“Cybercrime at an all time high” ; “Bigger than WannaCry: a giant cyber attack is coming”... As newspaper articles present cyber threats as evermore hazardous, we are often lost -and frightened- about how to prepare to face this gruesome eventuality. Media even present this as a fatality, as if it were soon to be the era of Terminators ! Fortunately for us, Cameron’s vision is not for today, those events are not inevitable and there are many ways to mitigate cyber risks. Here are a few insights aiming to resolve these issues.
A first step towards cyber risks mitigation is a firmly business-oriented information security strategy implementation, including cybersecurity stakes in business operations. This overall policy should involve an incident response process. In fact, as even the best technical tools cannot guarantee total security for your firm, it appears essential to make available strong expertise on incidents. This expertise allows for rapid response actions and mitigation in the event of any security breach. And while internal skills are fundamental to any cybersecurity undertaking, diversifying expertise via external points of view and analysis remains necessary.
Faced with a sometimes daunting digital transformation, one must be careful to integrate security in projects from the bottom up, and not only once that project is completed. This is where methods such as ISP (“Integrated Security in Projects”) come in. Requiring the involvement and cooperation of project owners, prime contractors, risk managers and IT specialists, this method enables a preventive and tailored security solution.
Thinking cybersecurity not only as a cost but as a true money saver
Admittedly, devising and maintaining a proper strategic cybersecurity plan is costly. But you may have heard the old adage “an ounce of prevention is worth a pound of cure”, and as exposure to cyberattacks increases, cost of repair often outweighs initial cost. In October 2016, the internet infrastructure company Dyn learned it the hard way, suffering a severe DDoS attack (1 To/s). As Corero reported, “the data analyzed a representative sample of 178,000 domains hosted on Dyn before and immediately after the 2016 attacks, and revealed that more than 14,000 internet domains dropped Dyn as their DNS service provider in the wake of the incident”. If Dyn suffered an 8% drop in customers, consequences worsen amongst smaller businesses as SMEs often believe that they are not likely to be attacked, therefore lacking protection.
Sensitization, cornerstone in every security system.
As IBM reported in its 2017 Cyber Security Index, 95% of all IT security incidents involve human error. When an employee doesn’t know how to secure his own computer or to protect himself from social engineering, he jeopardizes a well rounded -and expensive- security system. Conducting awareness campaigns seems critical to training staff members on the new uses of digital technology, therefore proactively allowing your employees to be the main actors of your firm’s cybersecurity strategy.
Strength through unity: the virtue of combination for an efficient strategy
None of these solutions can operate effectively if not implemented together. Enforcing those methods and policies allows for the establishment of powerful synergies, as sensitization and new skills spread throughout the entity. Cybersecurity is a multifactorial and strategic issue that cannot be ignored, especially in the digital age, where any lack of security can result in serious concerns. Methods and policies described previously (ISP, awareness campaign, IT formation, recruitment of expert consultant in cyberdefense/resilience) are some best practices to protect companies, much needed when it comes to ever evolving threat vectors.