Digital rule #1: adopt a security policy against the risks of cyberattacks
A company must learn to identify and then assess the threats and motivations that cybercriminals could use against it. It can order an audit, in order to identify its possible digital flaws and other risk areas that could arouse the interest of hackers.
This method communicates valuable information to the company and helps it to launch its digital security project. Ideally, the establishment of an analysis aimed at identifying the attractive assets of the company in the eyes of cybercriminals should take place every year.
The appetite of cybercriminals comes from four main motivations according to Syntec Numérique, one of the French professional unions of the digital industry:
- ideological motivation;
- financial motivation;
- espionage or cyberterrorism motivation;
- motivation with a broader goal (the cyber attack is only a first step to facilitate other cyber actions).
Each threat identified must be followed by the implementation of measures to defuse it. In order to reassure and demonstrate to its shareholders and customers that it is taking the lead, the company has every interest in communicating its cyber strategy to them.
Digital Rule #2: Appoint a Cybersecurity Manager
The rapid development of cybercrime against companies must encourage each board of directors or steering committee to create a department dedicated to cybersecurity. At its head must be appointed a cybersecurity officer. Aware of the risks of cyberattacks, he develops and implements good cybersecurity practices throughout the company.
The cybersecurity manager must benefit from certain powers in order to establish his cybersecurity governance strategy. Thus, he fully belongs to the steering committee and participates in meetings to report alerts to general management. He has the authority to request a multi-year budget from his department. Then, he uses it to define and maintain the company’s digital security policy. Depending on the size and needs of the company, he sets up a team dedicated to IT security. Finally, it draws up its annual report on cybersecurity: risks thwarted, incidents, projects and budget requests.
According to Syntec Numérique, 77% of companies say they are highly dependent on the information system.
Digital Rule #3: Allocate budget for cybersecurity
Any company, from the SME to the multinational, must sanctuarize a budget dedicated to digital security. Depending on the company’s activity, this share should represent between 5 and 20% of the IS budget. The distribution of the budget is also of great importance. The majority of it provides for identified risks, but about 25% should be saved to react quickly to unforeseen threats. More generally, each company project should include IT security in its costs.
Finally, part of the budget must also be used to raise employee awareness of the risks of cyberattacks, with the establishment of internships and training.
Digital rule #4: make employees aware of the risks of the Internet
All it takes is a single human error, a single breach, and cybercriminals enter a company’s computer system. To avoid dramatic consequences (data theft, ransomware, phishing, etc.), employees must participate in the fight against cyberattacks.
Enrolling employees in courses and training provided by a cybersecurity school is the best way to raise awareness. As the innovation of hackers is growing and constant, this awareness must take place regularly. Without forgetting the implementation of an IT charter which specifies to employees the best practices of cybersecurity.
Number Rule #5: Control Company Information
Fraudsters require a base of sensitive information in order to make their attack attempts credible. Indeed, a fraudulent e-mail must resemble in all respects a real message to convince an employee to make a transfer, to click on a banner or to entrust sensitive information.
This information, hackers find it on the Internet (legal notices, company website, social networks) or extract it from employees through a scam. Companies have every interest in establishing a constant watch on the dissemination of data concerning them. This involves monitoring social networks and researching information about the company via Google. Raising employee awareness is also advisable to prevent them from multiple risks. In the event of disclosure of sensitive information, the company must contact the employees or sites concerned to delete it. Assistance from the National Commission for Computing and Liberties (CNIL) can assert their rights.
Digital rule #6: secure computer systems
Digital rule #7: security at the heart of every IS project
Technological developments regularly challenge security approaches. New connected objects appear on the market, social networks abound, as do mobile applications. Security must therefore be placed at the heart of projects that require an information system.
The analysis of risks and impacts, the implementation of measures to reduce risks, action plans in the event of an attack are an integral part of each project. As well as the budget allocated to all its prerogatives. The cybersecurity department also conducts vulnerability tests on a larger scale and makes sure to integrate new, more efficient security mechanisms.
Numerical rule #8: favor trusted providers
Cybersecurity is essential within a company. However, care should be taken with actions outside the company. To strengthen the measures already in place, the cybersecurity team must give its opinion on the choice of IS service providers. They must guarantee the security of their data and infrastructure. To help companies, the National Information Systems Security Agency (Anssi) issues various labels to proven service providers.
In addition, “France Cybersecurity” awards a label each year to products, services and advice related to cybersecurity. This certification is based on several criteria, such as the French origin of the products, their quality and their performance in the field of computer security.
Number Rule #9: Check Frequently
Security protocols must stick as closely as possible to the risks of cyberattacks. This is why an annual audit must verify the compliance of the measures and processes activated by the IT security policy. It must be accompanied by more regular checks on the systems most likely to present security flaws. In addition, there is daily monitoring of security updates and the level of vigilance of employees.
Numerical rule #10: keep an increased vigilance
The dependence of many companies on their computer system forces them to remain vigilant at all times. At this level, doubt always prevails. At the slightest suspicious e-mail, even sent by the president or the hierarchical superior, it should not be opened. Better to ask for confirmation by phone than to click on a malicious link. This vigilance of all is acquired through cybersecurity training and an effective IT charter.
VSEs, SMEs and ETIs represent 34% of ransomware victims in 2021 (+53% compared to 2020), according to Anssi.