Cyber Security: Training people to thwart the new threats

At the end of 2016 the notoriety of the Mirai malware spread beyond the narrow IT world to the public at large when it infected the Dyn company’s DNS for nearly 10 hours in a distributed denial-of-service attack on web giants such as Netflix, Spotify, Twitter, and eBay. Many companies took comfort in the idea that these spectacular attacks affect only “major corporations” – a grievous misperception. “In 2016, one in every two companies was a victim of a cyber attack,” says Cédric Cailleaux, Technical Manager at Axians (Energies), “SMEs and micro businesses are just as affected as CAC 40 corporations.”

Companies have made safety into a well-established routine when it comes to wearing hard hats and climbing ladders, but it remains an abstraction when it comes to keeping data secure.

Denial-of-service attacks, such as those affecting Netflix and Twitter, and ransomware – the two major types of cyber attack – are “widespread because the weapons for carrying them out are readily available on the Internet,” says Cédric Cailleaux.

For example, Satan “as-a-service” ransomware enables a novice hacker, called an “affiliate”, to block access to a company’s data by encrypting it and then demand a ransom in exchange for the decryption key, with the hacker receiving 60% of the ransom and the remainder going to the “software provider”.

Similarly, says Cédric Cailleaux, “you can buy 20-minute denial-of-service malware on the web for $30.” It paralyses the company’s server with a flood of spurious requests and can lead to loss of revenue.

A holistic approach to security

How can companies protect themselves from such attacks? “Companies often instinctively opt for a technical solution such as a firewall, an anti-spam system, or a URL filter,” says the cyber security expert. “But in doing so, they create protection segments that weaken the overall system. Axians therefore takes a holistic approach to security.” VINCI Energies’ dedicated ICT brand focuses simultaneously on three intertwined aspects of security: technical, operational, and organisational.

Operational security involves, among other things, giving Information System and Information System Security managers more visibility regarding the protection of their systems. It also involves carrying out a technology watch to gain a good understanding of the threats, building a risk culture, and continuously raising awareness.

In one company, Axians deliberately sent phishing emails to a range of departments as a lure in order to start a dialogue with the employees who unwisely clicked on them. The logistics department, for example, received a message stating that “Your consignment was not delivered. Click here”, when HR managers made the mistake of opening an attractive resume sent as an attachment – a widely-used method for breaking into computers. Once the ill-advised responses had been identified and employee awareness raised, training was provided in the form of e-learning programmes or webinars.

Risk culture

The shared risk culture is the backbone of organisational security and the third aspect of the 360° approach that Cédric Cailleaux recommends. “Companies have made safety into a well-established routine when it comes to wearing hard hats and climbing ladders,” says the Axians expert, “but safety remains an abstraction when it comes to keeping data secure.”

Learning to manage risk involves first asking what needs to be protected, i.e. “the most sensitive assets, since you can’t protect everything,” says Cédric Cailleaux, who points out the most widespread shortcomings across organisations ranging from SMEs to multinationals. “Of 50 companies that were asked about it at a recent meeting, only two had introduced an ISSP, an Information System Security Plan.”