Corporate cybersecurity: the challenges, the risks, and good practice

#Security | 10.08.2019 | 6 min read | Last update: 10.25.2020

Companies are still largely unaware of how significant the challenges are when it comes to cybersecurity, let alone how to tackle them. Yet, the effects of a cyberattack, a technical fault, or human error can seriously harm a business’s operations. So, it’s essential to put safeguards in place to protect against online threats.

80% of organizations have been hit by at least one cyberattack in the last twelve months, according to a cybersecurity survey published by IT security experts association CESIN (1). Cyberthreats aren’t going away. They are growing stronger by the day. While digital transformation has brought plenty of benefits, such as increased prevalence of tools, interconnected IT systems, and cloud storage, it also comes with a wide range of new risks that companies are not sufficiently protected against. When it comes to cyberdefense, too many organizations still rely on vulnerable systems and stand-alone solutions, even though the threat has become so widespread. There is an urgent need to be aware of the risks and adopt good practices – both technological and human – to improve cybersecurity in business.

Corporate cybersecurity: increasingly pressing challenges

Cybersecurity incidents are the second-biggest type of risk feared by organizations, ahead of natural disasters, according to an annual survey by Allianz (2). Downtime is the biggest concern for businesses, but this is directly related to cyberrisks, because IT incidents often result in operations being slowed down or even suspended, given the increasingly marked knock-on effect of a cyberattack. In short, the more a company depends on its IT ecosystem, the bigger the cyberrisks, and the bigger the challenge cybersecurity becomes.

The need for businesses to invest in cybersecurity can no longer be ignored. Five years ago, cyberthreats were only the 15th biggest concern for companies. Today, fears of cybercrime, IT failures, or data breaches are part and parcel of day-to-day business. And for good reason given the very tangible negative effects: slowdown in production (26% of companies), temporary unavailability of the company website (23%), delivery delays (12%), loss of turnover (11%), and production stoppage for a significant period of time (9%). (1)

Looking at some infamous examples: in 2015, a cyberattack hit French television channel TV5 Monde, requiring it to completely rebuild its IT environment over six months. In 2017, manufacturer Saint-Gobain recorded a loss of €220 million after being struck by ransomware NotPetya. The local subsidiary of the Group was infected in just a few minutes through the Ukrainian accounting software it was using. A vast amount of data was modified, and the company had to suspend all its networks. That same year, the WannaCry virus infected more than 300,000 business workstations in 150 countries, grinding whole organizations to a halt.

Identifying risks early on

Identifying risks early on is one of the biggest challenges in corporate cybersecurity. It is essential to know and understand what you are up against. We can distinguish between three main types of threat: cyberattacks, risks inherent to cloud services, and human negligence.

Cyberattacks are an attempt to harm an organization, whether motivated by greed or a desire to disrupt operations for competitive purposes, to gain information, etc. This is also referred to as cybercrime and comes in various forms, including:

  • Computer viruses, which aim to access a poorly protected IT system and destroy all or part of the company data, or extract sensitive information (manufacturing secrets, property rights, etc.). Other types of attacks can also affect a company’s website, for example by flooding it with unnecessary information, causing it to crash.
  • Phishing is the use of an email or a fake website to mislead an individual and gather their confidential data or make their computer vulnerable to malicious software (malware).
  • Ransomware infects workstations by locking the screen and/or encrypting crucial data so the user cannot access it anymore. The cyberattacker then demands the user pay a ransom to get back to normal and access their data again.
  • Fake president is a method of extortion in which a malicious third party pretends to be a member of management, usually to extract money or information.
  • Social engineering is a form of psychological manipulation that seeks to fraudulently extract information from a user to obtain access to an IT system.

Protecting against these attacks requires barriers to be put in place, as part of an all-round approach to corporate cybersecurity.

Risks inherent to cloud services and human negligence are linked to one another. Storing data online only presents a risk if the tools are not used properly or are incorrectly configured, or if users are negligent and don’t act in line with basic security instructions. Using cloud applications that have not been approved, SaaS/IaaS/PaaS configuration errors, and accidentally sharing sensitive data are all risks that increase when using the cloud.

However, the main threat to organizations comes from within the organization itself: 80% of companies are faced with the risk of user accounts being compromised (3). This risk is closely tied to Shadow IT, the use of personal applications for professional purposes, along with all the associated risks. And the danger should not be underestimated: 86% of cloud applications used within organizations have not been authorized by the IT department, according to a study by CipherCloud.

