CESIN has published a survey of the practices and views of IT security managers (RSSI/CIOs). Despite years of increasingly sophisticated attacks, the report shows that companies keep bad reflexes on issues as basic as passwords and ransomware.
What the CESIN report says on corporate cybersecurity
In early 2019, CESIN launched an annual survey of its members in charge of corporate cybersecurity. This second edition, published in March 2020, is telling: according to the responses collected by the organization, a large share of cybersecurity good practices are still not applied, despite a steady stream of data-breach headlines.
Thus, CESIN notes that 51% of IT security managers would be ready to pay in the face of ransomware if the situation required it, even though paying the ransom in no way guarantees that the data will be restored (or that the attacker will not come back), and that 7% of the companies surveyed dropped their antivirus in favour of an EDR (endpoint detection and response) solution, rather than using the two as complementary layers.
The implementation of zero trust policies, at the heart of current business challenges since it means rethinking processes and the management of user access rights, has been undertaken by only 6% of companies according to the report. Worse: nearly 80% of them insufficiently secure personal devices used under bring your own device (BYOD), a practice that is now widespread even where it is officially banned.
Almost one in two businesses has taken no action to block the use of online storage services such as Google Drive, Dropbox or OneDrive; only 2% of respondents have adopted a password-less approach by deploying new authentication methods, and barely 12% have reviewed their security approach through a security-by-design process.
Finally, the study reveals that 45% of companies make do with a basic backup system, that 33% of them do not have good control over the security patching of their machines, and that, despite the explosion in the number of cyber attacks, 54% have not strengthened their security systems.
Cybersecurity: should we sound the alarm bells?
The CESIN report paints an alarming picture of the state of cybersecurity within companies. Should we therefore conclude that the awareness of the importance of cybersecurity, after the damage caused by WannaCry among others, has fizzled out? Not necessarily.
This survey is very interesting because of what it asks CIOs about hypothetical situations: it makes it possible to map how far cybersecurity terms such as EDR or zero trust have penetrated. Nevertheless, it deals with intentions, not actual actions: the format of its questions, which invites respondents to imagine a situation they have never had to face, makes it more of a vox pop than a faithful inventory of reality.
Indeed, if 91% of companies say they are against paying the ransom in a critical ransomware attack, how many actually pay when it happens, given that this type of attack continues to be so widely used by attackers?
Likewise, more than 25% of respondents say they have not started deploying EDR technologies. Yet one of the foundations of EDR is antivirus: an EDR agent typically includes, or sits on top of, the signature and behaviour engine of a classic antivirus. With more and more products carrying the EDR label, how many respondents understand what is actually behind the acronym?
The same question arises with zero trust, since in reality many companies were applying the practice before it was conceptualized under that name. Deny-by-default is nothing new, but the label "zero trust" may well have clouded the understanding of the question, and therefore skewed the answers. The CESIN poll, despite its qualities, reveals less a vote than a voting intention.
4 key issues to remember about cybersecurity
Despite a few flaws, this survey nevertheless highlights four issues to be monitored.
1. Online storage
The figures in the report show mixed results on online storage and on the measures put in place to block access to services like Google Drive or Dropbox. Read between the lines, the data shows that there is still a lot of education to be done to counter the prejudices that demonize this type of solution. Indeed, contrary to popular belief, the platform of a major online storage provider is today generally better secured than an in-house datacenter; the real question for the company is governance, i.e. keeping visibility over where its data ends up, not the provider's own security.
2. Passwords
It is the perennial cybersecurity topic! Despite all the awareness raised on the importance of protecting your password by choosing a different one for each application, avoiding anything tied to personal information and changing it regularly (a practice that NIST SP 800-63B no longer recommends unless there is a sign of compromise), the reality is that the majority of users continue to use passwords that are too short, and that the authentication steps remain insufficient.
While it is unrealistic to require each user to have a unique password of more than 30 characters mixing upper- and lower-case letters, digits and special characters, solutions are now being developed to authenticate users more securely, such as biometric authentication or the zero-touch approach, both of which have a bright future.
3. The active directory
Long neglected by companies, Active Directory is the directory that lists all the objects of a managed network: user accounts, servers, printers, shared folders and so on. Any of these objects can become the Achilles heel of the information system if it is not sufficiently monitored and/or protected.
The CESIN report rightly insists on how poorly Active Directory is still protected. It is an essential piece of infrastructure, yet still too rarely secured as such, and attackers have understood this well: it remains the hotspot and the gateway for a growing number of cyberattacks.
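To turn this point into a concrete check, here is an added PowerShell example; it is not part of the CESIN report or of this article. It assumes the RSAT ActiveDirectory module on a domain-joined machine and an account with read access to the directory; the 90-day inactivity threshold and the report layout are assumptions chosen for the example. It pulls the four things an attacker looks for first in a neglected directory: who is effectively a Domain Admin, which enabled accounts never have to change their password, which enabled accounts have gone stale, and which accounts carry a Kerberos SPN (service accounts whose ticket can be requested by any domain user and cracked offline if the password is weak).

```powershell
# Added example (not from the CESIN report or the article): a quick Active
# Directory hygiene report for the "Achilles heel" objects described above.
# Assumptions: RSAT ActiveDirectory module installed, domain-joined host,
# an account with read access to the directory.
Import-Module ActiveDirectory

$StaleDays = 90                      # assumption: inactivity threshold for this example
$Report    = [ordered]@{}

# 1. Effective Domain Admins, nested groups flattened; computers filtered out
#    because Get-ADUser cannot resolve them.
$Report['DomainAdmins'] = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate

# 2. Enabled accounts exempt from password expiry: they silently bypass the
#    rotation policy and often belong to services or forgotten admins.
$Report['PasswordNeverExpires'] = Get-ADUser `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 3. Enabled accounts with no logon for $StaleDays days: orphaned accounts are a
#    classic foothold once their credentials leak.
$Report['StaleAccounts'] = Search-ADAccount -AccountInactive `
    -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

# 4. Accounts with a Service Principal Name: any domain user can request a
#    service ticket for them and attempt to crack the password offline
#    (Kerberoasting), so an old or weak password here is a direct gateway.
$Report['ServiceAccountsWithSPN'] = Get-ADUser `
    -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Print one section per finding, with the count in the header so the report can
# be compared from one run to the next.
foreach ($Key in $Report.Keys) {
    "=== $Key ($(@($Report[$Key]).Count)) ==="
    $Report[$Key] | Format-Table -AutoSize | Out-String
}
```

Run it from an elevated PowerShell session on an administrative workstation and keep the output with each run: a growing Domain Admins list, a service account whose PasswordLastSet is years old, or stale enabled accounts are exactly the signals the paragraph above warns are left unmonitored.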
4. Securing automation
Scale-out, workflows, automation… Companies have automated a large number of actions to speed up processes and free up human attention. However, these automations can, if poorly protected, become a gateway for malware. This is all the more strategic because even automations that were well protected when they were set up were protected with the solutions available at the time, and cybersecurity, like cyber attacks, keeps evolving. It is therefore an important point to watch.
Cybersecurity: towards an age of maturity?
It is always hard to quantify the progress still to be made in cybersecurity: the road ahead for companies is endless, since cybersecurity is an ongoing investment built on a cat-and-mouse game with attackers.
However, just because companies are lagging behind does not mean they should be afraid of cybersecurity. On the contrary! It is essential to know your vulnerabilities in order to set up a cybersecurity policy designed to counter current risks, while regularly reassessing both the threats and the controls in place.
In recent decades, cybersecurity has evolved tremendously. The advent of the web boosted attacks, and therefore defences, and we quickly moved from perimeter security, where an antivirus and a firewall were enough, to a multiplication of risks with the explosion of devices and new technologies. The arrival of 5G, scheduled for 2021, should in turn shake up IT security: with the coming democratization of the IoT, an exponential growth in attacks targeting connected objects is to be expected. In the end, it is not so much that the road to cybersecurity is long; it is above all that there is no finish line.