VSEs and SMEs, essential cybersecurity links for large groups


Olivier Ligneul, EDF’s cybersecurity director, made the appeal at the last edition of the FIC (Forum International de la Cybersécurité): it is more important than ever to “think ecosystem and operational dependencies”.

This amounts to thinking about security at the level of a whole sector. “When you are attacked, the least you can do is warn the players in your supply chain, upstream and downstream, so as to alert them to a potential danger,” he stressed.

VSEs and SMEs, key players in the cyber landscape

Large groups, and in particular OIV (opérateurs d’importance vitale, the operators France designates as critical), have greatly strengthened their defences. But the weak point could be their partners, and in particular their subcontractors. Very often these are small companies that are still not very mature in cybersecurity.

“It’s the heart of the cyber future. It is a question of protecting the whole chain and, if possible, giving the final link visibility into the risk carried by its subcontractors,” underlines Loïc Guézo, security director at Proofpoint.

The expert also warns that regulation and market practices will require them to implement security measures in the future. Whether the driver is a regulatory constraint or a customer requirement written into calls for tenders, VSEs and SMEs will have to raise their cybersecurity maturity.

But to ensure their own protection and the continuity of their activities, these companies must improve now, and quickly. “It is at the level of these companies that the greatest risk in France lies. French VSEs and SMEs are today the least well informed, and therefore the least well protected,” observes Loïc Guézo.

Yet this “new soft underbelly for attackers” has largely digitized its activities and opened up its information system. The Covid crisis brought a leap of several years in this area, with the accelerated adoption of cloud services and the spread of remote working.

Digitization means a larger attack surface

That is one of the positive aspects of the crisis. Awareness of the threats, however, has not grown at the same pace. “IT risk governance remains poor, in VSEs and SMEs in particular. On top of that, it has not integrated the new digital offering, which has led to exposure to risk,” warns the Proofpoint expert.

The internal information system represents an ever smaller share of the assets companies use. They consume services and data hosted outside the traditional perimeter, in particular through SaaS (Software-as-a-Service) applications.

This change in the scope of the information system calls for rethinking security. Large groups are aware of this and are changing their approach accordingly, as can be seen in the spread of Zero Trust architectures, which broadly aim to build the trust boundary around users and their devices rather than around the network perimeter.

Current Zero Trust solutions probably do not yet offer the plug-and-play, turnkey use that would suit VSEs/SMEs. Securing hybrid working must nevertheless be addressed, even if it further complicates security governance.

For Proofpoint, this hybrid model carries five main security and compliance risks. None of them is new. But the opening of the information system and the use of online services amplify risks such as data loss and reputational damage via social networks.

Map the risks, but act quickly on the main ones

How to raise the level? Loïc Guézo recommends setting up a governance framework with a designated owner, and involving senior management in deciding how to respond to the mapped risks.

This does not rule out rapid, pragmatic action. On the contrary. It means dealing first with the most immediate threats to companies, namely intrusions that lead to the deployment of ransomware.

“The rule is simple. What represents 80% of the risk? Today, it is email. To maximize ROI [return on investment, editor’s note], it is undoubtedly worthwhile to invest in the security of email and the control of digital exchanges with one’s ecosystem,” analyzes Loïc Guézo.

That recommendation does, however, assume that the other main entry points have already been closed: misconfigured services exposed on the Internet and poor patch management.
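One concrete, cheap check on the “security of email and control of digital exchanges with one’s ecosystem” is whether a domain publishes SPF and DMARC records that actually block spoofing. The script below is an added example and is not code from the article or from Proofpoint; the DNS names and TXT records in `SAMPLE_DNS` are constructed for illustration and the `lookup_txt` table stands in for a real resolver. The same assessment can be run against your own domain and against the domains of suppliers whose invoices and orders you accept by email.

```python
"""
Assess a domain's email-authentication posture (SPF + DMARC) from DNS TXT records.

Added example. The records below are constructed; in production you would
fetch them with a DNS resolver (for example dnspython) and feed them to the
same parsing and scoring functions.
"""
import re

# Constructed TXT records keyed by DNS name (hypothetical domains, not real lookups).
SAMPLE_DNS = {
    "example-sme.test": ["v=spf1 include:_spf.mail.example.test ~all"],
    "_dmarc.example-sme.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-sme.test"],
    "supplier.test": ["v=spf1 +all"],
    # deliberately no _dmarc.supplier.test record: DMARC is absent
    "hardened.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.test -all"],
    "_dmarc.hardened.test": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.test"
    ],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|redirect=|exists:|a(?:[:/]|$)|mx(?:[:/]|$))", re.I)
_ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT records for a name from the constructed table (empty list if none)."""
    return dns.get(name, [])


def parse_spf(records):
    """Return the SPF record's terms (without 'v=spf1'), or None if absent or duplicated."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or several records means no usable SPF
        return None
    return spf[0].split()[1:]


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is no single valid record."""
    dm = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dm) != 1:
        return None
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain, dns=SAMPLE_DNS):
    """Return (score, findings); score runs 0..3, higher is better, findings are strings."""
    findings, score = [], 0

    spf_terms = parse_spf(lookup_txt(domain, dns))
    if spf_terms is None:
        findings.append("SPF: no single valid v=spf1 record; any host can use this envelope sender")
    else:
        all_mech = next((t for t in spf_terms if _ALL_TERM.match(t)), "")
        if all_mech in ("+all", "all"):
            findings.append("SPF: '+all' authorises every host on the Internet")
        elif all_mech.startswith(("~", "?")):
            findings.append(f"SPF: '{all_mech}' is soft/neutral; receivers may still deliver spoofed mail")
            score += 1
        elif all_mech == "-all":
            score += 1  # hard fail for unlisted senders
        else:
            findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
        lookups = sum(1 for t in spf_terms if _LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    if dmarc is None:
        findings.append("DMARC: no record; SPF/DKIM results are not enforced on the From: header")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "reject":
            score += 2
        elif policy == "quarantine":
            score += 1
            findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
        else:
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports to detect abuse")
    return score, findings


if __name__ == "__main__":
    for d in ("example-sme.test", "supplier.test", "hardened.test"):
        score, findings = assess_email_auth(d)
        print(f"{d}: score {score}/3")
        for f in findings:
            print("  -", f)
```

The score is deliberately coarse: a domain only reaches 3/3 with a hard-fail SPF and `p=reject` DMARC, which is the state that stops a supplier's domain being spoofed in an invoice-fraud email to your accounts team. Running it across the domains in your supply chain gives the "visibility into the risk carried by subcontractors" the article calls for, at the cost of a few DNS queries.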