Cybersecurity: how to identify and prevent potential risks

NMG Staff


Cyber attacks are becoming more and more numerous every year, with sometimes disastrous consequences for small and medium-sized companies. What concrete measures, material and human, can managers adopt to protect themselves from these dangers?


In a context of increasing digitalization and a massive rise in telecommuting, the cybersecurity risks facing companies have multiplied. According to the French National Agency for Information Systems Security (ANSSI), the number of ransomware attacks increased fourfold between 2019 and 2020, across all sectors and types of organization, from local authorities to industrial companies.


These threats, which also include malware infections, account hijacking and phishing, can have dramatic consequences for the companies that fall victim to them: financial losses due to business disruption or interruption, theft or loss of sensitive data, exposure to blackmail, erosion of customer trust, etc. Faced with these risks, small and medium-sized companies can be particularly vulnerable, whereas larger organizations with greater financial resources can afford stronger network and data protection systems.


For any SME manager, it is therefore crucial to apply a number of good practices in order to identify and prevent as many potential cybersecurity dangers as possible.


Know your information system

The first essential step in cybersecurity is to draw up a complete map of your company's information system. How many computers are connected to a public or private network? What types of passwords are used? How does the data circulate within the company and in what type of database is it stored? Has a cybersecurity tool been installed and if so, is it regularly updated?


These are all questions that will give a clear picture of the entire system: computers, programs, databases, networks, etc. To this should be added an inventory (exhaustive and regularly updated!) of the computer equipment in use, covering both the software and the interfaces used. Because yes, even an old computer that has been put aside constitutes a risk, as long as it has not been wiped and is still connected to the company's internal network.
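As an added example (not part of the original article), the following Python script reconciles a constructed asset register with the hosts observed on the internal network and flags the cases the paragraph warns about: devices on the network that nobody registered, decommissioned machines that are still connected, and active machines whose security tool has not been updated. The hostnames, fields and dates are made-up sample data.

```python
"""Reconcile an asset register against hosts seen on the internal network.

Added illustration of the inventory step; not part of the original article.
The register, the observed-host list and the field names are constructed
sample data, not a real company's inventory.
"""
from datetime import date

# Constructed asset register: what the company believes is connected and managed.
ASSET_REGISTER = {
    "ws-01": {"owner": "accounting", "status": "active", "av_updated": "2024-05-02"},
    "ws-02": {"owner": "sales", "status": "active", "av_updated": "2024-01-10"},
    "old-pc": {"owner": "storage room", "status": "decommissioned", "av_updated": "2022-11-30"},
}

# Constructed snapshot of hostnames seen on the network (e.g. from DHCP leases).
OBSERVED_HOSTS = ["ws-01", "old-pc", "unknown-laptop"]


def reconcile(register, observed, today, max_av_age_days=30):
    """Return sorted (hostname, finding) pairs that a manager should follow up on."""
    findings = []
    observed_set = set(observed)
    # Devices on the network that the inventory does not know about.
    for host in observed_set - set(register):
        findings.append((host, "on network but absent from register"))
    for host, info in register.items():
        if info["status"] == "decommissioned" and host in observed_set:
            findings.append((host, "decommissioned but still connected"))
        if info["status"] == "active" and host not in observed_set:
            findings.append((host, "registered as active but not seen"))
        # Only active machines are expected to keep their security tool current.
        age_days = (today - date.fromisoformat(info["av_updated"])).days
        if info["status"] == "active" and age_days > max_av_age_days:
            findings.append((host, f"security tool not updated for {age_days} days"))
    return sorted(findings)


def demo_findings():
    """Run the reconciliation on the constructed sample data (snapshot date is fixed)."""
    return reconcile(ASSET_REGISTER, OBSERVED_HOSTS, date(2024, 5, 15))


if __name__ == "__main__":
    for host, finding in demo_findings():
        print(f"{host}: {finding}")
```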


Self-assessment or calling in a professional to assess the risks

This mapping allows you to:


detail and evaluate possible risks and vulnerabilities, whether they are internal (failures of the system in place, such as security tools that are not updated or controls that staff do not carry out) or external (cyber attacks, hacking, data theft);

have an overall view of the company's protection tools and, if necessary, set up a more suitable system.


This exercise can take the form of a self-assessment carried out at regular intervals by the company itself. It requires working closely with the various departments and understanding their respective activities, in order to grasp the general organization and thus estimate the risks accurately. Be careful, however, when conducting this self-assessment, to adopt the most objective point of view possible!


The company manager can also choose to call upon a professional expert in cybersecurity to perform an audit. Although it is not necessary for an SME to hire a full-time cybersecurity specialist - unless there is a high probability of breaches or attacks in the long term - it is nevertheless advisable to repeat this type of assessment regularly.


And then, what do we do?

This risk mapping exercise should not be an end in itself. Technology and digital tools are constantly evolving, as are cybersecurity risks and the ways in which they are spread. The company itself is developing or changing, whether by launching new activities or new products (especially when the company develops software/applications), by the arrival of new employees or the renewal of the tools it uses.


Protection systems must therefore evolve accordingly, by being updated and monitored regularly: either via an expert audit, or via a self-assessment conducted every six months to a year. This analysis over time will allow the company to determine precisely the effectiveness of the security measures put in place.


Some specialized companies also offer turnkey cybersecurity solutions, such as anti-phishing or anti-malware email protection tools or e-commerce protection tools.


Communicate and raise awareness among teams

While security tools are essential, they are not sufficient. Opening an attachment containing malware in an email, using similar passwords on all interfaces, storing sensitive data on a personal computer or laptop... The human factor remains a weak link in a company's IT system. According to the latest report from the Cybermalveillance.gouv.fr platform, phishing remains the number one cyberattack vector in France.


Therefore, it is essential to promote communication with your teams on these issues and to implement educational and awareness actions. These can take the form of a security policy distributed internally or a weekly or monthly workshop on good cybersecurity practices (for example, "how to create strong and varied passwords", "what is multi-factor authentication" or "how to protect yourself from phishing").


In the long run, it can be beneficial to share the results of this mapping of the information system and the potential risks identified with all employees, allowing them to become cybersecurity players within the organization: an informed user means an increased level of security for the company!


Cybersecurity and data protection are major challenges for companies, in a world increasingly prey to cyberthreats... But solutions to anticipate vulnerabilities and identify possible dangers exist, as well as pragmatic best practices to strengthen the security of your company and ensure a serene digital transformation.
