Cybersecurity in business: challenges, risks, and practices
The challenges of cybersecurity in business remain poorly understood and poorly taken into account. Yet the effects of a cyber-attack, a technical failure, or human negligence can seriously disrupt an organization's activity. It is essential to have security measures in place to guard against these "cyber" risks.
80% of organizations have experienced at least one cyberattack in the past twelve months. Far from weakening, cyber risk is becoming more and more significant. The digital transformation and its corollaries (increased dependence on tools, the interconnection of information systems, the generalization of storage in the Cloud, etc.) have generated a whole range of new risks against which companies are not sufficiently armed. In terms of cyber defense, too many organizations still rely on failing systems and piecemeal solutions, while the threat has become global. It is urgent to become aware of the risks and adopt good practices (technological and human) to improve companies' cybersecurity.
Cybersecurity in business: increasingly central issues
Cyber incidents are the second most feared risk for organizations, ahead of natural disasters. This is because IT incidents often result in an interruption or slowdown of activity, given the increasingly close interconnection between business activity and IT systems. In short, the more the company depends on its IS, the higher the "cyber" risks, and the more central the issues of cybersecurity become.
The need for cybersecurity in business has become a reality that organizations can no longer escape. Five years ago, these risks only occupied 15th position in the barometer. Today, fears about technology crimes, computer failures, or data breaches are everyday realities for organizations, with concrete (negative) effects. These include a slowdown in production (for 26% of companies), temporary unavailability of the professional website (23%), delivery delays (12%), loss of turnover (11%), and stopping production for a significant period (9%).
To take a few (sadly) famous examples: in 2015, the cyberattack against the TV5 Monde channel required a total reconstruction of the IS, over a period of six months. In 2017, following ransomware attacks, the Maryland police and Saint-Gobain recorded losses of millions of dollars. Thousands of records were corrupted, and management had to suspend all networks. In the same year, the WannaCry virus infected more than 300,000 professional workstations in 150 countries, crippling entire organizations.
Risks to be identified upstream
Cyber-attacks result from a desire to harm, to make a profit, or to put an organization in difficulty (for a competitive purpose, to extract information, etc.). This is what we call "cybercrime." Among the most common attacks:
- The computer virus attack, which aims to access a faulty or poorly protected IS in order to destroy all or part of its data or to steal sensitive information (trade secrets, intellectual property, etc.). Other types of attacks target the company's website, for example by flooding it with useless traffic to cause a crash.
- Phishing uses an email or a fake website to trick an individual into making an error, in order to collect confidential data or make their machine vulnerable to the injection of malicious software (malware).
- Ransomware infects workstations by locking the screen and/or encrypting important data that the user can no longer access. To work normally again or recover confidential information, the user is pressured to pay a ransom.
- Social engineering techniques and psychological manipulation are used to fraudulently extract information from a user in order to gain access to an information system.
Protecting yourself against these attacks requires erecting the appropriate barriers and adopting a genuine cybersecurity approach in business.
The risks associated with cloud services and human negligence are interrelated. Storing data online only generates real risk when the tools are misused (or incorrectly configured from the start), or when users are negligent with regard to basic security instructions. The use of cloud applications (SaaS / IaaS / PaaS) that have not been approved by the company can cause configuration errors and accidental sharing of sensitive data.
The problem is not cloud storage itself, which offers more advantages than disadvantages in terms of security (if only by backing up data on external servers, away from the physical threats that hang over company premises). The real risk lies in the lack of employee awareness of the dangers of not controlling the collection and storage processes. Cybersecurity in business is a human issue before being a technological issue.
How to limit cybersecurity risks
To better protect themselves, companies need to consider carefully both the technical issues and the role that staff must play in cybersecurity. From a technical point of view, it is essential to count on the right solution at an enterprise level. To qualify as such, this solution must cover file encryption, backup, financial data, customer data, online payment systems, cloud security, industrial control systems, and endpoint security, including IoT devices. In addition, best practices in terms of network access, system administration, efficient patch management, and application controls must not be neglected.
A progressive awareness
A growing number of companies are realizing the need to build cybersecurity. Too often, however, this awareness only comes after they have been victims of an attack. The others still face too many obstacles, in particular the opposition between a "risk culture" and a "productivity culture." It is thought that the second must take precedence over the first, even though security is a precondition for productivity: in the event of a cyberattack, the system must keep running.
To date, corporate cybersecurity represents less than 5% of the budget allocated to ICT (this is true for 59% of organizations). Identifying risks is a good thing, but we must also give ourselves the means to protect ourselves against them. In this area, however, investment is not everything: while it is essential to adopt the appropriate tools, control of cybersecurity ultimately comes down to the employees themselves.
Best practices for strengthening cybersecurity in business
In view of the growing challenges of cybersecurity in business, what are the best practices to strengthen its security?
- Adopt the right tools. A digital threat calls for a technological response: tools must be put in place upstream to prevent risks (solutions for data storage and sharing, authentication by electronic signature, etc.), to detect threats, to analyze them, and to correct or reinforce any technical flaws.
- Update existing software. Company tools must be updated regularly to take into account the most recent threats. This is true of antivirus software, but not only of it.
- Identify the sensitive data to protect. Not all information is created equal, and some data is more valuable than other data. It is necessary to identify the data at risk and focus efforts on its protection - especially in the context of the GDPR, which requires the proper use and security of user data.
- Create a business continuity plan. This is an essential precaution to preserve a company's activity and allow it to get back on track as quickly as possible following an attack.
- Make employees aware of cybersecurity in business. That's the key point: According to a study published by the University of Alabama at Birmingham in 2015, 75% of organizations see employee neglect as the main threat to sensitive data.
Employee awareness, the keystone of cybersecurity
Offer training to everyone: use cybersecurity checklists, train your team to be up-to-date and fully aware of this issue, and integrate specialized personnel such as a Chief Information Security Officer-as-a-Service and a Data Protection Officer-as-a-Service. Consolidate your company's compliance with key standards such as the European Regulation for the Protection of Personal Data (GDPR) and the PCI-DSS standard.
With the stakes so high, never before has it been so important to stay up to date on cybersecurity issues and ensure your business is protected. There is, therefore, educational work to be carried out upstream, with employees: a charter to formalize individual and collective good practices, face-to-face training, e-learning sessions that allow distance training at each individual's own pace, and scenario exercises based on simulated attacks. There are many ways to teach employees the basics of cybersecurity in business, and the role that each of them can play - beyond the tools.
When it comes to cybersecurity, the user is often seen as part of the problem. In reality, users are mostly a big part of the solution. Getting the right protection tools is a great start, but we still need to educate users, train them in good practices, and show them that they are the most effective levers for guaranteeing the digital security of their organization.
Author: Vicki Lezama