Corporate cybersecurity: increasing all-round staff awareness
The growing digitization of the economy, via the development of IoT1 and the use of digital tools, has drastically increased the risks of cyberattacks facing businesses.
Now that 8,800 businesses have been assisted with the digitalization of their activities by the French government’s recovery plan2, and following the mass development of remote working caused by the pandemic, businesses have an even greater surface of vulnerability to cyberattacks.
The International Cybersecurity Forum (FIC) was held in Lille in September. The theme of the 2021 event was: “Developing cooperative and collaborative cybersecurity”. Cooperative cybersecurity because it is based on the willingness of digital firms to put in place good practice and training, but also collaborative because it requires all business and non-business users to do their bit even during personal use.
So it is legitimate to ask: what role can businesses play in developing this so-called collaborative cybersecurity approach?
ISSO’s, proactive participants but no longer sole guarantors
Businesses tend to almost exclusively hand over responsibility for cybersecurity to Information System Security Officers (ISSO’s). This risky reasoning fails to address the issue of resource allocation.
With the development of remote work and mixed use of professional and personal devices, as is the case with computers, for instance, the role of ISSO’s skyrocketed last year. During 2020, it is estimated that 90% businesses in France had to deal with at least one malicious act. This was the case for Umanis3 (a digital services company), which was hit between 13 and 14 November 2020 by a ransomware cyberattack that saw cybercriminals steal a certain amount of data and claim a ransom of €1,450,000.
As this situation is likely to last, ISSO’s are more important than ever in protecting corporate information systems. To reduce risks, it is essential to raise all-round staff awareness. The development of training “Cyber Campuses” like the one set up by EuraTechnologies in Lille demonstrates the need to integrate and train all company employees, whatever their position. So there has been a switch from centralized cybersecurity to a decentralized business-focused approach that no longer relies on ISSO’s alone.
Cybersecurity: a priority for EXCOM’s and Boards of Directors
Faced with Boards of Directors that are generally unfamiliar with cybersecurity issues, teaching staff about the risks of cyberattacks that can affect the company’s business is more essential than ever.
ISSO’s must be able to submit regular reports, whether quarterly or half-yearly, about direct or indirect threats to the business. What should they contain? These reports cover essential information such as the company’s potential vulnerabilities, including both internal issues (employee behavior, site architecture and tools) and external ones (payment / internet service providers).
The next step is to convince the Board of Directors to set up an internal audit committee tasked with appointing a third party to identify the strategic areas in which to improve cybersecurity policy.
Once the audit has been conducted, ISSO’s can then use it as the basis to make recommendations. This assessment phase also serves to identify the human and financial resources required to implement the business’s cybersecurity policy and request them from the EXCOM and Board of Directors.
Everybody’s business - A shared responsibility
What categories of staff are targeted by cyberattacks? Though all company staff can be targeted or used as vectors, hackers first and foremost target executive and financial officers. These staff, who are often relatively unaware of the risks of cyberattacks, are easy pickings for hackers.
Awareness campaigns are an important way of ensuring the participation of all company staff. By setting up so-called “fake phishing” campaigns4, we can test whether employees have good cybersecurity habits: i.e. carefully checking e-mails, not using public Wi-Fi without a VPN, etc.
What are these good habits? Spotting quite clear signs of phishing attempts such as5: e-mail urgency / presence of syntax or spelling errors / suspicious look of logos or visuals / presence of a URL unrelated to the sender / suspicious translation.
Businesses are well advised to set up risk awareness campaigns, combining integration training and test operations. The ISSO and their teams can then assess the level of staff maturity on these issues and decide to strengthen certain areas based on both needs and changing threats.
These threats particularly illustrate businesses’ increased surface of vulnerability due to the development of IoT-related uses. This is particularly the case of distributed denial-of-service (DDoS) attacks, which are designed to prevent services from working properly by saturating them. These attacks via connected object vulnerabilities were illustrated in 2016 with the botnet Mirai, which was used to attack targets including the French website hosting service OVH, paralyzing a number of services and sites such as Twitter, Netflix, and PayPal.
Though cybersecurity relies on the work of experts and requires resources to facilitate its implementation, such a strategy can succeed only if all staff do their bit both when using digital tools and working collaboratively.