Before becoming a cybersecurity consultant at Provadys, Tristan Pinceaux was a systems administrator at the ISC-PIF research institute in Paris and at Orange. He then became an analyst specialising in threat intelligence and incident response for the cybersecurity team at Airbus Defence and Space. Tristan spoke to Akuiteo about the latest cybersecurity concerns for companies.
Provadys is an audit and consulting firm specialising in cybersecurity, infrastructure and cloud computing, and transformation for information systems. We offer several cybersecurity services:
We have a range of clients, from the leading listed companies in France to smaller organisations like SMEs and intermediate-sized companies in all sectors.
There are two key risk areas:
Besides the standard attacks like phishing campaigns and DDoS (Distributed Denial of Service) attempts, we’ve seen three big threats recently:
Make sure that everyone within the company knows about the latest cybersecurity concerns – and not just for business data but also for personal data, which is going to be regulated soon. To raise awareness, you could try a face-to-face training session or e-learning with a final quiz to assess what staff members have learnt about the different subjects.
The aim is to make staff understand that cybersecurity is everyone’s responsibility. Even if staff members are not network administrators, they are still an important part of the company’s security shield. Social engineering is key. For example, don’t leave passwords lying around on your desk, don’t give out information to people you don’t know very well, check the source of an email before opening an attachment or clicking on a link, and so on.
We’re seeing more of a BYOD (Bring Your Own Device) culture within businesses: staff bring in their own machines and access the company’s network. Some administrators also manage network infrastructure from the same computer that they use to surf the web. These practices are risky and show how tricky it is to balance two trends:
Some big groups are used to managing this problem and employ sustainable solutions to separate work from life. However, some smaller businesses still blur the boundaries between the professional and the personal, which can have catastrophic consequences.
It’s simple: standard good business practices, like the principle of least privilege when giving out rights.
A security audit is a very good indicator. It can help to do the following:
And remember: companies very often overlook their service providers. Security is a concern for everyone, from the CEO to the administrator, via the developer or the outside call centre, right up to the marketing manager. Everyone can be affected and so everyone has a role to play.
There’s an all too common problem: companies want to boost their security, but they don’t want to add all of the extra components, such as an HRIS. We then detect vulnerabilities that need patching too late because no one thought about the security concerns. Companies need to protect both their core infrastructure and their entire ecosystem (including IT).