Largely unaware and often ill-prepared, small businesses are most vulnerable to cyber attacks – as we pointed out in a previous article.
Cyber-risks appear abstract to most organisations, with protection measures as complex as they are costly.
How do we change the situation? How do we ensure universal understanding of cybersecurity challenges across businesses?
To achieve this, ANSSI published a guidebook for VSEs/SMEs, in collaboration with the French Directorate General for Enterprise and Cybermalveillance.fr.
The guidebook uses these twelve questions to present the best practices for guaranteed security in small and medium-sized businesses. We summarise the key points.
Grasping the basic principles of IT
Question 1: How well do you know your IT system?
This the very first questions VSEs/SMEs must ask regarding cybersecurity as they review their digital capabilities. What equipment and services are in place? What software is used? What data is processed? Who connects to the information system and under what conditions? What potential interconnections are there with the outside world?
Question 2: Do you perform regular backups?
In the event of a cyber attack, regular data backups help to recover operational activities more quickly. With this in mind, you must identify critical data, find the right pace for backups and select a medium, whether physical or Cloud-based.
Question 3: Do you regularly apply updates?
Updates (to operating systems and software) install essential security patches. That’s why you must remember to enable automatic updates.
Question 4: Do you use antivirus software?
An antivirus programme represents a cybersecurity pillar for VSEs/SMEs. However, always take special care and regularly update your antivirus to enjoy full protection against the latest hacking techniques.
Question 5: Have you enabled a firewall?
A local firewall is one of the available features on most operating systems and antivirus software. It offers protection against web-based attacks.
Further exploring data security
Question 6: Have you adopted a robust password policy?
Cyber attacks flourish whenever a password is overly straightforward. ANSSI therefore recommends that VSEs/SMEs create ‘robust’ passwords.
The latter should include 9 to 14 characters (depending on system criticality), avoid all personal information and require regular updates.
Question 7: How do you secure your email system?
As the primary cause of infected workstations, email systems must be governed by an advanced cybersecurity policy.
For VSEs/SMEs, this security is mostly achieved through good user practices: pay attention to senders, avoid opening suspicious attachments, verify message authenticity through another channel, etc.
Question 8: How do you separate IT uses?
ANSSI promotes a principle of IT “hygiene” based on a separation of uses for cybersecurity purposes. This ranges from the creation of dedicated user accounts for web browsing to the limitation of permissions assigned to each application for each use.
Question 9: How do you manage digital risk during assignments and business trips?
Mobility serves to increase cyber risks. A few simple questions can help us prepare: what must I take with me on assignment (equipment, data backup, passwords, etc.)? What best practices must I follow during and after the assignment?
Question 10: How do you stay informed? How do you raise awareness among collaborators?
VSEs/SMEs must implement an internal awareness policy. The latter is reflected in targeted communication actions to increase user awareness of recommendations, particularly those of ANSSI in the guidebook.
Preparing for a cyber attack
Question 11: Have you assessed your insurance policy coverage for cyber risks?
Insurers offer guarantees adapted to IT risks, with different forms of protection depending on the policy. As such, it’s in the best interests of VSEs/SMEs to ensure coverage for the most critical risks.
Question 12: Do you know how to respond to a cyber attack?
A cyber risk “action plan” is an absolute must in the event of a disaster. This may involve disconnecting your IS or equipment during an incident, tracking actions and related events, communicating the disaster to stakeholders, filing a complaint, not to mention reporting a potential data breach to the French Data Protection Authority, CNIL (as required under the European Union’s General Data Protection Regulation).
Question 13: do you plan to use cloud solutions?
Lastly, although cloud solutions offer a genuine security opportunity, you have to carefully choose the solution that suits you. All cloud offerings (commercial cloud, SecNumCloud qualified cloud, private cloud, etc.) do not meet the same security needs.
The SecNumCloud qualification, a “security visa” issued by the ANSSI, (the French Network and Information Security Agency) not only provides the guarantee of a level of confidence in the security of the infrastructure or service offered, but also offers legal protection against extra-community laws.
These offerings can, for example, suit a company which needs to protect its data against the risk of dispute in competitor countries.
When it comes to cybersecurity for VSEs/SMEs, prevention is better than cure! To develop protection against IT risks, you need a bit of common sense, a handful of trusted partners and a healthy dose of secure solutions – like Oodrive Work, a tool enabling you to work in a trusted environment and share your sensitive documents.
This way, you can collaborate at speed while complying with ANSSI recommendations!
