In just a few years, cybercrime has exploded. "It has become a real economy, with its professions, its experts and its calls for tenders... We have gone from an ‘amateur’ profile to mafias, and even states," explains Dimitri Druelle, Cybersecurity & Privacy Group Practice Manager at Gfi Informatique.
To measure the extent of this phenomenon, we only have to look at the figures: the various sources agree that this market is worth an estimated $400 billion per year. When we know that ‘traditional’ crime (drugs, human trafficking, arms, etc.) represents $1 trillion across all activities combined, we realise the importance of this invisible market.
“Cybersecurity is a never-ending game of cat and mouse, and unfortunately cybercriminals are always one step ahead of companies. All the more so since businesses are cruelly lacking in expertise and resources: in France, for example, according to the ANSSI, only 25% of job openings in cybersecurity have been filled.”
Yet Dimitri Druelle is encouraging. “There are a few simple rules to follow to protect businesses. Too often, attacks are successful because companies have not done the ‘strict minimum’. This was the case again this year with the wave of WannaCry ransomware, a piece of malware which, like Blaster fifteen years before it, took advantage of a flaw in Windows whose patch had been released several months earlier, but which companies were slow to implement. Good IT hygiene protects against the simplest attacks.”
Overall, it is important to understand that the subject of cybersecurity has changed, not only in scale but also in its model. “In the past, we worked according to a fortress principle: the information system operated behind a thick wall of security equipment (firewall, DMZ, proxy, ...) and we hoped to ward off assailants. Today, smartphones, mobility, the Cloud and digital transformation have pushed information systems to open up to the outside. Building barriers no longer makes sense. We must implement a new model, which can be compared with health: we are constantly surrounded by viruses and harmful bacteria, we breathe them in every day, but if we have both good hygiene and good practices (such as vaccinations) we don't get ill...”
It is therefore important to strengthen the IS just as we would strengthen the immune system. The comparison is relevant in more than one respect. “It is very complicated to protect ourselves from a very infectious and lethal disease without drastic sanitary measures, but by ‘updating’ our bodies with a vaccine we can avoid catching the flu, which can be deadly for the most vulnerable.”
For an IS, practising good hygiene means: regularly updating the IT equipment, having an up-to-date antivirus, having good knowledge of your system, conducting a continuous risk audit... The objective of a CISO is to protect the company from attacks that are the equivalent of a ‘cold’ or ‘flu’, so that it does not fall to the first opportunistic attacker who comes along. “If a cybercriminal specifically wants to get into your system, they will. However, if they encounter resistance, there is a good chance that they will move on to another company: and they will be spoilt for choice.” The ANSSI's guide to good IT hygiene practices is a good reference for the basic measures to be implemented in any company.
The regulatory framework exists and is constantly being strengthened. “As a company, you have the obligation to put in place security measures set out in several pieces of legislation, depending on your activity and your status,” explains Dimitri Druelle. “The GDPR, which will come into force next May, obviously includes the question of personal data security as well as respect for citizens' rights. The strong sanctions foreseen (up to 4% of global turnover) are beginning to attract the attention of Executive Committees. But even without waiting for the European regulation, last year's Digital Republic law already raised the CNIL's administrative fines from 150,000 to 3 million euros. In addition to these financial stakes, there are also liability issues. Recently, in the context of major data leaks, as was the case at Equifax and Target, the CISO, the CIO and also the CEO were dismissed.”
Other texts are also important, such as the European “Network and Information Security” (NIS) Directive, currently being transposed into French law. It incorporates the spirit of the French Military Programming Law and extends it to Operators of Essential Services (more than 1,000 public administrations and private companies), who will have to implement specific security measures, including the use of ANSSI-qualified trust services.
“If you host health data,” adds Dimitri Druelle, “you have to comply with other obligations, such as the Health Data Host Repository. And so forth, on a case-by-case basis. Of course, the existence of the ISO 27001 standard should also be taken into account. It applies to everyone and manages security through risk. It is the basis for implementing durable processes for the continuous improvement of security.”
In conclusion, to protect yourself from malicious acts and from negligence (which is just as dangerous), the very first step is to set up an audit of your company's cyber-risks. This will naturally lead to the identification of priority measures. When it comes to cybersecurity, appearances count for nothing: you have to be effective and pragmatic, that's all!