Cybersecurity is not just about ransomware and viruses, it also includes information leaks that might come from a competitor. Yet in all cases, the primary means of security is human awareness and it all boils down to one word: prevention.
"Cybersecurity is a state of being. The idea is to place oneself or company in a state of cybersecurity," explains Pierre Dal Zotto,a professor of IT systems and coordinator of the Digital, Organizations and Society chair (DOS) at Grenoble Ecole de Management.
"The first challenge is to think about possible protocols and processes that can guarantee an organization's data safety, availability, integrity and confidentiality. While cyber attack tools are constantly evolving, we can currently imagine most of the possible risks," adds Pierre.
PEBCAK: encouraging an aware user
Cybersecurity is built on awareness at both individual and organizational levels. PEBCAK refers to a user-related problem (literally: Problem Exists Between Chair and Keyboard) and questions the key role of end users in cybersecurity. "Cybersecrutiy is first and foremost a human problem and a training problem. In concrete terms, this translates to everything from plugging in a USB key from god-knows-where to clicking on an email labeled 'urgent', a link, an attached file, or simply leaving a password visible on one's computer. So the primary thing to work on is the awareness of employees, managers and directors in terms of cybersecurity. For this reason, cybersecurity training should be seen as an investment and not a cost," underlines Pierre.
To prevent is to anticipate!
Cybersecurity is built on a state of mind and processes. But it is also dependent on calling upon the right service providers with the right expertise. "Companies specialized in 'pentests', or penetration tests, will enable an e-commerce website to check for any weaknesses," says Pierre. It's also essential to think systematically about an action plan in case of data being leaked or hacked. Three questions are fundamental: What is at risk? How can you limit the risks? And how can you respond to a problem?
It's also important to consider the legal risks caused by data security. According to French regulatory guidelines, companies have 72 hours to declare a breach of personal data to the proper French authorities (CNIL).
"This is all the more reason for cybersecurity to be based on a subtle balance of training investments, reasonable security processes and an acceptable level of ease of use. You definitely cannot rely solely on technical solutions. There's no point in using the best encryption algorithms if the password is on a post-it next to the computer!" concludes Pierre.
Basic advice for companies
- As much as possible, separate personal and professional activities on two seperate computers.
- Use a Virtual Private Network (VPN) if the company has one.
- Set a strong password with capitals, minuscules and special characters. And use a phonetic memorisation technique. E.g., My desk has one book, a computer and earphones! which would give the password: MdH1b,aCaE! (don't use this password, it's visible to everyone online!).
Telecommuting: how to protect your data?
When computers and mobile devices leave the organization's network to be connected to another wi-fi, the risk of cyberattacks increases. When telecommuting, awareness must be increased in order to ensure the highest levels of security, in particular for sensitive information such as financial or confidential data.
- Use the company's VPN if possible
- Don't mix personal and professional computers and don't exchange usb keys
- Don't leave your screen unlocked, in particular if you have children.
- Update your OS, software and antivirus programs.
- Be very careful with any attached files and links in emails, in particular those related to Covid-19 news.
Cybersecurity according to French National Agency (Anssi)
The French national cybersecurity agency (Anssi) defines cybersecurity as follows: "A desired state for an information system that enables it to resist to events from cyberspace that might compromise the availability, integrity or confidentiality of any stored, analyzed or shared data as well as related services. Cybersecurity relies upon techniques for information security, fighting cybercrime and implementing a cyber defence."