The days when cyber attacks hit only a few unlucky SMEs are over. Very profitable for cybercriminals because they are easier to attack than large groups, SMEs have now become a prime target. In the last 12 months, 21% of them have been victims of a cyber attack. While the cost of these attacks rarely exceeds €10,000, in very rare cases the victim company does not recover, especially when the case becomes public. (01/02/2019 – Damien Bancal)(1).
Didier Spella is President of Mirat Di Neride, an expert in business strategy and cybercrime, and Head of the CLUSIR Office – New Aquitaine Ouest. A former senior officer of the French Air Force, he co-founded Charente-Maritime Cyber Sécurité, a conference held for the first time on 17 & 18 October 2018 in La Rochelle, and has followed the development of the various concepts that currently govern the cyber-world. His knowledge of both analog and digital security, his experience in risk analysis and his expertise gained within an American company have established him as an expert in defining security strategy. As cyber attacks become more frequent and more intrusive in our daily lives, he recently initiated this conference, which discussed the risks faced by the general population and more particularly by those running VSEs and SMEs. Its theme was: «all attacked, all accomplices».
A «beautiful order…»
Another one of those sunny mornings that make this region so charming. It is time to go out to the oyster beds, because the tide does not wait. This morning, René, our oyster farmer, has a big order to ship. Last night he received a special request by email from his regular customer, and he replied that he would do everything in his power to honour it. When the oysters come back from the beds, it takes only a few hours to crate the 2 tons, and the driver is already ready to leave for Spain. This time the delivery address has changed, but these things happen. The day goes on; all that remains is to send the invoice… Two days later, on Thursday, a new order arrives from his customer. René takes the opportunity to call him… «How was your Tuesday order? Were you happy with it?» «What order? I haven't ordered anything from you in three weeks.» «But what about your message on Monday, the 2 tons of oysters?» «I never sent you a message on Monday. I had been in Morocco since Saturday and came home Tuesday night. I even put pictures on my Facebook page.» René begins to realize that he has just been swindled… Someone impersonated his customer. Looking back at the email address the order came from, he sees that it is slightly different…
Yes, another case of impersonation… The cybercriminal observed this entrepreneur's exchanges, monitored the customer, then wrote from a lookalike address that a hurried reader would not notice. This is a fairly classic fraud case, and the victim is a small business. The attacker could just as easily have encrypted the data on his computer and demanded a ransom…
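The detail René only noticed after the fact, a sender address that is slightly different from the real one, is something a mail client or a small script can check when a message arrives. The Python below is an added example, not code from the article or from the Charente-Maritime Cyber Sécurité conference: it compares the From: header of an incoming message against an address book of trusted correspondents and reports an exact match, a new mailbox on a known domain, a lookalike domain (digit-for-letter swaps such as 0 for o, rn for m, a transposed letter, or a non-Latin letter such as Cyrillic о), or display-name spoofing, where the familiar name is kept but the address is not. The address book, the domain maison-dupont.example and the sample headers are all constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed address book of trusted correspondents (hypothetical name and
# domain, not from the article). Keys are lower-case addresses, values the
# display name the correspondent normally uses.
TRUSTED_CONTACTS = {
    "commandes@maison-dupont.example": "Maison Dupont",
}

# Substitutions an attacker uses to build a domain that looks right at a glance.
# Applied in this order so that the two-letter pairs are folded before digits.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: Unicode-folded, lower-cased,
    with the common confusable substitutions undone."""
    d = unicodedata.normalize("NFKC", domain.strip()).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. Code points are compared, so a Cyrillic letter
    standing in for a Latin one counts as a single substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_CONTACTS, max_distance: int = 2):
    """Return (verdict, matched_trusted_address) for a From: header value.

    Verdicts, in order of precedence:
      trusted                   exact address in the address book
      known-domain-new-mailbox  same domain as a contact, unknown local part
      lookalike-domain          domain equal after confusable folding, or
                                within max_distance edits of a known domain
      display-name-spoof        known display name on an unrelated address
      unknown                   no relation to any contact
    """
    display, addr = parseaddr(from_header)
    addr = unicodedata.normalize("NFKC", addr).lower()
    if addr in trusted:
        return "trusted", addr
    if "@" not in addr:
        return "unparseable", None
    domain = addr.rsplit("@", 1)[1]
    name = unicodedata.normalize("NFKC", display).strip().lower()

    # Domain checks against every contact take precedence over the name check.
    for t_addr in trusted:
        t_domain = t_addr.rsplit("@", 1)[1]
        if domain == t_domain:
            return "known-domain-new-mailbox", t_addr
        if skeleton(domain) == skeleton(t_domain) or edit_distance(domain, t_domain) <= max_distance:
            return "lookalike-domain", t_addr
    for t_addr, t_name in trusted.items():
        if name and name == t_name.lower():
            return "display-name-spoof", t_addr
    return "unknown", None


if __name__ == "__main__":
    # Constructed From: headers, one per verdict.
    for header in [
        "Maison Dupont <commandes@maison-dupont.example>",
        "facturation@maison-dupont.example",
        "Maison Dupont <commandes@maison-dup0nt.example>",
        "Maison Dupont <commandes@maison-dupont.exarnple>",
        "Maison Dupont <commandes@maison-dup\u043ent.example>",  # Cyrillic o
        "Maison Dupont <orders@freemail.example>",
        "someone@unrelated.example",
    ]:
        print(f"{classify_sender(header)[0]:26} {header}")
```

The edit-distance threshold of 2 is a heuristic: on very short domains it will produce false alarms, so in practice the check is tuned per address book and treated as a warning, not a verdict. It also does nothing against a genuinely compromised customer mailbox, which is why the organisational rule still matters: any change of delivery address or bank details is confirmed by phone, on a number already known, before goods leave the yard.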
Whether they are Small and Medium Enterprises (SMEs) or Very Small Enterprises (VSEs), their common feature is the centralization of the company's management. This centralization gives them a real competitive advantage: with limited human resources, these companies are far more responsive and flexible than structures belonging to large groups. To put VSEs and SMEs properly in context, they must first be defined. To do this, we will use the definitions published in «Economie Magazine».
A technical distinction
We often tend to confuse the VSE with the SME, yet the two notions are genuinely different. Let us start with the Very Small Enterprise. It is customary to qualify as VSEs all structures with legal personality whose headcount is below ten. In addition, the annual turnover or balance sheet total of a VSE must not exceed a ceiling of two million euros. In the vast majority of cases this form of company is a sole proprietorship, i.e. without employees; it is also called a «microenterprise» and corresponds to the needs of self-employed workers such as craftsmen, traders or the liberal professions. Since starting a business of this type requires few resources, human or financial, VSEs are the main source of business start-ups in France: according to the statistics, nearly 93% of the companies created in France are microenterprises. The particularity of microenterprises is their specific tax regime.
Compared with the VSE, the Small and Medium Enterprise stands out by its size. To date there is no single precise definition, but the one that has prevailed is that of European Recommendation 96/280/EC of 3 April 1996, amended by Recommendation 2003/361/EC of 6 May 2003. These texts classify companies according to two combined criteria: headcount and turnover (or balance sheet total). Companies are thus defined as small enterprises if they have between ten and fifty employees and an annual turnover or balance sheet total not exceeding ten million euros. Between fifty-one and two hundred and fifty employees we speak of «medium-sized enterprises», whose turnover must be below fifty million euros or whose annual balance sheet total must be below forty-three million euros. Above two hundred and fifty employees we speak of a «large company».
A few figures…
According to a PWC study, cyber security is an issue today for less than a third of French companies, and two thirds consider that the risk of a cyber threat to their company is not significant. Perhaps most serious: only 2 companies in 10 feel fully capable of handling a cyber attack. To complete the picture, fewer than one company in five has actually implemented protective measures. Finally, 95% of companies do not plan to hire a person dedicated to cyber security in the next 12 months (2).
What are those cyber risks?
Cyber risks are of two kinds:
• direct risks to the technical environment of Information and Communication Technologies (ICTs),
• more «classic» risks that concern the environments using ICTs. The problem therefore cannot be reduced to hardening the ICT environment alone.
The digital space
First of all, it is necessary to define what the digital space covers. We will use this definition: all the paradigms that are used to provide the service expected of a digital machine. These paradigms, from which the digital space has developed, are four in number. The first is electricity, in the sense of positive and negative charges, and all the properties that result from it: energy transport, but also electromagnetism, radio waves, radiation, etc. The second is the paradigm of the digital machine itself, which uses all or part of the standard architecture defined by von Neumann. The third concerns communication and can be summarized as follows: transmitting a message requires a transmitter and a receiver, which encode and decode the message carried over a transmission channel. The fourth is data, with the three properties we will retain: availability, confidentiality and integrity.
When the digital world came into being, we were faced with imposing digital machines that had to be housed in dedicated premises. They were expensive, as were all the peripherals attached to them. They were administered by qualified personnel and required continuous monitoring. Logical access to them was limited, because access points were few and throughput was very low. Only the functions that could be digitized were developed and processed on these machines, whose resources were limited.
Next-gen «bunkers»: Mount 10, a.k.a. «Swiss Fort Knox», a server bunker built in a former Swiss Army secret base ©Mount10
We are then in the presence of computer centres, real physical «bunkers», whose protection (mainly physical and electrical) serves availability above all. A large, qualified staff is employed there. Users of the system are at best connected by wire to process some information; at worst, they submit processing jobs whose results come back to them as printed documents (listings). No processing resources are relocated. Network protocols are rigid and complex, but easily traceable. Throughput is limited. The main priority for data is availability. We are in a technical, cumbersome, resource-intensive and specialized environment: in effect a fairly closed world, whose users, «attached» to a processing centre, must respect its rules and constraints. Our four paradigms then appear as pillars. Security is genuinely physical and technical, used by a technical world and implemented by specialists. For VSEs and SMEs, digital investment is rare and specific. Machines must be installed by experienced service providers. The entire management of the system is entrusted to a specialist in the larger structures, or completely outsourced to a service provider.
…To cyber security
A definition of Cybersecurity
Cybersecurity (according to ANSSI) is the desired state of an information system that enables it to resist cyberspace events that could compromise the availability, integrity or confidentiality of stored, processed or transmitted data and related services that these systems offer or make accessible. Cybersecurity uses information system security techniques and is based on the fight against cybercrime and the establishment of cyber defence.
Over the last 20 years, the four paradigms have undergone changes. Electricity has seen its properties developed and exploited, particularly in terms of energy consumption and of its electromagnetic, radiation and wave properties. The von Neumann machine has been shrunk, miniaturized and hardened. It fits into very small, portable and mobile devices. These are more robust and do not require regulated environments. In addition, the operating system can come preconfigured on the machine. Their cost keeps falling. Sold in «general public» shops, they can be set up by non-specialists.
Communications have evolved phenomenally: the carriers are ever faster and the protocols simpler. The combined package then allows wireless, «cloud-like» diffusion that makes every form of cable obsolete. Network expertise is no longer needed to set up these communications. As for data, its availability is ensured by ever more efficient, miniaturized and inexpensive media, and its confidentiality seems fairly simple to ensure; in fact it is its integrity that becomes the new security issue. These developments have led to the complete popularization of digital technology, which now appears simple and inexpensive. We can digitize everything, so everything is digitized. Control of the computer system passes from experts and specialists to end users who no longer need to understand these technologies. All management of the digital world is vested in the end user. Technologies have evolved to let the user manage it, but they open up new avenues for fraudulent activity around this digital world. Gone are the secure bunkers where the processing machines stood. Gone are the protocols that made it possible to follow the path of each frame. We are in an open technological world, implemented by users. Faced with this evolution of the paradigms, we can understand the confusion of the heads of very small and small businesses. The four pillars of digital technology have become the four horsemen of the apocalypse.
How to move from IT security to cyber security
After this sobering observation, it is time to identify some areas of evolution, in order to help business leaders better understand these changes. Cybersecurity must therefore be addressed not as a technical problem but as a societal one. The company manager must take ownership of it, involving the IT manager where there is one and/or the service providers otherwise. They are key players in this process, but they are not the only ones who should be involved.
Risk-cost-protection basic scheme © Eidebally
Acceptable objectives – risk
It is first up to the company manager to identify all his risks. For every area of the company, this approach requires a detailed analysis. On that basis, the manager will have to start by improving safety and then security, so as to reduce all the risks initially identified. He may even transfer some of these risks to an insurer specialized in the field concerned. His risk then becomes acceptable.
Acceptable objectives – cost
All the solutions the business leader implements will have a cost for his company. He will have to compare these costs with the cost of a loss event, given the risks assessed at the time of the analysis. This approach makes the cost acceptable.
A classical office… where everything is wrong… Ad for the University of British Columbia 2017 Cybersecurity Month ©UBC.ca
Acceptable objectives – protection
The means implemented must be accepted by all the company's internal and external stakeholders. If protection is not accepted by all employees, a «Katangese» effect develops and the means implemented become dreadfully ineffective. These objectives can only be defined by the entrepreneur, and this is perhaps where he faces a strong contradiction. On the one hand, protecting a technical world can only be done through specialist approaches. On the other hand, whether for risks or for protection, all employees are concerned. A «human» approach to these problems is therefore necessary. It is in this sense that protection becomes acceptable…
Beyond the technical solutions that will be built and implemented by specialists in the field (and here we find, in part, our IT security), the company's organization will need to be reviewed. Digital components, whether personal or professional, together with their uses and contexts of use, then risk falling outside the protection of the technical equipment deployed in the professional environment. The rules of use for all these «digital» components will therefore have to be reviewed, and employees educated, so as to build a collective awareness within the company. All this clearly shows the problems our VSEs and SMEs face. Focused on the productivity essential to their survival, they use a technology that has evolved along divergent lines. This requires them to reflect not only on the technological aspect but also on the societal one. Our awareness-raising must focus on these aspects in order to help business leaders better understand their approach to cyber security.
Author: Didier Spella