Cybersecurity in business: Best practices for strengthening your cyber resilience
Since the Covid crisis, the number of cyber threats in France has risen by 400%, and half of all companies have seen a significant increase in cyberattacks (figures from the National Assembly). The ANSSI warns that the cyber threat remains at a "high level" and that attackers increasingly go after less protected entities. In this context, companies must adopt a set of best practices to protect themselves from these threats and strengthen their cyber resilience, so that activity can resume quickly after an attack. How do you build an effective cybersecurity policy?
Why protect your business from cyber threats?
It's a fact: cyber incidents are on the rise. A 2022 report from IBM Security found that 83% of the organizations surveyed had experienced more than one data breach. For the same year, Check Point Research reports a 38% increase in weekly cyberattacks against businesses compared to 2021.
These attacks have serious consequences for organizations at every level. They disrupt operations (for a shorter or longer period depending on the nature of the incident) and damage reputation (data theft erodes users' trust), sometimes for the long term. They also carry a significant financial cost: IBM Security puts the average cost of a data breach at around 4 million euros in 2022, up 12.7% from 2020.
Beyond these major consequences, it is essential to remember that cybersecurity is also a legal obligation. Companies are required to comply with regulations, particularly by meeting the requirements of the GDPR (General Data Protection Regulation).
The question is not whether to define a cybersecurity policy for a business, but how to implement it.
How to implement a cybersecurity approach in your business?
Every company is different, but any strategy for implementing a cybersecurity approach rests on the same core best practices. Here they are.
1. Assess cyber risks
What risks is your company exposed to? The answer depends on several parameters:
- The nature of your business and the criticality of the data you collect. For example, organizations that handle banking data or personal information hold data that is considered critical: its loss or unauthorized disclosure can have serious consequences, including fraud and privacy violations.
- The security of your IT environment: your information system, the provider hosting your data, your Cloud platform, and so on. The security of the whole is only as strong as its weakest link, so nothing should be neglected.
- The size and exposure of your organization. Small and medium-sized enterprises (SMEs) are particularly targeted by cybercriminals because their weaknesses are often more visible: according to the CPME, 42% of companies with fewer than 50 employees have already suffered one or more cyberattacks or attempted attacks. Large companies are not immune either. Media companies, SaaS businesses, e-commerce platforms and online gaming platforms are prime targets; even though they are usually far better protected than SMEs, the potential damage from a data breach or a denial-of-service attack, in lost revenue or reputation, is often considerable.
2. Protect your IT infrastructure and your network
How exposed your IT environment is depends directly on how well it is secured. It is therefore essential that your IS and your network benefit from the highest level of protection you can achieve. Several points deserve attention:
- Keep your applications and software up to date, applying security patches promptly.
- Establish a rigorous policy for managing access to the network and web platforms, and restrict access to the most sensitive data to the people who actually need it.
- Secure the servers on which your data is stored (ideally in European datacenters, for data sovereignty).
- Back up your data regularly to a location independent of the original server, kept separate from the production network so that an attacker who compromises it (ransomware in particular) cannot reach the backups as well, and test restores regularly: a backup you have never restored is not yet a backup you can rely on.
- Adopt tools with a high level of security: antivirus and firewall, of course, but also a Cloud technology suited to the criticality of the data (public, private or hybrid Cloud, SecNumCloud qualification, etc.).
- Think about service availability from the very start of the infrastructure design: how long can a service be unavailable (the recovery time objective, RTO)? How much data, or how many events, can acceptably be lost (the recovery point objective, RPO)? The answers to these questions drive the architecture choices and deployment strategies.
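As an added example (not Iguana Solutions' code, and not part of the original article), the following Python script turns the backup and availability points above into a repeatable restore drill: it writes a small constructed dataset, archives it to a second directory standing in for an independent location, records a SHA-256 manifest of the live data, restores into a third directory, verifies every file against the manifest, and scores the backup age against an RPO and the restore duration against an RTO. The sample files, directory names and the 24-hour RPO / 30-minute RTO thresholds are assumptions for the demonstration.

```python
import hashlib
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample data standing in for the production dataset (assumption).
SAMPLE_FILES = {
    "customers.csv": b"id,email\n1,alice@example.com\n2,bob@example.com\n",
    "orders/2024-01.json": b'[{"id": 1, "total": 42.0}]\n',
    "config/app.ini": b"[db]\nhost=db.internal\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, backup_dir: Path) -> tuple[Path, dict[str, str]]:
    """Archive source into backup_dir (the 'independent location') and return
    the archive path plus the manifest taken from the live data."""
    manifest = build_manifest(source)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive, manifest


def restore(archive: Path, restore_dir: Path) -> float:
    """Extract the archive and return the elapsed restore time in seconds."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter rejects absolute paths and '..' members, which
            # protects the restore host if the archive itself was tampered with.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # interpreter predates the filter parameter
            tar.extractall(restore_dir)
    return time.monotonic() - start


def verify_tree(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the relative paths that are missing or whose digest differs."""
    restored = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)


def check_objectives(backup_time, now, rpo, restore_seconds, rto) -> dict:
    """Compare the backup age with the RPO and the restore duration with the RTO."""
    age = now - backup_time
    return {
        "backup_age": age,
        "rpo_ok": age <= rpo,
        "restore_seconds": restore_seconds,
        "rto_ok": timedelta(seconds=restore_seconds) <= rto,
    }


def run_drill(rpo=timedelta(hours=24), rto=timedelta(minutes=30)) -> dict:
    """End-to-end drill: write sample data, back it up, restore it, verify it,
    then score the result against the RPO/RTO (thresholds are assumptions)."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backups, restored = (Path(tmp) / n for n in ("live", "offsite", "restore"))
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        backups.mkdir()
        restored.mkdir()

        backup_time = datetime.now(timezone.utc)
        archive, manifest = make_backup(source, backups)
        seconds = restore(archive, restored)
        mismatches = verify_tree(restored, manifest)

        # Simulate a corrupted restore to show that verification catches it.
        (restored / "customers.csv").write_bytes(b"tampered\n")
        corrupted = verify_tree(restored, manifest)

    result = check_objectives(backup_time, datetime.now(timezone.utc), rpo, seconds, rto)
    result.update({"mismatches": mismatches, "mismatches_after_tamper": corrupted})
    return result


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

In a real deployment the manifest would be stored with the backup but signed or kept on a separate system, so that an attacker who reaches the backup cannot rewrite both the data and the digests that vouch for it.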
3. Define an internal cybersecurity policy
In a company, applying cybersecurity measures properly requires a complete, explicit internal policy that every employee knows about. This cyber policy includes measures such as…
- A management method suited to critical data, particularly for access control (strong authentication, i.e. multi-factor authentication);
- The requirement to use strong passwords;
- Securing the devices used by mobile employees (with particular attention to the risks of Shadow IT);
- A strict separation of uses within the company (for example, user accounts dedicated to web browsing, or permissions restricted according to each application and the use made of it, so that nobody holds more rights than their job requires);
- Training employees on essential cybersecurity concepts.
4. Make employees aware of cyber risks
This is indeed a key point, because cybersecurity is not solely the responsibility of the IT department: the risk concerns everyone, and every employee must take part in protecting the organization. This means presenting them with:
- The existing cyber risks and the precautions to take (choosing secure passwords, using company-provided hardware when working on the move, never plugging storage media brought in from outside into office machines, etc.).
- The various types of attacks: ransomware, phishing, social engineering, DDoS attacks, man-in-the-middle attacks…
- The need to report security incidents as soon as possible.
5. Establish an action plan in case of an incident
The purpose of a cybersecurity approach is not only to protect the company but also to give it the means to react when an attack occurs. It is therefore essential to have an action plan dedicated to cyber threats, ready to deploy as soon as an incident takes place. This plan should include:
- Procedures to detect a cyberattack and isolate the affected systems or accounts as quickly as possible, so the incident is contained before it spreads.
- A data recovery process to ensure business continuity.
- A procedure for managing crisis communication with stakeholders, the media and the public.
- Taking out insurance against cyber risks, in order to limit financial losses.
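The "detect and isolate" step above is usually the least concrete part of a plan. As an added example (not Iguana Solutions' code, and not part of the original article), the following Python script shows what it looks like in practice for one common case: it reads sshd-style authentication log lines, flags any source IP with at least five failed logins inside a sixty-second sliding window, treats a successful login from such an IP inside that window as a likely compromised account, and turns the result into the containment actions a playbook would prescribe. The log lines, the threshold and window, and the wording of the actions are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demonstration; they are not real logs.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-04T09:00:03Z sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-03-04T09:00:05Z sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-04T09:00:08Z sshd[1204]: Failed password for alice from 203.0.113.7 port 51025 ssh2
2024-03-04T09:00:11Z sshd[1205]: Failed password for alice from 203.0.113.7 port 51026 ssh2
2024-03-04T09:00:14Z sshd[1206]: Failed password for alice from 203.0.113.7 port 51027 ssh2
2024-03-04T09:00:20Z sshd[1207]: Accepted password for alice from 203.0.113.7 port 51030 ssh2
2024-03-04T09:05:00Z sshd[1300]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-03-04T09:07:00Z sshd[1301]: Accepted publickey for bob from 198.51.100.4 port 40001 ssh2
2024-03-04T09:09:00Z sshd[1302]: Connection closed by 198.51.100.4 port 40001 [preauth]
"""

# Matches the two outcomes we score; other sshd messages are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str):
    """Return (timestamp, result, user, ip) or None for lines we do not score."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and record any account that then logs in successfully from that IP
    while the window is still hot (a brute force that appears to have worked)."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    for ts, result, user, ip in events:
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "compromised_accounts": set()})
                alert["failures"] = max(alert["failures"], len(recent))
        elif result == "Accepted" and len(recent) >= threshold:
            alert = alerts.setdefault(ip, {"failures": len(recent), "compromised_accounts": set()})
            alert["compromised_accounts"].add(user)
    return alerts


def containment_actions(alerts) -> list[str]:
    """Translate alerts into the isolation steps an incident playbook would prescribe."""
    actions = []
    for ip, alert in sorted(alerts.items()):
        actions.append(f"block {ip} at the perimeter firewall ({alert['failures']} failures in window)")
        for user in sorted(alert["compromised_accounts"]):
            actions.append(f"disable account {user}, terminate its sessions and force a credential reset")
            actions.append(f"isolate the host that accepted {user}'s login from {ip} pending forensic review")
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for ip, alert in found.items():
        print(ip, alert)
    for action in containment_actions(found):
        print("->", action)
```

The second source (198.51.100.4) produces one failure followed by a key-based success, which is ordinary user behaviour and stays below the threshold; the point of the window is to separate that from the first source, where six failures in thirteen seconds are followed by a password success for one of the accounts that was being guessed. In production the same logic would consume the log stream from a SIEM or journald rather than an in-memory string, and the actions would be executed through the firewall and identity-provider APIs rather than printed.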
6. Implement a continuous improvement process
The final best practice is to put the company on a continuous improvement track. Establish a process to evaluate the measures taken (through regular audits), run simulations (such as incident-response exercises) to identify potential vulnerabilities, and commission penetration tests (pentesting).
This is all the more crucial because the company cannot rest on its laurels: threats keep evolving, and cybercriminals adapt (very) quickly to security innovations.
Implementing a cybersecurity approach in your company rests on four major pillars: preparation for attacks (risk assessment, IS and network protection, development of a security policy), employee awareness, incident management, and continuous improvement (to keep your security rules up to date).
These are complex projects, and you can benefit from the expertise of Iguana Solutions (ISO 27001 certified) to guide you in the development of an efficient security policy and in the reinforcement of your cyber-resilience.