Deployed across all departments to allow remote work, or made necessary by the closure of physical premises and the introduction of "click and collect", digital technology has imposed itself on many SMEs, which have taken the plunge over the more than a year of the Covid-19 health crisis, often without a safety net.
A third of the shops and service companies out of the 720 surveyed by the Digital Economy Association in December 2020 report having used digital tools to maintain their activity.
More present on the web, they are therefore more exposed.
Almost six in ten French companies have faced a computer intrusion attempt, and one in five has been the victim of a ransomware attack (a ransom demanded to unlock the system and its data).
This is what the latest barometer of business cybersecurity from the Club of Information and Digital Security Experts (CESIN), published in January 2021, reveals.
The most frequent are phishing attacks (80%).
In this case, a single unfortunate click by an employee on an email is enough to trigger the intrusion and paralyse the company's computer system.
Then come the exploitation of software vulnerabilities (52%), the "president scam" (CEO fraud, 42%), where the hacker impersonates the company director by hijacking his email address (or even reproducing his voice!), and login attempts (41%) made by "cracking" a password or username.
Being small is no protection
Thus, "2020 has shown that cybersecurity is the business of all companies and that one is never too small to be a target", warns Christian Poyau of the Medef technological changes commission, which offers an online test.
"Small businesses are not spared and can be put in great difficulty by these untimely hacks of their data", underlines François Asselin, president of the CPME (Confederation of small and medium-sized enterprises), the Medef's partner in a practical guide, "The essentials of digital security for managers".
The National Information Systems Security Agency (Anssi) has for its part published a short guide in 12 questions for VSEs/SMEs.
Above all, the first step in securing a business is to know it better: identify its vital activities and its most sensitive data.
All our contacts advise carrying out an internal audit.
"You also have to calculate how quickly (days, weeks, months) the company, if it is attacked, can recover its initial functioning. And also whether we are able, internally, to identify the problem," insists Jonathan Uzan, cybersecurity manager at the Boston Consulting Group (BCG).
Here are the six points to prioritize to better protect yourself.
1. Raise awareness among all employees.
At all levels of responsibility, employees must be made aware of good practices.
"We think especially of attacked networks and malicious emails. But we must not forget smartphones or computers stolen outside the office, and physical intrusions. A person comes for an interview and plugs a USB key into a device to steal data," cites Clément David, co-founder of Padok, as an example.
His company specializes in cloud and security.
He says that one of his clients had five computers stolen, three of which had been left unlocked by employees.
A basic audit and awareness-raising can limit 70% of the risks.
They teach everyone to react properly, estimates the president of Padok: "People are often panicked and do not dare to report that they have clicked on a fraudulent email. We must tell them that they will not be judged." And that they must quickly warn their boss.
2. Cloud or no cloud?
In a few years, the cloud has established itself as the easy and practical solution for storing increasingly large files.
The service provided by the provider - Amazon, Microsoft, Google, or others - depends a lot on the amount of data to be stored.
"The system is not infallible," warns Loïc Guézo, secretary general of the French Information Security Club (Clusif). "Depending on the offer, the supplier may only provide a backup of the files; their security then depends very much on the entrepreneur."
Moreover, in the 6th CESIN barometer, 86% of companies believe that the tools provided by cloud solution providers are not enough to secure data and that specific measures are needed.
Employees must also be vigilant, because hackers generally try to steal credentials via email in order to log in to the cloud themselves.
The company can ask the supplier to install physical servers on its premises.
All files then remain on a private network controlled by their owner.
This is a more expensive solution, and one that requires more hands-on management of the computer systems.
3. Recruit an expert or hire a service provider?
It all depends on the size of the business.
Internal or external, what matters is being able to count on someone who will need all the less time to resolve the situation if they already know the company or have carried out a prior audit.
That is so much time saved when it comes to stepping in to put out the fire.
Who to call?
The offer is plentiful.
A list of qualified service providers is available on the Anssi website.
4. Is it a good idea to hire a "friendly" hacker?
Some computer geniuses put their talents at the service of a good cause.
They test a system's flaws by breaking into it legally.
The term "white hat" describes these "bounty hunters", tasked with hacking a site to reveal security flaws in exchange for a reward.
Start-ups like YesWeHack help companies find their ethical hacker.
The hacker will then support the company and provide it with new means to protect itself.
“The number of requests from SMEs doubled in 2020,” notes Rodolphe Harand, associate director of the start-up.
5. Check whether you are insured against hacking.
Checking your current contracts is the first thing to do.
Taking out specific cover for cyber risk gives you quick access to all the relevant experts (legal, technical, communication) and lets you claim compensation for the financial loss suffered (cost of the IT response, loss of income if activity stops...).
But beware, "qualifying and quantifying a company's risk is extremely complicated," recalls Jonathan Uzan, from BCG.
"Insurers offer specific cover, but it is now reserved for companies that can show their credentials," notes Frédéric Chaplain, director at Verlingue, an insurance broker.
"They will not obtain it without proving that they have a prevention policy, password management, regular updates... Many insurers refuse cyber cover if you have not taken out fraud cover."
Where applicable, the insurance policy may cover the lawyer's fees.
6. When should I bring in a lawyer?
The lawyer can manage the crisis as a whole: file a complaint (only 47% of victims did so in 2020, according to CESIN); negotiate with the cybercriminals in liaison with the judicial police (who advise never to pay the ransom); communicate with employees and customers (who could be harmed);
write the personal data breach notification (mandatory since 2018) to the CNIL;
help manage disputes with clients... As Me Florence Chafiol, partner at August Debouzy, explains, "it is up to the lawyer to demonstrate that the president scam is a cyber attack and falls within the remit of the cyber police."