Cybercrime is exploding. Almost half of French businesses were targeted by a cyber attack in 2020. And 16 % of these attacks threaten the very survival of the VSEs, SMEs and ETIs that fall victim to them. In light of this, the Senate has put forward 22 proposals to improve the cyber security of businesses, including the smallest ones. We have selected the 10 key measures.
The health crisis has led to widespread teleworking, encouraged the development of e-commerce and increased the use of personal computer equipment in a professional context. All these factors have increased the risk of companies being exposed to cyber attacks.
Cybercrime against businesses is accelerating
While large companies and most medium-sized enterprises (SMEs) have taken steps to protect themselves, cybercrime has turned its attention to small businesses, with the result that the number of hacking attacks is set to multiply in 2020. The figures are edifying:
- 43 % of companies have experienced a cyber security incident in 2020,
- 16 % cyber attacks have threatened the survival of a company in 2020,
- 300 % increase in ransomware attacks between 2020 and 2021, according to the French National Agency for Information Systems Security (ANSSI),
- 6,000 billion dollars a yearis the cost of cybercrime worldwide in 2021, twice as much as the 3,000 billion dollars in 2015.
In light of this situation, the Senate is putting forward a series of proposals to help SMEs and VSEs deal more effectively with this rampant cybercrime. Spearheaded by senators Sébastien Meurant and Rémi Cardon, the information report The report by the Senate Business Delegation, presented on 10 June, highlights the shortcomings of the public authorities, in particular the lack of knowledge "on the part of the vast majority of businesses" of the public players involved in cybersecurity. It also notes the poor protection afforded to SMEs and very small businesses in the face of these threats.
VSEs and SMEs are the weak link
With the spread of teleworking, the IT departments of large companies have put in place a policy of telecommuting. Zero trust (zero trust): no user on the network is completely trustworthy. Furthermore, the ESG rating (environment, society, governance) now takes cybersecurity into account, making it an essential dimension of corporate governance and corporate social responsibility (CSR).
If large groups and ETIs " have taken defensive measures complicating the task of cybercriminalsls", this has had the effect of diverting cybercrime to smaller businessesare struggling. VSEs and SMEs lack human and technical resources, as well as a culture of cybersecurity. Employees are often the weakest link, or even a Trojan horse for cybercriminals. VSEs and SMEs are compensating for this lack of resources - when they realise the benefits and implications - by turning to the cloud and outsourcing.
Less protected, they become the gateway to numerous cyber-attacks that can spread by domino effect. " This transfer of risk to suppliers, subcontractors and customers continues to weaken the cybersecurity of large companies through feedback. "notes the report. A phenomenon known as supply chain attack ".
What are the main cyber threats?
The ransomware attacks became the main threat in 2020, with the means of intrusion being penetration of the victim company's network via its external access, in particular following the exploitation of an uncorrected security flaw. Second and third place go to computer hacking and online account hacking. made possible by phishing (phishing) by false e-mail or by re-using the same password on several sites.
The smallest companies think they are safe from these cyber attacks. But this is a sometimes fatal illusion: a company can close down after a cyber attack. And the indirect costs sometimes become apparent after a long latency period. For a cyber attack prepared in three to six months, the company experiences an intense three-week crisis and takes three months to return to normal. However, the repercussions can last for three years.
The explosion of the Internet of Things (IoT), artificial intelligence (AI) and the arrival of the quantum computer mean that businesses need to raise their cybersecurity game considerably.
To this end, the report recommends a number of proposals. The ten most important are :
1. Promoting Cybermalveillance.gouv.fr
France has a national support system for victims of cyber attacks, the cybermalveillance.gouv.fr. Revamped at the beginning of 2020, its mission is to assist victims, inform them about threats and how to protect themselves. By 2020, 10,000 companies " came to seek assistance following an attack. "In order to strengthen its workforce and raise awareness among young people, students with the appropriate digital skills could carry out their civic service.
2. Opening an anonymous complaints desk
The senators are proposing to open such a window to encourage companies to report cyber attacks without damaging their reputation. Such a measure would also discourage publicity around malicious software and make it possible to collect reliable statistical data.
"To date, there is no organisation tasked with collecting and anonymising cyber incidents". deplored the senators, adding: " This lack of a database would help to raise awareness of cyber risks.. "
3. Up to €5,000 tax credit for equipment and training
The Senate is recommending the introduction of a tax credit for VSEs and SMEs covering up to 50 % of their expenditure on cybersecurity equipment (software or cloud subscription) and training, up to a maximum of €5,000.
4. Enable insurance companies to reimburse cyber claims
Insurance companies must cover cyber claims. To this end, the senators propose to :
- draw up an exhaustive list of the various claims possible,
- reserve insurance reimbursements for companies that have used software and cybersecurity experts certified by the "ExpertCyber" label ",
- set up a cyber rating agency using the standards of the ANSSI or its European equivalent, the European Network and Information Security Agency (ENISA).
What's more, senators do not want to make the risk of ransomware attacks insurable (ransomware). If the insurer paid a ransom to the cybercriminals, there would be no guarantee that the company would be able to recover its data or restart its business. Insuring against ransomware would encourage replication, fund cybercrime and even terrorism. " Ransoms attract criminals. There has been a decline in attacks on public hospitals, because they do not have the means to pay a ransom. "explains Senator Sébastien Meurant.
5. Developing a range of cyber security solutions
The senators want VSEs and SMEs to have access to a simple-to-use package of cybersecurity solutions.
6. Facilitating the pooling of IT service security managers (ISSMs)
The report calls for the creation of groups of employers with trusted third party status to pool CISOs. This would enable VSEs and SMEs without CISOs to benefit from their expertise.
7. Have accountants and statutory auditors carry out an annual cyber-security audit
The senators have called on chartered accountants and statutory auditors (CACs) to carry out "an audit of the financial statements". an annual cyber-security diagnostic, with specifications drawn up in conjunction with the public authorities, which must be communicated directly to senior management for their information, together with basic recommendations for covering risks ".
8. Developing security by design
In their report, the senators note that "many of the people they spoke to pointed out that software manufacturers were not doing enough to secure their products". To make publishers more accountable, the senators want to strengthen the "security by design" principle for software sold to VSEs and SMEs. This involves legislating on updates by extending the software warranty of at least two years to include security updates.
9. Make managers aware of their personal responsibilities
Just like employees, company directors need to be made aware of cyber security. In the event of a cyber-attack, managers can be held personally liable. " Lfailure to put in place adequate safety measures could constitute a fault that could give rise to civil liability on the part of the company or its director. ". A legal risk that is often overlooked, the senators point out.
10. Train employees and raise their awareness of cyber security
" Every employee holds the key to their company's cyber security "the senators note. In their view, it's up to vocational training to change the game. As a result, two amendments have been tabled to the bill on the fight against climate change to include cybersecurity in the training courses offered by skills operators (OPCO).
The authors of the report also want to create short courses in cyber security (bac +2 level) to train more cyber operators.
