Published May 2, 2022, updated May 2, 2022
The continuous digitization of our societies leads to a simple realization: all companies, regardless of their size and sector of activity, are now exposed to growing cyber threats. The spread of teleworking, beyond the immediate response to the COVID crisis, answers a genuine social aspiration, and in doing so it both reinforces this risk and makes it permanent. While the largest organizations usually take these risks properly into account despite their large attack surface, the interconnection of supply chains and widespread subcontracting between service providers call for a collective strengthening of the level of cybersecurity, including for most small companies.
By Patrick Guyonneau,
Orange Group Security Director
The serious threat to companies forces us to think collectively about protection
The list of cyber threats can only cause anxiety: ransomware, malware, DDoS attacks, phishing, wipers, data leakage and extortion… so many more or less sophisticated ways of doing harm, against which companies must protect themselves.
While some of these threats may seem very technical or even abstract, their consequences are nonetheless very concrete. They lead, for example, to the shutdown of a factory production line, the compromise of confidential information or even fraudulent financial transactions, not to mention hospitals brought to a standstill.
All these cyber incidents lead to increasingly significant financial losses. On average, the accumulated cost to a company of operational losses, remediation, compensation and even reputational damage exceeded US$4.01 million per incident in France in 2020!
In addition to the multiplication of types of attacks, the surface of exposure of companies to the cyber threat is also increasing, with the accelerating use of the cloud, the spread of teleworking and dependence on the poorly secured IT systems of subcontractors.
More than ever, cybersecurity has become essential to protect companies that are increasingly exposed and that generate value twice over: through the goods and services they produce and through the data they generate and monetize.
In this context of heightened risk and digital interdependence, cybersecurity must, above all, be a collective approach. As with a roped party in the high mountains, where a climber who falls into a crevasse can drag everyone else down, every participant in a value chain is bound to the others, including when it comes to crisis management. Cybersecurity is first and foremost a team sport.
This need for better protection has not gone unnoticed by business leaders. According to a PwC study published in January 2022, cyber risk is the number one threat perceived by business leaders worldwide, ahead of health, climate and economic volatility. Terrorism seems relegated to a subordinate level as geostrategic risk re-emerges in Eastern Europe.
The collective approach does not dispense with individual effort
Protecting yourself against cyber threats has thus become a real competitive factor, with increasing demands from insurers, shareholders and even financial rating agencies. By way of illustration, cyber risk has become a standard item in the evaluation criteria applied to companies during due diligence ahead of an acquisition.
While these regulatory or financial requirements weigh mainly on large companies designated as operators of critical or essential services, the need for protection is now growing for SMEs and VSEs, actors historically more distant from cyber concerns but whose survival after a cyber attack is often more difficult.
According to a UN study published in 2020, 60% of SMEs file for bankruptcy within six months of a cyber attack. Yet a few simple measures, such as awareness and ongoing training of all of a company's employees in good digital hygiene, often constitute the first line of defense against attacks.
This is a way of developing a new spirit of defense! At lower cost, through the vigilance of every economic actor, small or large, the whole economy stands to gain in safety and to collectively limit attacks that spread laterally through the weakest links.
Though this is not well enough known, in France the public authorities also play a normative and unifying role, encouraging private and public actors to protect themselves better by issuing recommendations, supporting the most critical companies in responding to security incidents, or establishing a cyber recovery plan. Only with a cooperative ecosystem can the cyber threat be countered on a lasting basis. But it is time to move beyond fear of the police or reliance on the state as firefighter, so that each economic sector organizes itself and guarantees its own protection.
Know your critical assets and services well
Good protection of companies against cyber risk cannot exist without first applying the ancient Socratic principle "gnothi seauton": know thyself!
While the logic of a hermetic boundary between the inside and the outside of the company becomes obsolete with the cloud and information systems delivered as SaaS (Software as a Service), it is more necessary than ever to prioritize protection efforts and invest in the right place. This starts with mapping the assets to be protected. Identifying the data most sensitive for the survival of the company, drawing up the list of services essential to customers, and taking an inventory of the interconnections with third-party information systems (financial, logistics, suppliers, customers, etc.) are essential. Questioning the company's place in the value chain of its ecosystem and knowing its competitors are, in this sense, the main criteria for deciding the appropriate level of protection. All this information serves to adapt and guide a company's cyber defenses.
It is obvious that a competitor from the German Mittelstand will not behave as aggressively as a company from the Far East. Furthermore, if a company's growth is heavily linked to technological innovation or to strategic contracts with its government, the risk of sophisticated and discreet state-sponsored attacks (APT: Advanced Persistent Threat) is greater than the risk of opportunistic and brutal attacks by cybercriminals.
Cross-referencing the risk assessment with the services and data to be protected will define the levels of protection to apply, covering the location, encryption and redundancy of data, identity and privileged access management, the level of monitoring of the system, and the management of software updates to fix vulnerabilities. Incidentally, these protection tasks are not necessarily the responsibility of security teams, but they require close coordination to be effective and to allow a rapid reaction in the event of an attack.
Coordinate better and be open to your ecosystem
While it is unfortunately impossible to prevent every threat, bringing detection and response capabilities closer to the threat, whether technically with increasingly sophisticated and automated Endpoint Detection and Response (EDR) solutions that make use of AI, or through effective human coordination, often already makes it possible to slow down opportunistic attacks and thus limit their consequences. Crisis management, and even more so a cyber crisis with the damage done by cryptolockers, is a race against time. When it comes to coordinating human actors, efficiency often requires regular crisis training and simulation.
But it is not enough to focus only on your own business; you have to be open to the outside in order to anticipate and see the threat approaching. That is why supplier security management is crucial. It can be passive, through contractual requirements that ensure the maturity of business partners, which can also be assessed through rating by external institutions.
It can be active, through monitoring of the IT links that connect the information systems along the value chain. It can take more sectoral or joint forms, with shared cyber intelligence or common crisis management and remediation within an industry. In this sense, directors have a role to play, as prescribers but also as a driving force to safeguard their business verticals.
Better protecting companies against cyber risk therefore requires, above all, an awareness of the threat, knowledge of the strengths and weaknesses of the organization to be protected, and a good level of preparedness. While the return on cybersecurity spending is often not immediately visible, it is worth bearing in mind that the cost of insecurity can be prohibitive. As the Chinese strategist Sun Tzu wrote in The Art of War in the 5th century BC: "He who excels at solving difficulties solves them before they arise. He who excels at defeating his enemies triumphs before his threats materialize."