Many sectors are concerned: lawyers, suppliers, operational staff, the CEO, the IT department, the CISO and even the accounting department... Regular audits must be carried out with a written record for your customers and the competent authorities.
So, be it legally required or not, you must take this step very seriously, as it is also increasingly requested by your customers.
Required compliance and ISO/IEC 27001 and 27110
Inspired by Anglo-Saxon standards and the financial rating criteria of certain agencies such as Moody's, but above all required by insurance companies, your clients now ask for precise specifications on cyber security. As such, you are responsible for the digital security of the sensitive data that your clients entrust to you, who can take legal action against you if you fail to meet your commitments. Thus, we observe the level of cybersecurity of all companies developing while meeting the expectations of their customers creating a virtuous circle beneficial to both parties.
One of the solutions adopted by companies is to obtain the ISO/IEC 27001 certification delivered by accredited organizations, such as COFRAC in France.
This process may take a while and require some investment to achieve the desired compliance.
The ISO 27001 standard certifies the implementation of an information security management system (ISMS). This "ISMS: Information Security Management System (...) includes the information systems, processes and people concerned by the protection measures". Then, "ISO/IEC 27001 lists a set of checkpoints to be respected in order to ensure its relevance, to allow its use and to make it evolve". The objective is to "protect functions and information from loss, theft or alteration, and computer systems from intrusion and computer damage".
According to a Senate report of February 2O22: "ISO/IEC 27001 (...) has recently been supplemented, in February 2021, by the ISO/IEC TS 27110 technical specification, "Information security, cybersecurity and privacy - Guidelines for developing a cybersecurity framework", developed in collaboration with the International Electrotechnical Commission (IEC), to "create, or refine, a robust protection system against cyber-attacks". These private standards allow your companies to obtain a public cybersecurity certification that will reassure your customers.
2nd Step: identify and fix the network’s technical weaknesses and vulnerabilities
With the Covid crisis, many companies have chosen the cloud to receive and protect their sensitive data while switching to remote work. Although some companies have been able to provide the required equipment and cybersecurity, in some cases it is the telecommuting employees who have accessed the cloud with their private equipment or hardware: the "BYOD" (bring your own device). A virtual goldmine for hackers, these devices, with limited or no security, offer many ways to penetrate any protected network.
It is therefore essential to ensure that each network entry point (workstations, mobiles, laptops or other computers, smartphones, tablets, etc.) is protected by general and unavoidable solutions (antivirus, antimalware and firewall) and others that are more elaborate (smartphone encryption, reinforced authentication, secure Wi-Fi, reinforcement of control posts, on-board security, etc.).
One of the reflexes to consider is to separate the protection of the work site (equipment and network) from the protection of workers outside the site, to separate the "site to site" from the "client to site". Between the equipment supplied by the company and formatted in terms of security, which is often considered to be well protected, and the external or home workers who use their own equipment, it is necessary to tag and adopt certain cybersecurity tools such as the VPN or the MFA (multi-factor authentication)
The purpose of the VPN (Virtual Private Network) is to integrate a client into a private network from a remote connection, allowing the user to access services that are only accessible to the devices within the private network. It is therefore "a service through which you can access the Internet securely". "The connection to a VPN server will (...) result in hiding your IP address and change it to the server IP address (...) which acts as an intermediary. Thus, the website you visit will not know your original IP address and your anonymity will be respected.
Using a secure VPN can allow you to encrypt your data to protect it. This is called "tunneling" process (via different protocols such as OpenVPN, IPSec, WireGuard, L2TP, IKEv2...). While using your Internet service provider, your traffic will pass through a protected tunnel where no one can read or spy on your Internet activities except your VPN provider. The use of a secure VPN (with encryption and DNS, etc.) is recommended when using a public Wi-Fi network which often has a low security level.
In addition to the VPN, it is recommended to adopt the MFA: Two-factor authentication
Indeed, the login credentials (account ID and password) are the first targets of hackers. With this information, they can try to hack your accounts and steal your banking or sensitive data or even try to impersonate you. You will therefore need to strengthen the security of this data by using strong authentication, aka MFA.
Definition:
Sometimes referred to as "2FA" (2-factor authentication), or "two-step validation", "MFA" (multi-factor authentication), or strong authentication, is a verification process (...) to prove a user's identity. Typically, this involves logging into a network, application or other resource with more than a simple ID + password combination. Examples include a temporary code sent via SMS, an authentication link, a security question or voice recognition.
The use of MFA makes it more difficult to hack your accounts. Even with your login and password, the hacker will still find an obstacle in front of him to access your account: the second authentication factor.
Note that many companies, including banks, require this authentication mechanism for their customers. This is not surprising, since it is a mandatory measure linked to the PSD2 directive (2019) for banks and payment service providers and for most remote payments, account access as well as sensitive operations (adding a transfer beneficiary, ordering a checkbook, changing address, etc.).
Beware that MFA is not flawless: an attacker can succeed in intercepting SMS messages containing your authentication codes as with SIM SWAPPING attacks. However, compared to simple authentication, MFA strongly minimizes the risk of leakage or reuse of sensitive data.
This cybersecurity measure should therefore be systematically applied whether you are a consumer or a company. Companies that have massively revised their security measures since the pandemic and the growth of remote work have not been mistaken: 63% of them have generalized the use of multi-factor authentication (MFA).
3rd Step: the good reflexes for emails
Check the sender's address carefully. Is it a real address? Or a friend's email?
Does his request seem surprising to you? Contact him via another means to check if he is the sender.
Beware of emails that ask for your personal data. No public organization will ask you for sensitive data such as passwords or credit card numbers.
Under no circumstances should you click on a suspicious e-mail or its attachments or links sent by unknown people.
Sometimes these emails are filled with spelling mistakes, misprints, punctuation errors or even threatening injunctions on your accounts or accusing you of illegal acts, have only one answer: send them directly in your spam folder!
Is it your business account? Then report it to your IS or CISO who will take care of the necessary checks.
Some companies even offer a training program for your employees: 4 out of 10 companies have cyber crisis training programs, and 47% say they are in the planning stages.
4th Step: Make the necessary updates and backups
The programs that the user relies on are subject to regular updates to fix any security flaws that are discovered. Without these updates, hackers will not hesitate to target those who have "forgotten" them. So make sure your operating system, software and antivirus software are up to date if you don't want to be the victim of a bad surprise.
Also, make regular backups of your sensitive data on a secure cloud or a server not connected to the rest of the network. This "back up" is the guarantee that you can restart everything in case of a blockage by cyber attack. Specialists, as well as Norton Security, refer to the "3-2-1 rule": you must plan and have 3 copies of the data (the original and 2 copies). You must then store them in 2 different physical locations. And finally, you need to keep 1 copy "offline", i.e. not accessible via the network, which excludes many cloud solutions.
With these few recommendations and tips, you are already guaranteed a minimum level of vigilance and protection for your company and your employees. But don't think you've reached the maximum level of cybersecurity. In reality, hackers are evolving at full speed in their attacks and are increasingly thwarting anti-virus software and traditional protection methods. Cyber hacking pushes cyber protection to its limits and leads to the emergence of new solutions for more protection. These are the new trends in cyber protection that we suggest you discover in our next article.
by Edmond Kean