The problem lies not in the act of storing data in the cloud, which does offer more perks than drawbacks in terms of security by backing up data on external servers and removing it from the physical threats that could affect the company premises. Rather, the problem is a lack of awareness among employees of the risks of not having total control over the collection and storage process. That means corporate cybersecurity is first and foremost a human issue, rather than a technological one.

Growing awareness

More and more firms are becoming aware of the need to create virtual safeguards. But all too often, companies don’t realize just how serious the threat is until it’s too late. Some companies face hurdles, including opposition to putting a culture of risk ahead of a culture of productivity. They wrongly believe that productivity must take precedence over countering risk. Yet, without security there can be no productivity. When a cyberattack strikes, systems need to keep running.

Currently, less than 5% of the company budget allocated to IT is spent on cybersecurity (in 59% of organizations) (1). This is far from enough. According to Guillaume Poupard, head of the French National Cybersecurity Agency (ANSSI), “at least 10% of a company’s IT department budget should be dedicated to cybersecurity.”

Identifying the risks is fundamental. And you also need to have the means to protect yourself against them. But this goes beyond investing money. While you do need to have tools that are right for the job, the first line of cybersecurity is the employees themselves.

Good practice for boosting cybersecurity in business

In view of the growing issues posed by cybersecurity in the business world, what are the best ways to strengthen digital safeguards?

  • Adopt the right tools. A digital threat requires a technological solution. There are tools that can be put in place to prevent risks from arising in the first place, such as Oodrive’s sync & share and electronic signature authentication solutions. These tools can also detect threats, analyze them, and take corrective action.
  • Keep existing software up to date. The company’s current tools, especially anti-virus software, must be updated regularly to take account of the latest threats.
  • Identify sensitive data to be protected. Not all data is created equal. Some pieces are more valuable than others. Identifying the data at risk and focusing efforts on protecting it, in compliance with the GDPR, ensures user data is processed and secured properly.
  • Save and store data securely. This prevents critical company data from being modified, corrupted, or deleted, which could have huge consequences on operations. Restoring data and/or systems, thanks to a backup solution, can help mitigate the negative impact of a cyberattack.
  • Strengthen user rights management. With SaaS solutions and cloud storage, a password on its own is not enough anymore. Access must be protected by strong authentication.
  • Create a business continuity plan. This is an essential precaution to ensure a company can continue to operate and get back on its feet as quickly as possible following a cyberattack.
  • Raise employee awareness about corporate cybersecurity. 75% of organizations see employee negligence as the main threat to sensitive data, according to a study published by the University of Alabama in 2015 (4).

Employee awareness – a cornerstone of cybersecurity

For CISOs, the greatest challenge in ensuring corporate cybersecurity is raising awareness among their employees and training them (1). But even once they are aware, employees still tend to ignore the recommendations that are made. In 2017, Deloitte fell victim to a hack lasting several months. Hackers accessed the firm’s IT system by compromising an administrator account that was poorly protected by a simple password. This was down to human error: an employee made it easier for the hackers to get in by opting for the type of authentication that demanded as little of them as possible.

The human aspect is the most important one. Employees are the first line of defense against cyberrisks when behind their computer, smartphone, or tablet screen. With such an important role to play, they are also the weakest link in the corporate cybersecurity chain, as evidenced by the string of successful malware, ransomware, and other social engineering attacks, which play on the naivety of individuals to achieve their goal.

Training employees ahead of time on the risks and how to counter them is the best way to go about it. There are plenty of methods, beyond the tools themselves, that you can use to teach employees about the basics of cybersecurity in business and the role that every individual plays: a charter of good practice for individuals and teams as a whole, face-to-face training, distance e-learning that employees can follow at their own pace, simulated attacks, the list goes on.

When it comes to corporate cybersecurity, users are often seen as part of the problem. But they are also a major part of the solution. Adopting the right tools to protect yourself is a great start, but you still need to raise awareness among users, train them on good practice, and show them that they are the best line of defense to ensure digital security in their organization.


  1. https://www.opinion-way.com/fr/component/edocman/?task=document.viewdoc&id=2019&Itemid=0
  2. https://www.argusdelassurance.com/gestion-des-risques/grands-risques/les-10-risques-les-plus-redoutes-par-les-entreprises-barometre-allianz.125752
  3. https://www.silicon.fr/cloud-entreprises-risques-shadow-it-223731.html
  4. http://www.indicerh.net/la-cybersecurite-en-entreprise-quelle-est-son-importance%E2%80%89/#Les_mesures_de_protection_contre_la_cybercriminalite