Training companies in cyber security, a subject that concerns us all
In its latest issue, the Ionis MAG magazine, published by the IONIS Education Group, offered a platform to Mary Moin, director of SECURESPHERE by EPITA, which trains professionals to meet the challenges of cyber security.
It is not simple to train company employees in cyber security. The main difficulty lies in the fact that cyber security concerns all employees, regardless of their position. Without exception. Tools are simply not sufficient to reinforce the security of a structure. Each and every staff member has to acquire the skills and good practices that must be implemented at their particular level.
At SECURESPHERE, the EPITA cyber security center of expertise, we have determined three types of employees that must be trained within a company, based on their position. The first group involves all staff members: all those who use a computer or connect to the company network – in other words, virtually everyone. As the first line of defense, they must have good reflexes, particularly in the case of a “phishing” attack, which is a very common practice. The second group concerns the IT team: for example, those who design tools and networks. They need a short, pragmatic and technical training program, so that security systems are automatically integrated into all of their projects from the very beginning. The last group is the experts: those who need to improve their expertise with customized training courses. Cyber security is a broad and very comprehensive field, which is difficult to control in its entirety, even for specialists. Some are experts in “forensics”, others in “pentest” or in defensive security… In all cases, the training programs must be adapted to the constraints of the employees and their particular business context.
At the intersection of law and cyber security, the General Data Protection Regulation (GDPR) promulgated by the European Union has accelerated things. Having entered into force last year, it establishes sanctions in the case of violations concerning personal data. In practice, the text has forced companies to acquire secure tools. In substance, it serves a dual interest: for companies, which become increasingly secure, and for users, who can better protect themselves. In this sense, it is in line with the position held by SECURESPHERE: cyber security must be a concern shared by a firm’s entire work force and by all players in the field. As long as it remains an issue reserved for a minority, it cannot work. This may be compared to road safety, which cannot depend only on automotive manufacturers: a driver may have the best safety belt available on the market, but if they do not wear it…
Protection, a business ally
There is a large gap between the growing awareness of business managers and the very little action they have taken. On the one hand, they do not feel concerned by the problem as long as they have not been attacked. On the other, training employees is still not a priority for most companies. It is a financial issue, and certain firms choose other subjects that they feel are more pertinent to their own business concerns. It is always complicated to get people to understand that spending on cyber security training helps prevent the major costs incurred in the event of a crisis. Many companies still prefer curative to preventive measures. This is a strategic mistake: all studies show that cyber security is, and will increasingly be, a booster for business and a guarantee of confidence. This is why it must be viewed in terms of gain rather than cost.
Threats are increasingly sophisticated, and attackers are clearly more and more professional. Cyber-attacks are highly diverse, just like the individuals carrying them out. Their motives are many: to destroy, to undermine brand image, to steal data, etc. It is also possible to attack a state and its infrastructure through a company. By attacking strategic enterprises, and administrations in particular, it is easy to paralyze a nation. Imagine for a moment that the SNCF railway or the RATP metro system were under attack… These attacks can be purely technical, but it is often humans who let havoc into businesses: a Trojan horse on a USB key, clicking on an email containing a virus… There is also an issue that is often forgotten: all of the information we place on social networks. Through simple social engineering, a hacker can legally gather information. This can also happen over Wi-Fi networks and Bluetooth. We must not forget that hackers have all the time they need and can patiently collect the information they want…
In the face of these threats, there are good “students”, such as companies that have already been attacked and those subject to mandatory security requirements, like organizations and businesses whose strategic activities the State has designated as being of vital importance. The task ahead remains immense, because for the general public, as well as for most companies (in particular micro, small and medium-sized businesses), cyber security training is in its very early stages. Once again, cyber security concerns each and every one of us.