new-hazards|5 mins Read
Online hazards are part of the online experience: how can we best deal with them?
February 8, 2022
In barely 10 years, corporate cybersecurity has become a major issue. Cyber threats are now everywhere, meaning that we have to increase our vigilance and use appropriate tools for reducing our exposure to the risk of piracy. We take stock of good practice.
IT threats are skyrocketing. For example, in the second half of 2022 alone, global cyberprotection leader Acronis revealed that it had blocked some 21 million URLs on the various devices that it protects. That's a 10% increase on the first half of the year. Piracy targets IT equipment and online accounts. And all companies are affected. The level of exposure varies depending on the size of the company and the sector in which it operates, as well as – more crucially – how well protected its vulnerabilities are.
In the digital age, the way in which IT systems are configured can either invite or block intrusion. There is no shortage of points of entry. It could be a security flaw in the operating system (OS) of a smartphone, PC or laptop, tablet, printer or server. Or it could be a poor configuration or a particular piece of software installed (such as a videoconference programme). And increasingly, the risk of intrusion can come from fake Wi-Fi networks, or when the use of USB keys booby-trapped with computer viruses – ransomware – is still possible. In fact, according to some industry commentators, ransomware could cost us a total of US$30 billion globally in 2023.
Hijacking an online account is the ultimate aim of a hacker – that grants them access to company data. Hackers are able to do this either by taking control of a piece of equipment beforehand that contains login credentials for the victim's various professional and / or personal accounts, or by compromising one of the passwords in use.
To stop this from happening, discarding weak passwords and replacing them with significantly more complicated formats made up of a mix of letters, digits, special characters and uppercase / lowercase letters is highly effective. This precaution proves useful when a piece of hardware is lost or stolen – it makes it very complicated or even impossible for anybody to maliciously connect to it from the outside.
Email represents a weakness in any IT system. Companies use email to communicate with employees, suppliers, partners and clients. Given the wealth of information and the sheer quantity of data contained in email systems, it is no surprise that they are a favourite target of computer pirates.
Who does not receive at least one fraudulent email per day designed to extract sensitive data from them (phishing)? A real scourge! By opening up such emails and clicking on a fraudulent link or downloading an infected attachment, the company or its employee is running the risk of having their identity stolen, or of downloading a virus or malicious code (ransomware) that will make it easier to have their data stolen or their conversations and sensitive information hijacked.
This phenomenon can also take the form of a phone call, in which case it is referred to as vishing. Fortunately, no company gives people the option to reveal their credentials and passwords over the telephone.
There is a lot to watch out for when it comes to bolstering email security. First of all, look at the domain name used. Often it is not quite the same as the real one. For example: @axa-partners.com or @axapartner.com instead of @axapartners.com.
Then there is a whole series of checks to consider:
Cybercriminals will do anything to access our companies' data. Although attacks targeting company leaders – who may fall for CEO scams in particular – can be lucrative, employees are more frequently targeted, including mobile employees and remote workers. Raising employees' awareness and encouraging them to get into the right habits and use appropriate tools will reduce the company's risk of falling prey to cyberattacks.
Raising employees' awareness may involve adopting an IT charter. By defining rules and setting out examples of best practice, it provides an overview of the type of equipment available and general instructions for using it, alongside the precautions to take when using telephones, emails, when browsing the Internet or sharing files, etc. For it to be comprehensive, it should also include all aspects to do with mobility and working remotely.
According to studies, human error plays a part in more than 95% of IT security incidents. Reducing the number of attacks also involves providing employees with regular and repetitive training – on a face-to-face basis or remotely – about the fundamentals of cybersecurity and the right habits to get into. This teaches people to recognise the methods used with cyberattacks, so they can take appropriate action to protect themselves. Furthermore, training plays a part in ongoing improvements to our companies' digital culture.
It is still important to bridge the gap between theory and practice with real-life simulations. Pitching employees – unbeknownst to them – against fictitious attacks further raises their awareness of the very real risk of piracy and sharpens their reactions. The results of these simulations – involving phishing emails and ransomware – can be used to assess their ability to detect intrusion attempts and decide whether or not a new, better adapted, training cycle needs to be run.
All of these initiatives involving identifying, preventing and delivering training about cyber threats for employees constitute the first line of defence for our companies. Indeed, cybercriminals are increasingly clever, so simply installing tools and securing mobile devices is no longer enough. Cybersecurity is no longer an issue for just IT departments. It is part and parcel of everyday life for employees, service providers and clients. We all have a role to play in ensuring it.