Reflets Magazine #143 | Digital Transformation: Don’t Forget About Cybersecurity

Experts Insights

06.28.2022

54% of businesses reported at least one digital attack in 2021. How do you recover rapidly from such incidents? Dorothée Decrop (EXEC M21), managing director of Hexatrust, offers some advice in Reflets Magazine #143. Here is a free online translation of the article… click here to read the rest of the issue (in French)!

Since the onset of the COVID crisis, organisations have been wrestling with a breakdown of data perimeters. With remote working, employee authentication no longer takes place at the door, and companies can never be entirely sure who is in front of the screen. Cloud services are gradually replacing in-house servers, and it is increasingly common to share files with external partners. Employees use an ever-growing number of applications; some of them are approved by their employers, others not so much. In short, the physical frontiers of the business have been redrawn.

Against this backdrop, the Allianz Risk Barometer for 2022 identifies cybersecurity as the biggest risk facing businesses worldwide, and the second-biggest risk in France. While phishing remains the most widespread form of attack, indirect attacks piggy-backing on external service providers are on the rise (21%, up from 16% in 2019). Businesses can ill afford to neglect this kind of attack, given their potential impact on relations between clients and sub-contractors.

Reinforcing the cyber-resilience of businesses is a matter of urgent importance. However, if we are to rise to this challenge we will first need to overcome five common misconceptions.

Misconception No. 1: Cyberattacks only happen to other people

According to an OpinionWay survey of CESIN members (France’s Digital and IT Security Experts Club), more than half of all companies (54%) reported suffering between one and three successful cyberattacks during the year 2021. The World Economic Forum’s Global Risks Report for 2022 notes that in 2020 alone incidents of malware infection grew by 358%, while cases involving ransomware rose by 435%. 

The question is no longer if an organisation will be the target of an attack – that is a given – but rather whether or not it has systems in place which are sufficiently robust to mitigate the impact of these attacks.

Misconception No. 2: Cybersecurity is best left to the experts

The work of the chief information security officer (CISO) is indispensable in terms of monitoring and correcting any internal IT vulnerabilities. Nevertheless, with 73% of all attacks involving phishing of some sort, in-house cybersecurity is everybody’s business. Raising awareness of these threats among employees needs to be a top priority, and organisations should provide regular training.

In other words, if it is to be effective then cybersecurity policy can no longer be regarded as a sub-component of the overall ICT strategy. It needs to be right at the heart of corporate governance, directly overseen by top management or the ExCom. In the event of an attack, every part of the organisation will be affected, and its tangible and intangible assets will all be at risk: HR will need to coordinate employees, the communication team will need to deal with any reputational damage, the administrative and financial team will be affected by the ransom, the legal team will need to report the crime and handle the GDPR implications, the commercial teams will be affected by the interruption of business and the leak of client data – and, of course, the ICT team will need to resolve underlying issues and improve the management of IT projects.

Misconception No. 3: Cybersecurity is a technical subject

Cybersecurity obviously involves a great deal of technical expertise and mastery of information systems. 

However, and although it might not always seem that way, cybersecurity is about people first and foremost. The people behind cyberattacks are criminals, or even spies. The unwitting vectors of their attacks are employees, who may suffer direct consequences for their careers, something recently evoked by Jacques Cheminat in Le Monde Informatique. The victims are people too, people who may never recover economically, technically or personally from the attack. Last but not least, the people working to defend businesses during attacks and during the recovery process are key stakeholders too – and choosing the right partner is essential.  

Misconception No. 4: Cybersecurity is all about constraints

Your cybersecurity policy needs to be founded on three essential pillars: training, processes and tools. It can also provide an opportunity to redefine your competitive strengths, and lay the foundations for lasting partnerships with fellow members of your professional ecosystem, providing partners with reassurance as to your level of protection. Cybersecurity policy is thus rapidly becoming a strategic choice for many organisations, a source of added value, as illustrated by the recent acquisition of Tanker by Doctolib. 

Moreover, financial and ESG (environmental, social and governance) ratings now include criteria pertaining to cybersecurity, which is regarded as an essential dimension of governance as well as corporate social responsibility, not least when it comes to protecting against data theft.

Misconception No. 5: Cybersecurity is expensive

In France, the average organisation’s cybersecurity budget accounts for between 3 and 5% of its total IT spending. That figure is closer to 15% in the USA, and 22% in Israel… examples we would do well to heed.

What really costs money, and lots of it, is recovering from business disruption, ransom payments, the theft of strategically important data, compromised information and reputational damage. Organisations need to understand that the money they spend on cybersecurity is an investment in their long-term development, not a cost.

In conclusion…

It is high time that we developed a genuine culture of cybersecurity within our organisations. Cybersecurity is founded on three essential pillars: training, processes and tools. It requires a combination of awareness, adequate investment and professional organisation to prevent risks effectively. Each and every employee has an important role to play in these efforts.


Translation of an article published in Reflets Magazine #143. Click here to read a preview of the issue (in French). Subscribe here to get the next issues (in French).

Image : © AdobeStock
