To support our business models and provide the plethora of services we use every day, an astronomical amount of data is exchanged every second across networks, between data centres and millions of terminals. The real-time transmission and processing of this information underpins what is now known as the 'data driven economy'. The functioning of our societies depends on this data. Awareness of this fact means that we need to protect it and make it secure. "While this data is an essential resource, it is also coveted. IT systems are constantly exposed to attacks aiming at capturing data or paralysing the IT systems that use or host it," explains Aurélien Mangin, Information Security Officer at EBRC.
More and more professional attacks
Recent high-profile attacks reveal that hackers are becoming more professional, carrying out increasingly sophisticated attacks and exploiting each and every vulnerability. In December 2020, for example, the attack targeting the Orion network monitoring software, published by SolarWinds, allowed hackers to access the computer networks of 18,000 entities without being detected. Last year, the Log4Shell attack exploited a critical flaw in a widely used Java component, allowing attackers to remotely execute code across millions of applications worldwide. Even more recently, there has been an increase in attacks related to the geopolitical situation in Ukraine: acts of espionage, sabotage, disinformation and propaganda.
"In this uncertain environment, organisations must constantly manage the omnipresent cyber risk," continues Aurélien Mangin. "They must deal with denial-of-service attacks and ransomware. More recently, we have seen attacks that aimed purely and simply at destroying information and systems, without necessarily seeking to exert pressure or obtain anything. These are acts of war whose only purpose is harm."
Adopting enhanced approaches to security
How can organisations protect themselves? At EBRC, a European player in the protection and management of sensitive data, operating 15,000 m² of Tier IV Data Centres and its own sovereign cloud, EBRC-Trusted Cloud Europe, security is a key concern. In this environment, the company ensures the implementation of the best approaches and practices, complying with the most advanced international standards in the field – ISO 27001 (Information Security), ISO 22301 (Business Continuity), HDS (Health Data Hosting Provider), PCI DSS (Payment Card Industry Data Security Standard) – and scrupulously meets the requirements imposed by the GDPR.
From strong authentication to crisis management
"Strengthening security starts with a few key elements, such as the implementation of multi-factor authentication solutions for users, especially if they need to access the most sensitive data and critical systems," continues the security expert. "Beyond that, it is necessary to be able to implement rules for the real-time supervision and detection of attacks based on indicators of compromise that must be regularly re-evaluated. Because there is no such thing as zero risk, it is important to have an effective back-up strategy which allows systems to be quickly restarted following an attack. Finally, it is necessary to be prepared to deal with any crisis, by implementing ad hoc procedures to ensure rapid decision-making, efficient communication and an appropriate response to the attack in order to go back to normal operations as quickly as possible."
Adopting a reference framework
To deal with the threat and ensure optimal protection, it is important to rely on the right cybersecurity skills, but also to use a secure framework. "The risks associated with data being leaked, destroyed or held hostage are not negligible. A company's reputation and the trust that users place in it can quickly be damaged. There is also an operational, legal and financial risk and, with regard to personal data, exposure to sanctions linked to the GDPR," continues Aurélien Mangin. "Security cannot be improvised. Using a secure framework, such as the ISO 27001 standard on information security management, or the NIST Cybersecurity Framework, allows us to have a structured approach to security and to implement a continuous improvement process based on risk management." Today, EBRC is certified on many of these standards, each of them constituting a guarantee of quality and confidence for its clients.
Evaluating oneself and staying humble
"As I said, there is no such thing as zero risk. Therefore, it is also important to evaluate one's approach to security on a regular basis, by carrying out penetration tests, be it internally or via an external provider. Internal and external audits should also be carried out," continues Aurélien Mangin. "The results of these procedures allow us to take a look at what has been implemented. By being open to criticism, showing humility and admitting our weaknesses, we constantly raise our standards. This is part of the continuous improvement process."
Personal data, a critical issue
These issues are even more critical when it comes to the use of personal data, where malicious use can have serious consequences for the individuals concerned. In accordance with the General Data Protection Regulation, organisations are obliged to guarantee the confidentiality, integrity and availability of the data. "If any of these three pillars is compromised, the impact on the individual can be severe, or worse, fatal. Take health data, for example. The unavailability of health data, in an emergency situation, can lead to poor patient care. Its alteration, in the same way, can lead to diagnostic errors," explains Aurélien Mangin. "Personal data which concerns a political, philosophical or religious opinion being compromised can also have unfortunate consequences." Every organisation must appoint a Data Protection Officer (DPO) to monitor this data and safeguard the rights of everyone with regard to their personal information. "This function must be attached to the highest level of the organisation's hierarchy. The DPO must ensure that the regulation is properly applied, acting independently based on a global vision of the use of data in the company," explains Aurélien Mangin, Deputy DPO at EBRC. "The DPO must also make employees aware of these issues, mobilise them and implement appropriate checks."
Continuously raising awareness
Finally, let's bear in mind that the level of security depends on every link in the chain, with the human element being the weakest one. "Everyone can make a mistake. It is human and unavoidable. However, because a mistake can have major consequences, it is essential to raise awareness, so that everyone knows the issues and risks, especially when it comes to phishing or so-called social engineering attacks. Everyone, without exception, must remain vigilant," explains Aurélien Mangin. "In order to strengthen the level of protection, security teams must be able to work with human resources, so that they can communicate regularly with employees, remind them of good practices, and frequently organise security incident exercises." In this way, we can work to implement a real culture of security that serves data protection and contributes to proper business continuity.
How to proceed
Mastering all the devices, tools and standards can be complex and difficult, all the more so as it takes several years of practice to master them. The increase in threats and the succession of crises force companies to step up the pace in strengthening their defence and resilience. But how do you do that? "Seeking support from experts in the field, having an overview in order to make the right diagnosis and drawing up an action plan will often be the right approach. Making choices according to the requirements of the client's business is also key for cost effectiveness. This is what we do every day at EBRC with our Trusted Advisory Services teams."