Before becoming a cybersecurity consultant at Provadys, Tristan Pinceaux was a systems administrator at the ISC-PIF research institute in Paris and at Orange. He then became an analyst specialising in threat intelligence and incident response for the cybersecurity team at Airbus Defence and Space. Tristan spoke to Akuiteo about the latest cybersecurity concerns for companies.
Hello, Tristan. Can you tell us a bit about your company?
Provadys is an audit and consulting firm specialising in cybersecurity, infrastructure and cloud computing, and transformation for information systems. We offer several cybersecurity services:
- Offensive Security to assess how well you can resist an attack.
- Defensive Security to focus companies’ transformation and digitalisation projects on security.
- Compliance to make sure companies comply with reference documents and certifications by adopting a pragmatic approach to security and respecting each company’s unique features. We are a certifying body for Arjel, PCI DSS (QSA Company) and PASSI, and specialists in ISO 2700x and Personal Data (GDPR).
- SOC to identify, protect, detect and respond to attacks on companies on a daily basis. This is SOC Provadys’s aim – we have a dedicated team of experts that support intermediate-sized companies and SMEs and we offer simple, ready-to-use and affordable solutions.
- Provadys Institute to train and inform companies and their staff about cybersecurity.
We have a range of clients, from the leading listed companies in France to smaller organisations like SMEs and intermediate-sized companies in all sectors.
What are the threats that companies have to deal with today?
There are two key risk areas:
- Technical: infrastructure, networks, vulnerable equipment and software, and badly built architecture, potentially including backdoors.
- Human: the weakest link. Chinks can soon appear in the armour. Attackers normally target staff who have IS privileges or they try to gain access via forgotten pathways, such as service providers who access the IS from a larger organisation.
Besides the standard attacks like phishing campaigns and DDoS (Distributed Denial of Service) attempts, we’ve seen three big threats recently:
- Those related to the Internet of Things (IoT).
- Ransomware, which encrypts or blocks access to some or all of a company’s data until you’ve paid a ransom.
- APTs (Advanced Persistent Threats), which look to steal data, among other things, by getting into a company’s IS, targeting specific industrial and media sectors.
What is the first piece of advice you give companies?
Make sure that everyone within the company knows about the latest cybersecurity concerns – and not just for business data but also for personal data, which is going to be regulated soon. To raise awareness, you could try a face-to-face training session or e-learning with a final quiz to assess what staff members have learnt about the different subjects.
The aim is to make staff understand that cybersecurity is everyone’s responsibility. Even if staff members are not network administrators, they are still an important part of the company’s security shield. Social engineering is key. For example, don’t leave passwords lying around on your desk, don’t give out information to people you don’t know very well, check the source of an email before opening an attachment or clicking on a link, and so on.
We’re seeing more of a BYOD (Bring Your Own Device) culture within businesses: staff bring in their own machines and access the company’s network. Some administrators also manage network infrastructure from the same computer that they use to surf the web. These practices are risky and show how tricky it is to balance two trends:
- First, understanding the danger that attacks pose for companies.
- Second, wanting to be more flexible and making security transparent for users.
Some big groups are used to managing this problem and employ sustainable solutions to separate work from life. However, some smaller businesses still blur the boundaries between the professional and the personal, which can have catastrophic consequences.
Besides raising awareness among users, what are the three key areas to watch to stop the cyber risks that threaten the IS?
It’s simple:
- Standard good business practices, like the principle of least privilege when giving out rights.
- Strong authentication: good passwords, everywhere, for users, service accounts and so on.
- Tougher code and regular updates.
How do you ensure that a company is well protected?
A security audit is a very good indicator. It can help to do the following:
- Assess if there are good operational and organisational processes in place from a cybersecurity standpoint.
- Detect possible failures, check if the equipment is up to date and so on, using penetration tests.
And remember: companies very often overlook their service providers. Security is a concern for everyone, from the CEO to the administrator, via the developer or the outside call centre, right up to the marketing manager. Everyone can be affected and so everyone has a role to play.
There’s an all too common problem: companies want to boost their security, but they don’t want to add all of the extra components, such as an HRIS. We then detect vulnerabilities that need patching too late because no one thought about the security concerns. Companies need to protect both their core infrastructure and their entire ecosystem (including IT).