Cyber attacks: AFNOR organizes the response

Les chiffres sont effrayants : d’après le baromètre CESIN 2022, plus d’une entreprise française sur deux a vécu au moins une cyberattaque au cours de l’année 2021. Et chacune de ces attaques occasionne un manque-à-gagner de 27 % sur le chiffre d’affaires ! Aucun acteur économique, grand ou petit, public ou privé, n’est à l’abri, ni ne doit fermer les yeux sur ce qu’il faut mettre en place pour prévenir les attaques. A l’heure où nous écrivons cet article, l’hôpital de Versailles est durement touché ! La présence d’un ransomware signe bien souvent déjà la fin d’une attaque”, prévient Lionel Mourer, consultant-formateur pour AFNOR Compétences, qui dispense une formation sur la gestion d’une cyberattaque.
AFNOR Spec 2208 : un condensé de bonnes pratiques
What’s more serious is the form of denial that business leaders are displaying with regard to the risk of cyber-attack. In fact, according to the Eurogroup Consulting barometer, and despite the media coverage of numerous attacks at the end of 2022, cyber risk comes second last in the hit parade of perceived risks, with only 15.7% of executives surveyed citing it. ” Nearly a third of large companies rank it among the top 3 risks for 2023, compared with a minority of small and medium-sized businesses. This downgrading can be explained by both a lack of resources and an underestimation of the risk. “comments Eurogroup Consulting. Yet these smaller businesses are the number one target for hackers: ” The cybercrime threat, and more specifically the ransomware threat is set to continue, with business picking up again in late 2022. It particularly affects VSEs, SMEs and ETIs (40% of all ransomware processed or reported to ANSSI in 2022), local authorities (23%) and public health establishments (10%) “, reports the Agence nationale de la sécurité des systèmes d’information (ANSSI) in its latest
Pour savoir comment s’organiser, AFNOR publie le guide « Cyber-résilience, reconstruction du SI et continuité d’activité métiers en cas de cyberattaque paralysante ». Disponible gratuitement dans la collection AFNOR Editions sous le libellé AFNOR Spec 2208, il centralise les recommandations et bonnes pratiques d’une quarantaine d’acteurs dont beaucoup ont vécu des cyberattaques : PME, ETI, start-up, grands groupe, hôpitaux, etc. « Nous avions besoin de recommandations pour savoir comment s’organiser avant et pendant : comment évaluer le risque, quels critères sélectionner pour prendre des décisions, que prioriser pour maintenir une continuité de service, comme par exemple la lumière dans les chambres et les couloirs », apprécie Béatrice Bérard, pour la Fédération hospitalière de France, l’un des contributeurs.
AFNOR itself suffered a cyber-attack that deprived it of its information system for several weeks in the spring of 2021. ” Our biggest post-attack commitment was to invest in the writing of a guide to help companies facing this situation to cope,” says Frédéric Leconte, Director of Information Systems at AFNOR Group.
AFNOR Spec 2208: continuing the business and rebuilding the information system
This guide has just been published. For CIOs and CISOs, it provides guidelines and operational recommendations for anticipating and dealing with cyber-attacks, depending on the nature of the business, the level of maturity (3 levels are defined) and the organization’s resources. ” Cyber attacks can bring organizations to their knees for long periods: weeks, months. So we started with the concept of a crippling cyberattack. This certainly raises the question of how to rebuild the information system, after the event, but above all how to ensure business continuity, over the long term, in the absence of IT tools or in the presence of tools operating in degraded mode, explains Xavier Hartout, consultant at Adenium BRG, who co-chaired the group that drafted the AFNOR guide. Seen from this angle, a business continuity plan (BCP) is the first thing to put in place. The guide explains how to set it up, and which actions to prioritize in degraded mode, such as the payment of salaries outside payroll software, for example. The idea is that a good BCP ensures resilience. The guide is divided into four parts:
- Recommandations en cas de survenance d’une cyberattaque paralysante
- Spécifications techniques pour la reconstruction du système d’information
- Préconisations pour la continuité d’activité métiers
- Sortie de crise, retour d’expérience et capitalisation après une cyberattaque
It is accompanied by several appendices: a summary of best practices, a cyber-insurance application form, a summary guide for small structures, and a form for triggering an IT continuity plan.

The AFNOR Spec 2208 guide includes numerous figures, such as this one on the Articulation of technical teams for IS reconstruction.
Cybersecurity figures for 2021 in France:
- 54% of French companies under attack in 2021
- +255% more ransomware attacks in 2020 than in 2019
- 50,000: the median cost of a cyber attack
- Average loss of 27% of sales in France