At a time of increasing cyber-attacks and teleworking, corporate cyber-security is more important than ever. One of the risk factors is human negligence. Security consultant Hélène Courtecuisse looks at the importance of making employees aware of good practice and how to go about it..
When it comes to cyber security, there are two ways of looking at the human dimension: consider that the human element represents a weak link, "human negligence", or decide to make it the strong link. Obviously, the two perceptions complement each other, but it is essential not to focus the dialogue on the first, which remains negative and somewhat defeatist.
All the more so because the problem already existed before the era of digital transformation. It was different, because the Internet was just getting started. Systems were not open and, without smartphones or laptops, corporate security did not have the problems that today's mobile world brings. But breaches of confidentiality were no less linked to human negligence. Because there was a great deal of mistrust of physical espionage, companies had to rely on their employees to apply certain good practices, such as locking up documents.
The technology may be different today, but company employees are still being asked to be careful. It's the basic precautions and risks that have changed.
Risks that are difficult to assess
To begin with, the risks are more complicated to grasp. They are more varied, and sometimes much more technical. They take different forms that can baffle non-experts. Not to mention the fact that attacks are "silent" and totally invisible. For example, you may not realise that a website you want to buy from, whether or not it comes from a well-known brand, is infested with malware.
When it comes to cyber surveillance, we're talking high-tech these days. Attacks are more numerous, more sophisticated and much more difficult to counter. Even so, raising awareness of the basic risks among employees, even non-specialists, is not only possible but absolutely necessary.
Obviously, we can't expect to cover every subject in one day. What's more, even specialists can't claim to apply all the instructions to 100 %. In this field, we have to give up any idea of perfection. Instead, we need to focus on training people over time. In the case of OIVs (Opérateurs d'importance vitale - operators of vital importance), which are companies subject to the military programming law (banking, food, etc.), there are moreover an obligation to provide training for all employees at least once a year. Best practice must evolve with technology.
Threats to be (re)aware of
There are currently two main categories of cyber threats:
Phishing
An impressive number of phishing e-mails are circulating. They encourage people to click on a link, open an attachment and provide personal information. Clicking is dangerous enough, but some people still fall into the trap and provide the information requested. The problem, apart from a lack of awareness, is that phishing e-mails are becoming increasingly credible. Where some time ago you could spot a phishing e-mail by its dodgy spelling, now we have almost perfect formatting that blends in with the rest, for example fake invoices with the company logo.
Malware and ransomware
Malicious software that can take many forms. Particularly subtle, ransomware installs itself like a program. It starts by disabling the antivirus, then works its way up the network, often attacking backups first. It then proceeds to encrypt all the files on the computers and servers it can access. In this way, attacked companies have no choice but to pay the ransom to recover their data. Unfortunately, paying the ransom does not guarantee that the data will be recovered.
The complexity of these threats is increasingly based on processes financed by a "financial crisis". new mafia ". We have to forget the image of the lone hacker in his garage: today we're talking about organisations with financial resources that recruit hackers as employees. In short, cybercrime has become industrialised.
Training employees in cybersecurity: a matter of context
To deal with these threats, it is important that people understand the cybersecurity instructions they are given. Otherwise, it's hard to see the relevance of so many lists of recommendations, instructions and good practices that are often restrictive... Training your employees is pointless if you don't ensure that they understand the context better, and therefore that they adhere and remain motivated in the long term to apply them.
The aim is, of course, to look at the technical aspects, by risk category, but above all to gain a better understanding of the good practices involved. Closing your session and putting your documents away, for example, are simple practices that fall into the category of risks due to social engineering, a manipulative practice designed to extort confidential information. In the category of interception risks, it is important to remember to encrypt confidential messages and files when sending them, especially to someone outside the company. And, particularly in relation to the ransomware mentioned above, remember to make regular back-ups of important documents on external media, even if, let's not forget, there is no such thing as zero risk, and you are not immune to loss or theft.
Putting this technical knowledge into context will also enable us to keep abreast of the latest developments. Because technologies evolve, risks change and instructions become less reliable. So we're not necessarily looking to train experts, but first and foremost to encourage people to gain greater mastery by asking themselves questions. Today, the main advice we give is: find out before you trust. Is this site well-known? Does it have good reviews on the search engines? Isn't that link on Facebook dubious? At the end of the day, an employee who is well aware of cybersecurity needs above all to have a little technical knowledge and a certain amount of mistrust.
