Cyberattacks: how to prepare? How to react?

Published on June 9, 2022
In the context of current international tensions, France is subject to numerous cyberattacks. Their consequences can be disastrous for businesses, ranging from paralysis of activities to theft of sensitive data. A source of stress, a cyberattack complicates the decision-making of IT managers and limits their impact. Anticipation therefore becomes a necessity. How should you prepare to face a crisis? How should you react properly once it is there?

How to manage a crisis following a cyber attack

“There are two types of organizations: those that have already been victims of a cyberattack and those that will soon be,” says Guillaume Poupard, director general of the National Agency for Information Systems Security (Anssi), a little provocatively.

A cyber crisis can be tackled in one of two ways: either you deal with it, with all the risks of emergency measures, or you anticipate it. Unfortunately, the cybersecurity watchdog highlights the lack of foresight on the part of businesses. That's why Anssi is urging them to put preventive measures in place. The agency has identified five priority measures to be implemented in the short term to prepare for any eventuality.

1. Strengthen authentication procedures

The most sensitive accounts, those of the company's information system (IS) administrators and those of the most exposed people (management, senior executives, etc.), must be strengthened. Anssi recommends putting in place strong two-factor authentication.

For example, to access the network, a strong password will need to be combined with a hardware device (smart card, USB token, magnetic card, etc.). At the very least, a code received by SMS can serve as the second factor.

Such a two-factor authentication system has already been in place for banking establishments since 2019.

2. Increase network monitoring

In the event of a cyberattack, reaction time is critical. Preparation is therefore needed in order to be able to react as quickly as possible when the time comes. This is why Anssi recommends putting in place global and permanent monitoring of the network, which will make it possible to identify a possible compromise and deal with it as early as possible. Where overall supervision is lacking, Anssi advises to “centralize logs from the most sensitive points of the information system”, such as VPN entry points, virtual desktops, domain controllers or hypervisors.

IT security managers will need to investigate any anomaly that might otherwise be ignored, such as abnormal connections to domain controllers and any alerts from antivirus and EDR (Endpoint Detection and Response) solutions.
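As an added example (not code from the article or from Anssi), a small Python check of the kind an IT security manager could run over centralized logs to flag the abnormal domain-controller logons mentioned above; the log format, the policy values (admin accounts, jump-host subnet, business hours) and the sample events are all constructed for this illustration.

```python
"""Flag abnormal logons to domain controllers in centralized logs (constructed format):
    <ISO timestamp> <dc_host> logon user=<account> src=<ip> type=<logon type>
Logon types follow the Windows convention: 2 = interactive, 3 = network, 10 = RDP."""
import ipaddress
import re
from datetime import datetime
# Hypothetical policy: who may administer the DCs, from where, and when.
ADMIN_ACCOUNTS = {"alice.admin", "bob.admin"}
ADMIN_SOURCES = ipaddress.ip_network("10.0.5.0/24")  # admin jump-host subnet
BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59
INTERACTIVE_TYPES = {2, 10}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dc>\S+) logon user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) type=(?P<type>\d+)$")

def parse_line(line):
    """Return one logon event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["type"] = int(ev["type"])
    return ev

def check_event(ev):
    """Return the reasons a DC logon deserves investigation (empty list if none)."""
    reasons = []
    if ev["type"] in INTERACTIVE_TYPES and ev["user"] not in ADMIN_ACCOUNTS:
        reasons.append("interactive logon by non-admin account")
    if ipaddress.ip_address(ev["src"]) not in ADMIN_SOURCES:
        reasons.append("source outside admin subnet")
    if ev["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def detect_anomalies(lines):
    """Run every parsable line through the checks; return (user, dc, reasons) per hit."""
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if reasons := check_event(ev):
            alerts.append((ev["user"], ev["dc"], reasons))
    return alerts

# Constructed sample events as they would arrive from two domain controllers.
SAMPLE_LOGS = [
    "2022-06-09T09:15:00 DC01 logon user=alice.admin src=10.0.5.12 type=10",  # normal
    "2022-06-09T02:41:37 DC02 logon user=j.dupont src=192.168.30.77 type=10", # 3 reasons
    "2022-06-09T14:20:05 DC02 logon user=bob.admin src=172.16.9.3 type=2",    # 1 reason
    "malformed line that should be ignored",
]
```

Running `detect_anomalies(SAMPLE_LOGS)` returns the two events worth a ticket; a malformed line is skipped rather than crashing the check.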

3. Back up data and applications offline

“Regular backups of all company data, including those present on file servers, infrastructure and business applications, must be carried out,” insists Anssi.

To guard against ransomware, backups should be disconnected from the network so that they cannot be encrypted. Priority should be given to cold storage solutions (hard drives and magnetic tapes).

Backups should be restored regularly, as a test, to verify their integrity and avoid errors during a real restoration.

4. Identify critical services

In the event of an attack, security actions must be prioritized. To do this, an inventory of the company's digital services must first have been established, and those services ranked according to how critical they are to the company's business continuity.

Anssi also asks that dependencies on service providers be taken into account.

5. Prepare crisis management adapted to a cyberattack

A cyberattack can destabilize the functioning of the company. Support functions such as telephony and messaging, but also business applications, are often the first to be put out of service. The company will then have to operate in degraded mode, sometimes at the risk of going back to pen and paper.

Depending on its severity, a cyberattack causes an interruption of activity ranging from partial to, in the most serious cases, total.

The company must set up a crisis unit and define a response plan aimed at implementing a business continuity plan (PCA) or an IT recovery plan (PRI), enough to allow the company to operate in degraded mode and to restore systems and data as quickly as possible in order to return to a normal situation.

