2016 is said to have been a record-breaking year for cyberattacks. And the outlook for 2017 isn’t great either. While protecting IT systems and data is a top priority for businesses, the French National Cybersecurity Agency (ANSSI) has released a new version of its guide to keeping IT systems safe and secure. It contains 42 invaluable ways to help professionals strengthen the security of their infrastructure and thereby prevent cyberattacks.
The guide was created on the back of a sudden realization. “If the prescribed measures had been implemented by the bodies concerned, the majority of cyberattacks requiring help from ANSSI could have been prevented”. The French authority’s assessment of the security situation can’t be denied.
No company or organization today is immune from the problem. The number of cyberattacks is growing and they’re getting more sophisticated. It’s vital that companies boost their protection given the new regulations – especially at an EU level – which impose heavy fines on them if they don’t do their utmost to protect their customers’ data. To prevent any kind of incident, help is available in the form of the new IT security guide published by ANSSI.
“Security is no longer optional. The challenges of digital security must be reconciled with the economic, strategic, and even image concerns of decision-makers. If we put that need into context, remind ourselves of the objective pursued and respond with targeted measures as appropriate, this IT security guide is a road map incorporating the interests of any organization which understands the value of data,” the agency explained.
An evolving threat
The first version of the good practice guide was released in 2013. At the time, it featured 40 measures for companies to implement. The 2017 version is an update in view of the technologies and practices – both new and developing – which need to be applied when it comes to security. In compiling the new guide, the authors factored in the emerging threats and the challenges that businesses face. “To make sure the digital world remains a place of freedom, exchange, and growth, trust and security need to be built up and protected,” the agency commented.
Security – an issue that affects us all
Among the new editions to the 2017 guide is an emphasis on training and awareness. In 2013, this issue was ranked 12th in terms of significance. Today it’s ANSSI’s highest recommendation. Within a company, every single member of staff is affected by security. Training operational teams on IT system security is a priority. It is also vital to raise users’ awareness of basic good practices in security.
“Moreover, a new generation of IT security experts needs to be trained to respond to the demands of our digital society,” the agency remarked.
The guide to IT security also stresses the fact that, to ensure a secure IT system, a company needs to have absolute control over the hardware connected to it. “Each device represents a potentially vulnerable point of entry”. Personal devices (such as laptops, tablets, and smartphones) are by definition difficult to control, as it is the users who decide their level of security. ANSSI therefore recommends prohibiting the connection of such devices to company hardware.
“This recommendation is often seen as unacceptable or outdated at an organizational level. But to do otherwise jeopardizes the company network and opens up the possibility of an attack,” ANSSI warned. “Raising awareness among users must therefore involve sharing practical solutions that respond to their needs.”
Favoring approved products and services
In addition, ANSSI recommends using products and services that have been approved by the agency. “The approval system provided by ANSSI provides assurances on security and trust for buyers of solutions listed in the catalogs of approved products and service providers, as published by the agency”. Oodrive is a software publisher which develops 100% secure professional cloud solutions. It is currently collaborating with ANSSI on the pilot phase of the approval process under the SecNumCloud label.