Cybersecurity: the major new challenge facing companies
Today, individuals and companies work in an ultra-connected, highly networked environment in which the volume of data in motion is growing exponentially. The rise of the digital world, however, brings new dangers with it, such as the theft of technology and intellectual property, ransomware and cyberespionage. The growing number of media revelations about cybercrime is probably only the tip of the iceberg. The World Economic Forum's 2021 Global Risks Report is clear on the subject: cyber risks are moving up the ranking of the world's biggest threats. It is time to examine the fragile nature of the digital space and its implications for both major corporations and SMEs.
Along with the pandemic, 2020 was also the year of a huge rise in the number of cyberattacks, with a four-fold increase in the number of victims [1]. While the phenomenon was already growing, its marked acceleration during Covid-19 was no coincidence. “With the pandemic, companies suddenly had to introduce remote working on a massive scale, often without being properly prepared for it,” explains Laura Peytavin, an engineer with US cybersecurity software publisher Proofpoint and president of the alumni association of leading French engineering school Télécom Paris. “The result was that the surface area of attack grew significantly.” The phenomenon only added to existing weaknesses that were already being exploited by cybercriminals, including companies’ lack of awareness about the risks, poor management of IT systems and a shortage of good IT housekeeping practice.
A range of modus operandi
“Although the rise of IoT (the Internet of Things or connected objects) has inevitably increased the danger, the biggest risk is still the human factor,” the expert underlines. “The growth in hackers’ activities since 2010 has been amazing.” Unpatched and poorly maintained IT systems, whether through a lack of resources, a shortage of staff or simple lack of interest in the subject, give those attacks their openings. Meanwhile, cybercriminals keep refining their techniques. Social networks are mined for the personal information that helps them dupe their targets. “Hackers are mapping the various relationships across a company and sending people targeted messages that are more and more believable. They are also making use of cognitive science by playing on people’s fears, tiredness and sense of urgency. It’s been noted, for instance, that the number of attacks increases on a Friday afternoon, when people are less on their guard.”
At the same time, the methods hackers use are becoming more varied. Examples include the ransomware deployed by the Russian cybercriminal group REvil [2], which struck thousands of companies around the world; the cyberattack on Airbus via its subcontractors (notably Altran); denial of service attacks that overwhelm a website [3]; and the supply-chain attack on the SolarWinds Orion network management software, used by more than 300,000 organisations around the world [4]. In practical terms, the classic vector, a malicious file attached to an email, has since been joined by links that download payloads from a malicious cloud-hosted source and by messages requesting bank details.
For companies, the risks are enormous and exist at several levels: loss of data integrity or availability (especially where there are no backups), along with financial, reputational and legal risks, among others. In a report published in February 2020, the Federal Bureau of Investigation put the losses from cyberattacks reported to it in the United States at $3.5 billion [5].
A culture of vigilance and investment
Faced with such a high-risk situation, what should companies do? After a series of surveys among IT security managers, Proofpoint identified four priorities: strengthen security controls, manage supplier risk, support remote working and deploy automated security solutions. “For a company, making people aware of the risks should be treated as part of their training, so that a virtuous circle is created,” explains Laura Peytavin. Never click on anything in a dubious email, never plug an unknown USB key into a company machine, never share or write down passwords: all these habits have a role to play. “This preventive work will also involve creating a relationship between Machine Learning and the individual,” she adds. “Although an algorithm cannot counter every threat, it can at least provide each employee with a targeted message – complete with the relevant context – to be on their guard.” In other words, educating employees and developing a genuine culture of vigilance requires a minimum level of financial investment. That budget would cover tasks such as encrypting communications, carrying out security audits, regularly updating hardware and software, introducing regular compliance checks, and ensuring that data and both internal and external peripherals are kept secure. Various companies, led by IBM, argue that spending on cybersecurity should account for 9% to 14% of an IT budget, according to CyberShark. On average, companies actually spend around 6% of their IT budgets on security [6].
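The vectors listed earlier (a malicious attachment, a link to a malicious download, a request for bank details) and the “targeted message complete with the relevant context” that Peytavin describes meet in a mail-gateway check. What follows is an added example, not code from the article, from Proofpoint or from any vendor: the organisation's domain (example-corp.com), the keyword lists, the point weights and the sample message are all constructed assumptions. It parses a raw email with the Python standard library, scores the social-engineering tells, and builds a warning banner that spells out why the message looks suspicious rather than issuing a generic “be careful”.

```python
"""Contextual phishing warning: an added illustration, not code from the article,
Proofpoint or any vendor. It scores one raw email against the social-engineering tells
the article describes and explains each hit to the recipient. INTERNAL_DOMAIN, the
keyword lists and the point weights are illustrative assumptions."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"  # assumed: the defending organisation's mail domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended", "act now")
PAYMENT_WORDS = ("bank details", "iban", "wire transfer", "update your payment")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".hta", ".docm", ".xlsm")


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registered_domain(host):
    parts = host.lower().rstrip(".").split(".")  # crude: last two labels
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_email):
    """Return a list of (reason, points) findings for one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    m = re.search(r"@([\w.-]+)", from_hdr)
    from_dom = m.group(1).lower() if m else ""
    display = from_hdr.split("<")[0].strip().strip('"').lower()
    # 1. Display name trades on the company's name while the address is external.
    if from_dom and from_dom != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in display:
        findings.append((f"display name mentions the company but address is @{from_dom}", 3))
    body_text, links = [str(msg.get("Subject", ""))], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            extractor = _LinkExtractor()
            extractor.feed(html)
            links.extend(extractor.links)
            body_text.append(re.sub(r"<[^>]+>", " ", html))
        elif ctype == "text/plain":
            body_text.append(part.get_content())
        fname = part.get_filename()  # 2. executable or macro-enabled attachment
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append((f"attachment {fname} is executable or macro-enabled", 3))
    text = " ".join(body_text).lower()
    # 3. Visible link text shows one domain while the href goes somewhere else.
    for shown, href in links:
        target = _registered_domain(urlparse(href).hostname or "")
        shown_host = re.search(r"([\w-]+\.)+[a-z]{2,}", shown.lower())
        if shown_host and _registered_domain(shown_host.group(0)) != target:
            findings.append((f"link text shows {shown_host.group(0)} but points to {target}", 3))
    # 4. Pressure language and 5. payment details requested by an outside sender.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append((f"urgency language: {', '.join(hits)}", 1))
    if from_dom != INTERNAL_DOMAIN and any(w in text for w in PAYMENT_WORDS):
        findings.append(("external sender asks for bank or payment details", 2))
    return findings


def banner(raw_email, threshold=4):
    """Warning to show the recipient, or None when the score stays under the threshold."""
    findings = analyse(raw_email)
    if sum(points for _, points in findings) < threshold:
        return None
    lines = ["WARNING: this message shows signs of a targeted phishing attempt:"]
    lines += [f"  - {reason}" for reason, _ in findings]
    lines.append("Do not open attachments, follow links or send details; report it to IT.")
    return "\n".join(lines)


# Constructed sample message (not a real capture); banner(SAMPLE) returns the warning.
SAMPLE = """\
From: "Example-Corp Finance" <accounts@examp1e-corp-billing.net>
Subject: URGENT: supplier payment blocked
Content-Type: text/html; charset=utf-8

<p>Hi, the transfer is blocked. Please confirm your bank details <b>immediately</b> via
<a href="http://login.examp1e-corp-billing.net/pay">https://portal.example-corp.com</a>
before the account will be suspended.</p>
"""
```

For the constructed message, banner(SAMPLE) lists four reasons: a display name that trades on the company's name from an outside address, a link whose visible text shows example-corp.com but whose target is a look-alike domain, urgency language, and an external request for bank details; a message with none of these tells returns None. A real gateway would also weigh the sender's SPF and DKIM results and link reputation, but the point here is the per-message explanation, which is what turns a generic warning into a targeted one.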
That said, as experts are keen to hammer home, being equipped does not necessarily mean being protected. In 2020, the combination of a pandemic and the widespread use of remote working forced companies into an urgent review of their IT practices. According to a survey by CensusWide, 83% of major companies changed their approach to cybersecurity last year in order to protect the data and workloads they hold on cloud servers [7]. Meanwhile, a growing number of company boards set up cybersecurity committees. Such action was in marked contrast, though, with the response among small firms. Faced with a lack of sufficient resources, whether financial or human, small and medium-sized businesses often underestimate the risks of cybercrime. And yet an extensive study by Kaspersky Lab put the average cost of a data breach for an SME at $117,000 [8].
The vital need for a global approach
The challenge is clearly a global one. Progress in raising awareness needs to be led by governments and public institutions, such as France's National Agency for the Security of Information Systems (ANSSI), which makes a significant contribution by publishing guides and delivering MOOCs.
Back in November 2001, the Council of Europe's Convention on Cybercrime (the Budapest Convention) established a framework for international cooperation against cybercrime, giving governments a basis for passing legislation to deal with the threat. But it is time to go further. The World Economic Forum believes that cybersecurity needs to be the responsibility of national governments, with principles and systems adopted throughout the public and private sectors [9]. At the same time, the European Union would probably benefit from following the lead of the United States, which has been extremely active on the issue recently. Borrowing from the methods it uses to combat terrorism, the US authorities established a special task force within the Department of Justice in June of last year to centralise the information collected from its investigations.
In France, Bernard Barbier (former technical director of the Directorate-General for External Security, the DGSE, the country's equivalent of the CIA), Jean-Louis Gergorin (former head of analysis and planning at the Ministry of Foreign Affairs) and Edouard Guillaud (former Chief of the Defence Staff) recently used a newspaper column [10] to call on the government to adopt a national cybersecurity strategy. They also suggested the creation of a “programme of technical and scientific innovation on the same scale as the programmes that enabled us to have a strategically independent nuclear capability.” By doing so, they argue, the government would at last be able to deliver a collective response that is equal to the challenge.