In France, 55% of surveyed companies said they are increasing their cybersecurity budget for 2017 (1). This can be explained by the fact that the number of incidents linked to computer security—all sectors combined—rose by 38% between 2015 and 2016 (2). While data security may be a subject that comes up again and again, that does not mean that companies always take an adequately forward-thinking approach to it. Infrastructure, agility, awareness, legal framework, and integration at all levels: these are the five tips concerning cybersecurity for professionals in 2017.
Make your IT infrastructures an asset, not a vulnerability
It is a mistake to think of IT infrastructures as mere conduits in the matter of cybersecurity, because everything is connected through them, and that is where data protection can be strengthened. The advent of the Internet of Things only accentuates that trend. It is essential to protect connected objects, and to secure their use and the applications that manage them.
The large-scale attack perpetrated last September against French web hosting company OVH is a perfect illustration of this point. The attackers hacked into nearly 150,000 IP surveillance cameras to form a network of “zombies” capable of launching a major DDoS (Distributed Denial of Service) offensive, targeting the hosting company’s servers. That cyberattack was among the largest ever recorded worldwide, and yet the French company withstood it. As OVH stoically stated following the attack, “we have infrastructure that holds up” (3).
Another notable example of large-scale hacking that occurred recently was a massive offensive launched on 21 October against Dyn, the service that manages an essential part of the infrastructure of many online services (4). That service, which associates certain domain names (such as Twitter.com) with the servers hosting their websites, was bombarded with requests. That caused major websites, such as Spotify, Twitter, and AirBnB, to slow or even break down for some users. What stands out about that case is that “Dyn did not suffer a breakdown of its entire system”, as the company was keen to point out. There again, the attack was orchestrated through a botnet (a network of Internet-connected programs) made up of connected objects infected with malware.
All newly connected objects should be mapped and audited to keep them from being transformed into zombies. Doing so allows the company to steer clear of negligent manufacturers, patch the protective systems, partition and secure networks, protect the system that manages all the connected objects, and so on. All these are crucial steps that are often neglected.
Data security in the genes of every company
Each year, the leaders of major groups reiterate the declaration that IT security is a priority for their company. Cybersecurity must no longer be thought of as an optional insurance; it must be inscribed into the genes of every company. For example, the concept of data security is only partially addressed in the industrial sector, even within industrial processes. Any company, regardless of sector, must consider the possibility and the consequences of an attack on its systems, from the design phase to production and all the way to placing the product on the market. New tools, such as machine learning, may provide the means to detect any abnormal event on the network or along a production chain.
The agility paradox
“Your company must be agile, but it must also be protected.” This professional dichotomy is nothing new, but it continues to be an unresolved conundrum for many IS departments. On the one hand, the company must be attentive to its new customers, able to accelerate its own development, monitor innovations in the sector and adapt to changes, and all this—more often than not—within a very short time frame. On the other hand, there are ever more customers and people to talk to, as well as methods of communicating with them, which means the risk of potential IT threats is also growing. To meet this dual requirement, the company must streamline exchanges and mutual knowledge between business teams and IT teams. For example, new cross-functional roles are appearing in organizations, such as the chief data officer, one of whose main roles is to ensure personal data protection.
Adapting to the legal framework
The regulatory aspect of cybersecurity is becoming increasingly burdensome for all companies, across all sectors. The days when companies only sought to beef up their IT security following an attack have nearly been consigned to the past. These days, IS departments must adapt to the regulations. To find upstream solutions, more and more often they are turning to service providers who know the regulations inside and out. That requires the company to be able to adapt its services, as well as its products and their applications, to new legislation.
In Europe, the culture of data protection is much more firmly established than in the rest of the world, and companies need to adapt to such disparities. But even within Europe, there are differences from one country to the next in terms of data security legislation. Germany and Switzerland, for example, are especially protective of their data, which is less the case in France, the Netherlands, and some of the Nordic countries. Giant multinationals understand this and have begun to adapt to the European market. To take the example of Microsoft, the company made the decision last September to set up two infrastructures in Germany dedicated to Azure, its cloud computing platform. That move reassured the European regulatory authorities about the location of the data held by the American behemoth.
Spreading awareness – a long-term undertaking
Even after 25 years of cybersecurity, the top priority is still to make users and companies aware of the risks they face. There is an ever-growing number of weak points and hackers only get craftier with time. Spreading awareness of those threats has to be an ongoing, priority message. New cracks appear all the time, and keeping a close watch on them is clearly one of the basic duties of any security manager. That said, it is essential to keep the users in the security monitoring loop: training, informative messages, explanations about the various means of access and password security. To ensure the company’s cybersecurity, all these are points that must not be overlooked. In professional life, for the company’s data to be protected, the human factor must be counted among the areas of weakness. While some progress has been made regarding user practices, it is not yet enough to limit the risks.
In spite of all the security experts and the certifications developed to protect companies and the solutions in place, the problem of data security has never been more relevant than it is today. But the vulnerability will always come from humans. For that reason, it is vital to factor user competence and human behaviour into corporate security issues. Only that way will there be a strategic shift in the battle for cybersecurity. And who knows, might 2017 be the year we turn the tide?
Vincent BAZILLIO, Technologies Marketing Manager Data Center & Cloud / Cybersecurity, Axians